auditjs
Feature Request: add support for automated pull requests
- What are you trying to do?*
Create automated pull requests from the auditjs scanner.
- What feature or behavior is this required for?
- How could we solve this issue? (Not knowing is okay!)
The AuditJS scanner needs to collect the git commit hash and submit it along with the rest of the scan data.
- Anything else?
cc @bhamail / @DarthHater / @allenhsieh / @ken-duck
Leaving some info for whoever picks this up:
- AuditJS uses the IQ Server Third Party API, in which we create an SBOM and send that up
Something you'll need to figure out is how to represent a commit via an SBOM. There are some candidates, I'm trying to figure out the best way, but if I don't, that would be what you want to look at. The full spec is here: https://cyclonedx.org/docs/1.2/ (and of note, we are using 1.1 at the moment)
- IQ Server will need to take that info and do something with it! We will need to talk to @mr-zepol or others to kinda make sure it's gonna work
From there I imagine it's fairly easy? You'll need to discover the local git hash, etc... and I think there are a plethora of JS libraries for doing that (https://www.npmjs.com/package/simple-git is one)
After talking with Steve, the best place to describe this seems as follows:
bom->metadata->component->pedigree->commits->commit
We would put together a bare-bones component that describes the local project (name and version we can likely get from the local package.json, for the record, as well as scope if it exists), and then populate the minimal pedigree information that is necessary per the schema.
Examples of the use of metadata are here: https://cyclonedx.org/use-cases/#packaging-and-distribution
Pedigree is here: https://cyclonedx.org/use-cases/#pedigree
IQ will obviously need to do something with this data, but we have a path to describe it (which is half the battle!)
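The bom->metadata->component->pedigree->commits->commit shape described above, as an added JavaScript example that is not auditjs code: it builds the minimal CycloneDX 1.2 document from package.json fields plus a commit hash the scanner has already discovered (for instance with simple-git), and reads it back along the same path the way a consumer such as IQ would. The mapping of an npm scope to the CycloneDX `group` field, the `purl` construction, and the sample package/commit values are assumptions.

```javascript
// Added example (not auditjs code): minimal CycloneDX 1.2 BOM whose
// metadata.component carries the local project's commit in its pedigree.

// Full 40-hex-char SHA-1 as printed by `git rev-parse HEAD`. Abbreviated hashes
// are rejected so the server never receives an ambiguous pedigree entry.
const GIT_SHA1 = /^[0-9a-f]{40}$/;

// Assumption: an npm scope ("@acme/app") maps to the CycloneDX `group` field
// and to the purl namespace; the bare name goes into `name`.
function splitScopedName(pkgName) {
  const m = /^@([^/]+)\/(.+)$/.exec(pkgName);
  return m ? { group: m[1], name: m[2] } : { group: undefined, name: pkgName };
}

// pkg: { name, version } as read from package.json; commit: { uid, url? }.
function buildPedigreeBom(pkg, commit) {
  if (!GIT_SHA1.test(commit.uid)) {
    throw new Error(`commit uid is not a full SHA-1: ${commit.uid}`);
  }
  const { group, name } = splitScopedName(pkg.name);
  const purlName = group ? `%40${group}/${name}` : name; // '@' is %40 in a purl
  const component = {
    type: 'application',
    name,
    version: pkg.version,
    purl: `pkg:npm/${purlName}@${pkg.version}`,
    // Minimal pedigree: one commit object. `uid` is the field the scanner
    // relies on; `url` is optional in the schema and included only when known.
    pedigree: { commits: [{ uid: commit.uid, ...(commit.url ? { url: commit.url } : {}) }] },
  };
  if (group) component.group = group;
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.2',
    version: 1,
    metadata: { timestamp: new Date().toISOString(), component },
    components: [], // dependency components would be appended here by the scanner
  };
}

// Consumer side: walk bom->metadata->component->pedigree->commits and return
// the first commit uid, or undefined when the BOM carries no pedigree.
function firstCommitUid(bom) {
  const commits = bom?.metadata?.component?.pedigree?.commits;
  return Array.isArray(commits) && commits.length > 0 ? commits[0].uid : undefined;
}

// Constructed sample input (hypothetical package and hash, not real data).
const SAMPLE_PKG = { name: '@acme/web-app', version: '2.3.1' };
const SAMPLE_COMMIT = { uid: '0123456789abcdef0123456789abcdef01234567' };
```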