sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

CycloneDX to generate a JSON result for OSS Index #113

Closed guillermo-varela closed 2 years ago

guillermo-varela commented 2 years ago

Allows generating a JSON file using the CycloneDX 1.4 JSON format, with both components and vulnerabilities in the SBOM.

In this first step, no dependency relationship is made so we can deliver this feature a bit faster (the issue requesting this has been around for quite a while), and hopefully such a relationship can be developed later.

An example:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:87db34d1-5a5c-44ff-b1d8-061fd429d40c",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2022-06-10T00:16:48Z",
    "tools" : [
      {
        "vendor" : "Sonatype",
        "name" : "Scan Gradle Plugin (aka Sherlock Trunks)",
        "version" : "2.4.0-SNAPSHOT"
      }
    ],
    "component" : {
      "group" : "org.sonatype",
      "name" : "test-artifact",
      "version" : "0.0.1",
      "type" : "library"
    }
  },
  "components" : [
    {
      "group" : "com.squareup.retrofit2",
      "name" : "retrofit",
      "version" : "2.9.0",
      "purl" : "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0"
    },
    {
      "group" : "com.squareup.okhttp3",
      "name" : "okhttp",
      "version" : "3.14.9",
      "purl" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"
    },
    {
      "group" : "com.squareup.okio",
      "name" : "okio",
      "version" : "1.17.2",
      "purl" : "pkg:maven/com.squareup.okio/okio@1.17.2",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.okio/okio@1.17.2"
    }
  ],
  "vulnerabilities" : [
    {
      "id" : "CVE-2021-0341",
      "source" : {
        "name" : "OSS Index",
        "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
      },
      "ratings" : [
        {
          "score" : 7.5,
          "severity" : "high",
          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "cwes" : [
        295
      ],
      "description" : "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069",
      "advisories" : [
        {
          "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0341"
        },
        {
          "url" : "https://github.com/square/okhttp/pull/6353"
        },
        {
          "url" : "https://source.android.com/security/bulletin/2021-02-01#android-runtime"
        }
      ],
      "tools" : [
        {
          "vendor" : "Sonatype",
          "name" : "OSS Index"
        }
      ],
      "affects" : [
        {
          "ref" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"
        }
      ]
    }
  ]
}

It relates to the following issue #s:

cc @bhamail / @DarthHater / @shaikhu

stevespringett commented 2 years ago

Good work @guillermo-varela. One minor correction though. The vulnerability -> bom-ref is the unique identifier of the vulnerability. If you want to represent the component that is affected by a vulnerability, see https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_affects_items_ref

So it should read:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "version" : 1,
  "components" : [
    {
      "group" : "com.squareup.retrofit2",
      "name" : "retrofit",
      "version" : "2.9.0",
      "purl" : "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0"
    },
    {
      "group" : "com.squareup.okhttp3",
      "name" : "okhttp",
      "version" : "3.14.9",
      "purl" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"
    },
    {
      "group" : "com.squareup.okio",
      "name" : "okio",
      "version" : "1.17.2",
      "purl" : "pkg:maven/com.squareup.okio/okio@1.17.2",
      "type" : "library",
      "bom-ref" : "pkg:maven/com.squareup.okio/okio@1.17.2"
    }
  ],
  "vulnerabilities" : [
    {
      "id" : "CVE-2021-0341",
      "source" : {
        "name" : "OSS Index",
        "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1"
      },
      "references" : [
        {
          "id" : "CVE-2021-0341"
        },
        {
          "source" : {
            "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0341"
          }
        },
        {
          "source" : {
            "url" : "https://github.com/square/okhttp/pull/6353"
          }
        },
        {
          "source" : {
            "url" : "https://source.android.com/security/bulletin/2021-02-01#android-runtime"
          }
        }
      ],
      "ratings" : [
        {
          "score" : 7.5,
          "severity" : "high",
          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "description" : "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069",
      "tools" : [
        {
          "vendor" : "Sonatype",
          "name" : "Scan Gradle Plugin (aka Sherlock Trunks)",
          "version" : "2.4.0-SNAPSHOT"
        }
      ],
      "affects" : [
        {
          "ref" : "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"
        }
      ]
    }
  ]
}
guillermo-varela commented 2 years ago

> One minor correction though. The vulnerability -> bom-ref is the unique identifier of the vulnerability. If you want to represent the component that is affected by a vulnerability, see https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_affects_items_ref

Thank you @stevespringett for your feedback! Also thanks to @amy-keibler, who also helped improve this PR with her observations.

I updated the JSON sample in the PR description and it now passes the validation against the JSON schema at https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json
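The two points raised above (the affected component must be referenced through `vulnerabilities[].affects[].ref`, and that reference must resolve to a `components[].bom-ref`) are exactly what a consumer of the generated SBOM has to check before acting on it. The following is an added example, not code from the plugin or from anyone in this thread: a small Python consumer that loads a CycloneDX 1.4 JSON document, reports any `affects[].ref` that does not resolve to a component in the BOM, and lists the vulnerable components at or above a CVSS score threshold. The embedded SBOM is a constructed, trimmed version of the sample in the PR description plus one deliberately dangling reference with a placeholder id; the function names are this example's own.

```python
import json

# Constructed CycloneDX 1.4 SBOM in the shape the plugin emits, trimmed to the
# fields the checks below need. The second vulnerability (placeholder id
# EXAMPLE-0001) is constructed to show what an unresolved affects[].ref looks like.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"group": "com.squareup.okhttp3", "name": "okhttp", "version": "3.14.9",
         "purl": "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9", "type": "library",
         "bom-ref": "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"},
        {"group": "com.squareup.okio", "name": "okio", "version": "1.17.2",
         "purl": "pkg:maven/com.squareup.okio/okio@1.17.2", "type": "library",
         "bom-ref": "pkg:maven/com.squareup.okio/okio@1.17.2"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-0341",
         "ratings": [{"score": 7.5, "severity": "high",
                      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
         "affects": [{"ref": "pkg:maven/com.squareup.okhttp3/okhttp@3.14.9"}]},
        {"id": "EXAMPLE-0001",  # placeholder, not a real advisory
         "ratings": [{"score": 4.3, "severity": "medium"}],
         "affects": [{"ref": "pkg:maven/com.example/missing@1.0.0"}]},
    ],
})


def load_bom(text):
    """Parse the JSON and reject anything that is not a CycloneDX 1.4 document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.4":
        raise ValueError("not a CycloneDX 1.4 document")
    return bom


def known_refs(bom):
    """Set of bom-ref values declared by the components in the BOM."""
    return {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}


def unresolved_refs(bom):
    """(vulnerability id, ref) pairs whose affects[].ref matches no component bom-ref.

    A non-empty result means the SBOM cannot tell you which dependency is hit,
    so the finding cannot be triaged from the document alone.
    """
    known = known_refs(bom)
    return [(v["id"], a.get("ref"))
            for v in bom.get("vulnerabilities", [])
            for a in v.get("affects", [])
            if a.get("ref") not in known]


def highest_score(vuln):
    """Highest numeric CVSS score among a vulnerability's ratings (0.0 if none)."""
    return max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)


def describe(bom, ref):
    """Maven-style group:name:version for a component bom-ref, or the ref itself."""
    for c in bom.get("components", []):
        if c.get("bom-ref") == ref:
            return f"{c.get('group', '')}:{c.get('name', '')}:{c.get('version', '')}"
    return ref


def findings_at_or_above(bom, threshold):
    """(vulnerability id, component bom-ref, score) triples, highest score first,
    restricted to references that resolve to a component in the BOM."""
    known = known_refs(bom)
    out = []
    for v in bom.get("vulnerabilities", []):
        score = highest_score(v)
        if score < threshold:
            continue
        for a in v.get("affects", []):
            if a.get("ref") in known:
                out.append((v["id"], a["ref"], score))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    for vuln_id, ref in unresolved_refs(bom):
        print(f"WARNING {vuln_id}: affects.ref {ref!r} matches no component bom-ref")
    for vuln_id, ref, score in findings_at_or_above(bom, 7.0):
        print(f"{vuln_id} {score} {describe(bom, ref)}")
```

In a CI job the two lists map naturally onto build outcomes: an unresolved reference is a malformed SBOM and should fail the job on its own, while findings at or above the chosen score are the policy gate; the schema validation mentioned above catches structural errors, but not a reference that is syntactically valid and points nowhere.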

guillermo-varela commented 2 years ago

This feature has been published on version 2.4.0 https://github.com/sonatype-nexus-community/scan-gradle-plugin/releases/tag/2.4.0