safedep/vet
1
0
Fork 0
mirror of https://github.com/safedep/vet.git synced 2025-12-10 00:22:08 -06:00
Code Issues Packages Projects Releases 68 Wiki Activity

Merge branch 'main' into develop

Browse Source
This commit is contained in:
abhisek 2023-03-29 09:55:54 +05:30
commit b338689814
No known key found for this signature in database
GPG Key ID: CB92A4990C02A88F
90 changed files with 2005 additions and 486 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

227
README.md
View File

@ -1,100 +1,62 @@
# vet
<h1 align="center">
vet
</h1>
<p align="center">
🙌 Refer to <b><a href="https://safedep.io/docs/">https://safedep.io/docs</a></b> for the documentation 📖
</p>
![License](https://img.shields.io/github/license/safedep/vet)
![Release](https://img.shields.io/github/v/release/safedep/vet)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/safedep/vet/badge)](https://api.securityscorecards.dev/projects/github.com/safedep/vet)
[![CodeQL](https://github.com/safedep/vet/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/safedep/vet/actions/workflows/codeql.yml)
[![Scorecard supply-chain security](https://github.com/safedep/vet/actions/workflows/scorecard.yml/badge.svg)](https://github.com/safedep/vet/actions/workflows/scorecard.yml)
**🙌 Refer to [https://safedep.io/docs](https://safedep.io/docs) for the documentation 📖**
![vet banner](docs/static/img/vet/vet-banner.png)
## Automate Open Source Package Vetting in CI/CD
`vet` is a tool for identifying risks in open source software supply chain. It
helps engineering and security teams to identify potential issues in their open
source dependencies and evaluate them against organizational policies.
[![Release](https://img.shields.io/github/v/release/safedep/vet.svg?logo=github&style=flat-square)](https://github.com/safedep/vet/releases)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/safedep/vet/badge)](https://api.securityscorecards.dev/projects/github.com/safedep/vet)
[![CodeQL](https://github.com/safedep/vet/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/safedep/vet/actions/workflows/codeql.yml)
[![Scorecard supply-chain security](https://github.com/safedep/vet/actions/workflows/scorecard.yml/badge.svg)](https://github.com/safedep/vet/actions/workflows/scorecard.yml)
## 🔥 vet in action
## Demo
![vet Demo](docs/images/vet-demo.gif)
## TL;DR
Scan a repository for OSS dependency risks with auto-detection of package
manifests
```bash
vet scan -D /path/to/repo
```
> **Note:** An API key is required for `vet` to fetch package metadata. Refer
> [Getting Started](#getting-started) on how to obtain an API key.
![vet Summary Demo](docs/images/vet-summary-demo.png)
[Example Security Gate](https://github.com/safedep/demo-client-java/pull/2)
using `vet` to prevent introducing new OSS dependency risk in an application.
![vet Demo](docs/static/img/vet/vet-demo.gif)
## Getting Started
### As Docker Container
- Download the binary file for your operating system/architecture from the [Official GitHub Releases](https://github.com/safedep/vet/releases)
Run `vet` as a docker container without any installation
```bash
docker run --rm -it -v /path/to/your/source:/target \
-e VET_API_KEY=... \
ghcr.io/safedep/vet:latest \
scan -D /target
```
### Build from Source
To build from source, install using `go get`
> Ensure `$(go env GOPATH)/bin` is in your `$PATH`
```bash
go install github.com/safedep/vet@latest
```
### Binary Release
Alternatively, look at [Releases](https://github.com/safedep/vet/releases) for
a pre-built binary for your platform. [SLSA Provenance](https://slsa.dev/provenance/v0.1) is published
along with each binary release.
### Obtain API Key
Get an API key for [Insights API](https://safedep.io/docs/concepts/raya-data-platform-overview) access
- Get an API key for the vet insights data access for performing the scan
```bash
vet auth trial --email john.doe@example.com
```
> A time limited API key will be sent over email.
![vet register trial](docs/static/img/vet/vet-register-trial.png)
Configure `vet` to use API Key to access [Insights API](https://safedep.io/docs/concepts/raya-data-platform-overview)
> A time limited trial API key will be sent over email.
- Configure `vet` to use API key to access the insights
```bash
vet auth configure
```
> Insights API is used to enrich OSS packages with metadata for rich query and policy
> decisions. Alternatively, the API key can be passed through environment
> variable `VET_API_KEY`
![vet configure](docs/static/img/vet/vet-configure.png)
Verify authentication token is valid
> Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable `VET_API_KEY`
```bash
vet auth verify
```
### Basic Usage
Run `vet` to identify risks in a source repository
- Run `vet` to identify risks
```bash
vet scan -D /path/to/repository
```
or scan a specific (supported) package manifest
![vet scan directory](docs/static/img/vet/vet-scan-directory.png)
- You can also scan a specific (supported) package manifest
```bash
vet scan --lockfiles /path/to/pom.xml
@ -102,132 +64,23 @@ vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json
```
or scan a supported package manifest with a non-standard name
> [Example Security Gate](https://github.com/safedep/demo-client-java/pull/2) using `vet` to prevent introducing new OSS dependency risk in an application.
```bash
vet scan --lockfiles /path/to/gradle-compileOnly.lock --lockfile-as gradle.lockfile
```
> Use `vet scan parsers` to list supported package manifest parsers
## 📖 Documentation
The default scan uses an opinionated [Summary Reporter](#) which presents
a consolidated summary of findings. Thats NOT about it. Read more for
expression based filtering and policy evaluation.
- Refer to [https://safedep.io/docs](https://safedep.io/docs) for the detailed documentation
## Policy Control
[![vet docs](docs/static/img/vet-docs.png)](https://safedep.io/docs)
Policies are written using a DSL. A group of policies can be applied using
`vet` to build a security gate in CI/CD.
## 🎊 Community
Start by copying a sample policy
First of all, thank you so much for showing interest in `vet`, we appreciate it ❤️
```bash
curl -LO https://raw.githubusercontent.com/safedep/vet/main/samples/filter-suites/fs-generic.yml
```
- Join the server using the link - [https://rebrand.ly/safedep-community](https://rebrand.ly/safedep-community)
Run a scan with policies and configure the scanner to fail in case of policy
violation
[![SafeDep Discord](docs/static/img/safedep-discord.png)](https://rebrand.ly/safedep-community)
```bash
vet scan -D /path/to/dir --filter-suite fs-generic.yml --filter-fail
```
Read more about underlying capability using which policy control is implemented
in [filtering guide](docs/filtering.md)
## Exceptions Management
Projects may have legacy libraries that will fail any reasonable security policy.
Legacy libraries can be added as time bounded exceptions to the policies to place
strict control on any new library while legacy library can be upgraded over
time.
Exception rules can be generated using the `query` workflow to temporarily
ignore (or snooze) existing issues when using `vet` for the first time. This
helps in establishing security gating to prevent introduction of new security
issues while existing issues are being remediated.
Use exception rules during scan to ignore specific packages
```bash
vet scan -D /path/to/repo -e /path/to/exceptions.yml
```
For more information on generating exceptions,
refer to [exceptions guide](docs/exceptions.md)
The generated exceptions file, when combined with policy control, can be used
to setup a security gate to prevent introducing new issues while ignoring the
existing backlog for a period of time.
```bash
vet scan -D /path/to/dir \
--filter-suite fs-generic.yml --filter-fail
-e /path/to/exceptions.yml
```
## Exploring OSS Risks using Filters
Find dependencies that seems not very popular
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='projects.exists(x, x.stars < 10)'
```
Find dependencies with a critical vulnerability
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='vulns.critical.exists_one(x, true)'
```
> Use filtering along with `query` command for offline slicing and dicing of
> enriched package manifests. Read [filtering guide](docs/filtering.md)
Learn more about [filtering with vet](docs/filtering.md).
Look at [filter input spec](api/filter_input_spec.proto) on attributes
available to the filter expression.
## FAQ
### How do I disable the stupid banner?
Set environment variable `VET_DISABLE_BANNER=1`
### Can I use this tool without an API Key for Insight Service?
Probably no. All useful data (enrichments) for a detected package comes from
a backend service. The service is rate limited with quotas to prevent abuse.
Look at `api/insights-v1.yml`. It contains the contract expected for Insights
API. You can perhaps consider rolling out your own to avoid dependency with our
backend.
### Something is wrong! How do I debug this thing?
Run without the eye candy UI and enable log to file or to `stdout`.
Log to `stdout`:
```bash
vet scan -D /path/to/repo -s -l- -v
```
Log to file:
```bash
vet scan -D /path/to/repo -l /tmp/vet.log -v
```
### Which all ecosystems are supported?
* Java
* Go
* Javascript / NodeJS
* Python
## References
* https://github.com/google/osv-scanner
## 🔖 References
- [https://github.com/google/osv-scanner](https://github.com/google/osv-scanner)

23
docs/.gitignore vendored Normal file
View File

@ -0,0 +1,23 @@
# Dependencies
/node_modules
# Production
/build
# Generated files
.docusaurus
.cache-loader
# package-lock
package-lock.json
# Misc
.DS_Store
.env.local
.env.development.local
.env.test.local
.env.production.local
npm-debug.log*
yarn-debug.log*
yarn-error.log*

33
docs/README.md Normal file
View File

@ -0,0 +1,33 @@
# vet docs overview
This section contains documentation for `vet`. This documentation site is based on the Docusaurus framework.
## Getting Started
To start a local environment of this project docs, please do the following
- Clone the repository
```bash
git clone https://github.com/safedep/vet.git
```
- Navigate to the guide directory
```bash
cd vet/docs
```
- Install dependencies
```bash
npm install
```
- Start the development server
```bash
yarn start
```
- Navigate to [http://localhost:3000](http://localhost:3000) for accessing the `vet` documentation locally

3
docs/babel.config.js Normal file
View File

@ -0,0 +1,3 @@
module.exports = {
presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
};

9
docs/docs/advanced/_category_.json Normal file
View File

@ -0,0 +1,9 @@
{
"label": "👀 Advanced Usage",
"position": 6,
"link": {
"type": "generated-index",
"description": "Advanced usage of vet for various workflows"
}
}

8
docs/docs/advanced/allow-list-deny-list.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 6
title: 🚫 Allow & Deny List
---
# 🚫 Vet - Allow & Deny List
In this section we will leverage the [Exceptions](./exceptions) to configure and design the entire workflows with allow & deny list.

