pip_audit: initial SBOM support via CycloneDX #109
Conversation
XML support is "in", but is currently failing with:
...so I'm guessing there's a part of the

Edit: Looks like a type error in CycloneDX. Creating a PR.
Upstream bug: CycloneDX/cyclonedx-python-lib#61
Example XML output with an intentionally vulnerable requirements file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:5f03d520-4ca9-4025-8781-b0711cc98cda" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <metadata>
    <timestamp>2021-11-09T18:46:43.718858+00:00</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>0.10.0</version>
      </tool>
    </tools>
  </metadata>
  <components>
    <component bom-ref="pkg:pypi/docker-py@1.2.3" type="library">
      <name>docker-py</name>
      <version>1.2.3</version>
      <purl>pkg:pypi/docker-py@1.2.3</purl>
    </component>
    <component bom-ref="pkg:pypi/certifi@2021.10.8" type="library">
      <name>certifi</name>
      <version>2021.10.8</version>
      <purl>pkg:pypi/certifi@2021.10.8</purl>
    </component>
    <component bom-ref="pkg:pypi/charset-normalizer@2.0.7" type="library">
      <name>charset-normalizer</name>
      <version>2.0.7</version>
      <purl>pkg:pypi/charset-normalizer@2.0.7</purl>
    </component>
    <component bom-ref="pkg:pypi/idna@3.3" type="library">
      <name>idna</name>
      <version>3.3</version>
      <purl>pkg:pypi/idna@3.3</purl>
    </component>
    <component bom-ref="pkg:pypi/pip@21.3.1" type="library">
      <name>pip</name>
      <version>21.3.1</version>
      <purl>pkg:pypi/pip@21.3.1</purl>
    </component>
    <component bom-ref="pkg:pypi/requests@2.26.0" type="library">
      <name>requests</name>
      <version>2.26.0</version>
      <purl>pkg:pypi/requests@2.26.0</purl>
    </component>
    <component bom-ref="pkg:pypi/setuptools@40.6.2" type="library">
      <name>setuptools</name>
      <version>40.6.2</version>
      <purl>pkg:pypi/setuptools@40.6.2</purl>
    </component>
    <component bom-ref="pkg:pypi/six@1.16.0" type="library">
      <name>six</name>
      <version>1.16.0</version>
      <purl>pkg:pypi/six@1.16.0</purl>
    </component>
    <component bom-ref="pkg:pypi/urllib3@1.26.7" type="library">
      <name>urllib3</name>
      <version>1.26.7</version>
      <purl>pkg:pypi/urllib3@1.26.7</purl>
    </component>
    <component bom-ref="pkg:pypi/pyyaml@5.3" type="library">
      <name>pyyaml</name>
      <version>5.3</version>
      <purl>pkg:pypi/pyyaml@5.3</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2020-96</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.3.1</v:advisory>
          </v:advisories>
        </v:vulnerability>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2021-142</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.4</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>
```
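For anyone consuming this output downstream (a CI gate, a dashboard, an inventory job), the interesting part of the BOM above is that the vulnerability data lives in a separate extension namespace (`v:`) hanging off each `component`, and the fixed version is only carried as free text inside `v:advisory`. The following is an added example, not pip-audit or cyclonedx-python-lib code, that reads a CycloneDX 1.3 XML BOM with that extension and turns it into a flat list of findings. The embedded BOM is a trimmed copy of the PR's example output; the `Finding`/`BomSummary` types and the `Upgrade: <version>` advisory parsing are this example's own assumptions about the advisory text format shown above.

```python
"""Read a CycloneDX 1.3 XML BOM with the 1.0 vulnerability extension.

Added example (not pip-audit's or cyclonedx-python-lib's own code). The
sample BOM below is a trimmed copy of the PR's example output.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Both namespaces used by the output: the core BOM schema and the
# vulnerability extension that holds per-component findings.
NS = {
    "bom": "http://cyclonedx.org/schema/bom/1.3",
    "v": "http://cyclonedx.org/schema/ext/vulnerability/1.0",
}

# Trimmed from the PR's example; the description elements are omitted.
SAMPLE_BOM = """<bom serialNumber="urn:uuid:5f03d520-4ca9-4025-8781-b0711cc98cda" version="1"
     xmlns="http://cyclonedx.org/schema/bom/1.3"
     xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
  <components>
    <component bom-ref="pkg:pypi/requests@2.26.0" type="library">
      <name>requests</name>
      <version>2.26.0</version>
      <purl>pkg:pypi/requests@2.26.0</purl>
    </component>
    <component bom-ref="pkg:pypi/pyyaml@5.3" type="library">
      <name>pyyaml</name>
      <version>5.3</version>
      <purl>pkg:pypi/pyyaml@5.3</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2020-96</v:id>
          <v:advisories><v:advisory>Upgrade: 5.3.1</v:advisory></v:advisories>
        </v:vulnerability>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2021-142</v:id>
          <v:advisories><v:advisory>Upgrade: 5.4</v:advisory></v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>
"""


@dataclass
class Finding:
    """One vulnerability attached to one component (types are this example's)."""
    purl: str
    vuln_id: str
    fix_version: Optional[str]  # None when no "Upgrade: X" advisory is present


@dataclass
class BomSummary:
    components: list[str] = field(default_factory=list)
    findings: list[Finding] = field(default_factory=list)


def _fix_version(vuln: ET.Element) -> Optional[str]:
    # The extension carries the fixed version only as advisory text of the
    # form "Upgrade: X.Y.Z" (as seen in the PR output), so parse that string.
    for adv in vuln.findall("v:advisories/v:advisory", NS):
        text = (adv.text or "").strip()
        if text.startswith("Upgrade:"):
            return text.split(":", 1)[1].strip()
    return None


def summarize_bom(xml_text: str) -> BomSummary:
    """Collect every component purl and every vulnerability hanging off it."""
    # ElementTree trusts its input; for BOMs from third parties, swap in
    # defusedxml.ElementTree.fromstring, which has the same signature.
    root = ET.fromstring(xml_text)
    summary = BomSummary()
    for comp in root.findall("bom:components/bom:component", NS):
        purl = comp.findtext("bom:purl", default="", namespaces=NS)
        summary.components.append(purl)
        for vuln in comp.findall("v:vulnerabilities/v:vulnerability", NS):
            vid = vuln.findtext("v:id", default="", namespaces=NS)
            summary.findings.append(Finding(purl, vid, _fix_version(vuln)))
    return summary


def vulnerable_purls(summary: BomSummary) -> list[str]:
    """Distinct components that carry at least one finding, sorted."""
    return sorted({f.purl for f in summary.findings})


if __name__ == "__main__":
    s = summarize_bom(SAMPLE_BOM)
    print(f"{len(s.components)} components, {len(s.findings)} findings")
    for f in s.findings:
        print(f"{f.purl}: {f.vuln_id} (fixed in {f.fix_version or 'n/a'})")
```

Matching on the namespace URIs rather than on the `v:` prefix is deliberate: a producer is free to pick any prefix, and a BOM without the extension namespace declared simply yields zero findings instead of a parse error, which is the behaviour you want when the same job also ingests JSON-derived or 1.4-era BOMs that lack this extension.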
One notable thing: the CycloneDX JSON serialization format doesn't seem to include the vulnerability extension. I'm not sure what's up with that -- if it's a bug in the Python library or because the representation is only well specified in the XML schema(s). Will follow up with an upstream issue.

Edit: Upstream: CycloneDX/cyclonedx-python-lib#62
Turns out vulnerability information is intentionally not supported in the current JSON output format. Version 1.4 of CycloneDX will resolve that by promoting vulnerability information from an extension to a full-fledged part of the spec.
Awesome! LGTM.
The only remaining blocker here is CycloneDX/cyclonedx-python-lib#61. Once that's in, I'll merge this as an initial version and we can iterate on adding even more metadata.
WIP; just pushing something up for visibility. TODO:
Relevant upstream tracking issues and PRs:
Closes #77.