Santandersecurityresearch / cryptobom-forge

Tools and utilities needed to parse GitHub Multi-Repository Variant Analysis output
MIT License

What type of query to run for Sarif file generation #14

Open shafr opened 2 weeks ago

shafr commented 2 weeks ago

Can you please clarify if there is a specific query that is used for SARIF file generation, or if this would be enough:

```shell
codeql database create java-db --language=java
codeql database analyze java-db --format=sarif-latest --output=java-jb-output
# would run `codeql/java-queries` codeql queries
cryptobom generate java-jb-output --output-file cbom.json
```

This does not produce any info except for the wrapper:

```json
{
    "dependencies": [
        {
            "ref": "91a6a25a-73c6-41bb-9ea7-62c8949bcf1f"
        }
    ],
    "metadata": {
        "component": {
            "bom-ref": "91a6a25a-73c6-41bb-9ea7-62c8949bcf1f",
            "name": "root",
            "type": "application"
        },
        "timestamp": "2024-08-27T17:05:25.098877+00:00",
        "tools": [
            {
                "externalReferences": [
                    {
                        "type": "build-system",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
                    },
                    {
                        "type": "distribution",
                        "url": "https://pypi.org/project/cyclonedx-python-lib/"
                    },
                    {
                        "type": "documentation",
                        "url": "https://cyclonedx.github.io/cyclonedx-python-lib/"
                    },
                    {
                        "type": "issue-tracker",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
                    },
                    {
                        "type": "license",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
                    },
                    {
                        "type": "release-notes",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
                    },
                    {
                        "type": "vcs",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
                    },
                    {
                        "type": "website",
                        "url": "https://cyclonedx.org"
                    }
                ],
                "name": "cyclonedx-python-lib",
                "vendor": "CycloneDX",
                "version": "4.2.2"
            },
            {
                "name": "CodeQL",
                "vendor": "GitHub",
                "version": "2.18.2"
            }
        ]
    },
    "serialNumber": "urn:uuid:049c2a82-ac92-4839-8be7-4d2cd0f8a9de",
    "version": 1,
    "$schema": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json",
    "bomFormat": "CBOM",
    "specVersion": "1.4-cbom-1.0"
}
```
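A quick way to tell whether an empty CBOM like the one above comes from the SARIF side (the analysis produced no results at all) or from the conversion side (the SARIF has results, but none that cryptobom turns into components) is to inspect both files before and after `cryptobom generate`. The script below is an added example and is not part of cryptobom-forge; it relies only on the public SARIF 2.1.0 layout (`runs[].results[].ruleId`) and on the CBOM shape shown in the issue (a top-level `components` list, absent here). The rule ids, file paths and sample documents are constructed placeholders, not real CodeQL rule names.

```python
"""Sanity checks for a CodeQL SARIF file and the CBOM generated from it.

Added example, not part of cryptobom-forge. It assumes only the public
SARIF 2.1.0 layout (runs[].results[].ruleId) and the CycloneDX/CBOM
layout shown in the issue (top-level "components" list). Rule ids and
paths below are constructed placeholders, not real CodeQL rule ids.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed SARIF document: two results from a hypothetical crypto
# inventory rule and one result from an unrelated rule.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "example/crypto-inventory-rule",
             "message": {"text": "constructed: algorithm use"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Crypto.java"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "example/crypto-inventory-rule",
             "message": {"text": "constructed: algorithm use"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Tls.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/unrelated-rule",
             "message": {"text": "constructed: other finding"},
             "locations": []},
        ],
    }],
}

# Constructed CBOM with the same shape as the output in the issue:
# metadata and dependencies only, no "components" key at all.
EMPTY_CBOM = {
    "bomFormat": "CBOM",
    "specVersion": "1.4-cbom-1.0",
    "dependencies": [{"ref": "root-ref"}],
    "metadata": {"component": {"bom-ref": "root-ref",
                               "name": "root", "type": "application"}},
}

# Constructed CBOM that does carry one crypto-asset component.
POPULATED_CBOM = dict(EMPTY_CBOM, components=[
    {"type": "crypto-asset", "name": "AES", "bom-ref": "constructed-1"}
])


def results_per_rule(sarif):
    """Count SARIF results by ruleId across all runs."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("ruleId", "<no-ruleId>")] += 1
    return dict(counts)


def result_locations(sarif, rule_id):
    """Return (uri, startLine) pairs for every result of one rule."""
    locs = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                locs.append((uri, line))
    return locs


def cbom_component_count(cbom):
    """Number of components in the CBOM (0 when the key is missing)."""
    return len(cbom.get("components") or [])


def diagnose(sarif, cbom):
    """Classify why a CBOM may be empty.

    "no-sarif-results": the analysis produced nothing to convert.
    "empty-cbom": the SARIF has results, but the CBOM lists no components,
                  so the results are not ones cryptobom recognises.
    "ok": the CBOM contains components.
    """
    if sum(results_per_rule(sarif).values()) == 0:
        return "no-sarif-results"
    if cbom_component_count(cbom) == 0:
        return "empty-cbom"
    return "ok"


def load_json(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sarif, cbom = load_json(sys.argv[1]), load_json(sys.argv[2])
    else:
        sarif, cbom = SAMPLE_SARIF, EMPTY_CBOM
    print("results per rule:", results_per_rule(sarif))
    print("components in CBOM:", cbom_component_count(cbom))
    print("diagnosis:", diagnose(sarif, cbom))
```

Run it as `python check_cbom.py java-jb-output cbom.json`; with no arguments it uses the constructed samples. An `empty-cbom` diagnosis with a non-empty `results per rule` listing is the situation in this issue: the default `codeql/java-queries` suite does report findings, but they are not the cryptography inventory results the converter expects, so the rule ids printed are the first thing to compare against the crypto inventory queries.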
shafr commented 2 weeks ago

So apparently the research paper and the examples in the slides mostly work for Python, and the queries are here: https://github.com/github/codeql/tree/main/python/ql/src/experimental/cryptography/inventory/new_models