43
docs/docs/advanced/build-your-own-querie.md Normal file
View File

@ -0,0 +1,43 @@
---
sidebar_position: 2
title: ✍️ Build Your Own Queries
---
# ✍️ Build Your Own Queries (BYOQ)
## Query Workflow
Scanning a package manifest is a resource intensive process as it involves enriching package metadata by querying Insights API. However, filtering and reporting may be done multiple times on the same manifest. To speed up the process, we can dump the enriched data as JSON and load the same for filtering and reporting.
- Dump enriched JSON manifests to a directory (example)
```bash
vet scan --lockfile /path/to/package-lock.json --json-dump-dir /tmp/dump
vet scan -D /path/to/repository --json-dump-dir /tmp/dump-many
```
- Load the enriched metadata for filtering and reporting
```bash
vet query --from /tmp/dump --report-summary
vet query --from /tmp/dump --filter 'scorecard.score.Maintained == 0'
```
## Security Guardrails with Filters
A simple security guardrail (in CI) can be achieved using the filters. The `--filter-fail` argument tells the `Filter Analyzer` module to fail the command if any package matches the given filter.
- Example: If OpenSSF Scorecard not maintained project score is `0` then fail the build
```bash
vet query --from /path/to/json-dump \
--filter 'scorecard.scores.Maintained == 0' \
--filter-fail
```
- Subsequently, the command fails with `-1` exit code in case of match
```bash
➜ vet git:(develop) ✗ echo $?
255
```

88
docs/docs/advanced/exceptions.md Normal file
View File

@ -0,0 +1,88 @@
---
sidebar_position: 4
title: ❗ Exceptions
---
# ❗ Vet - Exceptions Management
Any security scanning tool may produce
1. False positive
2. Issues that are acceptable for a period of time
3. Issues that are ignored permanently
:::info
To support exceptions, we introduce the exception model defined in [exception spec](https://github.com/safedep/vet/blob/main/api/exceptions_spec.proto)
:::
## Use-case
As a user of `vet` tool, I want to add all existing packages or package versions as `exceptions` to make the scanner and filter analyses to ignore them while reporting issues so that I can deploy `vet` as a security guardrail to prevent introducing new packages with security issues
This workflow will allow users to
1. Accept the current issues as backlog to be mitigated over time
2. Deploy `vet` as a security gate in CI to prevent introducing new issues
### Security Risks
Exceptions management should handle the potential security risk of ignoring a package and its future issues. To mitigate this risk, we will ensure that issues can be ignored till an acceptable time window and not permanently.
## Workflow
### Generate Exceptions File
- Run a scan and dump raw data to a directory
```bash
vet scan -D /path/to/repo --json-dump-dir /path/to/dump
```
- Use `vet query` to generate exceptions for all existing packages
```bash
vet query --from /path/to/dump \
--exceptions-generate /path/to/exceptions.yml \
--exceptions-filter 'true' \ # Optional filter for packages to add
--exceptions-till '2023-12-12'
```
:::info
`--exceptions-till` is parsed as `YYYY-mm-dd` and will generate a timestamp of `00:00:00` in UTC timezone for the date in RFC3339 format
:::
### Customize Exceptions File
The generated exceptions file will add all packages, matching optional filter, into the `exceptions.yml` file. This file should be reviewed and customised as required before using it.
### Use Exceptions to Ignore Specific Packages
An exceptions file can be passed as a global flag to `vet`. It will be used for various commands such as `scan` or `query`.
```bash
./vet --exceptions /path/to/exceptions.yml scan -D /path/to/repo
```
:::caution
Do not pass this flag while generating exceptions list in query workflow to avoid incorrect exception list generation
:::
## Behavior
- All exceptions rules are applied only on a `Package`
- All comparisons will be case-insensitive except version
- Only `version` can have a value of `*` matching any version
- Exceptions are globally managed and will be shared across packages
- Exempted packages will be ignored by all analysers and reporters
- First match policy for exceptions matching
Anti-patterns that will NOT be implemented
- Exceptions will not be implemented for manifests because they will cause false negatives
- Exceptions will not be created without an expiry to avoid future false negatives on the package

125
docs/docs/advanced/filtering.md Normal file
View File

@ -0,0 +1,125 @@
---
sidebar_position: 1
title: 🔎 Filtering
---
# 🔎 Filtering
Filter command helps solve the problem of visibility for OSS dependencies in an application. To support various requirements, we adopt a generic [expressions language](https://github.com/google/cel-spec) for flexible filtering.
## Example
- The scan will list only packages that use the `MIT` license.
```bash
vet scan -D /path/to/repo \
--report-summary=false \
--filter 'licenses.exists(p, p == "MIT")'
```
- Find dependencies that seems not very popular
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='projects.exists(x, x.stars < 10)'
```
- Find dependencies with a critical vulnerability
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='vulns.critical.exists_one(x, true)'
```
## Input
Filter expressions work on packages (aka. dependencies) and evaluates to a boolean result. The package is included in the results table if the expression evaluates to `true`.
- Filter expressions get the following input data to work with
| Variable | Content |
|-------------|-------------------------------------------------------------|
| `_` | The root variable, holding other variables |
| `vulns` | Holds a map of vulnerabiliteis by severity |
| `scorecard` | Holds OpenSSF scorecard |
| `projects` | Holds a list of source projects associated with the package |
| `licenses` | Holds a list of liceses in SPDX license code format |
:::tip
Refer to [filter input spec](https://github.com/safedep/vet/blob/main/api/filter_input_spec.proto) for detailed structure of input messages.
:::
## Expressions
Expressions are [CEL](https://github.com/google/cel-spec) statements. While
CEL internals are not required, an [introductory](https://github.com/google/cel-spec/blob/master/doc/intro.md)
knowledge of CEL will help formulating queries. Expressions are logical
statements that evaluate to `true` or `false`.
### Example Queries
| Description | Query |
|----------------------------------------------|--------------------------------------|
| Find packages with a critical vulnerability | `vulns.critical.exists(x, true)` |
| Find unmaintained packages as per OpenSSF SC | `scorecard.scores.Maintained == 0` |
| Find packages with low stars | `projects.exists(x, x.stars < 10)` |
| Find packages with GPL-2.0 license | `licenses.exists(x, x == "GPL-2.0")`
:::tip
Refer to [scorecard checks](https://github.com/ossf/scorecard#checks-1) for a list of checks available from OpenSSF Scorecards project.
:::
## How does the filter input JSON look like?
```json
{
"pkg": {
"ecosystem": "npm",
"name": "lodash.camelcase",
"version": "4.3.0"
},
"vulns": {
"all": [],
"critical": [],
"high": [],
"medium": [],
"low": []
},
"scorecard": {
"scores": {
"Binary-Artifacts": 10,
"Branch-Protection": 0,
"CII-Best-Practices": 0,
"Code-Review": 8,
"Dangerous-Workflow": 10,
"Dependency-Update-Tool": 0,
"Fuzzing": 0,
"License": 10,
"Maintained": 0,
"Packaging": -1,
"Pinned-Dependencies": 9,
"SAST": 0,
"Security-Policy": 10,
"Signed-Releases": -1,
"Token-Permissions": 0,
"Vulnerabilities": 10
}
},
"projects": [
{
"name": "lodash/lodash",
"type": "GITHUB",
"stars": 55518,
"forks": 6787,
"issues": 464
}
],
"licenses": [
"MIT"
]
}
```

