Open rseddon opened 3 years ago
Leaving some info for whoever picks this up:
Something you'll need to figure out is how to represent a commit via an SBOM. There are some candidates, I'm trying to figure out the best way, but if I don't, that would be what you want to look at. The full spec is here: https://cyclonedx.org/docs/1.2/ (and of note, we are using 1.1 at the moment)
From there I imagine it's fairly easy? You'll need to discover the local git hash, etc... and I think there are a plethora of JS libraries for doing that (https://www.npmjs.com/package/simple-git is one)
After talking with Steve, the best place to describe this seems as follows:
bom->metadata->component->pedigree->commits->commit
We would put together a bare bones component that describes the local project (name and version we can likely get from the local package.json, for the record, as well as scope if it exists), and then populate the minimal pedigree information that is necessary per the schema.
Examples of the use of metadata are here: https://cyclonedx.org/use-cases/#packaging-and-distribution
Pedigree is here: https://cyclonedx.org/use-cases/#pedigree
IQ will obviously need to do something with this data, but we have a path to describe it (which is half the battle!)
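As an added example (not auditjs code and not part of this thread), this builds the CycloneDX 1.2 JSON skeleton for the path above, with the project's name/version taken from a constructed package.json object and the commit fields from a constructed stand-in for `git log -1`; the mapping of an npm scope to the CycloneDX `group` field is an assumption.

```javascript
// Added example, not auditjs project code. Builds the CycloneDX 1.2 JSON
// skeleton that records the scanned project's own commit at
// bom -> metadata -> component -> pedigree -> commits -> commit.
// Inputs are constructed; the scanner would read package.json and query git.
function buildBom(pkg, commit) {
  // A pedigree commit uid should be the full SHA-1, not an abbreviated hash.
  if (!/^[0-9a-f]{40}$/.test(commit.hash)) {
    throw new Error(`not a full git SHA-1: ${commit.hash}`);
  }
  // Assumption: a scoped npm name "@scope/name" maps to CycloneDX group/name.
  const [, scope, name] = /^(?:@([^/]+)\/)?(.+)$/.exec(pkg.name);
  const purlNs = scope ? `%40${scope}/` : '';          // purl encodes '@' as %40
  const component = {
    type: 'application',
    name,
    version: pkg.version,
    purl: `pkg:npm/${purlNs}${name}@${pkg.version}`,
    pedigree: {
      commits: [{
        uid: commit.hash,
        url: commit.url,
        author: { timestamp: commit.date, name: commit.author, email: commit.email },
        message: commit.message,
      }],
    },
  };
  if (scope) component.group = `@${scope}`;
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.2',
    version: 1,
    metadata: { timestamp: new Date().toISOString(), component },
    components: [],   // scanned dependencies would be listed here
  };
}

// Constructed sample input standing in for package.json and `git log -1`.
const samplePkg = { name: '@example/my-app', version: '2.4.0' };
const sampleCommit = {
  hash: '3f786850e387550fdab836ed7e6dc881de23001b',
  url: 'https://example.invalid/my-app/commit/3f786850e387550fdab836ed7e6dc881de23001b',
  date: '2021-03-01T12:00:00Z',
  author: 'Jane Doe',
  email: 'jane@example.invalid',
  message: 'Bump lodash',
};
const sampleBom = buildBom(samplePkg, sampleCommit);
console.log(JSON.stringify(sampleBom, null, 2));
```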
Create automated pull requests from the auditjs scanner.
Automated Pull Requests
The AuditJS scanner needs to collect the git commit hash and submit it along with the rest of the scan data.
cc @bhamail / @DarthHater / @allenhsieh / @ken-duck