
Use vdr bom as basis for jinja reports #189

Merged: 1 commit, Dec 21, 2023

Conversation

@heubeck (Collaborator) commented Dec 15, 2023

That's effectively a breaking change, but the adoption of that feature might be quite low so far.

@prabhu (Member) left a comment

lgtm

depscan/cli.py
with open(vdr_file, "r", encoding="utf-8") as f:
bom = json.load(f)
else:
bom = None
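Review bot: the else branch leaves bom as None, so every later use has to guard against it (the render call does `bom['metadata'] if bom else None`, and a `bom.get(...)` would raise AttributeError); defaulting to an empty dict, `bom = {}`, or loading bom_file here as suggested below, lets the render call use `.get()` uniformly. Also, json.load raises on a malformed file, so consider catching json.JSONDecodeError and reporting the offending path instead of a traceback.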
Collaborator

@heubeck Here you could fall back to loading the bom_file - just add the same thing you have for vdr_file in the else block.

@heubeck (Collaborator, Author)
great idea, thx. will do that

with open(template_file, "r", encoding="utf-8") as tmpl_file:
template = tmpl_file.read()
jinja_env = Environment(autoescape=False)
jinja_tmpl = jinja_env.from_string(template)
report_result = jinja_tmpl.render(
vulnerabilities=json_report,
metadata=bom['metadata'] if bom else None,
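Review bot: `Environment(autoescape=False)` renders every interpolated value verbatim, and the values here (metadata, the vulnerability list) originate in the BOM/VDR: package names, descriptions and advisory text that the report author does not control. If a template produces HTML, that is a markup-injection path into the report; `Environment(autoescape=True)` (or `select_autoescape()`) with `|safe` on the few trusted fragments closes it. For plain-text or Markdown templates leaving autoescape off is reasonable, but the choice deserves a comment so nobody later reuses this environment for HTML output.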
Collaborator

@heubeck I suggest doing this using the dictionary get method (e.g. bom.get('metadata', None)) and checking for bom separately (or loading the data from bom_file). If you think using the bom_file as a fallback seems reasonable, you'd definitely want to do this, as the regular bom file will not include the vulnerabilities key.

    report_result = jinja_tmpl.render(
        metadata=bom.get('metadata', None),
        vulnerabilities=bom.get('vulnerabilities', None),
        components=bom.get('components', None),

... and so on
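The VDR-then-BOM fallback and the `.get()` defaults discussed in the comments above, as an added example; this is not dep-scan's own code from depscan/cli.py. The sample VDR/BOM documents, the file names, and the function names `load_bom`, `build_context`, `render_report` and `demo` are assumptions made for the demonstration. `render_report` also turns Jinja2 autoescaping on, which the PR's code does not, since the interpolated values come from the BOM rather than the report author:

```python
import json
import os
import tempfile
from typing import Any, Dict, Optional

# Constructed sample documents for the demo (not real dep-scan output).
# A VDR carries a "vulnerabilities" list; a plain BOM does not.
SAMPLE_VDR: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"name": "example-lib", "version": "2.3.4", "purl": "pkg:pypi/example-lib@2.3.4"}
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "description": "<b>constructed</b> advisory text"}
    ],
}
SAMPLE_BOM: Dict[str, Any] = {k: v for k, v in SAMPLE_VDR.items() if k != "vulnerabilities"}


def load_bom(vdr_file: Optional[str], bom_file: Optional[str]) -> Dict[str, Any]:
    """Prefer the VDR, fall back to the plain BOM, return {} when neither exists.

    Returning a dict (never None) lets the caller use .get() uniformly.
    """
    for path in (vdr_file, bom_file):
        if path and os.path.isfile(path):
            with open(path, "r", encoding="utf-8") as f:
                data = json.load(f)
            if isinstance(data, dict):
                return data
    return {}


def build_context(bom: Dict[str, Any], json_report: Optional[list] = None) -> Dict[str, Any]:
    """Assemble the template variables with .get() so a missing key yields a default
    instead of a KeyError. The scan's own findings (json_report) win over the
    vulnerabilities embedded in the VDR when both are present."""
    return {
        "metadata": bom.get("metadata"),
        "components": bom.get("components", []),
        "vulnerabilities": json_report if json_report is not None else bom.get("vulnerabilities", []),
    }


def render_report(template_text: str, context: Dict[str, Any]) -> str:
    """Render with Jinja2 autoescaping on: package names and advisory text come from
    the BOM/VDR, not from the report author, so they must not be able to inject
    markup into an HTML report. (Assumes jinja2 is installed, as dep-scan requires.)"""
    from jinja2 import Environment  # imported lazily so the loaders above work without it
    env = Environment(autoescape=True)
    return env.from_string(template_text).render(**context)


def demo() -> Dict[str, Dict[str, Any]]:
    """Exercise the three loading cases against constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        vdr_path = os.path.join(tmp, "bom.vdr.json")
        bom_path = os.path.join(tmp, "bom.json")
        with open(bom_path, "w", encoding="utf-8") as f:
            json.dump(SAMPLE_BOM, f)
        # 1. Only the plain BOM exists: fall back to it, no vulnerabilities.
        fallback = build_context(load_bom(vdr_path, bom_path))
        with open(vdr_path, "w", encoding="utf-8") as f:
            json.dump(SAMPLE_VDR, f)
        # 2. VDR present: it is preferred and brings its vulnerabilities.
        vdr = build_context(load_bom(vdr_path, bom_path))
        # 3. Neither file exists: every variable gets a safe default.
        none = build_context(load_bom(None, os.path.join(tmp, "missing.json")))
    return {"fallback": fallback, "vdr": vdr, "none": none}


if __name__ == "__main__":
    results = demo()
    template = (
        "<h1>{{ metadata.component.name if metadata else 'unknown' }}</h1>\n"
        "{% for v in vulnerabilities %}<li>{{ v.id }}: {{ v.description }}</li>\n{% endfor %}"
    )
    try:
        print(render_report(template, results["vdr"]))  # advisory markup arrives escaped
    except ImportError:
        print("jinja2 not installed; context only:", json.dumps(results["vdr"], indent=2))
```

With the fallback in place the template sees the same variable names whether a VDR, a plain BOM, or nothing was supplied; a plain BOM simply yields an empty vulnerabilities list, which is why the defaults matter more once bom_file becomes a fallback.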

Signed-off-by: Florian Heubeck <heubeck@mediamarktsaturn.com>
@cerrussell (Collaborator) left a comment

Fantastic!

@prabhu prabhu merged commit 4543f99 into owasp-dep-scan:master Dec 21, 2023
39 checks passed
@heubeck heubeck deleted the custom-report-based-on-vdr branch December 21, 2023 09:10