66
docs/docs/advanced/polic-as-code.md Normal file
View File

@ -0,0 +1,66 @@
---
sidebar_position: 3
title: 📜 Policy as Code
---
# 📜 Policy as Code (PaC)
## What is Policy as Code?
The idea of treating policy as code / config / rules that can be evaluated by tools to make runtime decisions. Generally, policy as code approach reduces ***cost of compliance*** by automating grunt work required to audit for policy violations.
## Why use Policy as Code?
Manual verification and approval of new software components is, to put it simply, tedious, contentious, error prone and incomplete. It is not possible to manually analyses a 3rd party dependency and its transitive dependencies. We believe organizational software supply chain policies should be codified so that tools can be build to automatically evaluate every 3rd party artifact for compliance against policies.
Examples of software supply chain policy may include:
- Dependencies must not have known critical vulnerabilities
- Dependencies must be maintained
- Dependencies must not be new / must have an extensive user base
- Publishers must follow security standards e.g. [SLSA](https://slsa.dev/)
## Filter Suite
A single filter is useful for identification of packages that meet some specific criteria. While it helps solve various use-cases, it is not entirely suitable for `security guardrails` where multiple filters may be required to express an organization's acceptable OSS usage policy.
- For example, an organization may define a filter to deny certain type of packages
1. Any package that has a high or critical vulnerability
2. Any package that does not match acceptable OSS licenses
3. Any package that has a low [OpenSSF scorecard score](https://github.com/ossf/scorecard)
- To express this policy, multiple filters are needed such as
```bash
vulns.critical.exists(p, true) ||
licenses.exists(p, (p != "MIT") && (p != "Apache-2.0")) ||
(scorecard.scores.Maintained == 0)
```
- To solve this problem, we introduce the concept of `Filter Suite`. It can be represented as an YAML file containing multiple filters to match:
```yaml
name: Generic Filter Suite
description: Example filter suite with canned filters
filters:
- name: critical-vuln
value: |
vulns.critical.exists(p, true)
- name: safe-licenses
value: |
licenses.exists(p, (p != "MIT") && (p != "Apache-2.0"))
- name: ossf-maintained
value: |
scorecard.scores.Maintained == 0
```
- A scan or query operation can be invoked using the filter suite:
```bash
vet scan -D /path/to/repo --filter-suite /path/to/filters.yml --filter-fail
```
- The filter suite will be evaluated as
- Ordered list of filters as given in the suite file
- Stop on first rule match for a given package

65
docs/docs/advanced/shell-completion.md Normal file
View File

@ -0,0 +1,65 @@
---
sidebar_position: 9
title: ⏩ Shell Completion
---
# ⏩ Shell completion for vet
Command-line completion or Shell completion is a feature provided by shells like `bash` or `zsh` that lets you type commands in a fast and easy way. This functionality automatically fills in partially typed commands when the user press the `tab` key.
- To enable shell completion for `vet` for various shells follow the below steps
## 1. Identify your current environment shell
```bash
echo $SHELL
/bin/zsh
```
## 2. Generate the completion command for your shell
```zsh
vet completion zsh -h
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(vet completion zsh); compdef _vet vet
To load completions for every new session, execute once:
#### Linux:
vet completion zsh > "${fpath[1]}/_vet"
#### macOS:
vet completion zsh > $(brew --prefix)/share/zsh/site-functions/_vet
You will need to start a new shell for this setup to take effect.
```
## 3. Run the commands to setup completion
```zsh
echo "autoload -U compinit; compinit" >> ~/.zshrc
source <(vet completion zsh); compdef _vet vet
vet completion zsh > $(brew --prefix)/share/zsh/site-functions/_vet
```
## 4. Open new shell and you can see the completion activated
```zsh
vet [tab]
```
![vet autocomplete](/img/vet/vet-autocomplete.png)

10
docs/docs/architecture.md Normal file
View File

@ -0,0 +1,10 @@
---
sidebar_position: 5
title: 🏛️ Architecture
---
# 🏛️ Vet Architecture
Here is a very high-level overview of `vet` architecture from 10,000 foot view to solve your Open Source Risks. Vet has been create with powerful design & architecture to be scalable, efficient and extendable.
![Vet Architecture](/img/vet/vet-architecture.png)

12
docs/docs/community.md Normal file
View File

@ -0,0 +1,12 @@
---
sidebar_position: 17
title: 🎊 Community
---
# 🎊 Community
First of all, thank you so much for showing interest in `vet`, we appreciate it ❤️
**Join the server using the link - https://rebrand.ly/safedep-community**
[![SafeDep Discord](/img/safedep-discord.png)](https://rebrand.ly/safedep-community)

167
docs/docs/configure.md Normal file
View File

@ -0,0 +1,167 @@
---
sidebar_position: 4
title: 🧩 Configuration
---
# 🧩 Configuring Vet
`vet` comes with super powers 🚀, this section will help you to understand and explore some of them so that you can take your open source security to next level 😎
![vet command](/img/vet/vet-command.png)
## API Key
`vet` uses control plane API for the insights required to enrich the information of dependencies, and its information.
### Generating an API key
- You can run the following command with your email address to receive an API key. After running the following command, you will receive an email with the API key.
```bash
vet auth trial --email john.doe@example.com
```
![vet register trial](/img/vet/vet-register-trial.png)
### Configuring an API key
- You can configure the api key using the following command
```bash
vet auth configure
```
![vet configure](/img/vet/vet-configure.png)
- You can also pass the API key through environment variable using the variable `VET_API_KEY`
### Renewing an API key
- To renew an API key, you can re-register using the email. Even reach out to us at [contact@safedep.io](mailto:contact@safedep.io) and we would be happy to work with you
## Scanning
### Scanning Directories
- If you wanted to scan the whole directory & automatically parse the dependencies/lockfile, you can use the `-D` or `--directory` flag.
```bash
vet scan -D your-code/directory/path/
```
:::info
If you do not specify any directory, by default it takes present working directory as the input.
:::
### Scanning Files
- If you wanted to scan the specific file `lockfile` you can use the `-L` or `--lockfiles` flag.
```bash
vet scan -D your-code/directory/path/
```
:::info
If you do not specify any directory, by default it takes present working directory as the input.
:::
### Scanning Non-standard files
- Sometimes you might have non-standard filenames for the dependencies, lockfiles. You can scan them as a supported package manifest with a non-standard name using the following command
```bash
vet scan --lockfiles /path/to/gradle-compileOnly.lock --lockfile-as gradle.lockfile
```
### Scanning Multiple files
```bash
vet scan --lockfiles /path/to/gradle.lockfile --lockfiles requirements.txt
```
![vet scanning multiple files](/img/vet/scanning-multiple-files.png)
### Scanning Parsers
`vet` currently has 10 scanning parsers for various dependencies formats including Go, Python, Java, etc.
```bash
vet scan parsers
Available Lockfile Parsers
==========================
[0] buildscript-gradle.lockfile
[1] go.mod
[2] gradle.lockfile
[3] package-lock.json
[4] Pipfile.lock
[5] pnpm-lock.yaml
[6] poetry.lock
[7] pom.xml
[8] requirements.txt
[9] yarn.lock
```
## Scan Options
### Silent scan
- `vet` supports silent scan to prevent rendering UI using the following command with `-s` or `--silent` flag
```bash
vet scan -s --lockfiles demo-client-java/gradle.lockfile
```
![vet silent scan](/img/vet/silent-scan.png)
### Scan concurrency
- By default it set to `5`, you can increase or decrease using the `--concurrency` or `-C` flag
```bash
vet scan -C 10 --lockfiles demo-client-java/gradle.lockfile
Scanning packages ... done! [115 in 5.87s]
Scanning manifests ... done! [1 in 5.87s]
```
- You can see the difference between the above and below scan time with same file(s)
```bash
vet scan -C 1 --lockfiles demo-client-java/gradle.lockfile
Scanning packages ... done! [115 in 10.567s]
Scanning manifests ... done! [1 in 10.567s]
```
### Scanning transitive dependencies
- You can perform the transitive dependencies scan by running the following command with `--transitive` flag
```bash
vet scan --transitive --lockfiles demo-client-java/gradle.lockfile
```
![vet transitive scan default](/img/vet/vet-transitive-default.png)
- As you can see the above scan has found issues across `201` libraries
### Configuring transitive dependencies depth level
- You can change the transitive dependencies scan depth by running the following command with `--transitive-depth` flag
```bash
vet scan --transitive --transitive-depth 5 --lockfiles demo-client-java/gradle.lockfile
```
![vet transitive scan depth](/img/vet/vet-transitive-depth.png)
- As you can see the above scan has found issues across `237` libraries
:::info
By default if you don't specify the flag it takes `2` as depth
:::

9
docs/docs/ecosystem/_category_.json Normal file
View File

@ -0,0 +1,9 @@
{
"label": "🌐 Ecosystem",
"position": 15,
"link": {
"type": "generated-index",
"description": "🚧 Work-in-Progress (WIP): SafeDep's vet ecosystem"
}
}

7
docs/docs/ecosystem/artifactory.md Normal file
View File

@ -0,0 +1,7 @@
# Artifactory Systems
🚧 Work-in-Progress (WIP)
## JFrog
## Nexus

3
docs/docs/ecosystem/developer-tooling.md Normal file
View File

@ -0,0 +1,3 @@
# Developer Tooling
🚧 Work-in-Progress (WIP)

9
docs/docs/ecosystem/gateways.md Normal file
View File

@ -0,0 +1,9 @@
# Gateways
🚧 Work-in-Progress (WIP)
## Kong API Gateway
## AWS API Gateway
## Traefik Gateway

11
docs/docs/ecosystem/ide.md Normal file
View File

@ -0,0 +1,11 @@
# IDE
🚧 Work-in-Progress (WIP)
## VSCode
## JetBrains
## Vim
## NeoVim

