Skip to content

add known vulnerabilities from packagist.org to the SBoM result #142

Description

@jkowalleck

CDX sbom knows vulnerabilities via

packagist.org - composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have a special handling for leading v in versions - or a special format for version-constraints(which might be handle-able by composers internal version-constraint-library)


summary of feedback/ ideas:

  • IDEA: implement a switch to enable/disable the feature - since some CI/admins don't like unnoticed web traffic to some API
  • IDEA: fetch these API data and add relevant information to the resulting SBOM.
  • IDEA: As the tool is often used during build processes it might be good to have an optional non-zero exit code if a vulnerability is found. Makes it easy to “break the build” if that's what people want. (thanks @coderpatros )

if fetching data from API fails, simply prompt an error on the increased "verbosity"-log-level and dont add any vulns to the SBom result

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions