cyclonedx-python
[FEATURE] Include disclosed Vulnerability information from external sources
Currently using pypi's api feed on another project to extract vulnerability information
https://pypi.org/pypi/{quote(package_name)}/{quote(package_version)}/json https://warehouse.pypa.io/api-reference/json.html
spotted that the cyclonedx spec has place for dependency vulnerabilities https://cyclonedx.org/ext/vulnerability/
additionally the data feed has license data via the classifiers metadata which could be used to populate licenses when not using local environment but requirements or poetry etc
aim: was thinking of extending this library and then using it in the making of a pip-audit for python which operated in a similar way to "npm audit"
of course can just put the annotation into the pip-audit code instead
looking to see if this extension would be something desired in cyclonedx-python or its core lib
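As an added illustration of the idea in this post (not code from cyclonedx-python or pip-audit): map the `vulnerabilities` list and the `License ::` classifiers of a PyPI JSON API record onto CycloneDX 1.4 `vulnerabilities` and `licenses` entries. The PyPI record below is a constructed sample with placeholder ids; the field names (`id`, `aliases`, `details`, `fixed_in`, `link`, `source`, `withdrawn`) follow the PyPI JSON API, and the classifier-to-license step is a heuristic that yields a license name, not an SPDX id.

```python
import json

# Constructed sample in the shape of https://pypi.org/pypi/<name>/<version>/json
# (not a real package record; ids and advisory text are placeholders).
SAMPLE_PYPI_JSON = {
    "info": {
        "name": "examplepkg",
        "version": "1.0.0",
        "classifiers": [
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: MIT License",
        ],
    },
    "vulnerabilities": [{
        "id": "PYSEC-0000-PLACEHOLDER",
        "aliases": ["CVE-0000-PLACEHOLDER"],
        "details": "Placeholder advisory text.",
        "fixed_in": ["1.0.1"],
        "link": "https://osv.dev/vulnerability/PYSEC-0000-PLACEHOLDER",
        "source": "osv",
        "withdrawn": None,
    }],
}

def purl(info: dict) -> str:
    """Package URL used as the component's bom-ref and as the vulnerability's affects ref."""
    return f"pkg:pypi/{info['name'].lower()}@{info['version']}"

def licenses_from_classifiers(classifiers: list) -> list:
    """Heuristic: take the last segment of every 'License :: ...' trove classifier."""
    parts = [[p.strip() for p in c.split("::")] for c in classifiers]
    return [{"license": {"name": p[-1]}} for p in parts if p[0] == "License"]

def to_cdx_vulnerabilities(pypi_json: dict) -> list:
    """Translate PyPI advisory records into CycloneDX 1.4 vulnerability entries."""
    ref = purl(pypi_json["info"])
    out = []
    for v in pypi_json.get("vulnerabilities", []):
        if v.get("withdrawn"):          # withdrawn advisories must not end up in the BOM
            continue
        entry = {
            "id": v["id"],
            "source": {"name": v.get("source", "pypi"), "url": v["link"]},
            "references": [{"id": alias} for alias in v.get("aliases", [])],
            "description": v.get("details", ""),
            "affects": [{"ref": ref}],
        }
        if v.get("fixed_in"):
            entry["recommendation"] = "Upgrade to " + ", ".join(v["fixed_in"])
        out.append(entry)
    return out

def build_bom_fragment(pypi_json: dict) -> dict:
    """Minimal CycloneDX 1.4 JSON document: one component plus its vulnerabilities."""
    info = pypi_json["info"]
    component = {"type": "library", "bom-ref": purl(info), "name": info["name"],
                 "version": info["version"], "purl": purl(info),
                 "licenses": licenses_from_classifiers(info.get("classifiers", []))}
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [component], "vulnerabilities": to_cdx_vulnerabilities(pypi_json)}

if __name__ == "__main__":
    print(json.dumps(build_bom_fragment(SAMPLE_PYPI_JSON), indent=2))
```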
Hi @Anthony-Mckale - many thanks for the idea. I did not know about this endpoint on PyPi!
Couple of questions in case you know the answers before I go searching:
- Do you have an example that has the vulnerabilities list populated for a public project?
- Do you know where PyPi.org is sourcing its Vulnerability information from?
In principle, I'm very much open to this being added to the cyclonedx-python application once we understand a bit more about the state, quality and provenance of the data pypi.org is providing, if that makes sense?
@Anthony-Mckale - I've got the answer for 2 above (https://github.com/pypa/advisory-db).
Note that another source of vulnerabilities might be OSS Index?
- example https://pypi.org/pypi/Django/3.2.7/json
- from https://github.com/pypa/advisory-db
rather depressingly spotted my pip-audit idea has already been implemented by a project called pip-audit https://github.com/trailofbits/pip-audit/blob/main/pip_audit/_service/osv.py https://github.com/trailofbits/pip-audit/blob/main/pip_audit/_service/pypi.py
Thanks @Anthony-Mckale.
I still think this is a valid feature for cyclonedx-python - but we might consider supporting multiple sources for Vulnerability information.
We're due to release some major changes this week (CycloneDX 1.4 is coming!), so we'll dig into this more after we've concluded https://github.com/CycloneDX/cyclonedx-python/milestone/1.
brilliant, once you guys have 1.4 out the way, ping this ticket or me at "[email protected]" and I'll be happy to write up a PR with the extension
ps: the https://osv.dev/ feeds I think are actually fed from https://github.com/pypa/advisory-db, however I'd love to extend the rest of the cyclonedx language suite with the osv feeds
```shell
$ curl -X POST -d \
  '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"
```
Will close this issue. Time went by and the world changed.
The requested feature is already done by external tools, like dependency-track, vexy, etc.
Other tools can digest an SBOM file and may create VEX/VDR from it.
FYI: upcoming v4 might provide even more component identifiers, so that SBOM digesting tools have it easier to probe for VEX data.