9
docs/docs/ecosystem/integrations.md Normal file
View File

@ -0,0 +1,9 @@
# Integrations
🚧 Work-in-Progress (WIP)
## GitHub Actions
## Gitlab CI
## Bitbucket Pipelines

9
docs/docs/ecosystem/logging.md Normal file
View File

@ -0,0 +1,9 @@
# Logging & Monitoring Systems
🚧 Work-in-Progress (WIP)
## Elastic Stack
## Splunk
## DataDog

11
docs/docs/ecosystem/serivce-mesh.md Normal file
View File

@ -0,0 +1,11 @@
# Service Mesh
🚧 Work-in-Progress (WIP)
## Istio - Service Mesh
## LinkerD - Service Mesh
## Cilium - Service Mesh
## Kong - Service Mesh

11
docs/docs/ecosystem/systems.md Normal file
View File

@ -0,0 +1,11 @@
# Systems & Solutions
🚧 Work-in-Progress (WIP)
## Kubernetes
## Nomad
## AWS Fargate
## Google Cloud Run

35
docs/docs/faq.md Normal file
View File

@ -0,0 +1,35 @@
---
sidebar_position: 20
title: 🙋 FAQ
---
# 🙋 FAQ - Vet
### How do I disable the stupid banner?
- Set environment variable `VET_DISABLE_BANNER=1`
### Can I use this tool without an API Key for Insight Service?
- Probably no. All useful data (enrichments) for a detected package comes from
a backend service. The service is rate limited with quotas to prevent abuse.
- Look at `api/insights-v1.yml`. It contains the contract expected for Insights
API. You can perhaps consider rolling out your own to avoid dependency with our
backend.
### Something is wrong! How do I debug this thing?
- Run without the eye candy UI and enable log to file or to `stdout`.
Log to `stdout`:
```bash
vet scan -D /path/to/repo -s -l- -v
```
Log to file:
```bash
vet scan -D /path/to/repo -l /tmp/vet.log -v
```

8
docs/docs/guides/_category_.json Normal file
View File

@ -0,0 +1,8 @@
{
"label": "📖 Guides",
"position": 8,
"link": {
"type": "generated-index",
"description": "Guides for various use-cases"
}
}

1
docs/docs/guides/dependency-cost.md Normal file
View File

@ -0,0 +1 @@
# Dependency Cost

1
docs/docs/guides/dependency-inventory.md Normal file
View File

@ -0,0 +1 @@
# Dependency Inventory

1
docs/docs/guides/dependency-scanning.md Normal file
View File

@ -0,0 +1 @@
# Dependency Scanning

1
docs/docs/guides/drift-analysis.md Normal file
View File

@ -0,0 +1 @@
# Drift Analysis

1
docs/docs/guides/health-status.md Normal file
View File

@ -0,0 +1 @@
# Health Status

1
docs/docs/guides/licenses-scanning.md Normal file
View File

@ -0,0 +1 @@
# License Scanning

69
docs/docs/index.md Normal file
View File

@ -0,0 +1,69 @@
---
slug: /
sidebar_position: 1
title: 👋 Welcome
---
# 👋 Welcome to vet
![Vet](/img/vet/vet-banner.png)
## 👉 About vet
`vet` is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.
```bash
vet
.----------------. .----------------. .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____ ____ | || | _________ | || | _________ | |
| ||_ _| |_ _| | || | |_ ___ | | || | | _ _ | | |
| | \ \ / / | || | | |_ \_| | || | |_/ | | \_| | |
| | \ \ / / | || | | _| _ | || | | | | |
| | \ ' / | || | _| |___/ | | || | _| |_ | |
| | \_/ | || | |_________| | || | |_____| | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |
'----------------' '----------------' '----------------'
[ Establish trust in open source software supply chain ]
Usage:
vet [OPTIONS] COMMAND [ARG...] [flags]
vet [command]
Available Commands:
auth Configure and verify Insights API authentication
completion Generate the autocompletion script for the specified shell
help Help about any command
query Query JSON dump and run filters or render reports
scan Scan and analyse package manifests
version Show version and build information
Flags:
-d, --debug Show debug logs
-e, --exceptions string Load exceptions from file
-h, --help help for vet
-l, --log string Write command logs to file
-v, --verbose Show verbose logs
Use "vet [command] --help" for more information about a command.
```
## 🤔 Why vet?
> It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.
### 👉 Problem space
Product security practices target software developed and deployed internally. They do not cover software consumed from external sources in form of libraries from the Open Source ecosystem. The growing risk of vulnerable, unmaintained and malicious dependencies establishes the need for product security teams to vet 3rd party dependencies before consumption.
### 👉 Current state
Vetting open source packages is largely a manual and opinionated process involving engineering teams as the requester and security teams as the service provider. A typical OSS vetting process involves auditing dependencies to ensure security, popularity, license compliance, trusted publisher etc. The manual nature of this activity increases cycle time and slows down engineering velocity, especially for evolving products.
### 🚀 What vet aims to solve
`vet` solves the problem of OSS dependency vetting by providing a policy driven automated analysis of libraries. It can be seamlessly integrated with any CI tool or used in developer / security engineer's local environment.
## 🤩 Vet in Action
![Vet Showcase](/img/vet/vet-demo.gif)

119
docs/docs/installation.mdx Normal file
View File

@ -0,0 +1,119 @@
---
sidebar_position: 3
slug: /installation
title: ⚡ Installation
---
# ⚡ Installing Vet
Here you can find different ways of installing `vet`. It covers various platforms, various architectures and the package managers.
## Install Official GitHub Release Binary
- Download the binary file for your operating system/architecture from the [Official GitHub Releases](https://github.com/safedep/vet/releases)
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
<Tabs
defaultValue="linux"
values={[
{label: 'Linux', value: 'linux'},
{label: 'Mac M1/M2', value: 'macm'},
{label: 'Mac Intel', value: 'maci'},
{label: 'Windows', value: 'windows'},
]}>
<TabItem value="linux">
<code>
curl -L https://github.com/safedep/vet/releases/download/v0.0.7-dev/vet_Linux_x86_64.tar.gz -o vet.tar.gz
</code>
</TabItem>
<TabItem value="macm">
<code>
curl -L https://github.com/safedep/vet/releases/download/v0.0.7-dev/vet_Darwin_arm64.tar.gz -o vet.tar.gz
</code>
</TabItem>
<TabItem value="maci">
<code>
curl -L https://github.com/safedep/vet/releases/download/v0.0.7-dev/vet_Darwin_x86_64.tar.gz -o vet.tar.gz
</code>
</TabItem>
<TabItem value="windows">
<code>
TBD
</code>
</TabItem>
</Tabs>
- Unpack the downloaded archive using the following command `tar -xvzf vet.tar.gz`
- Make sure the binary has execution bit turned on `chmod +x ./vet`
- Move the binary in your system $PATH `mv ./vet /usr/local/bin/`
:::tip
- You can also verify the checksum using the [checksum.txt](https://github.com/safedep/vet/releases/latest)
- [SLSA Provenance](https://slsa.dev/provenance/v0.1) is published along with each binary release.
:::
## Install using `go get`
:::note
Ensure `$(go env GOPATH)/bin` is in your `$PATH`
:::
```bash
go install github.com/safedep/vet@latest
```
## Install using Container Image
- You can pull the vet official container image using `docker pull ghcr.io/safedep/vet:latest`
- For scanning using vet container us the following command. Make sure to replace the `yourcode-in-host` with your local code directory which needs to be scanned
```bash
docker run --rm -it -v yourcode-in-host:/code -e VET_API_KEY=YOUR_API_KEY ghcr.io/safedep/vet scan -D /code
```
## Install using Package Manager
### RHEL/CentOS
TBD
### Debian/Ubuntu
TBD
### Homebrew
TBD
### Arch Linux
TBD
### MacPorts
TBD
### Nix/NixOS
TBD
## Install from source
- You can install the vet from the source by cloning the official repository and building locally
```bash
git clone --depth 1 --branch main https://github.com/safedep/vet
cd vet
go install
```

9
docs/docs/integrations/_category_.json Normal file
View File

@ -0,0 +1,9 @@
{
"label": "⚙️ Integrations",
"position": 9,
"link": {
"type": "generated-index",
"description": "Integrations for various continuous integration & delivery systems"
}
}

8
docs/docs/integrations/aws-codebuild.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 6
title: 🔁 AWS CodeBuild
---
# 🔁 AWS CodeBuild Workflow - Vet
TBD

8
docs/docs/integrations/bitbucket-pipelines.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 5
title: 🔁 Bitbucket Pipelines
---
# 🔁 Bitbucket Pipelines Workflow - Vet
TBD

8
docs/docs/integrations/circle-ci.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 3
title: 🔁 Circle CI
---
# 🔁 Circle CI Workflow - Vet
TBD

