-
-
Notifications
You must be signed in to change notification settings - Fork 590
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use vulnerabilities from Composer package repositories #4465
Comments
Agree with this assessment. Also in general the repository meta analysis is a lot slower than vulnerability analysis, since no repository supports batch request (does Composer?). Trying to somehow couple repo meta and vuln analysis is impractical. I'd say we make this another vulnerability scanner that can be enabled, or is even enabled by default. It is a bit unfortunate that we'd end up querying the API endpoints more than once for the same component, but I don't see a better option. Is there any rate limiting imposed on this API? |
From their docs
In another spot they mention:
Something even more incremental is also possible:
I haven't looked at the DT data model for this yet, but maybe we can store (or deduce) a value for However, the |
If concurrent requests become a requirement, we could look at https://resilience4j.readme.io/docs/bulkhead to rate limit on our end. We already use resilience4j elsewhere for retries etc. |
I have looked into this some more and it's not straightforward. The packagist repo has an api to retrieve vulnerabilities: A colleague of mine was trying to implement the same functionality in a custom built SCA tool, but ran into the same problems.
The Do we really want to mimic and maintain all this in Dependency Track? Wouldn't it be a lot easier/more reliable if we could just ingest the output from
When looking at the VEX functionality in Dependency Track I noticed that it cannot be used to add new vulnerabilities to DependencyTrack. It can only apply analysises to vulnerabilities already present in Dependency Track and attributed to the Project where the VEX is being applied. I understand importing/trusting vulnerabilities from outside Dependency Track doesn't really fit in the model of using the SBOM as source of truth and do all scanning inside DependencyTrack. But this way it might impossible to even get the same results as these scanners/audit tools native to the ecosystems. EDIT: I am not aware of any Composer Repository Proxy / Aggregator that could be used to achieve the same. It looks like Nexus has some support for Composer repositories. I doubt it supports all the vulnerability related stuff. Even if it would, it would be quite an extra requirement for users to have a Nexus install available. What possibly could work is to make a little wrapper around the |
Usually vulnerableCode is quite extensive with this sort of thing, but it doesn't look like they support PHP / Drupal either: https://github.com/aboutcode-org/vulnerablecode/tree/main/vulnerabilities/importers
Is it possible to download all data, or does the whole thing depend on ad-hoc queries for each package? If the former, you could just write a mirror task similar to the OSV one. Even if it's non-trivial, I feel like it'd still be better than writing a bespoke external service that users would then need to deploy and operate. It would also fit the agenda of #4122.
We won't be supporting ingest of tool output like Defect Dojo does, but if you were to transform this into a CycloneDX VDR file we could import that, see below.
It doesn't currently work because it simply was not implemented yet, not because we don't want to support it. There's even a placeholder / TODO for it here: dependency-track/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java Lines 272 to 276 in 45982a2
That being said, until #4122 lands, we need to be a bit careful when it comes to vulnerability sources. We wouldn't want VDR imports to overwrite CVE data if it has already been mirrored from the NVD. And |
In theory it should be able to mirror all the vulnerabilities. At least the main packagist.com has APIs to do that incrementally, even providing a feed with new/changed advisories since a certain timestamp that can be provided as a parameter. In theory we could also mirror all the metadata for all packages. There is a I am currently looking at which vulnerability identifiers we can expect. There will be vulnerabilities that have an ID generated by the composer auditor (example There maybe more sources as Magento, Shopware may have their own IDs as well. Every new sources means a new column in the Aliases table unfortunately. As we don't know all possible sources, some of them will have to be stored under |
Turns out there's a lot of stuff happening in https://packages.drupal.org/8/packages.json
This specifies where security advisories can be obtained (or not). https://wpackagist.org/packages.json doesn't provide a security advisory endpoint:
The Some repositories such as wpackagits also do not provide a metadata endpoint. I haven't looked into that, just focussing on the vulnerability aspects here. In theory it's possible to use the security advisory API to build a complete mirror. I'm unsure if we can run into problems if we combine the vulnerabilitiy data from multiple repositories into one SOURCE / mirror on the DT side. |
The vulnerabilities coming in from the composer repostiories do not have a I also see code in Strange thing is that in my deptrack databases I can see lots of
|
|
Ah, I there are rows in my databases that do have the PURL column populated, guess that put me on the wrong foot. It's only 96k rows I checked just now :-) So what do you think would be the best option @nscuro. Going for a new external analyzer which is easier to implement and can be enabled/disabled or going for a full mirror that is more work and needs more safeguarding to make sure it doesn't fail too often and doesn't miss any vulnerabilities. Currently there's also the downside that once mirrored, the Internal Analyzer will keep detecting/reporting the vulnerabilities, even after the mirroring is disabled. |
Current Behavior
As mentioned in #2337 (comment), Compose package repositories also provide vulnerability information for packages.
For some vulnerabilities this is the only way to get those vulnerabilities, for example SA-CONTRIB-2023-052. Neither OSS, NVD, GHSA, Snyk, OSV report this vulnerability. But for companies running lots of Drupal projects, it's important to have visibility of these vulnerabilities.
The composer package repository provides vulnerability information in two places:
The API part is unclear what the URL for the Drupal 8 composer repository is. The provided example url is from the main packagist repository. This doesn not return the vulnerability.
More info about the API (and other repo functions): https://packagist.org/apidoc#list-security-advisories
Proposed Behavior
There are multiple options Depenendcy Track can do:
During metadata processing in
ComposerMetaAnalyzer
the vulnerability information is already returned by the package repository. These vulnerabilities could be stored in Dependency Track and used by the Internal Analyzer. Currently this is not straightforward as meta data analysis runs in parallel with or possibly after vulnerability analysis. Downside is also that it could confuse users that the repository is also a vulnerability source (could be optional flag).A new analyzer could be created i.e.
ComposerVulnerabilityAnalyzer
that uses the API to retrieve vulnerabilities. At the time of writing it's unclear if the Drupal specific package repository supports this API.I am curious about other peoples thoughts.
Please note that the Composer Package Repository doesn't support PURL or CPE. But since Dependency Track already retrieves meta data by just
group
andname
, it should be OK to do the same for vulnerabilities?I think somewhere here on Slack or Github somebody pointed us towards a library that maps PURL/CPEs to namespace/group/name parts.
I also raised composer/packagist#1497
Checklist
The text was updated successfully, but these errors were encountered: