fix: make a purl DT can recognize, add CPE #57
djcrabhat wants to merge 13 commits into CycloneDX:main from
Conversation
| } | ||
|
|
||
| try { | ||
| String downloadUrl = getPackageDownloadUrl(software); |
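Review bot: `software` here is a package name read back from the package-list command output (the Lift finding on this PR traces it from `BufferedReader.readLine()` in `UnixSBomGenerator.processListCmdOutput` into `ProcessBuilder.command(...)` in `RedHatSBomGenerator.getPackageDownloadUrl`), so it should be validated before it is used to build a command. Check it against an allow-list of the characters you expect in an RPM package name and reject anything else, and pass it as its own argument element rather than interpolating it into a `sh -c` string; then a crafted package name on the scanned host cannot change what gets executed.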
SHELL_INJECTION: UserControlledString(BufferedReader.readLine()) in procedure UnixSBomGenerator.processListCmdOutput(...) at line 438 ~> ShellExec(ProcessBuilder.command(...)) in procedure RedHatSBomGenerator.getPackageDownloadUrl(...) at line 185.
614d963 to c9a8d29
| * | ||
| * | ||
| * @param url | ||
| * @param name |
💬 3 similar findings have been found in this PR
EmptyBlockTag: A block tag (@param, @return, @throws, @deprecated) has an empty description. Block tags without descriptions don't add much value for future readers of the code; consider removing the tag entirely or adding a description.
| * @param name | |
| * |
| File Path | Line Number |
|---|---|
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 327 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 324 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 326 |
| return bom; | ||
| } | ||
|
|
||
| private String getCpe(String software, String version) { |
💬 6 similar findings have been found in this PR
UnusedVariable: The parameter 'version' is never read.
| private String getCpe(String software, String version) { | |
| cpe = getCpe(software); |
| File Path | Line Number |
|---|---|
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 333 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 333 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 333 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/RedHatSBomGenerator.java | 115 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 333 |
| src/main/java/org/cyclonedx/contrib/com/lmco/efoss/unix/sbom/generator/SBomGenerator.java | 333 |
54abff6 to dbf5b28
Signed-off-by: djcrabhat <djcrabhat@sosimplerecords.com>
…enerator/RedHatSBomGenerator.java Co-authored-by: sonatype-lift[bot] <37194012+sonatype-lift[bot]@users.noreply.github.com> Signed-off-by: djcrabhat <djcrabhat@sosimplerecords.com>
2fd70ce to 15970d1
Can somebody merge this PR please?
Make the purl that is output align with what DependencyTrack expects. I understand this could potentially be breaking for those who expect the purl to be where the package was downloaded from. Added a details map Download-Url key for that old value. Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm
But I know that purls don't seem that well supported for OS packages. So I'm also adding CPEs for RedHat. (I'm gonna trick DependencyTrack into recognizing vulnerable packages, if by hook or by crook! 😆)
Closes #11
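The shape of the identifiers the PR description is aiming for, as an added example that is not code from the CycloneDX generator or from this PR: it builds a `pkg:rpm` purl per the PURL-TYPES rpm section (vendor as namespace, `version-release` as version, `arch`/`epoch`/`distro` as sorted qualifiers) and a CPE 2.3 formatted string for the same package. The `rpm --qf` line format, the `redhat` namespace, the CPE vendor `redhat` and the use of the package name as CPE product are all assumptions made for the example; NVD may name the product differently, so CPE matching is best-effort.

```python
"""
Added example (not code from the CycloneDX linux generator): build a
purl-spec pkg:rpm identifier and a CPE 2.3 formatted string from the
fields of an installed RPM.
"""
from urllib.parse import quote

# Constructed sample output, in the shape printed by
#   rpm -qa --qf '%{NAME}|%{VERSION}|%{RELEASE}|%{ARCH}|%{EPOCH}\n'
# Assumption: the real generator may use a different query format.
SAMPLE_RPM_LINES = [
    "curl|7.61.1|22.el8|x86_64|(none)",
    "openssl-libs|1.1.1k|7.el8_6|x86_64|1",
    "gpg-pubkey|fd431d51|4ae0493b|(none)|(none)",
]


def parse_rpm_line(line):
    """Split one pipe-delimited rpm query line; rpm prints '(none)' for unset tags."""
    name, version, release, arch, epoch = line.rstrip("\n").split("|")
    return {
        "name": name,
        "version": version,
        "release": release,
        "arch": None if arch == "(none)" else arch,
        "epoch": None if epoch == "(none)" else epoch,
    }


def rpm_purl(name, version, release, arch=None, epoch=None, distro=None, namespace="redhat"):
    """Return pkg:rpm/<namespace>/<name>@<version>-<release>?arch=..&distro=..&epoch=..

    Follows PURL-TYPES.rst#rpm: the namespace is the vendor (assumed "redhat"),
    the version includes the release, and arch/epoch/distro are qualifiers.
    Name and version are percent-encoded; qualifier keys are lowercase and
    sorted; unset ('(none)'/empty) qualifiers are omitted, not emitted literally.
    """
    full_version = f"{version}-{release}" if release else version
    purl = (
        f"pkg:rpm/{quote(namespace, safe='')}/{quote(name, safe='')}"
        f"@{quote(full_version, safe='')}"
    )
    qualifiers = {"arch": arch, "epoch": epoch, "distro": distro}
    pairs = [
        f"{k}={quote(v, safe=':/')}"
        for k, v in sorted(qualifiers.items())
        if v not in (None, "", "(none)")
    ]
    if pairs:
        purl += "?" + "&".join(pairs)
    return purl


def cpe23_escape(value):
    """Escape one CPE 2.3 formatted-string component: every non-alphanumeric
    character other than '-', '.' and '_' is prefixed with a backslash."""
    return "".join(ch if ch.isalnum() or ch in "-._" else "\\" + ch for ch in value)


def cpe23(vendor, product, version):
    """cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:* (13 colon-separated fields)."""
    fields = ["cpe", "2.3", "a", cpe23_escape(vendor), cpe23_escape(product), cpe23_escape(version)]
    fields += ["*"] * 7  # update, edition, language, sw_edition, target_sw, target_hw, other
    return ":".join(fields)


def identifiers_from_rpm_output(lines, distro=None, vendor="redhat"):
    """Map each rpm line to the purl and CPE an SBOM component would carry.
    Assumption: CPE vendor 'redhat' and product == package name."""
    result = {}
    for line in lines:
        f = parse_rpm_line(line)
        result[f["name"]] = {
            "purl": rpm_purl(f["name"], f["version"], f["release"], f["arch"], f["epoch"], distro),
            "cpe": cpe23(vendor, f["name"], f"{f['version']}-{f['release']}"),
        }
    return result


if __name__ == "__main__":
    for name, ids in identifiers_from_rpm_output(SAMPLE_RPM_LINES, distro="rhel-8").items():
        print(name, ids["purl"], ids["cpe"])
```

Keeping `version-release` together in the purl is what lets a consumer compare against Red Hat advisories, which are issued per release; the `distro` qualifier is what distinguishes an el8 build from an el9 one with the same name and version.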