81
docs/docs/integrations/github-actions.md Normal file
View File

@ -0,0 +1,81 @@
---
sidebar_position: 1
title: 🔁 Github Actions
---
# 🔁 Github Actions Workflow - Vet
- Make sure to get the registration key as `VET_INSIGHTS_API_KEY` and store in the Github Secrets of the repository
![Github Action Secret](/img/vet/github-action-secret-add.png)
- The following is the Github actions workflow file
```yml title=".github/workflows/vet.yml"
name: OSS Vet
on:
pull_request:
types: [opened, synchronize, reopened]
branches: [ main ]
jobs:
vet:
name: Vet OSS Security
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Vet
run: |
docker run \
-u $(id -u ${USER}):$(id -g ${USER}) \
-e VET_INSIGHTS_API_KEY=${{ secrets.VET_INSIGHTS_API_KEY }} \
-v `pwd`:/code \
ghcr.io/safedep/vet:latest \
scan -s -D /code \
--exceptions /code/.vet/exceptions.yml \
--filter-suite /code/.vet/oss-risk-pack.yml \
--filter-fail \
--report-markdown=/code/vet.md
- name: Add Vet Report to Summary
run: cat vet.md >> $GITHUB_STEP_SUMMARY
```
- The policy pack applied is as following [OSS Best Practices](../packs/oss-risk-pack.md)
:::tip
- We have many policy packs available at [Query Packs](../packs/)
- You can also write your custom policy as a code, refer to [PaaC](../advanced/polic-as-code.md)
:::
```yml title=".vet/oss-risk-pack.yml"
name: General Purpose OSS Best Practices
description: |
This filter suite contains rules for implementing general purpose OSS
consumption best practices for an organization.
filters:
- name: critical-or-high-vulns
value: |
vulns.critical.exists(p, true) || vulns.high.exists(p, true)
- name: low-popularity
value: |
projects.exists(p, (p.type == "GITHUB") && (p.stars < 10))
- name: risky-oss-licenses
value: |
licenses.exists(p, p == "GPL-2.0") ||
licenses.exists(p, p == "GPL-3.0")
- name: ossf-unmaintained
value: |
scorecard.scores["Maintained"] == 0
- name: ossf-dangerous-workflow
value: |
scorecard.scores["Dangerous-Workflow"] == 0
```
## 🚀 Real-world example of vet in action
- The following is the example of how `vet` can be leveraged to enable security guardrails for your pipelines and continuous workflows using security packs [https://github.com/safedep/demo-client-java/pull/2](https://github.com/safedep/demo-client-java/actions/runs/4249672653/jobs/7390102023) for an insecure dependency
![github action real-world example](/img/vet/vet-github-action-real-world.png)

25
docs/docs/integrations/gitlab-ci.md Normal file
View File

@ -0,0 +1,25 @@
---
sidebar_position: 2
title: 🔁 Gitlab CI/CD
---
# 🔁 Gitlab CI/CD Workflow - Vet
```yml
image:
name: ghcr.io/safedep/vet:latest
entrypoint: [""]
stages:
- vet
oss-vet-scan:
stage: vet
script:
- vet scan -s -D ${PWD} --report-markdown=${PWD}/vet-results.md
artifacts:
name: vet-results.md
paths:
- vet-results.md
when: always
```

8
docs/docs/integrations/jenkins.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 4
title: 🔁 Jenkins CI
---
# 🔁 Jenkins CI Workflow - Vet
TBD

8
docs/docs/integrations/travis-ci.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 5
title: 🔁 Travis CI
---
# 🔁 Travis CI Workflow - Vet
TBD

9
docs/docs/packs/_category_.json Normal file
View File

@ -0,0 +1,9 @@
{
"label": "📦 Packs",
"position": 11,
"link": {
"type": "generated-index",
"description": "Packs for various standards"
}
}

22
docs/docs/packs/cis-pack.md Normal file
View File

@ -0,0 +1,22 @@
---
sidebar_position: 2
title: 🧰 CIS Benchmarks
---
# 🧰 CIS Benchmarks
The following policy geared towards the CIS benchmarks based guidelines towards security risks on libraries, software and in general. You can use this `cis-risk-pack.yaml` to perform the CIS Benchmarks security checks.
```yaml title="cis-risk-pack.yaml"
name: CIS Benchmarks Security Risks & Best Practices
description: |
This filter suite contains rules for implementing based on CIS benchmarks
and best practices for an organization.
filters:
- name: critical-or-high-vulns
value: |
vulns.critical.exists(p, true) || vulns.high.exists(p, true)
- name: ossf-unmaintained
value: |
scorecard.scores["Maintained"] == 0
```

8
docs/docs/packs/mitre-pack.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 5
title: 🧰 MITRE
---
# 🧰 MITRE Best Practices
TBD

25
docs/docs/packs/openssf-pack.md Normal file
View File

@ -0,0 +1,25 @@
---
sidebar_position: 3
title: 🧰 OpenSSF Scorecard
---
# 🧰 OpenSSF Scorecard
The following policy geared towards the OpenSSF Scorecard best practices. So you can use this `openssf-risk-pack.yaml` to perform the generic security checks.
```yaml title="openssf-risk-pack.yaml"
name: OpenSSF Scorecard Practices Checks
description: |
This filter suite contains rules for implementing OpenSSF Scorecard
security checks and best practices for an organization.
filters:
- name: critical-or-high-vulns
value: |
vulns.critical.exists(p, true) || vulns.high.exists(p, true)
- name: ossf-unmaintained
value: |
scorecard.scores["Maintained"] == 0
- name: ossf-dangerous-workflow
value: |
scorecard.scores["Dangerous-Workflow"] == 0
```

32
docs/docs/packs/oss-risk-pack.md Normal file
View File

@ -0,0 +1,32 @@
---
sidebar_position: 1
title: 🧰 OSS Best Practices
---
# 🧰 OSS Best Practices
The following policy geared towards the generic OSS best practices. So you can use this `oss-risk-pack.yaml` to perform the generic security checks.
```yaml title="oss-risk-pack.yaml"
name: General Purpose OSS Best Practices
description: |
This filter suite contains rules for implementing general purpose OSS
consumption best practices for an organization.
filters:
- name: critical-or-high-vulns
value: |
vulns.critical.exists(p, true) || vulns.high.exists(p, true)
- name: low-popularity
value: |
projects.exists(p, (p.type == "GITHUB") && (p.stars < 10))
- name: risky-oss-licenses
value: |
licenses.exists(p, p == "GPL-2.0") ||
licenses.exists(p, p == "GPL-3.0")
- name: ossf-unmaintained
value: |
scorecard.scores["Maintained"] == 0
- name: ossf-dangerous-workflow
value: |
scorecard.scores["Dangerous-Workflow"] == 0
```

33
docs/docs/packs/safedep-pack.md Normal file
View File

@ -0,0 +1,33 @@
---
sidebar_position: 6
title: 🧰 SafeDep
---
# 🧰 SafeDep Best Practices
The following policy geared towards the SafeDep opinionated best practices. So you can use this `safedep-risk-pack.yaml` to perform the security checks.
```yaml title="safedep-risk-pack.yaml"
name: SafeDep Best Practices
description: |
This filter suite contains rules for implementing SafeDep
security checks and best practices for an organization.
filters:
- name: critical-or-high-vulns
value: |
vulns.critical.exists(p, true) || vulns.high.exists(p, true)
- name: low-popularity
value: |
projects.exists(p, (p.type == "GITHUB") && (p.stars < 50))
- name: risky-oss-licenses
value: |
licenses.exists(p, p == "GPL-2.0") ||
licenses.exists(p, p == "GPL-3.0") ||
licenses.exists(p, p == "AGPL-3.0")
- name: ossf-unmaintained
value: |
scorecard.scores["Maintained"] == 0
- name: ossf-dangerous-workflow
value: |
scorecard.scores["Dangerous-Workflow"] == 0
```

8
docs/docs/packs/slsa-pack.md Normal file
View File

@ -0,0 +1,8 @@
---
sidebar_position: 4
title: 🧰 SLSA
---
# 🧰 SLSA Best Practices
TBD

56
docs/docs/quick-start.md Normal file
View File

@ -0,0 +1,56 @@
---
sidebar_position: 2
title: 🚀 Quick Start
---
# 🚀 Quick Start
- Download the binary file for your operating system/architecture from the [Official GitHub Releases](https://github.com/safedep/vet/releases)
![vet Github Releases](/img/vet/vet-github-releases.png)
- Get an API key for the vet insights data access for performing the scan
```bash
vet auth trial --email john.doe@example.com
```
![vet register trial](/img/vet/vet-register-trial.png)
:::info
A time limited trial API key will be sent over email.
:::
- Configure `vet` to use API key to access the insights
```bash
vet auth configure
```
![vet configure](/img/vet/vet-configure.png)
:::tip
Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable `VET_API_KEY`
:::
- Run `vet` to identify risks
```bash
vet scan -D /path/to/repository
```
![vet scan directory](/img/vet/vet-scan-directory.png)
- You can also scan a specific (supported) package manifest
```bash
vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json
```
![vet scan files](/img/vet/vet-scan-files.png)

