Merge pull request #35 from RHEcosystemAppEng/sbom-npm-mvn-api

feat: add SBOM data model and support for npm and maven

Author: zvigrinberg

.github/workflows/pr.yml

@@ -50,7 +50,7 @@ jobs:
 
       - name: Run integration tests
         working-directory: integration
-        run: bash ./run_its.sh
+        run: EXHORT_ITS_USE_REAL_API=true bash ./run_its.sh
 
       - name: Upload coverage reports
         if: ${{ matrix.node == env.MAIN_NODE_VER }}

README.md

@@ -121,6 +121,7 @@ $ exhort-javascript-api component pom.xml "$(</path/to/pom.xml)"
 <h3>Supported Ecosystems</h3>
 <ul>
 <li><a href="https://www.java.com/">Java</a> - <a href="https://maven.apache.org/">Maven</a></li>
+<li><a href="https://www.javascript.com//">JavaScript</a> - <a href="https://www.npmjs.com//">Npm</a></li>
 </ul>
 
 <h3>Excluding Packages</h3>
@@ -141,6 +142,34 @@ Excluding a package from any analysis can be achieved by marking the package for
 ```
 </li>
 
+</ul>
+<ul>
+<li>
+<em>Javascript NPM </em> users can add a root (key, value) pair with value of list of names (strings) to be ignored (without versions), and key called <b>exhortignore</b> in <em>package.json</em>,  example:
+
+```json
+{
+  "name": "sample",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "dotenv": "^8.2.0",
+    "express": "^4.17.1",
+    "jsonwebtoken": "^8.5.1",
+    "mongoose": "^5.9.18"
+  },
+  "exhortignore": [
+    "jsonwebtoken"
+  ]
+}
+
+```
+</li>
+
 </ul>
 
 <h3>Customization</h3>
@@ -157,7 +186,8 @@ import fs from 'node:fs'
 
 let options = {
   'EXHORT_SNYK_TOKEN': 'my-secret-snyk-token',
-  'EXHORT_MVN_PATH': '/path/to/my/mvn'
+  'EXHORT_MVN_PATH': '/path/to/my/mvn',
+  'EXHORT_NPM_PATH': '/path/to/npm'
 }
 
 // Get stack analysis in JSON format
@@ -208,6 +238,12 @@ following keys for setting custom paths for the said executables.
 <td><em>mvn</em></td>
 <td>EXHORT_MVN_PATH</td>
 </tr>
+<tr>
+<td><a href="https://www.npmjs.com/">NPM</a></td>
+<td><em>npm</em></td>
+<td>EXHORT_NPM_PATH</td>
+</tr>
+
 </table>
 
 <!-- Badge links -->

generated/backend/DependencyReportRecommendation.ts

@@ -15,6 +15,10 @@
 * Trusted Content recommendation that is not related to any security vulnerability
 */
 export class DependencyReportRecommendation {
+    /**
+    * PackageURL identifier
+    */
+    'purl'?: string;
     /**
     * <groupId>:<artifactId> for Java packages
     */
@@ -27,6 +31,12 @@ export class DependencyReportRecommendation {
     static readonly discriminator: string | undefined = undefined;
 
     static readonly attributeTypeMap: Array<{name: string, baseName: string, type: string, format: string}> = [
+        {
+            "name": "purl",
+            "baseName": "purl",
+            "type": "string",
+            "format": ""
+        },
         {
             "name": "name",
             "baseName": "name",

generated/backend/PackageRef.ts

@@ -12,6 +12,10 @@
 
 
 export class PackageRef {
+    /**
+    * PackageURL identifier
+    */
+    'purl'?: string;
     /**
     * <groupId>:<artifactId> for Java packages
     */
@@ -24,6 +28,12 @@ export class PackageRef {
     static readonly discriminator: string | undefined = undefined;
 
     static readonly attributeTypeMap: Array<{name: string, baseName: string, type: string, format: string}> = [
+        {
+            "name": "purl",
+            "baseName": "purl",
+            "type": "string",
+            "format": ""
+        },
         {
             "name": "name",
             "baseName": "name",

integration/scenarios/maven/expected_component

@@ -5,8 +5,8 @@
       "transitive": 0
     },
     "vulnerabilities": {
-      "total": 7,
       "direct": 1,
+      "total": 7,
       "critical": 1,
       "high": 3,
       "medium": 2,
@@ -23,35 +23,7 @@
   },
   "dependencies": [
     {
-      "ref": {
-        "name": "log4j:log4j",
-        "version": "1.2.17"
-      },
-      "highestVulnerability": {
-        "id": "SNYK-JAVA-LOG4J-1300176",
-        "title": "Man-in-the-Middle (MitM)",
-        "source": "snyk",
-        "cvss": {
-          "attackVector": "Network",
-          "attackComplexity": "High",
-          "privilegesRequired": "None",
-          "userInteraction": "None",
-          "scope": "Unchanged",
-          "confidentialityImpact": "Low",
-          "integrityImpact": "None",
-          "availabilityImpact": "None",
-          "exploitCodeMaturity": null,
-          "remediationLevel": null,
-          "reportConfidence": null,
-          "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
-        },
-        "cvssScore": 3.7,
-        "severity": "LOW",
-        "cves": [
-          "CVE-2020-9488"
-        ],
-        "unique": false
-      },
+      "ref": "pkg:maven/log4j/[email protected]",
       "issues": [
         {
           "id": "SNYK-JAVA-LOG4J-572732",
@@ -230,8 +202,33 @@
         }
       ],
       "transitive": [],
+      "recommendation": null,
       "remediations": {},
-      "recommendation": null
+      "highestVulnerability": {
+        "id": "SNYK-JAVA-LOG4J-1300176",
+        "title": "Man-in-the-Middle (MitM)",
+        "source": "snyk",
+        "cvss": {
+          "attackVector": "Network",
+          "attackComplexity": "High",
+          "privilegesRequired": "None",
+          "userInteraction": "None",
+          "scope": "Unchanged",
+          "confidentialityImpact": "Low",
+          "integrityImpact": "None",
+          "availabilityImpact": "None",
+          "exploitCodeMaturity": null,
+          "remediationLevel": null,
+          "reportConfidence": null,
+          "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        },
+        "cvssScore": 3.7,
+        "severity": "LOW",
+        "cves": [
+          "CVE-2020-9488"
+        ],
+        "unique": false
+      }
     }
   ]
 }