Add Packagist security advisories parser
The Current Behaviour section assumes that https://github.com/DependencyTrack/dependency-track/pull/796 is already merged.
Current Behaviour:
When a BOM is parsed which contains Composer-type packages, there is no check if there is a reported vulnerability for the given package versions in Packagist.
Proposed Behaviour:
As per https://packagist.org/apidoc#list-security-advisories (bottom of the page) Packagist exposes an API endpoint which could be used to check if there are any security advisories for the packages in the BOM. This API could be utilised similarly to the NPM audit advisories which is already implemented. The difference to NPM is that specific package names need to be used with Packagist, so the security advisories would only be pulled when a BOM/dependency is added.
Additional note:
This is already being implemented but a PR will only be opened when https://github.com/DependencyTrack/dependency-track/pull/796 actually gets merged.
Top GitHub Comments
Good. Yes, regardless, I think having more analyzers is a good thing as it gives the community choice and reduces the reliance on a single source.
DT supports severity of critical, high, medium, low, info, and unassigned. Since Packagist advisories do not support severity, for advisories with a CVE the severity can be derived from the CVE. For advisories without a CVE, the severity will be unassigned.
Unassigned severity has the same risk score as high severity.
The UI will not be impacted. It already supports unassigned severity.
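As an added example that is neither the issue author's nor Dependency-Track's code: a small parser for the Packagist security-advisories response described in the issue body, matching BOM component versions against each advisory's affectedVersions range and applying the severity rule from the maintainer comment above (CVE present: derive from the CVE; otherwise unassigned). The sample response, package names and CVE value are constructed; the range matcher handles only the comparison-operator ranges Packagist emits and ignores stability suffixes.

```python
import json
import re

# Constructed sample of a Packagist security-advisories response (field names follow the apidoc,
# every value is made up). The real call is GET /api/security-advisories/?packages[]=vendor/name
SAMPLE_RESPONSE = json.dumps({"advisories": {"acme/widget": [
    {"advisoryId": "PKSA-example-1", "packageName": "acme/widget", "remoteId": "GHSA-example",
     "title": "Example RCE in widget renderer", "link": "https://example.invalid/adv/1",
     "cve": "CVE-0000-0000", "affectedVersions": ">=1.0.0,<1.2.3|>=2.0.0,<2.0.5",
     "source": "GitHub", "reportedAt": "2020-01-01 00:00:00", "composerRepository": "https://packagist.org"},
    {"advisoryId": "PKSA-example-2", "packageName": "acme/widget", "remoteId": None,
     "title": "Example info leak", "link": None, "cve": None, "affectedVersions": "<1.1.0",
     "source": "FriendsOfPHP/security-advisories", "reportedAt": "2019-06-01 00:00:00",
     "composerRepository": "https://packagist.org"}]}})

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0, "<=": lambda c: c <= 0, "<": lambda c: c < 0,
        "!=": lambda c: c != 0, "=": lambda c: c == 0, "==": lambda c: c == 0}

def _vtuple(version):
    """Turn '1.2.3' or 'v1.2' into a comparable 4-tuple; stability suffixes (-beta1, @dev) are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0].split("@")[0])][:4]
    return tuple(nums + [0] * (4 - len(nums)))

def version_affected(version, constraint):
    """Composer-style range: ',' joins AND terms, '|' or '||' joins OR groups. Only comparison
    operators are handled, which is what Packagist's affectedVersions strings use."""
    v = _vtuple(version)
    for group in re.split(r"\|\|?", constraint):
        terms = [t for t in re.split(r"[,\s]+", group.strip()) if t]
        matched = bool(terms)
        for term in terms:
            m = re.match(r"^(>=|<=|!=|==|>|<|=)?(.+)$", term)
            delta = (v > _vtuple(m.group(2))) - (v < _vtuple(m.group(2)))
            if not _OPS[m.group(1) or "="](delta):
                matched = False
                break
        if matched:
            return True
    return False

def severity_for(advisory):
    """Packagist carries no severity: derive from the CVE when present (lookup stubbed as a label), else unassigned."""
    return "DERIVED_FROM_CVE" if advisory.get("cve") else "UNASSIGNED"

def find_affected(response_json, bom_components):
    """bom_components maps Composer package name -> version taken from the BOM."""
    advisories = json.loads(response_json).get("advisories", {})
    return [{"package": n, "version": ver, "advisoryId": a["advisoryId"], "cve": a.get("cve"),
             "severity": severity_for(a)}
            for n, ver in bom_components.items() for a in advisories.get(n, [])
            if version_affected(ver, a["affectedVersions"])]
```

Packages absent from the response (or not in the BOM) simply produce no hits, which is the behaviour an analyzer wants when querying Packagist per component.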