340
docs/docs/reporting.md Normal file
View File

@ -0,0 +1,340 @@
---
sidebar_position: 7
title: 📝 Reporting
---
# 📝 Vet Reporting
`vet` default scan uses an opinionated [Summary Reporter](https://github.com/safedep/vet/blob/main/pkg/reporter/markdown.template.md) which presents a consolidated summary of findings. Thats NOT about it. Read more for expression based filtering and policy evaluation.
## Summary Report
- The default output format for the `vet` is console with summary. You can run the following command to get the summary report `--report-summary` flag. Which is basically a summary report with actionable advice.
```bash
vet scan --report-summary -D demo-client-java
```
![vet summary report](/img/vet/vet-report-summary.png)
## Console
- You can run the console output format for the `vet` using `--report-console` flag. Which returns the whole report of the scan in detailed format in the terminal or console.
```bash
vet scan --report-console -D demo-client-java
```
```bash
vet scan --report-console -D demo-client-java
Scanning packages ... 95.7% [######################.] [110 in 6.401304s]
Scanning manifests ... 0.0% [.......................] [0 in 6.401344s]
Manifest: /Users/madhuakula/vet/demo-client-java/gradle.lockfile
┌──────────────────────────────────────────────────────────────────────────────────┬────────────────┬───────────────────┐
│ PACKAGE │ ATTRIBUTE │ SUMMARY │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ antlr:antlr/2.7.7 │ │ │
│ │ Version Drift │ 2.7.7 > 20030911 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ com.fasterxml.jackson.core:jackson-databind/2.13.4 │ │ │
│ │ Vulnerability │ Critical:0 High:1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ com.sun.activation:jakarta.activation/1.2.2 │ │ │
│ │ Version Drift │ 1.2.2 > 2.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ com.sun.istack:istack-commons-runtime/3.0.12 │ │ │
│ │ Low Popularity │ Stars:9 Issues:2 │
│ │ Version Drift │ 3.0.12 > 4.1.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ com.zaxxer:HikariCP/4.0.3 │ │ │
│ │ Version Drift │ 4.0.3 > 5.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ commons-fileupload:commons-fileupload/1.4 │ │ │
│ │ Vulnerability │ Critical:0 High:1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.openfeign:feign-core/11.8 │ │ │
│ │ Version Drift │ 11.8 > 12.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.openfeign:feign-slf4j/11.8 │ │ │
│ │ Version Drift │ 11.8 > 12.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-annotations/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-circuitbreaker/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-circularbuffer/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-consumer/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-core/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-framework-common/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-micrometer/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-ratelimiter/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-retry/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-spring-boot2/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-spring/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ io.github.resilience4j:resilience4j-timelimiter/1.7.0 │ │ │
│ │ Version Drift │ 1.7.0 > 2.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ jakarta.annotation:jakarta.annotation-api/1.3.5 │ │ │
│ │ Version Drift │ 1.3.5 > 2.1.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ jakarta.persistence:jakarta.persistence-api/2.2.3 │ │ │
│ │ Version Drift │ 2.2.3 > 3.1.0 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ jakarta.transaction:jakarta.transaction-api/1.3.3 │ │ │
│ │ Version Drift │ 1.3.3 > 2.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ jakarta.validation:jakarta.validation-api/2.0.2 │ │ │
│ │ Version Drift │ 2.0.2 > 3.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ jakarta.xml.bind:jakarta.xml.bind-api/2.3.3 │ │ │
│ │ Version Drift │ 2.3.3 > 4.0.0 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ net.minidev:json-smart/2.4.8 │ │ │
│ │ Vulnerability │ Critical:0 High:1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-core/9.0.65 │ │ │
│ │ Version Drift │ 9.0.65 > 10.1.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-el/9.0.65 │ │ │
│ │ Version Drift │ 9.0.65 > 10.1.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-websocket/9.0.65 │ │ │
│ │ Version Drift │ 9.0.65 > 10.1.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.glassfish.jaxb:jaxb-runtime/2.3.6 │ │ │
│ │ Version Drift │ 2.3.6 > 4.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.glassfish.jaxb:txw2/2.3.6 │ │ │
│ │ Version Drift │ 2.3.6 > 4.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.slf4j:jul-to-slf4j/1.7.36 │ │ │
│ │ Version Drift │ 1.7.36 > 2.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.slf4j:slf4j-api/1.7.36 │ │ │
│ │ Version Drift │ 1.7.36 > 2.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-autoconfigure/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-configuration-processor/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-devtools/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-aop/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-data-jpa/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-data-rest/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-jdbc/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-json/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-logging/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-oauth2-resource-server/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-security/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-tomcat/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-validation/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter-web/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot-starter/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.boot:spring-boot/2.7.4 │ │ │
│ │ Version Drift │ 2.7.4 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-circuitbreaker-resilience4j/2.1.4 │ │ │
│ │ Version Drift │ 2.1.4 > 3.0.0 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-commons/3.1.4 │ │ │
│ │ Version Drift │ 3.1.4 > 4.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-context/3.1.4 │ │ │
│ │ Version Drift │ 3.1.4 > 4.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-openfeign-core/3.1.4 │ │ │
│ │ Version Drift │ 3.1.4 > 4.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-starter-circuitbreaker-resilience4j/2.1.4 │ │ │
│ │ Version Drift │ 2.1.4 > 3.0.0 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-starter-openfeign/3.1.4 │ │ │
│ │ Version Drift │ 3.1.4 > 4.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.cloud:spring-cloud-starter/3.1.4 │ │ │
│ │ Version Drift │ 3.1.4 > 4.0.1 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.data:spring-data-commons/2.7.3 │ │ │
│ │ Version Drift │ 2.7.3 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.data:spring-data-jpa/2.7.3 │ │ │
│ │ Version Drift │ 2.7.3 > 3.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.data:spring-data-rest-core/3.7.3 │ │ │
│ │ Version Drift │ 3.7.3 > 4.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.data:spring-data-rest-webmvc/3.7.3 │ │ │
│ │ Version Drift │ 3.7.3 > 4.0.4 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.hateoas:spring-hateoas/1.5.2 │ │ │
│ │ Version Drift │ 1.5.2 > 2.0.3 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-config/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-core/5.7.3 │ │ │
│ │ Vulnerability │ Critical:1 High:0 │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-crypto/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-oauth2-core/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-oauth2-jose/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-oauth2-resource-server/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework.security:spring-security-web/5.7.3 │ │ │
│ │ Version Drift │ 5.7.3 > 6.0.2 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-aop/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-aspects/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-beans/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-context/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-core/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-expression/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-jcl/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-jdbc/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-orm/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-tx/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-web/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.springframework:spring-webmvc/5.3.23 │ │ │
│ │ Version Drift │ 5.3.23 > 6.0.7 │
├──────────────────────────────────────────────────────────────────────────────────┼────────────────┼───────────────────┤
│ org.yaml:snakeyaml/1.30 │ │ │
│ │ Vulnerability │ Critical:0 High:2 │
Scanning packages ... done! [115 in 6.422s]
Scanning manifests ... done! [1 in 6.422s]
** Summary of Findings
** 1 critical, 5 high and 5 other vulnerabilities were identified
** 1 potentially unpopular library identified as direct dependency
** 78 libraries are out of date with major version drift in direct dependencies
** across 115 libraries in 1 manifest(s)
Consider upgrading the following libraries for maximum impact:
┌─────────────────────────────────────────────────────────┬───────────┬────────┐
│ PACKAGE │ UPDATE TO │ IMPACT │
├─────────────────────────────────────────────────────────┼───────────┼────────┤
│ org.yaml:snakeyaml@1.30 │ 2.0 │ 13 │
│ vulnerability drift │ │ │
├─────────────────────────────────────────────────────────┼───────────┼────────┤
│ org.springframework.security:spring-security-core@5.7.3 │ 6.0.2 │ 7 │
│ vulnerability drift │ │ │
├─────────────────────────────────────────────────────────┼───────────┼────────┤
│ com.sun.istack:istack-commons-runtime@3.0.12 │ 4.1.1 │ 4 │
│ low popularity drift │ │ │
├─────────────────────────────────────────────────────────┼───────────┼────────┤
│ commons-fileupload:commons-fileupload@1.4 │ 1.5 │ 3 │
│ vulnerability │ │ │
├─────────────────────────────────────────────────────────┼───────────┼────────┤
│ net.minidev:json-smart@2.4.8 │ 2.4.10 │ 3 │
│ vulnerability │ │ │
└─────────────────────────────────────────────────────────┴───────────┴────────┘
There are 77 more libraries that should be upgraded to reduce risk
Run vet with `--report-markdown=/path/to/report.md` for details
Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet
```
## Markdown
- You can run the Markdown output format for the `vet` using `--report-markdown` flag. Which it generates consolidated markdown report to file.
```bash
vet scan --report-markdown=vet-markdown-report.md -D demo-client-java
```
![vet markdown report file](/img/vet/vet-markdown-report-file.png)
## SARIF
🚧 Work-in-Progress (WIP)
## JSON
🚧 Work-in-Progress (WIP)
## CSV
🚧 Work-in-Progress (WIP)

14
docs/docs/resources.md Normal file
View File

@ -0,0 +1,14 @@
---
sidebar_position: 18
title: 🔖 Resources
---
# 🔖 Resources
Here are some of the great references & resources 🙌
- [https://slsa.dev](https://slsa.dev)
- [https://osv.dev](https://osv.dev)
- [https://github.com/google/osv-scanner](https://github.com/google/osv-scanner)
- [https://deps.dev](https://deps.dev)
- [https://securityscorecards.dev](https://securityscorecards.dev)

