Dependabot is a software supply chain security tool.
Software Supply Chain
The software supply chain consists of the 3rd party frameworks, tools, libraries etc. For example:
Spring Boot (Broadcom, formerly VMware)
you can find this in the Maven (Apache Foundation) or Gradle (IntelliJ) configs
more 3rd party configs like Thymeleaf will be pulled in transitively
Enterprise Java Beans (Oracle)
Fiori (SAP)
…
the JSON or XML parser ()
Typically, even a microservice can have 150+ dependencies. Important components (like Log4J) aren't always obvious.
Dependabot will resolve the entire dependency tree, look up known vulnerabilities in popular catalogs, and produce a report.
Features
Dependabot works with Gradle (pom.xml can be generated) and Maven, as well as NPM, Go etc. The support is expansive.
Dependabot cannot resolve the imports to actual modules, meaning that it won't know whether the scanned software project really uses a vulnerable function. Veracode's SourceClear can do that.
The reporting depends on GitHub.
GraphQL API
GitHub services have a REST and a GraphQL API.
https://docs.github.com/en/graphql
Sadly, for GH Security, they are not consistently developed.
Python
Assuming you have Pandas (response_dp is a DataFrame object in the following), which accepts API responses directly, and requests.
Based on that, the following Python 3 code exemplifies how to generate a Software Bill Of Materials (SBOM) for a GitHub Advanced Enterprise Security enabled repository.
```python
import requests

# Values the snippet uses but does not define; fill in for your setup.
graphql_url = "https://api.github.com/graphql"
hed = {"Authorization": "Bearer <GITHUB_TOKEN>"}  # placeholder token
repo = "<repository-name>"  # placeholder
org = "<organisation>"      # placeholder
verbose = False

# REPO and ORG are markers replaced below with the real names.
query = """
{
  repository(name: "REPO", owner: "ORG") {
    vulnerabilityAlerts(first: 100) {
      nodes {
        createdAt
        dismissedAt
        securityVulnerability {
          package { name }
          severity
          advisory { description }
        }
      }
    }
  }
}
"""
query = query.replace("REPO", repo)
query = query.replace("ORG", org)
response_dp = requests.post(graphql_url, headers=hed, json={'query': query})
parsed_dp = response_dp.json()["data"]
if verbose:
    print(parsed_dp)
```
An equivalent REST endpoint doesn't seem to exist (last time I checked).
This is equivalent for GH Cloud and on-premises Server variants.
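The query above fetches at most the first 100 alerts and builds the query text with string replacement. The following is an added example, not code from the original page: it sends the same selection set as GraphQL variables, follows the connection cursor (pageInfo/endCursor) until every alert is collected, and reduces the nodes to the rows and severity counts a report would carry. The `post` callable, `stub_post` and the sample pages are assumptions constructed here so it runs offline; against GitHub you would pass `lambda body: requests.post(graphql_url, headers=hed, json=body).json()`.

```python
from collections import Counter

ALERTS_QUERY = """query($owner: String!, $name: String!, $after: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes { createdAt dismissedAt
        securityVulnerability { package { name } severity advisory { description } } } } } }"""

def fetch_all_alerts(post, owner, name):
    """post(body) returns the decoded JSON; follow endCursor until hasNextPage is false."""
    alerts, after = [], None
    while True:
        resp = post({"query": ALERTS_QUERY,
                     "variables": {"owner": owner, "name": name, "after": after}})
        if "errors" in resp:  # GraphQL answers HTTP 200 even on errors, so inspect the body
            raise RuntimeError(resp["errors"])
        conn = resp["data"]["repository"]["vulnerabilityAlerts"]
        alerts.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return alerts
        after = conn["pageInfo"]["endCursor"]

def flatten(alerts):
    """One row per alert: package, severity, creation time, and whether it is still open."""
    return [{"package": a["securityVulnerability"]["package"]["name"],
             "severity": a["securityVulnerability"]["severity"],
             "created": a["createdAt"], "open": a["dismissedAt"] is None} for a in alerts]

def open_by_severity(rows):
    """Count undismissed alerts per severity; the figure a triage report leads with."""
    return dict(Counter(r["severity"] for r in rows if r["open"]))

# Constructed two-page response standing in for api.github.com/graphql (not real data).
def _alert(pkg, sev, dismissed=None):
    return {"createdAt": "2023-01-01T00:00:00Z", "dismissedAt": dismissed,
            "securityVulnerability": {"package": {"name": pkg}, "severity": sev,
                                      "advisory": {"description": "constructed"}}}

def _page(nodes, next_cursor):
    return {"data": {"repository": {"vulnerabilityAlerts": {
        "pageInfo": {"hasNextPage": next_cursor is not None, "endCursor": next_cursor},
        "nodes": nodes}}}}

SAMPLE_PAGES = {None: _page([_alert("log4j-core", "CRITICAL"),
                             _alert("jackson-databind", "HIGH", "2023-02-01T00:00:00Z")], "c1"),
                "c1": _page([_alert("snakeyaml", "HIGH")], None)}

def stub_post(body):
    """Offline stand-in for the real HTTP call; serves the page selected by the cursor."""
    return SAMPLE_PAGES[body["variables"]["after"]]
```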