
fix(report): tidy dependencies for multiple repo on integration with GSA #1593

Merged
merged 4 commits into from
Feb 7, 2023

Conversation


@kl-sinclair kl-sinclair commented Feb 6, 2023

What did you implement:

In the case of a multiple-repository scan, the dependency graph is included INCORRECTLY, because the last scanned repo overwrites the others.
This PR tidies dependencies by repository and manifest file, and sets which repo the component comes from in the SBOM.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

$ vuls report -to-localfile -format-cyclonedx-json
or 
$ vuls report -to-localfile -format-cyclonedx-xml

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@kl-sinclair kl-sinclair self-assigned this Feb 6, 2023
@kl-sinclair kl-sinclair marked this pull request as ready for review February 7, 2023 10:15
@kl-sinclair kl-sinclair changed the title [WIP] fix(report): tidy dependencies for multiple repo on integration with GSA fix(report): tidy dependencies for multiple repo on integration with GSA Feb 7, 2023
@kl-sinclair kl-sinclair requested a review from kotakanbe February 7, 2023 10:16

kl-sinclair commented Feb 7, 2023

Sample SBOM output

https://gist.github.com/kl-sinclair/de86af7174591df5ebae0b89ca541e5e

blob path as lockfile name

  "components": [
    ...
    {
      "bom-ref": "99d637f3-21e8-4d9b-bcd7-4c8ad552b76b",
      "type": "application",
      "name": "/future-architect/vuls/blob/master/go.sum",
      "properties": [
        {
          "name": "future-architect:vuls:Type",
          "value": "gomod"
        }
      ]
    },
    ...

repo url in purl qualifier

    ...
    {
      "bom-ref": "pkg:gomod/cloud.google.com%2Fgo@v0.105.0?repo_url=https:%2F%2Fgh.neting.cc%2Ffuture-architect%2Fvuls\u0026file_path=go.sum",
      "type": "library",
      "name": "cloud.google.com/go",
      "version": "v0.105.0",
      "purl": "pkg:gomod/cloud.google.com%2Fgo@v0.105.0?repo_url=https:%2F%2Fgh.neting.cc%2Ffuture-architect%2Fvuls\u0026file_path=go.sum"
    },
    ...
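
The grouping that the PR description and the sample output above describe, written out as an added Go example (this is not vuls's own code, and the Lockfile/Component types, the "app:" bom-ref scheme and the second repository "example-org/other-repo" are constructed for the demonstration). NaiveComponents keys libraries by name and version only, so a package that appears in two repositories collapses into one entry and the last repository wins; Components keys them by a purl that carries repo_url and file_path qualifiers, and adds one application component per (repository, manifest) pair named by its blob path, as the sample shows. ToJSON also shows why the sample contains "\u0026": encoding/json HTML-escapes '&' by default.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Lockfile is one manifest found in one scanned repository. The shape is
// constructed for this example; it is not vuls's own result type.
type Lockfile struct {
	RepoURL  string // e.g. https://github.com/org/repo
	Ref      string // branch or tag the manifest was read from
	Path     string // manifest path inside the repo, e.g. go.sum
	Type     string // ecosystem used as the purl type, e.g. gomod
	Packages []Package
}

// Package is one dependency listed in a lockfile.
type Package struct {
	Name, Version string
}

// Component is a minimal CycloneDX-style component carrying only the fields
// shown in the PR's sample output.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

// PURL builds a package URL whose qualifiers record the repository and
// manifest the package came from. Values are percent-encoded with
// url.QueryEscape, which also escapes ':' (the sample leaves it bare);
// ParseQualifiers reverses either form.
func PURL(lf Lockfile, p Package) string {
	return fmt.Sprintf("pkg:%s/%s@%s?repo_url=%s&file_path=%s",
		lf.Type, url.QueryEscape(p.Name), p.Version,
		url.QueryEscape(lf.RepoURL), url.QueryEscape(lf.Path))
}

// ParseQualifiers returns the qualifier map of a purl (the part after '?').
func ParseQualifiers(purl string) (url.Values, error) {
	_, q, found := strings.Cut(purl, "?")
	if !found {
		return url.Values{}, nil
	}
	return url.ParseQuery(q)
}

// BlobPath names the application component the way the sample does:
// the repository path plus /blob/<ref>/<manifest>.
func BlobPath(lf Lockfile) string {
	u, err := url.Parse(lf.RepoURL)
	if err != nil {
		return lf.Path
	}
	return u.Path + "/blob/" + lf.Ref + "/" + lf.Path
}

// Components is the fixed behaviour: one application component per
// (repository, manifest) pair, and libraries deduplicated by their full purl,
// so the same package seen in two repositories yields two distinct entries.
func Components(lockfiles []Lockfile) []Component {
	var out []Component
	seen := map[string]bool{}
	for _, lf := range lockfiles {
		app := BlobPath(lf)
		// Deterministic bom-ref for the example; vuls emits a UUID here.
		out = append(out, Component{BOMRef: "app:" + app, Type: "application", Name: app})
		for _, p := range lf.Packages {
			ref := PURL(lf, p)
			if seen[ref] {
				continue
			}
			seen[ref] = true
			out = append(out, Component{BOMRef: ref, Type: "library", Name: p.Name, Version: p.Version, PURL: ref})
		}
	}
	return out
}

// NaiveComponents reproduces the bug the PR fixes: libraries are keyed by
// name and version only, so the last scanned repository overwrites the
// earlier ones and the SBOM no longer says where a package came from.
func NaiveComponents(lockfiles []Lockfile) []Component {
	byKey := map[string]Component{}
	var order []string
	for _, lf := range lockfiles {
		for _, p := range lf.Packages {
			key := p.Name + "@" + p.Version
			if _, ok := byKey[key]; !ok {
				order = append(order, key)
			}
			byKey[key] = Component{BOMRef: key, Type: "library", Name: p.Name, Version: p.Version,
				PURL: fmt.Sprintf("pkg:%s/%s@%s", lf.Type, url.QueryEscape(p.Name), p.Version)}
		}
	}
	out := make([]Component, 0, len(order))
	for _, k := range order {
		out = append(out, byKey[k])
	}
	return out
}

// ToJSON marshals the components. encoding/json escapes '&' as \u0026 by
// default, which is why the sample shows "\u0026file_path" inside the purl.
func ToJSON(comps []Component) (string, error) {
	b, err := json.MarshalIndent(map[string]any{"components": comps}, "", "  ")
	return string(b), err
}

// SampleScan is constructed input: two repositories whose go.sum files share
// one dependency. The second repository is made up for the example.
func SampleScan() []Lockfile {
	return []Lockfile{
		{RepoURL: "https://github.com/future-architect/vuls", Ref: "master", Path: "go.sum", Type: "gomod",
			Packages: []Package{{Name: "cloud.google.com/go", Version: "v0.105.0"}, {Name: "golang.org/x/text", Version: "v0.6.0"}}},
		{RepoURL: "https://github.com/example-org/other-repo", Ref: "main", Path: "go.sum", Type: "gomod",
			Packages: []Package{{Name: "cloud.google.com/go", Version: "v0.105.0"}}},
	}
}

func main() {
	fmt.Printf("naive: %d libraries (shared package collapsed)\n", len(NaiveComponents(SampleScan())))
	out, err := ToJSON(Components(SampleScan()))
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Keying on the full purl is what makes the fix hold up downstream: a consumer matching SBOM components against advisories can still group by name and version, but it can now also report which repository and manifest to remediate.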

@kotakanbe kotakanbe left a comment


LGTM

@kotakanbe kotakanbe merged commit 1927ed3 into future-architect:master Feb 7, 2023
@kl-sinclair kl-sinclair deleted the gsa-deps-multi-repo branch February 7, 2023 11:07