
Use vulnerabilities from Composer package repositories #4465

Open
@valentijnscholten

Description


Current Behavior

As mentioned in #2337 (comment), Composer package repositories also provide vulnerability information for packages.

For some vulnerabilities this is the only way to get them, for example SA-CONTRIB-2023-052. None of OSS, NVD, GHSA, Snyk or OSV reports this vulnerability. But for companies running lots of Drupal projects, it's important to have visibility of these vulnerabilities.

The composer package repository provides vulnerability information in two places:

For the API part it is unclear what the URL for the Drupal 8 Composer repository is. The example URL provided is from the main Packagist repository, and it does not return the vulnerability.

More info about the API (and other repo functions): https://packagist.org/apidoc#list-security-advisories

Proposed Behavior

There are multiple options for what Dependency Track could do:

  • During metadata processing in ComposerMetaAnalyzer the vulnerability information is already returned by the package repository. These vulnerabilities could be stored in Dependency Track and used by the Internal Analyzer. Currently this is not straightforward, as metadata analysis runs in parallel with, or possibly after, vulnerability analysis. A downside is also that it could confuse users that the repository is also a vulnerability source (this could be an optional flag).

  • A new analyzer could be created, e.g. ComposerVulnerabilityAnalyzer, that uses the API to retrieve vulnerabilities. At the time of writing it's unclear if the Drupal-specific package repository supports this API.

I am curious about other peoples thoughts.

Please note that the Composer Package Repository doesn't support PURL or CPE. But since Dependency Track already retrieves metadata by just group and name, it should be OK to do the same for vulnerabilities?

I think somewhere here on Slack or GitHub somebody pointed us towards a library that maps PURLs/CPEs to namespace/group/name parts.

I also raised composer/packagist#1497
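The lookup the proposed analyzer would have to do, as an added example that is not part of the issue or of Dependency Track's code: derive the Composer `vendor/name` from a PURL (since the repository has no PURL support), look that name up in a security-advisories API response, and evaluate the `affectedVersions` constraint against the component's version. The response below is a constructed sample whose field names follow the documented endpoint; the advisory values are placeholders, and only comparator-style constraints are handled (no `^` or `~` shorthands).

```python
import json
import re

# Constructed sample shaped like the Packagist security-advisories endpoint
# (https://packagist.org/apidoc#list-security-advisories). Values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "advisories": {
        "drupal/core": [
            {"advisoryId": "PLACEHOLDER-1", "packageName": "drupal/core",
             "title": "constructed advisory", "cve": None,
             "affectedVersions": ">=8.0,<9.5.11|>=10.0,<10.1.6",
             "link": "https://example.invalid/advisory"},
        ]
    }
})

def purl_to_composer_name(purl: str):
    """Map pkg:composer/<vendor>/<name>@<version> to ("vendor/name", version).
    The Composer repository cannot be queried by PURL, only by package name."""
    m = re.fullmatch(r"pkg:composer/([^/@]+)/([^/@?#]+)(?:@([^?#]+))?.*", purl)
    if not m:
        raise ValueError(f"not a composer purl: {purl}")
    return f"{m.group(1)}/{m.group(2)}", m.group(3)

def _vtuple(version: str):
    # Normalise "v1.2.3", "1.2" or "10.1.6-beta1" to a comparable tuple of ints.
    parts = re.findall(r"\d+", version.lstrip("vV").split("-")[0])
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def version_affected(version: str, constraint: str) -> bool:
    """Evaluate a Composer-style range such as '>=8.0,<9.5.11|>=10.0,<10.1.6'.
    Alternatives are separated by '|' or '||'; comparators within one are ANDed."""
    v = _vtuple(version)
    for alt in re.split(r"\|\|?", constraint):
        ok = True
        for term in re.split(r"[,\s]+", alt.strip()):
            if not term:
                continue
            m = re.fullmatch(r"(>=|<=|>|<|=)?\s*(.+)", term)
            ok = ok and _OPS[m.group(1) or "="](v, _vtuple(m.group(2)))
        if ok:
            return True
    return False

def advisories_for(purl: str, response_json: str):
    """Advisories from an API response (JSON text) that affect the PURL's version."""
    name, version = purl_to_composer_name(purl)
    found = json.loads(response_json).get("advisories", {}).get(name, [])
    if version is None:
        return found  # no version on the PURL: report everything for the package
    return [a for a in found if version_affected(version, a["affectedVersions"])]
```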

Labels: enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/M (Medium effort)