Added support to parse SBOM (CycloneDX) and scan the packages

This commit is contained in:
jc 2023-08-11 13:25:28 +05:30
parent e583c05d91
commit 0cf1afacf2
9 changed files with 44565 additions and 4 deletions


@ -22,6 +22,7 @@ const (
EcosystemPackagist = "Packagist"
EcosystemHex = "Hex"
EcosystemPub = "Pub"
EcosystemCyDxSBOM = "CydxSbom"
)
// Represents a package manifest that contains a list


@ -0,0 +1,119 @@
package parser
import (
"fmt"
// "errors"
"os"
"encoding/json"
"strings"
"github.com/google/osv-scanner/pkg/lockfile"
"github.com/safedep/vet/pkg/common/logger"
)
// Define the struct types that match the JSON structure
type Bom struct {
BomFormat string `json:"bomFormat"`
SpecVersion string `json:"specVersion"`
SerialNumber string `json:"serialNumber"`
Version int `json:"version"`
Metadata Metadata `json:"metadata"`
Components []Component `json:"components"`
Services []interface{} `json:"services"` // Assuming services is an array, but it's empty in the provided sample
// You can add more fields if needed...
}
type Metadata struct {
Timestamp string `json:"timestamp"`
Tools []Tool `json:"tools"`
Authors []Author `json:"authors"`
Component Component `json:"component"`
}
type Tool struct {
Vendor string `json:"vendor"`
Name string `json:"name"`
Version string `json:"version"`
}
type Author struct {
Name string `json:"name"`
Email string `json:"email"`
}
type Component struct {
Publisher string `json:"publisher"`
Group string `json:"group"`
Name string `json:"name"`
Version string `json:"version"`
Description string `json:"description"`
Purl string `json:"purl"`
Type string `json:"type"`
BomRef string `json:"bom-ref"`
// Add more fields if needed, for example, licenses
}
// https://packaging.python.org/en/latest/specifications/binary-distribution-format/
func parseCyclonedxSBOM(pathToLockfile string) ([]lockfile.PackageDetails, error) {
details := []lockfile.PackageDetails{}
var bom Bom
if vet_output_file_content, err := os.ReadFile(pathToLockfile); err != nil {
logger.Warnf("Error reading sbom file %v", err)
return nil, err
} else {
// Unmarshal the JSON string into the Bom struct
if err := json.Unmarshal([]byte(vet_output_file_content), &bom); err != nil {
logger.Warnf("Error parsing JSON: %v", err)
return nil, err
}
}
// fmt.Printf("%v", bom.Components)
for _, comp := range bom.Components {
if d, err := convertSbomComponent2LPD(&comp); err != nil {
// fmt.Println(err)
logger.Warnf("Failed Converting sbom to lockfile component. %v", err)
} else {
// fmt.Println(*d)
details = append(details, *d)
}
}
// fmt.Printf("%v", details)
return details, nil
}
func convertSbomComponent2LPD(comp *Component) (*lockfile.PackageDetails, error) {
var name string
if comp.Group != "" {
name = fmt.Sprintf("%s:%s", comp.Group, comp.Name)
} else {
name = comp.Name
}
var ecosysystem lockfile.Ecosystem
if eco, err := convertBomRefAsEcosystem(comp.BomRef); err != nil {
return nil, err
} else {
ecosysystem = eco
}
d := lockfile.PackageDetails{
Name: name,
Version: comp.Version,
Ecosystem: ecosysystem,
CompareAs: ecosysystem,
}
return &d, nil
}
func convertBomRefAsEcosystem(bomref string) (lockfile.Ecosystem, error) {
if strings.Contains(bomref, "pkg:pypi") {
return lockfile.PipEcosystem, nil
} else if strings.Contains(bomref, "pkg:npm") {
return lockfile.NpmEcosystem, nil
} else {
return lockfile.NpmEcosystem, fmt.Errorf("Failed parsing %s to ecosystem", bomref)
}
}
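Review bot: `convertBomRefAsEcosystem` classifies a component by running `strings.Contains` over `bom-ref`, but in CycloneDX `bom-ref` is only an opaque unique identifier; it happens to equal the purl in the cdxgen fixtures bundled with this commit, while other generators emit UUIDs or arbitrary strings, and a substring match also accepts `pkg:pypi` appearing anywhere in the value, so a crafted or merely differently-generated SBOM can steer a component into the wrong ecosystem and therefore the wrong vulnerability lookup. Classify on `comp.Purl` with a prefix match on the purl type, and return the zero `lockfile.Ecosystem` rather than `lockfile.NpmEcosystem` together with the error, since a value returned with a non-nil error must not be usable. The comment above `parseCyclonedxSBOM` links the Python binary-distribution spec, which looks copied from the wheel parser; replace it with `// parseCyclonedxSBOM reads a CycloneDX JSON SBOM and returns one PackageDetails per component whose purl type maps to a supported ecosystem; components that do not are logged and dropped.` The `group:name` join in `convertSbomComponent2LPD` would produce `@scope:name` for a scoped npm package if the generator fills `group` with the scope, which is worth confirming against a scoped-package SBOM before npm support is relied on. Smaller points: `[]byte(vet_output_file_content)` converts a value that `os.ReadFile` already returns as `[]byte`, the name is not MixedCaps, and the commented-out `fmt.Print*` lines should go.
```go
func convertSbomComponent2LPD(comp *Component) (*lockfile.PackageDetails, error) {
	// … unchanged: name assembly from group/name …
	ecosystem, err := convertPurlToEcosystem(comp.Purl)
	if err != nil {
		return nil, err
	}
	// … unchanged: PackageDetails construction, using ecosystem …
}

// convertPurlToEcosystem maps the purl type of a component to a lockfile
// ecosystem. It replaces convertBomRefAsEcosystem, which matched on bom-ref.
func convertPurlToEcosystem(purl string) (lockfile.Ecosystem, error) {
	switch {
	case strings.HasPrefix(purl, "pkg:pypi/"):
		return lockfile.PipEcosystem, nil
	case strings.HasPrefix(purl, "pkg:npm/"):
		return lockfile.NpmEcosystem, nil
	default:
		return "", fmt.Errorf("unsupported purl type in %q", purl)
	}
}
```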


@ -10,6 +10,7 @@ import (
const (
customParserTypePyWheel = "python-wheel"
customParserCycloneDXSBOM = "cydx-sbom"
)
// We are supporting only those ecosystems for which we have data
@ -20,10 +21,12 @@ var supportedEcosystems map[string]bool = map[string]bool{
models.EcosystemMaven: true,
models.EcosystemNpm: true,
models.EcosystemPyPI: true,
models.EcosystemCyDxSBOM: true,
}
var customExperimentalParsers map[string]lockfile.PackageDetailsParser = map[string]lockfile.PackageDetailsParser{
customParserTypePyWheel: parsePythonWheelDist,
customParserCycloneDXSBOM: parseCyclonedxSBOM,
}
type Parser interface {
@ -49,6 +52,10 @@ func List() []string {
supportedParsers = append(supportedParsers, p)
}
for p, _ := range customExperimentalParsers {
supportedParsers = append(supportedParsers, p)
}
return supportedParsers
}
@ -110,7 +117,11 @@ func (pw *parserWrapper) Ecosystem() string {
return models.EcosystemMaven
case customParserTypePyWheel:
return models.EcosystemPyPI
case customParserCycloneDXSBOM:
logger.Warnf("CDX lockfile-as %s. Skipping...", pw.parseAs)
return models.EcosystemCyDxSBOM
default:
logger.Debugf("Unsupported lockfile-as %s. Skipping...", pw.parseAs)
return ""
}
}
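Review bot: The `logger.Warnf` added to the `customParserCycloneDXSBOM` case of `Ecosystem()` says "Skipping..." but the function then returns `models.EcosystemCyDxSBOM`, so every call emits a warning that describes something that does not happen; because this commit moves the per-package ecosystem onto `PackageDetails.Ecosystem` elsewhere, a bare return, or at most `logger.Debugf("CycloneDX SBOM %s: ecosystem is resolved per package", pw.parseAs)`, fits better. `Ecosystem()` begins outside the hunk. In `List()`, `for p, _ := range customExperimentalParsers` should be `for p := range customExperimentalParsers`, which gofmt -s and staticcheck both flag. The new constant in the models file, `EcosystemCyDxSBOM = "CydxSbom"`, names a document format rather than a package registry; a one-line comment there stating that it is a pseudo-ecosystem used only to admit the manifest, with the real ecosystem carried by each package, would stop later readers from treating it like the other `Ecosystem*` values.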


@ -0,0 +1,472 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:8161abe9-1e8b-4456-ba4f-4d847267b76a",
"version": 1,
"metadata": {
"timestamp": "2023-08-11T06:45:11.368Z",
"tools": [
{
"vendor": "cyclonedx",
"name": "cdxgen",
"version": "8.0.4"
}
],
"authors": [
{
"name": "Prabhu Subramanian",
"email": "prabhu@appthreat.com"
}
],
"component": {
"group": "",
"name": "tmp",
"version": "",
"type": "application"
}
},
"components": [
{
"publisher": "",
"group": "",
"name": "google-cloud-pubsub",
"version": "2.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/google-cloud-pubsub@2.0",
"type": "library",
"bom-ref": "pkg:pypi/google-cloud-pubsub@2.0"
},
{
"publisher": "",
"group": "",
"name": "knowledge-graph",
"version": "3.12.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/knowledge-graph@3.12.0",
"type": "library",
"bom-ref": "pkg:pypi/knowledge-graph@3.12.0"
},
{
"publisher": "",
"group": "",
"name": "deepc_exceptions",
"version": "0.4.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-exceptions@0.4.3",
"type": "library",
"bom-ref": "pkg:pypi/deepc-exceptions@0.4.3"
},
{
"publisher": "",
"group": "",
"name": "deepc-models",
"version": "3.48.6",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-models@3.48.6",
"type": "library",
"bom-ref": "pkg:pypi/deepc-models@3.48.6"
},
{
"publisher": "",
"group": "",
"name": "deepc-utils",
"version": "6.54.32",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-utils@6.54.32",
"type": "library",
"bom-ref": "pkg:pypi/deepc-utils@6.54.32"
},
{
"publisher": "",
"group": "",
"name": "deepc-convertor",
"version": "0.62.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-convertor@0.62.2",
"type": "library",
"bom-ref": "pkg:pypi/deepc-convertor@0.62.2"
},
{
"publisher": "",
"group": "",
"name": "deepc_dorks",
"version": "0.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-dorks@0.4",
"type": "library",
"bom-ref": "pkg:pypi/deepc-dorks@0.4"
},
{
"publisher": "",
"group": "",
"name": "deepc_social",
"version": "0.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/deepc-social@0.2",
"type": "library",
"bom-ref": "pkg:pypi/deepc-social@0.2"
},
{
"publisher": "",
"group": "",
"name": "di_client",
"version": "1.4.5",
"description": "",
"licenses": [],
"purl": "pkg:pypi/di-client@1.4.5",
"type": "library",
"bom-ref": "pkg:pypi/di-client@1.4.5"
},
{
"publisher": "",
"group": "",
"name": "exploration-events",
"version": "3.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/exploration-events@3.4",
"type": "library",
"bom-ref": "pkg:pypi/exploration-events@3.4"
},
{
"publisher": "",
"group": "",
"name": "nessus-client",
"version": "0.13.12",
"description": "",
"licenses": [],
"purl": "pkg:pypi/nessus-client@0.13.12",
"type": "library",
"bom-ref": "pkg:pypi/nessus-client@0.13.12"
},
{
"publisher": "",
"group": "",
"name": "vulners",
"version": "1.5.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/vulners@1.5.0",
"type": "library",
"bom-ref": "pkg:pypi/vulners@1.5.0"
},
{
"publisher": "",
"group": "",
"name": "ipwhois",
"version": "1.1.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/ipwhois@1.1.0",
"type": "library",
"bom-ref": "pkg:pypi/ipwhois@1.1.0"
},
{
"publisher": "",
"group": "",
"name": "gpapi",
"version": "0.4.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/gpapi@0.4.4",
"type": "library",
"bom-ref": "pkg:pypi/gpapi@0.4.4"
},
{
"publisher": "",
"group": "",
"name": "PyGithub",
"version": "1.54.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pygithub@1.54.1",
"type": "library",
"bom-ref": "pkg:pypi/pygithub@1.54.1"
},
{
"publisher": "",
"group": "",
"name": "python-whois",
"version": "0.7.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/python-whois@0.7.3",
"type": "library",
"bom-ref": "pkg:pypi/python-whois@0.7.3"
},
{
"publisher": "",
"group": "",
"name": "sh",
"version": "1.14.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/sh@1.14.1",
"type": "library",
"bom-ref": "pkg:pypi/sh@1.14.1"
},
{
"publisher": "",
"group": "",
"name": "OTXv2",
"version": "1.5.10",
"description": "",
"licenses": [],
"purl": "pkg:pypi/otxv2@1.5.10",
"type": "library",
"bom-ref": "pkg:pypi/otxv2@1.5.10"
},
{
"publisher": "",
"group": "",
"name": "certstream",
"version": "1.11",
"description": "",
"licenses": [],
"purl": "pkg:pypi/certstream@1.11",
"type": "library",
"bom-ref": "pkg:pypi/certstream@1.11"
},
{
"publisher": "",
"group": "",
"name": "colorama",
"version": "0.4.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/colorama@0.4.1",
"type": "library",
"bom-ref": "pkg:pypi/colorama@0.4.1"
},
{
"publisher": "",
"group": "",
"name": "ipaddress",
"version": "1.0.22",
"description": "",
"licenses": [],
"purl": "pkg:pypi/ipaddress@1.0.22",
"type": "library",
"bom-ref": "pkg:pypi/ipaddress@1.0.22"
},
{
"publisher": "",
"group": "",
"name": "packaging",
"version": "19.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/packaging@19.2",
"type": "library",
"bom-ref": "pkg:pypi/packaging@19.2"
},
{
"publisher": "",
"group": "",
"name": "prettytable",
"version": "0.7.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/prettytable@0.7.2",
"type": "library",
"bom-ref": "pkg:pypi/prettytable@0.7.2"
},
{
"publisher": "",
"group": "",
"name": "pyfiglet",
"version": "0.8.post1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pyfiglet@0.8.post1",
"type": "library",
"bom-ref": "pkg:pypi/pyfiglet@0.8.post1"
},
{
"publisher": "",
"group": "",
"name": "requests",
"version": "2.22.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/requests@2.22.0",
"type": "library",
"bom-ref": "pkg:pypi/requests@2.22.0"
},
{
"publisher": "",
"group": "",
"name": "termcolor",
"version": "1.1.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/termcolor@1.1.0",
"type": "library",
"bom-ref": "pkg:pypi/termcolor@1.1.0"
},
{
"publisher": "",
"group": "",
"name": "beautifulsoup4",
"version": "4.8.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/beautifulsoup4@4.8.1",
"type": "library",
"bom-ref": "pkg:pypi/beautifulsoup4@4.8.1"
},
{
"publisher": "",
"group": "",
"name": "fcwhispers",
"version": "2.1.7",
"description": "",
"licenses": [],
"purl": "pkg:pypi/fcwhispers@2.1.7",
"type": "library",
"bom-ref": "pkg:pypi/fcwhispers@2.1.7"
},
{
"publisher": "",
"group": "",
"name": "gvm-tools",
"version": "21.6.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/gvm-tools@21.6.0",
"type": "library",
"bom-ref": "pkg:pypi/gvm-tools@21.6.0"
},
{
"publisher": "",
"group": "",
"name": "cloud_ip_info",
"version": "1.3.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/cloud-ip-info@1.3.3",
"type": "library",
"bom-ref": "pkg:pypi/cloud-ip-info@1.3.3"
},
{
"publisher": "",
"group": "",
"name": "Jinja2",
"version": "3.0.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/jinja2@3.0.3",
"type": "library",
"bom-ref": "pkg:pypi/jinja2@3.0.3"
},
{
"publisher": "",
"group": "",
"name": "configobj",
"version": "5.0.6",
"description": "",
"licenses": [],
"purl": "pkg:pypi/configobj@5.0.6",
"type": "library",
"bom-ref": "pkg:pypi/configobj@5.0.6"
},
{
"publisher": "",
"group": "",
"name": "cloud_recon",
"version": "0.2.7",
"description": "",
"licenses": [],
"purl": "pkg:pypi/cloud-recon@0.2.7",
"type": "library",
"bom-ref": "pkg:pypi/cloud-recon@0.2.7"
},
{
"publisher": "",
"group": "",
"name": "credovergeneric",
"version": "1.6.7",
"description": "",
"licenses": [],
"purl": "pkg:pypi/credovergeneric@1.6.7",
"type": "library",
"bom-ref": "pkg:pypi/credovergeneric@1.6.7"
},
{
"publisher": "",
"group": "",
"name": "pycryptodome",
"version": "3.12.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pycryptodome@3.12.0",
"type": "library",
"bom-ref": "pkg:pypi/pycryptodome@3.12.0"
},
{
"publisher": "",
"group": "",
"name": "azure-mgmt-resource",
"version": "20.0.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/azure-mgmt-resource@20.0.0",
"type": "library",
"bom-ref": "pkg:pypi/azure-mgmt-resource@20.0.0"
},
{
"publisher": "",
"group": "",
"name": "fc-cloud-storage-client",
"version": "0.0.14",
"description": "",
"licenses": [],
"purl": "pkg:pypi/fc-cloud-storage-client@0.0.14",
"type": "library",
"bom-ref": "pkg:pypi/fc-cloud-storage-client@0.0.14"
},
{
"publisher": "",
"group": "",
"name": "azure-identity",
"version": "1.7.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/azure-identity@1.7.1",
"type": "library",
"bom-ref": "pkg:pypi/azure-identity@1.7.1"
},
{
"publisher": "",
"group": "",
"name": "dnsdb",
"version": "0.2.5",
"description": "",
"licenses": [],
"purl": "pkg:pypi/dnsdb@0.2.5",
"type": "library",
"bom-ref": "pkg:pypi/dnsdb@0.2.5"
},
{
"publisher": "",
"group": "",
"name": "fc_kb_auth_proxy_client",
"version": "0.0.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/fc-kb-auth-proxy-client@0.0.3",
"type": "library",
"bom-ref": "pkg:pypi/fc-kb-auth-proxy-client@0.0.3"
}
],
"services": [],
"dependencies": []
}


@ -0,0 +1,373 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:52d87f2e-93ce-4fd6-96d4-071f97ce61a6",
"version": 1,
"metadata": {
"timestamp": "2023-08-11T04:54:21.340Z",
"tools": [
{
"vendor": "cyclonedx",
"name": "cdxgen",
"version": "8.0.4"
}
],
"authors": [
{
"name": "Prabhu Subramanian",
"email": "prabhu@appthreat.com"
}
],
"component": {
"group": "",
"name": "app",
"version": "",
"type": "application"
}
},
"components": [
{
"publisher": "",
"group": "",
"name": "food-exceptions",
"version": "0.4.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/food-exceptions@0.4.4",
"type": "library",
"bom-ref": "pkg:pypi/food-exceptions@0.4.4"
},
{
"publisher": "",
"group": "",
"name": "food-models",
"version": "3.3.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/food-models@3.3.1",
"type": "library",
"bom-ref": "pkg:pypi/food-models@3.3.1"
},
{
"publisher": "",
"group": "",
"name": "dateutils",
"version": "0.6.6",
"description": "",
"licenses": [],
"purl": "pkg:pypi/dateutils@0.6.6",
"type": "library",
"bom-ref": "pkg:pypi/dateutils@0.6.6"
},
{
"publisher": "",
"group": "",
"name": "publicsuffixlist",
"version": "0.6.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/publicsuffixlist@0.6.2",
"type": "library",
"bom-ref": "pkg:pypi/publicsuffixlist@0.6.2"
},
{
"publisher": "",
"group": "",
"name": "dnspython",
"version": "1.15.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/dnspython@1.15.0",
"type": "library",
"bom-ref": "pkg:pypi/dnspython@1.15.0"
},
{
"publisher": "",
"group": "",
"name": "netaddr",
"version": "0.7.18",
"description": "",
"licenses": [],
"purl": "pkg:pypi/netaddr@0.7.18",
"type": "library",
"bom-ref": "pkg:pypi/netaddr@0.7.18"
},
{
"publisher": "",
"group": "",
"name": "validators",
"version": "0.12.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/validators@0.12.2",
"type": "library",
"bom-ref": "pkg:pypi/validators@0.12.2"
},
{
"publisher": "",
"group": "",
"name": "fqdn",
"version": "1.1.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/fqdn@1.1.0",
"type": "library",
"bom-ref": "pkg:pypi/fqdn@1.1.0"
},
{
"publisher": "",
"group": "",
"name": "tld",
"version": "0.9.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/tld@0.9.1",
"type": "library",
"bom-ref": "pkg:pypi/tld@0.9.1"
},
{
"publisher": "",
"group": "",
"name": "cchardet",
"version": "2.1.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/cchardet@2.1.4",
"type": "library",
"bom-ref": "pkg:pypi/cchardet@2.1.4"
},
{
"publisher": "",
"group": "",
"name": "urllib3",
"version": "1.22",
"description": "",
"licenses": [],
"purl": "pkg:pypi/urllib3@1.22",
"type": "library",
"bom-ref": "pkg:pypi/urllib3@1.22"
},
{
"publisher": "",
"group": "",
"name": "tldextract",
"version": "2.2.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/tldextract@2.2.0",
"type": "library",
"bom-ref": "pkg:pypi/tldextract@2.2.0"
},
{
"publisher": "",
"group": "",
"name": "iptools",
"version": "0.7.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/iptools@0.7.0",
"type": "library",
"bom-ref": "pkg:pypi/iptools@0.7.0"
},
{
"publisher": "",
"group": "",
"name": "parsedatetime",
"version": "2.4",
"description": "",
"licenses": [],
"purl": "pkg:pypi/parsedatetime@2.4",
"type": "library",
"bom-ref": "pkg:pypi/parsedatetime@2.4"
},
{
"publisher": "",
"group": "",
"name": "beautifulsoup4",
"version": "4.7.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/beautifulsoup4@4.7.1",
"type": "library",
"bom-ref": "pkg:pypi/beautifulsoup4@4.7.1"
},
{
"publisher": "",
"group": "",
"name": "filetype",
"version": "1.0.5",
"description": "",
"licenses": [],
"purl": "pkg:pypi/filetype@1.0.5",
"type": "library",
"bom-ref": "pkg:pypi/filetype@1.0.5"
},
{
"publisher": "",
"group": "",
"name": "pyunpack",
"version": "0.1.2",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pyunpack@0.1.2",
"type": "library",
"bom-ref": "pkg:pypi/pyunpack@0.1.2"
},
{
"publisher": "",
"group": "",
"name": "patool",
"version": "1.12",
"description": "",
"licenses": [],
"purl": "pkg:pypi/patool@1.12",
"type": "library",
"bom-ref": "pkg:pypi/patool@1.12"
},
{
"publisher": "",
"group": "",
"name": "wordninja",
"version": "2.0.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/wordninja@2.0.0",
"type": "library",
"bom-ref": "pkg:pypi/wordninja@2.0.0"
},
{
"publisher": "",
"group": "",
"name": "iocextract",
"version": "1.13.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/iocextract@1.13.1",
"type": "library",
"bom-ref": "pkg:pypi/iocextract@1.13.1"
},
{
"publisher": "",
"group": "",
"name": "pyparsing",
"version": "3.0.8",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pyparsing@3.0.8",
"type": "library",
"bom-ref": "pkg:pypi/pyparsing@3.0.8"
},
{
"publisher": "",
"group": "",
"name": "titlecase",
"version": "0.12.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/titlecase@0.12.0",
"type": "library",
"bom-ref": "pkg:pypi/titlecase@0.12.0"
},
{
"publisher": "",
"group": "",
"name": "furl",
"version": "2.1.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/furl@2.1.0",
"type": "library",
"bom-ref": "pkg:pypi/furl@2.1.0"
},
{
"publisher": "",
"group": "",
"name": "pathlib2",
"version": "2.3.3",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pathlib2@2.3.3",
"type": "library",
"bom-ref": "pkg:pypi/pathlib2@2.3.3"
},
{
"publisher": "",
"group": "",
"name": "lxml",
"version": "4.5.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/lxml@4.5.0",
"type": "library",
"bom-ref": "pkg:pypi/lxml@4.5.0"
},
{
"publisher": "",
"group": "",
"name": "fuzzywuzzy",
"version": "0.18.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/fuzzywuzzy@0.18.0",
"type": "library",
"bom-ref": "pkg:pypi/fuzzywuzzy@0.18.0"
},
{
"publisher": "",
"group": "",
"name": "PySocks",
"version": "1.7.0",
"description": "",
"licenses": [],
"purl": "pkg:pypi/pysocks@1.7.0",
"type": "library",
"bom-ref": "pkg:pypi/pysocks@1.7.0"
},
{
"publisher": "",
"group": "",
"name": "truffleHogRegexes",
"version": "0.0.7",
"description": "",
"licenses": [],
"purl": "pkg:pypi/trufflehogregexes@0.0.7",
"type": "library",
"bom-ref": "pkg:pypi/trufflehogregexes@0.0.7"
},
{
"publisher": "",
"group": "",
"name": "soupsieve",
"version": "1.9.1",
"description": "",
"licenses": [],
"purl": "pkg:pypi/soupsieve@1.9.1",
"type": "library",
"bom-ref": "pkg:pypi/soupsieve@1.9.1"
},
{
"publisher": "",
"group": "actions",
"name": "checkout",
"version": "v2",
"description": "",
"licenses": [],
"purl": "pkg:github/actions/checkout@v2",
"type": "application",
"bom-ref": "pkg:github/actions/checkout@v2"
},
{
"publisher": "",
"group": "actions",
"name": "setup-python",
"version": "v2",
"description": "",
"licenses": [],
"purl": "pkg:github/actions/setup-python@v2",
"type": "application",
"bom-ref": "pkg:github/actions/setup-python@v2"
}
],
"services": [],
"dependencies": []
}



@ -121,7 +121,7 @@ func (r *markdownReportGenerator) Finish() error {
if _, ok := summaries[mp]; !ok {
summaries[mp] = markdownTemplateInputResultSummary{
Ecosystem: s.pkg.Manifest.Ecosystem,
Ecosystem: string(s.pkg.Ecosystem),
PackageCount: len(s.pkg.Manifest.Packages),
}
} else {
@ -139,7 +139,7 @@ func (r *markdownReportGenerator) Finish() error {
}
violations = append(violations, markdownTemplateInputViolation{
Ecosystem: v.Manifest.Ecosystem,
Ecosystem: string(v.Package.Ecosystem),
PkgName: fmt.Sprintf("%s@%s", v.Package.Name, v.Package.Version),
Message: msg,
})
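Review bot: In the first hunk the `summaries[mp]` entry is created once per key but now takes `Ecosystem` from whichever package is seen first (`string(s.pkg.Ecosystem)`) while `PackageCount` still counts every package in the manifest; for an SBOM whose components span several purl types, such as the second fixture in this commit with both `pkg:pypi` and `pkg:github` entries, the summary row is labelled with one ecosystem and counts all of them. If `mp` is the manifest path, as the name suggests, either include the ecosystem in the key or keep the manifest-level value for this row and leave the per-package value to the violations table in the second hunk, where it is correct. `Finish()` begins before and ends after these hunks, so how `mp` is derived is not visible here.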


@ -248,7 +248,7 @@ func (r *summaryReporter) renderRemediationAdvice() {
insight := utils.SafelyGetValue(sp.pkg.Insights)
tbl.AppendRow(table.Row{
sp.pkg.Manifest.Ecosystem,
string(sp.pkg.Ecosystem),
r.packageNameForRemediationAdvice(sp.pkg),
utils.SafelyGetValue(insight.PackageCurrentVersion),
sp.score,


@ -57,7 +57,9 @@ func (e *insightsBasedPackageEnricher) Enrich(pkg *models.Package,
pkg.PackageDetails.Name, pkg.PackageDetails.Version)
res, err := e.client.GetPackageVersionInsightWithResponse(context.Background(),
pkg.Manifest.Ecosystem, pkg.Name, pkg.Version)
// pkg.Manifest.Ecosystem,
string(pkg.PackageDetails.Ecosystem),
pkg.Name, pkg.Version)
if err != nil {
logger.Errorf("Failed to enrich package: %v", err)
return err
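Review bot: The enrichment call now sends `string(pkg.PackageDetails.Ecosystem)`, a value from osv-scanner's `lockfile.Ecosystem` vocabulary, where it previously sent `pkg.Manifest.Ecosystem` from the `models.Ecosystem*` constants; whether the two spellings agree for every ecosystem this tool supports is not visible in the hunk, and a mismatch would most likely surface as empty insights for those packages rather than as an error from `GetPackageVersionInsightWithResponse`. A small explicit mapping from `lockfile.Ecosystem` to the models constants, or a test asserting that the two sets agree for each supported ecosystem, would pin this down. The commented-out `// pkg.Manifest.Ecosystem,` line inside the argument list should be removed rather than left as dead text. `Enrich()` starts before and continues after the hunk.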