9
docs/docs/scenarios/_category_.json Normal file
View File

@ -0,0 +1,9 @@
{
"label": "📚 Scenarios",
"position": 16,
"link": {
"type": "generated-index",
"description": "Various real-world scenarios mapping back to vet"
}
}

1
docs/docs/scenarios/intentional-vulnerabilities-backdoors.md Normal file
View File

@ -0,0 +1 @@
# Intentional vulnerabilities and backdoors

5
docs/docs/scenarios/mitigating-dependency-confusion.md Normal file
View File

@ -0,0 +1,5 @@
# Dependency Confusion - package substitution attacks
:::info
This article is work in progress
:::

3
docs/docs/scenarios/typosquatting.md Normal file
View File

@ -0,0 +1,3 @@
# Typosquatting
A malicious actor creates a malicious package that is similar in name to a popular OSS component to trick developers into downloading it

1
docs/docs/scenarios/vulnerability-not-fixed-by-upstream-maintainer-in-desired-timeframe.md Normal file
View File

@ -0,0 +1 @@
# Vulnerability not fixed by upstream maintainer in desired timeframe

125
docs/docusaurus.config.js Normal file
View File

@ -0,0 +1,125 @@
// @ts-check
// Note: type annotations allow type checking and IDEs autocompletion
const lightCodeTheme = require('prism-react-renderer/themes/github');
const darkCodeTheme = require('prism-react-renderer/themes/dracula');
const BASE_URL = '/docs/';
/** @type {import('@docusaurus/types').Config} */
const config = {
title: 'vet',
tagline: 'Identify Open Source Risks',
url: 'https://safedep.io',
baseUrl: `${BASE_URL}`,
onBrokenLinks: 'throw',
onBrokenMarkdownLinks: 'warn',
favicon: 'img/vet.png',
organizationName: 'SafeDep',
projectName: 'vet',
trailingSlash: false,
deploymentBranch: 'main',
// Even if you don't use internalization, you can use this field to set useful
// metadata like html lang. For example, if your site is Chinese, you may want
// to replace "en" with "zh-Hans".
i18n: {
defaultLocale: 'en',
locales: ['en'],
},
presets: [
[
'classic',
/** @type {import('@docusaurus/preset-classic').Options} */
({
docs: {
routeBasePath: '/',
sidebarPath: require.resolve('./sidebars.js'),
// Please change this to your repo.
// Remove this to remove the "edit this page" links.
editUrl:
'https://github.com/safedep/vet/tree/main/docs',
},
theme: {
customCss: require.resolve('./src/css/custom.css'),
},
}),
],
],
themeConfig:
/** @type {import('@docusaurus/preset-classic').ThemeConfig} */
({
navbar: {
title: 'Vet ⚡️ SafeDep',
logo: {
alt: 'SafeDep Vet',
src: 'img/vet.png',
},
items: [
// {
// type: 'doc',
// docId: 'quickstart',
// position: 'left',
// label: 'Quick Start',
// },
// {
// type: 'doc',
// docId: 'overview',
// position: 'left',
// label: 'Documentation',
// },
// {to: '/blog', label: 'Blog', position: 'left'},
{
href: 'https://github.com/safedep/vet',
label: 'GitHub',
position: 'right',
}
],
},
footer: {
// links: [
// {
// title: 'Website',
// items: [
// {
// label: 'SafeDep',
// href: 'https://safedep.io',
// },
// ],
// },
// {
// title: 'Community',
// items: [
// {
// label: 'Discord',
// href: '#',
// },
// ],
// },
// {
// title: 'More',
// items: [
// {
// label: 'Blog',
// to: '/blog',
// },
// {
// label: 'GitHub',
// href: 'https://github.com/safedep/',
// },
// ],
// },
// ],
copyright: `Copyright © ${new Date().getFullYear()} - <a href="https://safedep.io" target = "_blank" rel = "noopener" >SafeDep</a>`,
},
prism: {
theme: lightCodeTheme,
darkTheme: darkCodeTheme,
},
}),
};
module.exports = config;

84
docs/exceptions.md
View File

@ -1,84 +0,0 @@
# Exceptions Management
Any security scanning tool may produce
1. False positive
2. Issues that are acceptable for a period of time
3. Issues that are ignored permanently
To support exceptions, we introduce the exception model defined in [exception
spec](../api/exceptions_spec.proto)
## Use-case
> As a user of `vet` tool, I want to add all existing packages or package
> versions as `exceptions` to make the scanner and filter analyser to ignore
> them while reporting issues so that I can deploy `vet` as a security gate to
> prevent introducing new packages with security issues
This workflow will allow users to
1. Accept the current issues as backlog to be mitigated over time
2. Deploy `vet` as a security gate in CI to prevent introducing new issues
### Security Risks
Exceptions management should handle the potential security risk of ignoring a
package and its future issues. To mitigate this risk, we will ensure that issues
can be ignored till an acceptable time window and not permanently.
## Workflow
### Generate Exceptions File
Run a scan and dump raw data to a directory
```bash
vet scan -D /path/to/repo --json-dump-dir /path/to/dump
```
Use `vet query` to generate exceptions for all existing packages
```bash
vet query --from /path/to/dump \
--exceptions-generate /path/to/exceptions.yml \
--exceptions-filter 'true' \ # Optional filter for packages to add
--exceptions-till '2023-12-12'
```
> `--exceptions-till` is parsed as `YYYY-mm-dd` and will generate a timestamp
> of `00:00:00` in UTC timezone for the date in RFC3339 format
### Customize Exceptions File
The generated exceptions file will add all packages, matching optional filter,
into the `exceptions.yml` file. This file should be reviewed and customised as
required before using it.
### Use Exceptions to Ignore Specific Packages
An exceptions file can be passed as a global flag to `vet`. It will be used for
various commands such as `scan` or `query`.
```bash
./vet --exceptions /path/to/exceptions.yml scan -D /path/to/repo
```
> **Note:** Do not pass this flag while generating exceptions list in query
> workflow to avoid incorrect exception list generation
## Behaviour
* All exceptions rules are applied only on a `Package`
* All comparisons will be case-insensitive except version
* Only `version` can have a value of `*` matching any version
* Exceptions are globally managed and will be shared across packages
* Exempted packages will be ignored by all analysers and reporters
* First match policy for exceptions matching
Anti-patterns that will NOT be implemented
* Exceptions will not be implemented for manifests because they will cause
false negatives
* Exceptions will not be created without an expiry to avoid future false
negatives on the package

