CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Discord: https://discord.gg/DP657ACYEZ
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

pass cdxgen to input a ready file with "gradlew dependencies -q --console > dep.txt" #171

Open 2013kaa opened 1 year ago

2013kaa commented 1 year ago

Hi, if I understand correctly, when scanning projects with Gradle, cdxgen launches its task "gradlew dependencies -q --console" and then analyzes the dependencies. Is it possible to pass cdxgen a ready file as input, produced with "gradlew dependencies -q --console > dep.txt"?

prabhu commented 1 year ago

@2013kaa It's a good request. Let me think about this.

2013kaa commented 1 year ago

@prabhu I think this would be a great idea for companies with a lot of development teams. Let me explain a little about my problem and how I arrived at it. All the SCA scanners I've looked at work either through a build plugin (cyclonedx-gradle-plugin, for example) or as an audit of build files (build.gradle, for example). Moreover, the first option is preferable, as it gives the most complete report. It's fine when you have a CI/CD templating standard and all commands use the same version of Gradle and Java. You run a separate job in the pipeline with cyclonedx-gradle-plugin and enjoy the resulting bom.json. But in my case this is not so)))) Different commands, different versions of Gradle/Java/npm/Node.js, and there are even completely non-standard pipelines using werf. I tried to create a universal security_pipeline for this, but I realized that this is not a feasible task. But I can ask my favorite developers and DevOps to dump the results of "gradlew dependencies -q --console > dep.txt" as an artifact from the build stage and pass it as input to your application. After all, all collector plugins still run this task and analyze its result. It seems to me that this will save time, will keep bom.json reports redundant and will be a universal solution. Just in case, as test data you have:
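To illustrate the step the request above describes (consuming an already captured `gradlew dependencies` report instead of re-running Gradle), here is a small Node.js example written for this thread; it is not cdxgen's own implementation, and the function names, the constructed sample report and the CycloneDX field subset are my own choices. It assumes plain-console Gradle output (no ANSI color codes), parses the indented tree, drops constraint `(c)` and unresolved `(n)` entries, honours `requested -> resolved` version arrows, and emits a minimal CycloneDX 1.4 JSON document with Maven package URLs plus a dependency graph.

```javascript
// Added example for this issue thread, not cdxgen's own code: turn a captured
// `gradlew dependencies` report (plain console output, saved as dep.txt) into a
// minimal CycloneDX JSON document with Maven package URLs and a dependency graph.

// One node of the tree, e.g. "|    +--- org.yaml:snakeyaml:1.30 (*)".
// Group 1: the 5-character-wide indentation prefix, group 3: the coordinate text.
const TREE_LINE = /^((?:[|\s]{5})*)([+\\])--- (.+)$/;

// Parse "group:name[:requested][ -> resolved][ (marker)]" into its parts.
// Gradle markers: (*) repeated subtree, (c) dependency constraint, (n) not resolved.
function parseCoordinate(text) {
  let marker = null;
  const mk = text.match(/\s\((\*|c|n)\)$/);
  if (mk) { marker = mk[1]; text = text.slice(0, mk.index); }
  if (text.startsWith("project ")) {
    return { project: text.slice("project ".length).trim(), marker };
  }
  let [requested, resolved] = text.split(" -> ").map((s) => s.trim());
  let [group, name, version = null] = requested.split(":");
  if (resolved !== undefined) {
    // Usually a bare version ("1.0 -> 1.2"); a full coordinate means a module replacement.
    const r = resolved.split(":");
    if (r.length === 3) [group, name, version] = r; else version = resolved;
  }
  return { group, name, version, marker };
}

function purlFor(c) {
  const enc = encodeURIComponent;
  return `pkg:maven/${enc(c.group)}/${enc(c.name)}@${enc(c.version)}`;
}

function parseGradleDependencies(report) {
  const components = new Map(); // purl -> CycloneDX component
  const dependsOn = new Map();  // purl -> Set of purls it depends on
  const rootDeps = new Set();   // direct dependencies of the scanned project
  let stack = [];               // purl (or null) of the ancestor at each depth

  for (const raw of report.split(/\r?\n/)) {
    const line = raw.trimEnd();
    const m = TREE_LINE.exec(line);
    if (!m) { stack = []; continue; } // headers, blank lines, legend: tree starts over
    const depth = m[1].length / 5;
    stack.length = depth;             // forget ancestors deeper than this node
    const parent = depth > 0 ? stack[depth - 1] : null;
    const coord = parseCoordinate(m[3]);

    // Constraints and unresolved entries are not shipped code; sub-projects are
    // skipped here, so their dependencies attach to the root instead.
    if (coord.project || coord.marker === "c" || coord.marker === "n" || !coord.version) {
      stack[depth] = null;
      continue;
    }
    const purl = purlFor(coord);
    if (!components.has(purl)) {
      components.set(purl, {
        type: "library", group: coord.group, name: coord.name,
        version: coord.version, purl, "bom-ref": purl,
      });
      dependsOn.set(purl, new Set());
    }
    if (parent) dependsOn.get(parent).add(purl); else rootDeps.add(purl);
    stack[depth] = purl;
  }
  return { components, dependsOn, rootDeps };
}

function toCycloneDx(parsed, rootName) {
  const deps = [{ ref: rootName, dependsOn: [...parsed.rootDeps].sort() }];
  for (const [ref, set] of parsed.dependsOn) deps.push({ ref, dependsOn: [...set].sort() });
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.4",
    version: 1,
    metadata: { component: { type: "application", name: rootName, "bom-ref": rootName } },
    components: [...parsed.components.values()],
    dependencies: deps,
  };
}

// Constructed sample of what `gradlew dependencies -q --console=plain > dep.txt` produces.
const SAMPLE_REPORT = String.raw`
------------------------------------------------------------
Root project 'demo'
------------------------------------------------------------

compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web -> 2.7.0
|    +--- org.springframework.boot:spring-boot-starter:2.7.0
|    |    \--- org.yaml:snakeyaml:1.30
|    \--- com.fasterxml.jackson.core:jackson-databind:2.13.3
+--- com.google.guava:guava:30.0-jre -> 31.1-jre
\--- org.apache.commons:commons-text:1.9 (c)

runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web -> 2.7.0 (*)
\--- project :lib
     \--- org.slf4j:slf4j-api:1.7.36

(*) - Indicates repeated occurrences of a transitive dependency subtree.
`;

function sampleBom() {
  return toCycloneDx(parseGradleDependencies(SAMPLE_REPORT), "demo");
}

console.log(JSON.stringify(sampleBom(), null, 2));
```

In a pipeline the `dep.txt` artifact from the build stage would replace `SAMPLE_REPORT`; because resolved versions are taken from the right-hand side of the `->` arrows, the BOM reflects what Gradle actually resolved rather than what build.gradle declared, which is the property that makes the plugin route more accurate than auditing build files.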

2013kaa commented 1 year ago

@prabhu Do you have any ideas about my proposal?)) That would be super!

prabhu commented 1 year ago

@2013kaa Not yet. Busy with adding containers and os scans. Any idea how much time we will likely trim for you with this caching? One idea could be to add support for reading from stdin so you can run gradle and pipe it to cdxgen.

2013kaa commented 1 year ago

@prabhu each assembly of sbom.xml takes us from 5 to 10 minutes, times 300 projects in GitLab! It's more about convenience and ease of use. Developers can send me the output of "gradlew dependencies" or pass it between CI/CD tasks as an artifact, instead of reusing their image and environment each time to re-run "gradlew dependencies".

prabhu commented 1 year ago

@2013kaa Would you prefer support for the gradle lock file? https://docs.gradle.org/current/userguide/dependency_locking.html#lock_state_location_and_format

Could you find out from your dev teams if they could create and maintain the lock files in the repo? This is consistent with other languages that can automatically use lock files.

2013kaa commented 1 year ago

@prabhu unfortunately, our programmers are too lazy and there are too many of them for me to force them alone (( Still looking forward to the new feature))