
CDX 1.4, Initial support #126

Merged (6 commits, Oct 3, 2024)

Conversation

jonringer
Contributor

Get vulnerabilities enumerated for CDX 1.4 scans.

I did check this was CDX 1.4 compliant (which it is), but it is still missing a signatures field. However, a lot of CDX additions are optional, and support for signatures can be added later.

@jonringer
Contributor Author

Not sure why this wasn't failing before, but one of the tests:

```console
$ grype sbom:/tmp/vulnxscan_s3qknbz3.json --add-cpes-if-none --output json
 ✔ Vulnerability DB                [no update available]
A newer version of grype is available for download: 0.81.0 (installed version is 0.74.7)
failed to catalog: unable to decode sbom: unable to decode cyclonedx json document: json: cannot unmarshal number into Go struct field Property.metadata.properties.value of type string
```

```json
  "metadata": {
    "timestamp": "2024-09-30T11:52:25.233952-07:00",
    "properties": [
      {
        "name": "sbom_type",
        "value": "runtime_only"
      },
      {
        "name": "sbom_dependencies_depth",
        "value": 1
      }
    ],
```

This seems to align with the upstream spec: https://cyclonedx.org/docs/1.4/json/#metadata_properties_items_value
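
The decode error above is a type mismatch: the CDX 1.4 schema declares `properties[].value` as a string, and the SBOM emitted `sbom_dependencies_depth` as a JSON number. As an added example (not code from this PR or from the repository), the check below walks an SBOM's metadata and component property lists, reports every non-string value with its JSON path, and offers a helper that stringifies them before the document is handed to a scanner; the sample document and its `example-lib` / `example:flag` entries are constructed for the test.

```python
import copy
import json

# Constructed sample shaped like the SBOM fragment quoted in this thread:
# "sbom_dependencies_depth" is a JSON number although the CDX 1.4 schema
# types property "value" as a string. The component and its "example:flag"
# property are made up to show a second non-string case (a boolean).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2024-09-30T11:52:25.233952-07:00",
               "properties": [{"name": "sbom_type", "value": "runtime_only"},
                              {"name": "sbom_dependencies_depth", "value": 1}]},
  "components": [{"type": "library", "name": "example-lib", "version": "1.0",
                  "properties": [{"name": "example:flag", "value": true}]}]
}""")


def _property_lists(sbom):
    """Yield (json_path, list) for the property lists this check inspects."""
    if "properties" in sbom.get("metadata", {}):
        yield "metadata.properties", sbom["metadata"]["properties"]
    for i, comp in enumerate(sbom.get("components", [])):
        if "properties" in comp:
            yield f"components[{i}].properties", comp["properties"]


def find_non_string_values(sbom):
    """Return (path, name, value) for each property value that is not a string."""
    bad = []
    for path, props in _property_lists(sbom):
        for j, prop in enumerate(props):
            if "value" in prop and not isinstance(prop["value"], str):
                bad.append((f"{path}[{j}]", prop.get("name"), prop["value"]))
    return bad


def stringify_property_values(sbom):
    """Return a copy with every non-string property value rendered as a string.
    bool is tested first because it is a subclass of int in Python."""
    fixed = copy.deepcopy(sbom)
    for _, props in _property_lists(fixed):
        for prop in props:
            value = prop.get("value")
            if isinstance(value, bool):
                prop["value"] = "true" if value else "false"
            elif value is not None and not isinstance(value, str):
                prop["value"] = str(value)
    return fixed


if __name__ == "__main__":
    for path, name, value in find_non_string_values(SAMPLE_SBOM):
        print(f"{path}: {name!r} has non-string value {value!r}")
```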

@henrirosten
Collaborator

henrirosten commented Oct 1, 2024

> Not sure why this wasn't failing before, but one of the tests:

I also notice grype doesn't like the vulnerabilities section in the input sbom.

Please see the two commits I added on top of yours in #129, which get rid of this problem. Also, they fix the GitHub tests and make them check that the schema matches CDX 1.4.

Feel free to cherry-pick or just copy the necessary parts of the changes from #129 to this PR if it helps.

@jonringer
Contributor Author

Yea, the commits look fine to me

jonringer and others added 6 commits October 2, 2024 17:20

This is to avoid strong cycles between sbomdb.py and vulnscan.py

Signed-off-by: Jonathan Ringer <jringer@anduril.com>

Signed-off-by: Jonathan Ringer <jringer@anduril.com>

Signed-off-by: Jonathan Ringer <jringer@anduril.com>

Signed-off-by: Jonathan Ringer <jringer@anduril.com>

Signed-off-by: Henri Rosten <henri.rosten@unikie.com>

- Changes required to make the tests pass with the changes from PR#126
- Change the SbomDb so that vulnerabilities-section is added to the cdx
  sbom only if the argument `include_vulns` is set to True

Signed-off-by: Henri Rosten <henri.rosten@unikie.com>
@jonringer
Contributor Author

Thanks for fixing up the tests, and making vulnerabilities optional :)

@jonringer jonringer changed the title Cdx 1.4 CDX 1.4, Initial support Oct 3, 2024
@henrirosten henrirosten merged commit f7d4da0 into tiiuae:main Oct 3, 2024
3 checks passed
@jonringer jonringer deleted the jringer/cdx-1.4 branch October 3, 2024 14:44