Skip to content

fix: make a purl DT can recognize, add CPE #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
djcrabhat wants to merge 13 commits into
base: main
Choose a base branch
from
Open

fix: make a purl DT can recognize, add CPE #57

djcrabhat wants to merge 13 commits into from

Conversation

@djcrabhat
Copy link

@djcrabhat djcrabhat commented Sep 4, 2022
edited
Loading

Make the purl that is output align with what DependencyTrack expects. I understand this could potentially be breaking for those who expect the purl to be where the package was downloaded from. Added a details map Download-Url key for that old value.

Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm

But I know that purl's don't seem that well supported for OS packages. So I'm also adding CPEs for RedHat. (I'm gonna trick DependencyTrack in to recognizing vulnerable packages, if by hook or by crook! 😆)

Closes #11

sonatype-lift[bot]
sonatype-lift bot reviewed Sep 4, 2022
View reviewed changes
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/RedHatSBomGenerator.java
}

try {
String downloadUrl = getPackageDownloadUrl(software);
Copy link

@sonatype-lift sonatype-lift bot Sep 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHELL_INJECTION: UserControlledString(BufferedReader.readLine()) in procedure UnixSBomGenerator.processListCmdOutput(...) at line 438 ~> ShellExec(ProcessBuilder.command(...)) in procedure RedHatSBomGenerator.getPackageDownloadUrl(...) at line 185.

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage
@sonatype-lift ignore Leave out the above finding from this PR
@sonatype-lift ignoreall Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

@djcrabhat djcrabhat force-pushed the feature/make-standard-purl branch 2 times, most recently from 614d963 to c9a8d29 Compare September 4, 2022 21:12
sonatype-lift[bot]
sonatype-lift bot reviewed Sep 4, 2022
View reviewed changes
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java
*
*
* @param url
* @param name
Copy link

@sonatype-lift sonatype-lift bot Sep 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💬 3 similar findings have been found in this PR

EmptyBlockTag: A block tag (@param, @return, @throws, @deprecated) has an empty description. Block tags without descriptions don't add much value for future readers of the code; consider removing the tag entirely or adding a description.

Suggested change
* @param name
*
🔎 Expand here to view all instances of this finding
File Path Line Number
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 327
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 324
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 326

Visit the Lift Web Console to find more details in your report.

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage
@sonatype-lift ignore Leave out the above finding from this PR
@sonatype-lift ignoreall Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

sonatype-lift[bot]
sonatype-lift bot reviewed Sep 4, 2022
View reviewed changes
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/RedHatSBomGenerator.java Outdated
return bom;
}

private String getCpe(String software, String version) {
Copy link

@sonatype-lift sonatype-lift bot Sep 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💬 6 similar findings have been found in this PR

UnusedVariable: The parameter 'version' is never read.

Suggested change
private String getCpe(String software, String version) {
cpe = getCpe(software);
🔎 Expand here to view all instances of this finding
File Path Line Number
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 333
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 333
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 333
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/RedHatSBomGenerator.java 115
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 333
src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java 333

Visit the Lift Web Console to find more details in your report.

ℹ️ Learn about @sonatype-lift commands

You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.

Command Usage
@sonatype-lift ignore Leave out the above finding from this PR
@sonatype-lift ignoreall Leave out all the existing findings from this PR
@sonatype-lift exclude <file|issue|path|tool> Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file

Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

@djcrabhat djcrabhat force-pushed the feature/make-standard-purl branch from 54abff6 to dbf5b28 Compare September 4, 2022 21:59
@djcrabhat djcrabhat changed the title fix: make a purl DT can recognize fix: make a purl DT can recognize, add CPE Sep 4, 2022
djcrabhat and others added 13 commits September 4, 2022 17:11
@djcrabhat
fix: make a purl DT can recognize
2b923e0 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
add artifact to maven build
032278a 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
use PackageUrl class
d5cc53a 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
fix tests
d9c226d 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
add download_url detail
b351028 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
try parsing component
ab5f1a8 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat @sonatype-lift
Update src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/g…
0dd331d 
…enerator/RedHatSBomGenerator.java

Co-authored-by: sonatype-lift[bot] <37194012+sonatype-lift[bot]@users.noreply.github.com>
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
cleanup, make purl sonatype expects
b0484da 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
set CPE of master OS component
5be1a1f 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
carve out cpe
f18951a 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
add cpe for redhat packages
66158ba 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
* vendor
d9a651b 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat
go back to repeating package name
15970d1 
Signed-off-by: djcrabhat <[email protected]>
@djcrabhat djcrabhat force-pushed the feature/make-standard-purl branch from 2fd70ce to 15970d1 Compare September 5, 2022 00:11
@stephan-wolf-ais
Copy link

stephan-wolf-ais commented Apr 27, 2023

Can somebody merge this PR please?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Using generated SBOMs in DependencyTrack

2 participants

@djcrabhat @stephan-wolf-ais