
feat(report): Include dependencies into scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts #1584

Merged
merged 15 commits into from
Jan 20, 2023

Conversation

kl-sinclair
Collaborator

@kl-sinclair kl-sinclair commented Jan 17, 2023

What did you implement:

  • When you integrate with GitHub Security Alerts, Vuls did NOT include non-vulnerable packages in the SBOM
  • From now on, when reporting an SBOM, it fetches the Dependency graph together with GitHub Security Alerts
  • Those become components and dependencies
  • Also, the Package URLs of vulnerable packages are linked to vulnerabilities in affects

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

$ vuls report -to-localfile -format-cyclonedx-json
or 
$ vuls report -to-localfile -format-cyclonedx-xml

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
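The structure the description above refers to, as an added illustration rather than Vuls code: every dependency-graph entry becomes a CycloneDX component whose bom-ref is its Package URL, each alert's affects entry points at that ref, and a final check flags refs that resolve to no component. The CycloneDX, dependency-graph and alert types are minimal stand-ins assumed for the example, not the real schemas.

```go
package main

// Trimmed-down mirror of the CycloneDX 1.4 model (assumed: only the fields
// needed to show components and the vulnerability -> component links).
type Component struct{ BOMRef, Type, Name, Version, PURL string }
type Vulnerability struct{ ID string; Affects []string } // Affects: bom-refs, i.e. affects[].ref
type BOM struct{ Components []Component; Vulnerabilities []Vulnerability }
// DepNode is one dependency-graph entry and Alert one security alert; both are
// constructed sample shapes, not the GitHub API schema.
type DepNode struct{ PurlType, Name, Version string }
type Alert struct{ AdvisoryID, PurlType, Name, Version string }
// purl builds the Package URL that doubles as the component's bom-ref.
func purl(typ, name, ver string) string { return "pkg:" + typ + "/" + name + "@" + ver }
// BuildBOM lists every dependency as a component, vulnerable or not, and
// points each alert at its component through the PURL used as bom-ref.
func BuildBOM(deps []DepNode, alerts []Alert) BOM {
	var bom BOM
	for _, d := range deps {
		p := purl(d.PurlType, d.Name, d.Version)
		bom.Components = append(bom.Components, Component{p, "library", d.Name, d.Version, p})
	}
	byID := map[string]int{} // advisory id -> index, so one advisory lists all its refs
	for _, a := range alerts {
		i, ok := byID[a.AdvisoryID]
		if !ok {
			i = len(bom.Vulnerabilities)
			byID[a.AdvisoryID] = i
			bom.Vulnerabilities = append(bom.Vulnerabilities, Vulnerability{ID: a.AdvisoryID})
		}
		bom.Vulnerabilities[i].Affects = append(bom.Vulnerabilities[i].Affects, purl(a.PurlType, a.Name, a.Version))
	}
	return bom
}

// DanglingRefs returns affects refs that match no component: an alert for a
// package the dependency graph did not return, which a BOM consumer cannot resolve.
func DanglingRefs(b BOM) (out []string) {
	have := map[string]bool{}
	for _, c := range b.Components {
		have[c.BOMRef] = true
	}
	for _, v := range b.Vulnerabilities {
		for _, ref := range v.Affects {
			if !have[ref] {
				out = append(out, ref)
			}
		}
	}
	return out
}
```

A non-empty result from DanglingRefs means the two GitHub queries disagreed about what the repository depends on, which is worth surfacing before the SBOM is handed to downstream tooling.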

@kl-sinclair kl-sinclair marked this pull request as ready for review January 19, 2023 04:46
@kl-sinclair kl-sinclair requested review from kotakanbe and MaineK00n and removed request for kotakanbe and MaineK00n January 19, 2023 04:46
@kl-sinclair kl-sinclair changed the title from "[WIP] feat(report): Enhance scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts" to "feat(report): Include dependencies scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts" on Jan 19, 2023
Member

@kotakanbe kotakanbe left a comment


LGTM

@kl-sinclair kl-sinclair changed the title from "feat(report): Include dependencies scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts" to "feat(report): Include dependencies into scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts" on Jan 19, 2023
@kl-sinclair kl-sinclair merged commit 22b85d8 into future-architect:master Jan 20, 2023
MaineK00n added a commit that referenced this pull request Jan 20, 2023
… supply chain security on Integration with GitHub Security Alerts (#1584)

* feat(report): Enhance scan result and cyclonedx for supply chain security on Integration with GitHub Security Alerts

* derive ecosystem/version from dependency graph

* fix vars name && fetch manifest info on GSA && arrange ghpkgToPURL structure

* fix miscs

* typo in error message

* fix ecosystem equally to trivy

* miscs

* refactoring

* recursive dependency graph pagination

* change var name && update comments

* omit map type of ghpkgToPURL in signatures

* fix vars name

* goimports

* make fmt

* fix comment

Co-authored-by: MaineK00n <[email protected]>
@kl-sinclair kl-sinclair self-assigned this Jan 20, 2023