215
docs/filtering.md
View File

@ -1,215 +0,0 @@
# Filtering
Filter command helps solve the problem of visibility for OSS dependencies in an
application. To support various requirements, we adopt a generic [expressions
language](https://github.com/google/cel-spec) for flexible filtering.
## Example
```bash
vet scan -D /path/to/repo \
--report-summary=false \
--filter 'licenses.exists(p, p == "MIT")'
```
The scan will list only packages that use the `MIT` license.
Find dependencies that seems not very popular
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='projects.exists(x, x.stars < 10)'
```
Find dependencies with a critical vulnerability
```bash
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='vulns.critical.exists_one(x, true)'
```
## Input
Filter expressions work on packages (aka. dependencies) and evaluates to
a boolean result. The package is included in the results table if the
expression evaluates to `true`.
Filter expressions get the following input data to work with
| Variable | Content |
|-------------|-------------------------------------------------------------|
| `_` | The root variable, holding other variables |
| `vulns` | Holds a map of vulnerabiliteis by severity |
| `scorecard` | Holds OpenSSF scorecard |
| `projects` | Holds a list of source projects associated with the package |
| `licenses` | Holds a list of liceses in SPDX license code format |
Refer to [filter input spec](../api/filter_input_spec.proto) for detailed
structure of input messages.
## Expressions
Expressions are [CEL](https://github.com/google/cel-spec) statements. While
CEL internals are not required, an [introductory](https://github.com/google/cel-spec/blob/master/doc/intro.md)
knowledge of CEL will help formulating queries. Expressions are logical
statements that evaluate to `true` or `false`.
### Example Queries
| Description | Query |
|----------------------------------------------|--------------------------------------|
| Find packages with a critical vulnerability | `vulns.critical.exists(x, true)` |
| Find unmaintained packages as per OpenSSF SC | `scorecard.scores.Maintained == 0` |
| Find packages with low stars | `projects.exists(x, x.stars < 10)` |
| Find packages with GPL-2.0 license | `licenses.exists(x, x == "GPL-2.0")`
Refer to [scorecard checks](https://github.com/ossf/scorecard#checks-1) for
a list of checks available from OpenSSF Scorecards project.
## Query Workflow
Scanning a package manifest is a resource intensive process as it involves
enriching package metadata by queryin [Insights API](https://safedep.io/docs/concepts/raya-data-platform-overview).
However, filtering and reporting may be done multiple times on the same
manifest. To speed up the process, we can dump the enriched data as JSON and
load the same for filtering and reporting.
Dump enriched JSON manifests to a directory (example)
```bash
vet scan --lockfile /path/to/package-lock.json --json-dump-dir /tmp/dump
vet scan -D /path/to/repository --json-dump-dir /tmp/dump-many
```
Load the enriched metadata for filtering and reporting
```bash
vet query --from /tmp/dump --report-summary
vet query --from /tmp/dump --filter 'scorecard.score.Maintained == 0'
```
## Security Gating with Filters
A simple security gate (in CI) can be achieved using the filters. The
`--filter-fail` argument tells the `Filter Analyzer` module to fail the command
if any package matches the given filter.
Example:
```bash
vet query --from /path/to/json-dump \
--filter 'scorecard.scores.Maintained == 0' \
--filter-fail
```
Subsequently, the command fails with `-1` exit code in case of match
```bash
➜ vet git:(develop) ✗ echo $?
255
```
## Filter Suite
A single filter is useful for identification of packages that meet some
specific criteria. While it helps solve various use-cases, it is not entirely
suitable for `security gating` where multiple filters may be required to
express an organization's acceptable OSS usage policy.
For example, an organization may define a filter to deny certain type of
packages:
1. Any package that has a high or critical vulnerability
2. Any package that does not match acceptable OSS licenses
3. Any package that has a low [OpenSSF scorecard score](https://github.com/ossf/scorecard)
To express this policy, multiple filters are needed such as:
```
vulns.critical.exists(p, true) ||
licenses.exists(p, (p != "MIT") && (p != "Apache-2.0")) ||
(scorecard.scores.Maintained == 0)
```
To solve this problem, we introduce the concept of `Filter Suite`. It can be
represented as an YAML file containing multiple filters to match:
```yaml
name: Generic Filter Suite
description: Example filter suite with canned filters
filters:
- name: critical-vuln
value: |
vulns.critical.exists(p, true)
- name: safe-licenses
value: |
licenses.exists(p, (p != "MIT") && (p != "Apache-2.0"))
- name: ossf-maintained
value: |
scorecard.scores.Maintained == 0
```
A scan or query operation can be invoked using the filter suite:
```bash
vet scan -D /path/to/repo --filter-suite /path/to/filters.yml --filter-fail
```
The filter suite will be evaluated as:
* Ordered list of filters as given in the suite file
* Stop on first rule match for a given package
## FAQ
### How does the filter input JSON look like?
```json
{
"pkg": {
"ecosystem": "npm",
"name": "lodash.camelcase",
"version": "4.3.0"
},
"vulns": {
"all": [],
"critical": [],
"high": [],
"medium": [],
"low": []
},
"scorecard": {
"scores": {
"Binary-Artifacts": 10,
"Branch-Protection": 0,
"CII-Best-Practices": 0,
"Code-Review": 8,
"Dangerous-Workflow": 10,
"Dependency-Update-Tool": 0,
"Fuzzing": 0,
"License": 10,
"Maintained": 0,
"Packaging": -1,
"Pinned-Dependencies": 9,
"SAST": 0,
"Security-Policy": 10,
"Signed-Releases": -1,
"Token-Permissions": 0,
"Vulnerabilities": 10
}
},
"projects": [
{
"name": "lodash/lodash",
"type": "GITHUB",
"stars": 55518,
"forks": 6787,
"issues": 464
}
],
"licenses": [
"MIT"
]
}
```

BIN
docs/images/vet-summary-demo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 82 KiB

43
docs/package.json Normal file
View File

@ -0,0 +1,43 @@
{
"name": "vet",
"version": "0.0.0",
"private": true,
"scripts": {
"docusaurus": "docusaurus",
"start": "docusaurus start",
"build": "docusaurus build",
"swizzle": "docusaurus swizzle",
"deploy": "docusaurus deploy",
"clear": "docusaurus clear",
"serve": "docusaurus serve",
"write-translations": "docusaurus write-translations",
"write-heading-ids": "docusaurus write-heading-ids"
},
"dependencies": {
"@docusaurus/core": "^2.4.0",
"@docusaurus/preset-classic": "^2.4.0",
"@mdx-js/react": "^1.6.22",
"clsx": "^1.2.1",
"prism-react-renderer": "^1.3.5",
"react": "^17.0.2",
"react-dom": "^17.0.2"
},
"devDependencies": {
"@docusaurus/module-type-aliases": "^2.4.0"
},
"browserslist": {
"production": [
">0.5%",
"not dead",
"not op_mini all"
],
"development": [
"last 1 chrome version",
"last 1 firefox version",
"last 1 safari version"
]
},
"engines": {
"node": ">=16.14"
}
}

33
docs/sidebars.js Normal file
View File

@ -0,0 +1,33 @@
/**
* Creating a sidebar enables you to:
- create an ordered group of docs
- render a sidebar for each doc of that group
- provide next/previous navigation
The sidebars can be generated from the filesystem, or explicitly defined here.
Create as many sidebars as you want.
*/
// @ts-check
/** @type {import('@docusaurus/plugin-content-docs').SidebarsConfig} */
const sidebars = {
// By default, Docusaurus generates a sidebar from the docs folder structure
tutorialSidebar: [{type: 'autogenerated', dirName: '.'}],
// But you can create a sidebar manually
/*
tutorialSidebar: [
'intro',
'hello',
{
type: 'category',
label: 'Tutorial',
items: ['tutorial-basics/create-a-document'],
},
],
*/
};
module.exports = sidebars;

50
docs/src/css/custom.css Normal file
View File

@ -0,0 +1,50 @@
/**
* Any CSS included here will be global. The classic template
* bundles Infima by default. Infima is a CSS framework designed to
* work well for content-centric websites.
*/
/* You can override the default Infima variables here. */
/* :root {
--ifm-color-primary: #2e8555;
--ifm-color-primary-dark: #29784c;
--ifm-color-primary-darker: #277148;
--ifm-color-primary-darkest: #205d3b;
--ifm-color-primary-light: #33925d;
--ifm-color-primary-lighter: #359962;
--ifm-color-primary-lightest: #3cad6e;
--ifm-code-font-size: 95%;
--docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
} */
@import url('https://fonts.googleapis.com/css2?family=Zen+Maru+Gothic:wght@500;700;900&display=swap');
:root {
--ifm-color-primary: #343793;
--ifm-color-primary-dark: #2f3184;
--ifm-color-primary-darker: #2c2f7d;
--ifm-color-primary-darkest: #242667;
--ifm-color-primary-light: #393ca2;
--ifm-color-primary-lighter: #3c3fa9;
--ifm-color-primary-lightest: #4549bd;
--ifm-code-font-size: 95%;
--ifm-font-family-base: 'Zen Maru Gothic', sans-serif;
}
/* For readability concerns, you should choose a lighter palette in dark mode. */
[data-theme='dark'] {
--ifm-color-primary: #8488f5;
--ifm-color-primary-dark: #6166f2;
--ifm-color-primary-darker: #5055f1;
--ifm-color-primary-darkest: #1b23ec;
--ifm-color-primary-light: #a7aaf8;
--ifm-color-primary-lighter: #b8bbf9;
--ifm-color-primary-lightest: #ededfe;
--ifm-background-color: #000000;
}
.img-center {
display: flex;
justify-content: center;
width: 100%,
}

23
docs/src/pages/index.module.css Normal file
View File

@ -0,0 +1,23 @@
/**
* CSS files with the .module.css suffix will be treated as CSS modules
* and scoped locally.
*/
.heroBanner {
padding: 4rem 0;
text-align: center;
position: relative;
overflow: hidden;
}
@media screen and (max-width: 996px) {
.heroBanner {
padding: 2rem;
}
}
.buttons {
display: flex;
align-items: center;
justify-content: center;
}

0
docs/static/.nojekyll vendored Normal file
View File

BIN
docs/static/img/favicon.ico vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
docs/static/img/safedep-discord.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 166 KiB

BIN
docs/static/img/vet-docs.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 489 KiB

BIN
docs/static/img/vet.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
docs/static/img/vet/github-action-secret-add.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
docs/static/img/vet/scanning-multiple-files.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 351 KiB

BIN
docs/static/img/vet/silent-scan.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

BIN
docs/static/img/vet/vet-architecture.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 810 KiB

BIN
docs/static/img/vet/vet-auth-configure.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 174 KiB

BIN
docs/static/img/vet/vet-autocomplete.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 208 KiB

BIN
docs/static/img/vet/vet-banner.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 382 KiB

BIN
docs/static/img/vet/vet-command.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 592 KiB

BIN
docs/static/img/vet/vet-configure.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

0
docs/images/vet-demo.gif → docs/static/img/vet/vet-demo.gif vendored
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.6 MiB

After

Width:  |  Height:  |  Size: 1.6 MiB

BIN
docs/static/img/vet/vet-github-action-real-world.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 386 KiB

BIN
docs/static/img/vet/vet-github-releases.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 153 KiB

BIN
docs/static/img/vet/vet-markdown-report-file.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 500 KiB

BIN
docs/static/img/vet/vet-register-trial.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

BIN
docs/static/img/vet/vet-report-summary.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 350 KiB

BIN
docs/static/img/vet/vet-scan-directory.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 346 KiB

BIN
docs/static/img/vet/vet-scan-files.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 324 KiB

BIN
docs/static/img/vet/vet-scan-prasers.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 181 KiB

BIN
docs/static/img/vet/vet-transitive-default.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 300 KiB

BIN
docs/static/img/vet/vet-transitive-depth.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 316 KiB

2
docs/static/robots.txt vendored Normal file
View File

@ -0,0 +1,2 @@
User-agent: *
Disallow: