This issue was moved to a discussion.

You can continue the conversation there.

add known vulnerabilities from packagist.org to the SBoM result #142

Closed
jkowalleck opened this issue Nov 13, 2021 · 2 comments

Labels: enhancement (New feature or request), idea

Comments

@jkowalleck (Member) commented Nov 13, 2021

CDX sbom knows vulnerabilities via

packagist.org (Composer's primary source) has an API to list known vulnerabilities per package.
See the docs: https://packagist.org/apidoc#list-security-advisories
Implementation detail: the API might have special handling for a leading "v" in versions, or a special format for version constraints (which might be handleable by Composer's internal version-constraint library).


Summary of feedback/ideas:

  • IDEA: implement a switch to enable/disable the feature, since some CI/admins don't like unnoticed web traffic to some API.
  • IDEA: fetch these API data and add the relevant information to the resulting SBOM.
  • IDEA: As the tool is often used during build processes, it might be good to have an optional non-zero exit code if a vulnerability is found. That makes it easy to "break the build" if that's what people want. (thanks @coderpatros)

If fetching data from the API fails, simply emit an error at the increased "verbosity" log level and don't add any vulns to the SBoM result.
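The lookup-and-match flow sketched above, as an added example that is not code from cyclonedx-php-composer or packagist. It assumes composer/semver is autoloadable (it is the constraint library Composer itself ships), so Semver::satisfies() takes care of the leading "v" and the constraint syntax; the package names, advisory fields, links and environment-variable switches are constructed for the example (the field names follow the API documentation linked above, and should be checked against a live response), and the network call is only taken when the offline demo flag is turned off:

```php
<?php
declare(strict_types=1);

// Added example, not part of cyclonedx-php-composer. Assumes composer/semver is
// installed so vendor/autoload.php exists; it is Composer's own constraint library.
require_once __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Semver;

/** Build the query URL documented at https://packagist.org/apidoc#list-security-advisories */
function buildAdvisoryUrl(array $packageNames): string
{
    $params = array_map(
        static fn (string $name): string => 'packages[]=' . rawurlencode($name),
        $packageNames
    );
    return 'https://packagist.org/api/security-advisories/?' . implode('&', $params);
}

/**
 * Fetch and decode the "advisories" map. Returns null on any transport or
 * decoding failure so the caller can log at the verbose level and carry on
 * without adding vulnerabilities to the SBOM.
 */
function fetchAdvisories(string $url, int $timeoutSeconds = 5): ?array
{
    $context = stream_context_create(['http' => [
        'timeout' => $timeoutSeconds,
        'header'  => "Accept: application/json\r\nUser-Agent: sbom-example/0.0\r\n",
    ]]);
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        return null;
    }
    $decoded = json_decode($body, true);
    if (!is_array($decoded) || !is_array($decoded['advisories'] ?? null)) {
        return null;
    }
    return $decoded['advisories'];
}

/**
 * Match installed packages (name => version) against the advisories map.
 * Semver::satisfies() normalizes both sides through Composer's VersionParser,
 * so a leading "v" (v1.1.0) and packagist's constraint syntax
 * ("<1.2.0|>=2.0.0,<2.0.1") need no custom string handling.
 */
function matchAdvisories(array $installed, array $advisories): array
{
    $hits = [];
    foreach ($installed as $name => $version) {
        foreach ($advisories[$name] ?? [] as $advisory) {
            if (Semver::satisfies($version, $advisory['affectedVersions'])) {
                $hits[$name][] = $advisory;
            }
        }
    }
    return $hits;
}

// Constructed sample shaped like the documented API response; package name,
// advisory id, link and constraint are placeholders, not real advisory data.
$sampleAdvisories = [
    'acme/widget' => [[
        'advisoryId'       => 'PLACEHOLDER-ADVISORY-ID',
        'packageName'      => 'acme/widget',
        'title'            => 'Placeholder advisory for the example',
        'link'             => 'https://example.invalid/advisory',
        'cve'              => null,
        'affectedVersions' => '<1.2.0|>=2.0.0,<2.0.1',
    ]],
];

// Constructed view of what a lock file would give us; note the leading "v".
$installed = ['acme/widget' => 'v1.1.0', 'acme/gadget' => '3.0.0'];

// Switch idea: CI can opt out of the web request entirely (env var name is made up here).
$enabled    = getenv('SBOM_PACKAGIST_ADVISORIES') !== '0';
// Break-the-build idea: optionally exit non-zero when anything matches.
$failOnVuln = getenv('SBOM_FAIL_ON_VULN') === '1';
// Offline by default so the example runs without network; set to '0' to query packagist.
$offline    = getenv('SBOM_OFFLINE_DEMO') !== '0';

$advisories = [];
if ($enabled) {
    $advisories = $offline
        ? $sampleAdvisories
        : fetchAdvisories(buildAdvisoryUrl(array_keys($installed)));
    if ($advisories === null) {
        // Failure path from the issue: report on the verbose level, add nothing.
        fwrite(STDERR, "[verbose] packagist advisory lookup failed; no vulnerabilities added\n");
        $advisories = [];
    }
}

$vulns = matchAdvisories($installed, $advisories);
foreach ($vulns as $name => $list) {
    foreach ($list as $advisory) {
        echo "{$name} {$installed[$name]}: {$advisory['title']} ({$advisory['affectedVersions']})\n";
    }
}

exit($failOnVuln && $vulns !== [] ? 1 : 0);
```

Run as `php example.php` for the offline match; `SBOM_OFFLINE_DEMO=0 SBOM_FAIL_ON_VULN=1 php example.php` exercises the real endpoint and the non-zero exit. Returning null from the fetch rather than throwing keeps the failure path exactly as the issue describes: a log line on the verbose level and an SBOM without vulnerability entries, never a broken build caused by an unreachable API.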

@jkowalleck jkowalleck added enhancement New feature or request idea labels Nov 13, 2021
@jkowalleck jkowalleck pinned this issue Nov 13, 2021
@jkowalleck jkowalleck unpinned this issue Nov 13, 2021
@jkowalleck jkowalleck changed the title add known vulns from packagist.com to the SBOM add known vulns from packagist.com to the SBOM result Nov 13, 2021
@jkowalleck (Member, Author) commented:

this request caused CycloneDX/cyclonedx-php-library#16

@jkowalleck jkowalleck pinned this issue Nov 13, 2021
@jkowalleck jkowalleck changed the title add known vulns from packagist.com to the SBOM result add known vulnerabilitiess from packagist.com to the SBOM result Nov 13, 2021
@jkowalleck (Member, Author) commented Nov 13, 2021

This feature was originally requested since DependencyTrack/dependency-track#798 is still in the pipeline.

Unfortunately, DependencyTrack does not honor the known vulns from the schema extension.

@jkowalleck jkowalleck changed the title add known vulnerabilitiess from packagist.com to the SBOM result add known vulnerabilitiess from packagist.org to the SBOM result Nov 13, 2021
@jkowalleck jkowalleck changed the title add known vulnerabilitiess from packagist.org to the SBOM result add known vulnerabilities from packagist.org to the SBoM result Nov 13, 2021
@CycloneDX CycloneDX locked and limited conversation to collaborators Nov 26, 2021
@jkowalleck jkowalleck unpinned this issue Nov 26, 2021
