Pipe cyclonedx sbom to std_out #194
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n be picked up by other scanners
added 2 commits
May 1, 2020 13:57
…irp -> [email protected] to [email protected] due to a security vuln failing our dogfood scan
DarthHater
reviewed
May 5, 2020
package.json
Outdated
| @@ -91,6 +91,7 @@ | |||
| "node-fetch": "^2.6.0", | |||
| "node-persist": "^3.0.5", | |||
| "ora": "^4.0.3", | |||
| "package-lock.json": "^1.0.0", | |||
There was a problem hiding this comment.
i did pin the minimist transitive dependency but idk if that's related...
There was a problem hiding this comment.
yeah i removed it and it brought minimist back in
There was a problem hiding this comment.
https://www.npmjs.com/package/package-lock
looks like it lets you build from the package-lock and i had to use it to pin the dependency
ButterB0wl
commented
May 5, 2020
…Command already had it as false so it didn't change IQ scan times. Might be worth stripping everything but the purls to keep it standard with the boms of the other tools
…tions are going to differ locally
|
🎉 This PR is included in version 4.0.15 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding the 'sbom' subcommand to pipe the CycloneDx bom that gets submitted to IQ to std_out so that we can generate a portable bom file that can be ingested by scanners and IQ servers disconnected from the build environment.
This command will be standard for all the Sonatype DevEx scanners that generate a CycloneDx bom
Tested successfully with no internet connection on a built project
Are there any arguments to the sbom command that we want to make standard? Should we allow the DevEx scanners to append to existing sboms? That would be a little harder but it covers the use case of an app with multiple ecosystems in it. Should we allow AuditJS to submit a bom to IQ directly without resolving the dependencies?
I think first step for MVP is to just output to the console for each tool and they can do whatever with that, but I would like to define a standard way of handling these exported reports across our tooling
cc @bhamail / @DarthHater / @allenhsieh / @ken-duck