Open shafr opened 2 weeks ago
Can you please clarify if there is a specific query that is used for SARIF file generation, or if this would be enough:

```shell
codeql database create java-db --language=java
codeql database analyze java-db --format=sarif-latest --output=java-jb-output  # would run `codeql/java-queries`
codeql queries cryptobom generate java-jb-output --output-file cbom.json
```
This does not produce any info except for the wrapper:

```json
{
  "dependencies": [
    { "ref": "91a6a25a-73c6-41bb-9ea7-62c8949bcf1f" }
  ],
  "metadata": {
    "component": {
      "bom-ref": "91a6a25a-73c6-41bb-9ea7-62c8949bcf1f",
      "name": "root",
      "type": "application"
    },
    "timestamp": "2024-08-27T17:05:25.098877+00:00",
    "tools": [
      {
        "externalReferences": [
          { "type": "build-system", "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" },
          { "type": "distribution", "url": "https://pypi.org/project/cyclonedx-python-lib/" },
          { "type": "documentation", "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" },
          { "type": "issue-tracker", "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" },
          { "type": "license", "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" },
          { "type": "release-notes", "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" },
          { "type": "vcs", "url": "https://github.com/CycloneDX/cyclonedx-python-lib" },
          { "type": "website", "url": "https://cyclonedx.org" }
        ],
        "name": "cyclonedx-python-lib",
        "vendor": "CycloneDX",
        "version": "4.2.2"
      },
      {
        "name": "CodeQL",
        "vendor": "GitHub",
        "version": "2.18.2"
      }
    ]
  },
  "serialNumber": "urn:uuid:049c2a82-ac92-4839-8be7-4d2cd0f8a9de",
  "version": 1,
  "$schema": "https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json",
  "bomFormat": "CBOM",
  "specVersion": "1.4-cbom-1.0"
}
```
So apparently the research paper and the examples in the slides mostly work for Python, and the queries are here: https://github.com/github/codeql/tree/main/python/ql/src/experimental/cryptography/inventory/new_models
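A CBOM generated from a SARIF file can only contain what the SARIF file contains, so a wrapper-only CBOM like the one above is worth diagnosing one step earlier: does the SARIF produced by `codeql database analyze` hold any results at all, and do any of them come from cryptography-inventory rules? The script below is an added example, not code from the issue, from CodeQL or from the cryptobom project. It walks the standard SARIF 2.1.0 layout (`runs[].tool.driver.rules[]`, `runs[].results[]`) and counts results per rule. The embedded SARIF documents and their rule ids (`example/...`) are constructed for the demonstration, and the idea of singling out rules tagged `cryptography` is an assumption about what a CBOM generator would care about, not a description of how cryptobom actually selects results.

```python
"""Summarise a SARIF 2.1.0 log before handing it to a CBOM generator.

Added example; not part of the issue, CodeQL or cryptobom. The SARIF
documents below are constructed, and the rule ids are made up.
"""
import json
from collections import Counter

# Constructed SARIF: one run, two rules, two results for the crypto rule,
# none for the unrelated rule. Mirrors the shape CodeQL emits, not real output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "example/crypto-inventory",
             "properties": {"tags": ["cryptography", "inventory"]}},
            {"id": "example/unrelated-query",
             "properties": {"tags": ["security"]}},
        ]}},
        "results": [
            {"ruleId": "example/crypto-inventory",
             "message": {"text": "Cipher algorithm: AES"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Main.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/crypto-inventory",
             "message": {"text": "Hash algorithm: SHA-256"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Crypto.java"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

# Constructed SARIF with a run but no rules and no results: the situation that
# yields a metadata-only CBOM.
EMPTY_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "CodeQL", "rules": []}},
              "results": []}],
})


def summarize_sarif(sarif_text: str, tag: str = "cryptography") -> dict:
    """Count SARIF results per rule and note which rules produced nothing.

    `tag` (assumed, see lead-in) selects the rules whose results a CBOM
    generator would plausibly consume; their hit count is reported separately.
    """
    doc = json.loads(sarif_text)
    counts: Counter = Counter()
    all_rules, tagged_rules, locations = set(), set(), []
    for run in doc.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            all_rules.add(rule["id"])
            if tag in rule.get("properties", {}).get("tags", []):
                tagged_rules.add(rule["id"])
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<no ruleId>")
            counts[rule_id] += 1
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine")
                locations.append((rule_id, uri, line))
    return {
        "total_results": sum(counts.values()),
        "by_rule": dict(counts),
        "rules_without_results": sorted(all_rules - set(counts)),
        "tagged_rule_results": sum(counts[r] for r in tagged_rules),
        "locations": locations,
    }


def explain(summary: dict, tag: str = "cryptography") -> str:
    """Turn the summary into a one-line diagnosis for the CBOM step."""
    if summary["total_results"] == 0:
        return ("SARIF has no results: the analyze step found nothing or ran "
                "no matching queries, so a CBOM built from it holds only metadata.")
    if summary["tagged_rule_results"] == 0:
        return (f"SARIF has {summary['total_results']} result(s) but none from "
                f"rules tagged '{tag}'; check which query suite analyze ran.")
    return (f"{summary['tagged_rule_results']} result(s) from '{tag}'-tagged "
            f"rules across {len(summary['locations'])} location(s).")


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SARIF), ("empty", EMPTY_SARIF)):
        s = summarize_sarif(text)
        print(f"{label}: {explain(s)}")
        for rule_id, uri, line in s["locations"]:
            print(f"  {rule_id}: {uri}:{line}")
```

Run it against a real SARIF by replacing `SAMPLE_SARIF` with the file's contents; if the empty-results branch fires, the problem is in the `codeql database analyze` invocation (which queries it ran), not in the CBOM generation step.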