Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ingest metadata.tools and make it available in CEL policies #588

Merged
merged 1 commit into from
Feb 29, 2024
Merged

Ingest metadata.tools and make it available in CEL policies #588

merged 1 commit into from
Feb 29, 2024

Commits on Feb 28, 2024

  1. Ingest metadata.tools from BOMs and make it available in CEL policies 

    The internal model is aligned with CycloneDX v1.5, in that it differentiates between tools that are components, and tools that are services: https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_tools_oneOf_i0

When ingesting BOMs following v1.4 or older of the CycloneDX specification, `metadata.tools` array items will be converted to `metadata.tools.components`.

For the time being, tools are persisted as JSON column in the `PROJECT_METADATA` table. As such, tools will not be analyzed for vulnerabilities or other kinds of risk.

Tool components and services are treated as subsets of the internal `Component` and `ServiceComponent` models. This subset property is enforced via Jackson's `@JsonView`s, such that only specific fields are considered when serializing and deserializing to and from JSON.

Tools are made available in CEL policy expressions under `project.metadata.tools.components`. Tool components use the existing `v1.Component` type, which means that functions like `matches_version` can be used on them.

Signed-off-by: nscuro <[email protected]>
    @nscuro
    nscuro committed Feb 28, 2024
    Configuration menu
    Copy the full SHA
    beb34ed View commit details
    Browse the repository at this point in the history