digininja/DVWA

Software Bill Of Materials as release asset

jkowalleck opened this issue · 9 comments

Background

I see you are shipping vendored dependencies here: https://github.com/digininja/DVWA/tree/master/external
I suppose there is a lot of other code that is bundled/vendored with this project, which might not be owned by this project. I can only guess. To be sure, I request the Software Bill Of Materials.
Reminder: I am talking about ownership, not licensing - this is a totally other topic.

User story

As a downstream user, I want to have (machine-readable) information of what this software package you provide is composed of.

Requirements

  • provide a Software Bill Of Materials (SBOM) as an asset with every release,
    so that users know what is in the Software you provide?
  • provided Software Bill Of Materials contains the corresponding version of DVWA that is applied to.
  • provided Software Bill Of Materials is in CycloneDX format, so that users can feed it to scanner tools like DependencyTrack
  • provided Software Bill Of Materials contains complete list of all shipped/vendored internal/external/transitive components
  • For each component: provided Software Bill Of Materials contain the group/name, version, license, dist/source URL, checksum/reference

If you would like to write one then go for it and submit a PR, if not, I won't be creating one.

If you would like to write one then go for it

As I wrote in my original request: it is unclear to me where you took the code from.
This is why I am requesting the SBOM from you in the first place, instead of writing it myself.

I would love to help and write the SBOM, if you could tell me the needed information:

  • provided a complete list of all shipped/vendored internal/external/transitive components
  • For each component: provided the group/name, version, license, dist/source URL, checksum/reference

It should be fairly obvious which is which.

Even if it was distinguishable, it would still be unclear what library it actually was, what's the group/name/version, where it stemmed from, whether it was modified?

Feel free to dig through and work it out

I tried, and I was unable to find all the information.

I have time to do.

No rush, take your time.
Maybe reopen this unresolved feature request and tag it as "help wanted" so community members like me could contribute.

Why do you want it?

Security analysis in general.

No need to create a new one. Could you just reopen this request?
All details are already in here, right?

What I want, and why, is exactly what is written here in that request: #540 (comment)
Please, read it. There is clearly written what the background story is, what my user story (problem) is, what I would consider as a possible solution, what I see as an acceptable solution and what kind of constraints I have and why I have them.

I can not give any example how to find the information, this is why I wrote this request in the first place.
If I knew the information, then I would not have asked for it.

Here is an example how this Software Bill Of Materials information could look like, in a human-readable form.
Writing this is pretty trivial, as I wrote exactly which information I am looking for.

version 2.1 of DVWA consists of
components
  - Org/SomeLibrary
    - version: 1.7.3
    - sourced from: httts://whereever.com/download
    - license: GPLv2
    - modified: yes
  - symfony/console
    - version: 3.4.45
    - sourced from: https://...
    - checksum: MD5-912ec803b2ce49e4a541068d495ab570
    - license: UNLICENSED
  - symfony/debug
    - version: 3.4.44
    - sourced from: git+https://github.com/foo/bar.git
    - reference: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
    - modified: yes
    - license: MIT
  - symfony/polyfill-mbstring
    - version: 1.0.1
    - sourced from: https://...
    - checksum: sha1-95e0c0e09be59e04eb0e312e5daa11a2a830e526
    - license: Apache-2.0

It would be great to have the information in a machine-readable form, but this would require to have the information gathered in the first place, which is not done.
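To show what the requested machine-readable form looks like once the per-component information has been gathered, here is an added example (not code from the DVWA project or from any participant in this thread) that turns a list like the human-readable one above into a CycloneDX 1.4 JSON document. The component data, the file contents hashed, the `pkg:generic` purl type and the `dvwa:modified` property name are all assumptions made for the example; a real SBOM would hash the actual vendored files and use the ecosystem's own purl type (for instance `pkg:composer` for Composer packages).

```python
import hashlib
import json
import uuid
from dataclasses import dataclass

# The fields the issue asks for, per component: group/name, version,
# license, dist/source URL, checksum/reference.
REQUIRED = ("name", "version", "license_id", "source_url", "checksum")


@dataclass
class Component:
    name: str
    version: str
    group: str = ""
    license_id: str = ""       # SPDX license identifier, e.g. "MIT"
    source_url: str = ""       # where the vendored copy was taken from
    content: bytes = b""       # constructed stand-in for the vendored file bytes
    modified: bool = False     # whether the vendored copy diverges from upstream


def sha256_hex(data: bytes) -> str:
    """Checksum used as the component's 'checksum/reference'."""
    return hashlib.sha256(data).hexdigest()


def missing_fields(c: Component) -> list:
    """Return the names of required fields that are still unknown for a component."""
    values = {
        "name": c.name,
        "version": c.version,
        "license_id": c.license_id,
        "source_url": c.source_url,
        "checksum": c.content,  # no bytes means no checksum could be computed
    }
    return [k for k in REQUIRED if not values[k]]


def to_cyclonedx(app_name: str, app_version: str, components: list) -> dict:
    """Build a CycloneDX 1.4 JSON structure describing app_name@app_version."""
    bom_components = []
    for c in components:
        entry = {
            "type": "library",
            "name": c.name,
            "version": c.version,
            # purl type 'generic' is an assumption; use the real ecosystem type if known.
            "purl": f"pkg:generic/{c.group + '/' if c.group else ''}{c.name}@{c.version}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(c.content)}],
            # Property name 'dvwa:modified' is an assumption for this example.
            "properties": [{"name": "dvwa:modified", "value": str(c.modified).lower()}],
        }
        if c.group:
            entry["group"] = c.group
        if c.license_id:
            entry["licenses"] = [{"license": {"id": c.license_id}}]
        if c.source_url:
            entry["externalReferences"] = [{"type": "distribution", "url": c.source_url}]
        bom_components.append(entry)

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": bom_components,
    }


# Constructed sample data, mirroring the human-readable listing in the thread.
SAMPLE = [
    Component(name="console", group="symfony", version="3.4.45",
              license_id="MIT", source_url="https://example.invalid/console",
              content=b"hello", modified=False),
    Component(name="SomeLibrary", group="Org", version="1.7.3",
              source_url="https://example.invalid/download",
              content=b"", modified=True),  # license and checksum still unknown
]


def build_sample_bom() -> dict:
    return to_cyclonedx("DVWA", "2.1", SAMPLE)


if __name__ == "__main__":
    for comp in SAMPLE:
        gaps = missing_fields(comp)
        if gaps:
            print(f"{comp.group}/{comp.name}: still missing {gaps}")
    print(json.dumps(build_sample_bom(), indent=2))
```

The `missing_fields` check is the useful part for this thread: run over the vendored components, it lists exactly which of the requested facts (license, source URL, checksum) still have to be tracked down before the SBOM can be considered complete, which is the gathering step the last comment says has not been done.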