Closed
CDX SBOM knows vulnerabilities via
- schema extension: vulnerability
- XML schema: https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd
- docs: https://cyclonedx.org/ext/vulnerability/
- example: https://cyclonedx.org/use-cases/#vulnerability-disclosure
- ✋ issue: there is no JSON port for this - see JSON Schema for vulnerability extension? specification#37
- 🚧 unless we have a valid json schema for it, it is impossible to properly implement for all SBoM results
- PROPOSAL: spec 1.4 - Added vulnerabilities as part of core spec specification#91
- PROPOSAL: Proposed evolution of the vulnerability schema for discussion specification#44
packagist.org - Composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have special handling for a leading "v" in versions, or a special format for version constraints (which might be handleable by Composer's internal version-constraint library)
summary of feedback / ideas:
- IDEA: implement a switch to enable/disable the feature - since some CI/admins don't like unnoticed web traffic to some API
- IDEA: fetch this API data and add the relevant information to the resulting SBOM.
- IDEA: As the tool is often used during build processes it might be good to have an optional non-zero exit code if a vulnerability is found. Makes it easy to “break the build” if that's what people want. (thanks @coderpatros )
if fetching data from the API fails, simply print an error at the increased "verbosity" log level and don't add any vulns to the SBOM result
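The lookup-and-match step sketched above, as an added example that is not the plugin's own code: it decodes a response shaped like the Packagist security-advisories endpoint, matches installed versions (including a leading "v") against Composer-style constraints with composer/semver, treats a failed lookup as "no vulns added", and exits non-zero when something matched. The package name, advisory id and response body are constructed sample data.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Assumes composer/semver is installed
// (composer require composer/semver) and that the API body is shaped like
// {"advisories": {"vendor/pkg": [{"advisoryId":..., "affectedVersions":..., ...}]}}.
require __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Semver;

/**
 * @param array<string,string> $installed    package => installed version (may carry a leading "v")
 * @param string|false         $responseBody raw API body, or false when the HTTP request failed
 * @return list<array<string,?string>>|null  matched advisories, or null when the lookup failed
 */
function findVulnerabilities(array $installed, $responseBody): ?array
{
    if ($responseBody === false) {
        return null; // caller logs at the verbose level and writes the SBOM without vulns
    }
    $data = json_decode($responseBody, true);
    if (!is_array($data['advisories'] ?? null)) {
        return null; // malformed body: same treatment as a failed request
    }
    $hits = [];
    foreach ($installed as $package => $version) {
        foreach ($data['advisories'][$package] ?? [] as $advisory) {
            // Semver::satisfies() normalizes "v1.2.3" and parses Composer constraint
            // syntax such as ">=1.0,<1.2.5|>=2.0,<2.0.3", so no manual "v" stripping.
            if (Semver::satisfies($version, (string) $advisory['affectedVersions'])) {
                $hits[] = [
                    'package' => $package,
                    'version' => $version,
                    'id'      => $advisory['advisoryId'] ?? null,
                    'cve'     => $advisory['cve'] ?? null,
                    'title'   => $advisory['title'] ?? null,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample response (hypothetical package and advisory id, not real data).
$sample = '{"advisories":{"acme/widget":[{"advisoryId":"PKSA-example","cve":null,'
    . '"title":"Example advisory","affectedVersions":">=1.0,<1.2.5|>=2.0,<2.0.3"}]}}';
$installed = ['acme/widget' => 'v1.2.3', 'acme/other' => '3.0.0'];

$hits = findVulnerabilities($installed, $sample);
if ($hits === null) {
    fwrite(STDERR, "advisory lookup failed; SBOM written without vulnerabilities\n");
    exit(0); // a lookup failure is not a build failure
}
foreach ($hits as $hit) {
    fwrite(STDERR, sprintf("%s %s: %s (%s)\n", $hit['package'], $hit['version'], $hit['title'], $hit['id']));
}
exit($hits === [] ? 0 : 1); // optional non-zero exit to "break the build"
```

With the sample data, acme/widget v1.2.3 falls inside ">=1.0,<1.2.5" and the script exits 1; passing `false` as the body exits 0 with only the verbose-level message.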