Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Like bricks in a wall: Dependabot is a software supply chain security tool. If you have broken brick, your entire structure may degrade over time if you don’t fix it.

Software Supply Chain

The software supply chain consists of the 3rd party frameworks, tools, libraries etc. For example:

  • Spring Boot (Broadcom, formerly VMware)

    • you can find this in the Maven (Apache Foundation) or Gradle (IntelliJ) configs

    • more 3rd party configs like Thymeleaf will be pulled in transiently

  • Enterprise Java Beans (Oracle)

  • Fiori (SAP)

  • the JSON or XML parser ((question))

Typically, even Micro Service can have 150+ dependencies. Important components (like Log4J) aren’t always obvious.

Dependabot will resolve the entire dependency tree, lookup known vulnerabilities in popular catalogs, and produce a report.

Features

  • Dependabot works with Gradle (pom.xml can be generated) and Maven, as well as NPM, Go etc. The support is expansive

  • Dependabot cannot resolve the imports to actual modules, meaning that it won’t know whether the scanned software project really uses a vulnerable function. Veracode’s SourceClear can do that

  • The reporting depends on GitHub

GraphQL API

GitHub services have a REST and a GraphQL API.

https://docs.github.com/en/graphql

Sadly, for GH Security, they are not consistently developed.

Python

Assuming you have

  • Pandas (response_dp is a DataFrame object in the following), which accepts API responses directly

  • requests

https://pandas.pydata.org/https://requests.readthedocs.io/en/latest/

Based on that, the following Python 3 code exemplifies how to generate a Software Bill Of Materials (SBOM) for a GitHub Advanced Enterprise Security enabled repository. 

query = """
    {
    repository(name: "REPO", owner: "ORG") {
        vulnerabilityAlerts(first: 100) {
            nodes {
                createdAt
                dismissedAt
                securityVulnerability {
                    package {
                        name
                    }
                  	severity
                    advisory {
                        description
                    }
                }
            }
        }
    }
    }
    """

query = query.replace("REPO", repo)
query = query.replace("ORG", org)

response_dp = requests.post(graphql_url, headers=hed, json={'query': query})
parsed_dp = response_dp.json()["data"]
if verbose:
  print(parsed_dp)

  • An equivalent REST endpoint doesn’t seem to exist ( last time I checked )

  • This is equivalent for GH Cloud and on-premises Server variants

  • No labels

Content by https://www.because-security.com/
📧 https://www.because-security.com/contact