CDX sbom knows vulnerabilities via
packagist.org - composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have a special handling for leading v in versions - or a special format for version-constraints(which might be handle-able by composers internal version-constraint-library)
summary of feedback/ ideas:
- IDEA: implement a switch to enable/disable the feature - since some CI/admins don't like unnoticed web traffic to some API
- IDEA: fetch these API data and add relevant information to the resulting SBOM.
- IDEA: As the tool is often used during build processes it might be good to have an optional non-zero exit code if a vulnerability is found. Makes it easy to “break the build” if that's what people want. (thanks @coderpatros )
if fetching data from API fails, simply prompt an error on the increased "verbosity"-log-level and dont add any vulns to the SBom result
CDX sbom knows vulnerabilities via
packagist.org - composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have a special handling for leading
vin versions - or a special format for version-constraints(which might be handle-able by composers internal version-constraint-library)summary of feedback/ ideas:
if fetching data from API fails, simply prompt an error on the increased "verbosity"-log-level and dont add any vulns to the SBom result