
add github dependency analysis #197

Open. wants to merge 22 commits into base: main

Conversation

@yazgoo (Contributor) commented Jun 14, 2024

This adds a new command for interactive usage:

githubAnalyzeDependencies usage:
  githubAnalyzeDependencies [get|list|alerts|cves] [pattern]   Analyze the dependencies based on a search pattern:
  get: search for a pattern in the dependencies (requires githubGenerateSnapshot)
  list: list all dependencies matching a pattern (requires githubGenerateSnapshot)
  alerts: download and display CVEs alerts from Github (use hub or gh local config or GIT_TOKEN env var to authenticate)
  cves: analyze CVEs alerts against the dependencies (requires githubGenerateSnapshot and githubAnalyzeDependencies alerts

This aims at making dependency analysis easier and more in sync with what the snapshot actually contains.

Here is an example session on this repo https://github.com/yazgoo/scala-meetup-june-2024

sbt:scala-meetup-june-2024> githubGenerateSnapshot
[info] Dependency snapshot written to /tmp/dependency-snapshot-1170344267975636835.json

retrieve github alerts

sbt:scala-meetup-june-2024> githubAnalyzeDependencies alerts
Extract token from /home/yazgoo/.config/gh-yazgoo/hosts.yml
[info] Downloading alerts from https://api.github.com/repos/yazgoo/scala-meetup-june-2024/dependabot/alerts
software.amazon.ion:ion-java [ < 1.10.5 ] fixed:  high
com.fasterxml.jackson.core:jackson-databind [ >= 2.4.0-rc1, < 2.12.7.1 ] fixed: 2.12.7.1 high
com.fasterxml.jackson.core:jackson-databind [ >= 2.10.0, < 2.12.6 ] fixed: 2.12.6 high
com.fasterxml.jackson.core:jackson-databind [ < 2.12.7.1 ] fixed: 2.12.7.1 high
com.fasterxml.jackson.core:jackson-databind [ <= 2.12.6.0 ] fixed: 2.12.6.1 high

check snapshot against alerts

sbt:scala-meetup-june-2024> githubAnalyzeDependencies cves
software.amazon.ion:ion-java [ < 1.10.5 ] fixed:  high
    🔴 1.0.2
com.fasterxml.jackson.core:jackson-databind [ >= 2.4.0-rc1, < 2.12.7.1 ] fixed: 2.12.7.1 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ >= 2.10.0, < 2.12.6 ] fixed: 2.12.6 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ < 2.12.7.1 ] fixed: 2.12.7.1 high
    🟢 2.15.1
    🔴 2.12.3
com.fasterxml.jackson.core:jackson-databind [ <= 2.12.6.0 ] fixed: 2.12.6.1 high
    🟢 2.15.1
    🔴 2.12.3

list versions of libs in snapshot:

sbt:scala-meetup-june-2024> githubAnalyzeDependencies list jackson-databind
com.fasterxml.jackson.core:jackson-databind:2.15.1
com.fasterxml.jackson.core:jackson-databind:2.12.3

find what pulls the broken dependency

sbt:scala-meetup-june-2024> githubAnalyzeDependencies get jackson-databind:2.12.3
📁 default:scala-meetup-june-2024_3:0.1
  com.fasterxml.jackson.core:jackson-databind:2.12.3
  com.fasterxml.jackson.core:jackson-databind:2.12.3
  com.fasterxml.jackson.core:jackson-databind:2.12.3
    com.amazonaws:aws-java-sdk-core:1.12.148
      com.amazonaws:aws-java-sdk-secretsmanager:1.12.148
    com.amazonaws:aws-java-sdk-core:1.12.148
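
An added example, not part of this PR or of the plugin's code, of the check the `cves` step performs above: it reads the purl keys of a snapshot in the dependency-submission format, evaluates each clause of a Dependabot `vulnerable_version_range` against every version found, and flags them the way the session does. The snapshot and alert records are constructed; the alert field names assume the shape of the Dependabot alerts API response.

```python
import re

# Constructed sample shaped like the snapshot githubGenerateSnapshot writes; only the purl keys are read.
SNAPSHOT = {"manifests": {"default:scala-meetup-june-2024_3:0.1": {"resolved": {
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.1": {},
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3": {},
    "pkg:maven/software.amazon.ion/ion-java@1.0.2": {},
}}}}

# Constructed alerts, in the shape of the Dependabot alerts API fields used here (assumed).
ALERTS = [
    {"security_vulnerability": {"package": {"name": "software.amazon.ion:ion-java"},
                                "vulnerable_version_range": "< 1.10.5"}},
    {"security_vulnerability": {"package": {"name": "com.fasterxml.jackson.core:jackson-databind"},
                                "vulnerable_version_range": ">= 2.4.0-rc1, < 2.12.7.1"}},
]

def version_key(v):
    """Sortable key: numeric parts padded to 4, then a pre-release tag (rc1) sorts below the release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$", v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    suffix = m.group(2) or ""
    return nums + (0,) * (4 - len(nums)), 0 if suffix else 1, suffix

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def in_range(version, vrange):
    """True if version satisfies every comma-separated clause of a Dependabot range string."""
    clauses = (re.match(r"^\s*(<=|>=|<|>|=)\s*(\S+)\s*$", c).groups() for c in vrange.split(","))
    return all(OPS[op](version_key(version), version_key(bound)) for op, bound in clauses)

def snapshot_versions(snapshot):
    """Map 'group:artifact' -> set of versions, taken from the purl keys of every manifest."""
    found = {}
    for manifest in snapshot["manifests"].values():
        for purl in manifest["resolved"]:
            group, artifact, version = re.match(r"^pkg:maven/([^/]+)/([^@]+)@(.+)$", purl).groups()
            found.setdefault(f"{group}:{artifact}", set()).add(version)
    return found

def check_snapshot(snapshot, alerts):
    """Per alert: (package, range, [(version, vulnerable?), ...]) for the versions in the snapshot."""
    found = snapshot_versions(snapshot)
    report = []
    for alert in alerts:
        sv = alert["security_vulnerability"]
        name, rng = sv["package"]["name"], sv["vulnerable_version_range"]
        hits = [(v, in_range(v, rng)) for v in sorted(found.get(name, ()), key=version_key)]
        report.append((name, rng, hits))
    return report
```

Printing each hit as `🔴` or `🟢` in front of the version reproduces the report layout of the session; a version that is in the snapshot but outside every clause of the range is the green case.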

@adpi2 (Member) commented Jun 17, 2024

Thanks @yazgoo. That looks like a great improvement. I'll take a closer look at it soon.

@yazgoo (Contributor, Author) commented Jul 3, 2024

Hi @adpi2, is there something I can do to improve this PR?

@adpi2 (Member) commented Jul 3, 2024

Sorry, I did not get the time to review it yet. But it is near the top of my todo list. I will probably have time to review it next week.

@adpi2 (Member) commented Jul 9, 2024

@yazgoo here is my feedback. I think that githubAnalyzeDependencies is useful but too powerful/flexible, which makes it hard to use. For me its main value is to download the CVEs and to compare them with local dependencies. The rest of it (list and get) is not really specific to Github and is already available in other plugins.

So I suggest that githubAnalyzeDependencies should be a single command that downloads CVEs and prints a report based on the current snapshot.

To find what pulls the vulnerable dependencies, one can use whatDependsOn from the sbt-dependency-graph plugin.

@yazgoo (Contributor, Author) commented Jul 10, 2024

The issue with sbt-dependency-graph (and other dependency/CVE analysis tools I used) is that I don't get the exact same results as this plugin, which is why I implemented those functionalities.

Another possibility is that I write a separate plugin with these functionalities, but I'd like to use the snapshot in sbt state for this.

group "alerts" and "cve" command in one command to make it easier to use.
@yazgoo (Contributor, Author) commented Oct 29, 2024

@adpi2 does it look good to you with these latest changes?
