New workflow to show reachable components #3181

Open

wants to merge 4 commits into master

Conversation

@prabhu prabhu commented Nov 8, 2023

Description

This adds a new workflow to generate an SBOM with evidence using cdxgen.

Below are some links to a sample execution

Component Evidence

https://github.com/prabhu/dependency-track/actions/runs/6797742105/job/18480486493#step:4:22410

Call Stack Evidence

https://github.com/prabhu/dependency-track/actions/runs/6797742105/job/18480486493#step:4:24079

Reachable components

https://github.com/prabhu/dependency-track/actions/runs/6797742105/job/18480486493#step:4:24559

Addressed Issue

Publishing a comprehensive SBOM with a research profile would help security researchers and AppSec stay a step ahead of vulnerabilities. For instance, below are the top 3 libraries that dependency track users could prioritize to ensure their server instance doesn't get attacked when a vulnerability becomes public.

╔═══════════════════════════════════════════════════════════════════════════════════════════╗
║                                   Reachable Components                                    ║
║                                Generated with ♥ by cdxgen                                 ║
╟─────────────────────────────────────────────────────────────────────────┬─────────────────╢
║ Package URL                                                             │ Reachable Flows ║
╟─────────────────────────────────────────────────────────────────────────┼─────────────────╢
║ pkg:maven/us.springett/alpine-infra@2.2.4-SNAPSHOT?type=jar             │ 229             ║
╟─────────────────────────────────────────────────────────────────────────┼─────────────────╢
║ pkg:maven/org.datanucleus/javax.jdo@3.2.1?type=jar                      │ 154             ║
╟─────────────────────────────────────────────────────────────────────────┼─────────────────╢
║ pkg:maven/javax.json/javax.json-api@1.1.4?type=jar                      │ 75              ║
╟─────────────────────────────────────────────────────────────────────────┼─────────────────╢

Additional Details

Related: DependencyTrack/frontend#644

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
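The "Reachable Components" table above is produced by cdxgen; the script below is an added example (not part of this PR, cdxgen, or Dependency-Track) showing how a consumer of the published SBOM could derive a similar prioritisation from the standard CycloneDX 1.5 evidence fields. It counts `evidence.occurrences` and `evidence.callstack.frames` per component rather than cdxgen's own "reachable flows" metric, and the embedded SBOM is a constructed sample, not output from the workflow.

```python
"""Rank the components of a CycloneDX 1.5 SBOM by the evidence attached to them."""
import json

# Constructed sample (not real cdxgen output) with the CycloneDX 1.5 evidence
# fields a research-profile scan populates: evidence.occurrences (where the
# package is referenced) and evidence.callstack.frames (how it is reached).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library",
         "purl": "pkg:maven/org.datanucleus/javax.jdo@3.2.1?type=jar",
         "evidence": {
             "occurrences": [{"location": "src/main/java/app/Dao.java", "line": 42}],
             "callstack": {"frames": [
                 {"package": "org.datanucleus", "module": "javax.jdo",
                  "function": "getPersistenceManager", "line": 10},
                 {"package": "org.datanucleus", "module": "javax.jdo",
                  "function": "makePersistent", "line": 22}]}}},
        {"type": "library",
         "purl": "pkg:maven/javax.json/javax.json-api@1.1.4?type=jar",
         "evidence": {"occurrences": [{"location": "src/main/java/app/Api.java", "line": 7}]}},
        # Declared dependency that no scanned code was seen to touch: no evidence.
        {"type": "library", "purl": "pkg:maven/org.example/unused@1.0.0?type=jar"},
    ],
})


def reachable_components(bom_json: str):
    """Return [(purl, occurrences, frames)] ordered by evidence volume, most first.

    Components without any evidence are left out, so the result is the
    "what should I patch first" subset rather than the full dependency tree.
    """
    bom = json.loads(bom_json)
    major, minor = (int(p) for p in bom.get("specVersion", "0.0").split("."))
    if (major, minor) < (1, 5):
        # evidence.callstack only exists from CycloneDX 1.5 onwards
        raise ValueError("component evidence needs CycloneDX 1.5 or newer")
    rows = []
    for comp in bom.get("components", []):
        ev = comp.get("evidence") or {}
        occ = len(ev.get("occurrences") or [])
        frames = len((ev.get("callstack") or {}).get("frames") or [])
        if occ or frames:
            rows.append((comp.get("purl") or comp.get("name", "?"), occ, frames))
    rows.sort(key=lambda r: (-(r[1] + r[2]), r[0]))
    return rows


if __name__ == "__main__":
    for purl, occ, frames in reachable_components(SAMPLE_BOM):
        print(f"{purl:<60} occurrences={occ:<3} frames={frames}")
```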
@msymons msymons added the cdx-1.5 Related to CycloneDX specification v1.5 label Nov 8, 2023