Closed mcombuechen closed 1 year ago
Bit of a big PR already, since it pulls a lot of the CycloneDX code into its own files. So far parlay snyk enrich has been extended with support for SPDX 2.3 (JSON), I'm leaving it at this for now so we can add it to other commands in upcoming PRs.
parlay snyk enrich
Works as such:
```
$ SNYK_TOKEN=asdf ./parlay snyk enrich ./testing/sbom.spdx-2.3.json | jq ".packages[3]"
{
  "name": "minimatch",
  "SPDXID": "SPDXRef-4-minimatch-3.0.0",
  "versionInfo": "3.0.0",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/minimatch@3.0.0"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "advisory",
      "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818",
      "comment": "Regular Expression Denial of Service (ReDoS)"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "advisory",
      "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-1019388",
      "comment": "Regular Expression Denial of Service (ReDoS)"
    },
    {
      "referenceCategory": "SECURITY",
      "referenceType": "advisory",
      "referenceLocator": "https://security.snyk.io/vuln/npm:minimatch:20160620",
      "comment": "Regular Expression Denial of Service (ReDoS)"
    }
  ]
}
```
Let me know if we should split this up into smaller chunks, since there is a lot happening in this diff.
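The output above shows the shape parlay writes into an SPDX 2.3 package: the purl stays under `PACKAGE-MANAGER`, and each Snyk advisory becomes a `SECURITY`/`advisory` external ref. The following is an added consumer-side example, not parlay's own code: a small Go program that parses an enriched SPDX 2.3 JSON document and lists, per package, the purl and the advisory locators it was tagged with. The embedded `SampleSBOM` is constructed for the example (the minimatch entry mirrors the PR output; `example-clean` is a made-up package with no advisories); the struct types, `AdvisoryFindings` and `Finding` are assumptions of this example and cover only the fields it reads.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Subset of the SPDX 2.3 JSON schema: only the fields this example reads.
type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
	Comment           string `json:"comment,omitempty"`
}

type Package struct {
	Name         string        `json:"name"`
	SPDXID       string        `json:"SPDXID"`
	VersionInfo  string        `json:"versionInfo"`
	ExternalRefs []ExternalRef `json:"externalRefs"`
}

type Document struct {
	SPDXVersion string    `json:"spdxVersion"`
	Packages    []Package `json:"packages"`
}

// Finding is one package that the enrichment step tagged with at least one advisory.
type Finding struct {
	Purl       string   // from the PACKAGE-MANAGER/purl external ref, if present
	Advisories []string // referenceLocator of each SECURITY/advisory ref, in document order
}

// AdvisoryFindings parses an SPDX 2.3 JSON document and returns the packages that
// carry SECURITY/advisory external refs, keyed by SPDXID. Packages whose only refs
// are package-manager purls are left out of the result.
func AdvisoryFindings(data []byte) (map[string]Finding, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse SPDX document: %w", err)
	}
	found := map[string]Finding{}
	for _, p := range doc.Packages {
		var f Finding
		for _, r := range p.ExternalRefs {
			switch {
			case r.ReferenceCategory == "PACKAGE-MANAGER" && r.ReferenceType == "purl":
				f.Purl = r.ReferenceLocator
			case r.ReferenceCategory == "SECURITY" && r.ReferenceType == "advisory":
				f.Advisories = append(f.Advisories, r.ReferenceLocator)
			}
		}
		if len(f.Advisories) > 0 {
			found[p.SPDXID] = f
		}
	}
	return found, nil
}

// SampleSBOM is a constructed, trimmed enriched document used when no file is given.
const SampleSBOM = `{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"name": "minimatch", "SPDXID": "SPDXRef-4-minimatch-3.0.0", "versionInfo": "3.0.0",
     "externalRefs": [
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/minimatch@3.0.0"},
       {"referenceCategory": "SECURITY", "referenceType": "advisory", "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818", "comment": "Regular Expression Denial of Service (ReDoS)"},
       {"referenceCategory": "SECURITY", "referenceType": "advisory", "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-1019388", "comment": "Regular Expression Denial of Service (ReDoS)"},
       {"referenceCategory": "SECURITY", "referenceType": "advisory", "referenceLocator": "https://security.snyk.io/vuln/npm:minimatch:20160620", "comment": "Regular Expression Denial of Service (ReDoS)"}
     ]},
    {"name": "example-clean", "SPDXID": "SPDXRef-1-example-clean-1.0.0", "versionInfo": "1.0.0",
     "externalRefs": [
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/example-clean@1.0.0"}
     ]}
  ]
}`

func main() {
	data := []byte(SampleSBOM)
	if len(os.Args) > 1 { // optionally read an enriched SBOM written by parlay
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		data = b
	}
	findings, err := AdvisoryFindings(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for id, f := range findings {
		fmt.Printf("%s (%s): %d advisories\n", id, f.Purl, len(f.Advisories))
		for _, a := range f.Advisories {
			fmt.Println("  -", a)
		}
	}
}
```

Run it with no arguments to see the embedded sample, or pass the path of a file produced by `parlay snyk enrich` to report on real output. Keying on `referenceCategory` plus `referenceType`, rather than on the locator URL, keeps the check independent of which advisory source the enrichment step used.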