Add "Black Duck" as advisor for known security vulnerabilities #8739

Status: Open

fviernau opened this issue Jun 10, 2024 · 5 comments

Labels: advisor (About the advisor tool), new feature (Issues that are considered to be new features)

Comments

@fviernau
Member

fviernau commented Jun 10, 2024

Black Duck, amongst others, is a data source for security vulnerabilities.
The goal of this ticket is to make that data source available by integrating Black Duck as a so-called advisor into ORT.

Out of scope: Any other capability Black Duck has besides the security vulnerabilities,
such as scanning, e.g. for code snippets.

There is no public Black Duck instance, and the REST API docs seem to be available only via the actual instance, see also 1.

@fviernau fviernau added the labels "new feature" (Issues that are considered to be new features), "advisor" (About the advisor tool) and "to triage" (Issues that need triaging) on Jun 10, 2024
@fviernau
Member, Author

fviernau commented Jun 10, 2024

There are parties interested in having this; I'll potentially work on this soon.

@fviernau fviernau self-assigned this Jun 10, 2024
@sschuberth sschuberth removed the "to triage" (Issues that need triaging) label on Jun 10, 2024
@sschuberth
Member

sschuberth commented Jun 10, 2024

Ping @porsche-rishisaxena and @porsche-rbieniek as you might be interested in this work. We should talk about our respective experiences here, esp. having @porsche-rbieniek's "client layer" work in mind that has been mentioned here.

@sschuberth sschuberth changed the title from "advisor: Add "Black Duck" as advisor for known security vulnerabilities" to "Add "Black Duck" as advisor for known security vulnerabilities" on Jun 10, 2024
@porsche-rishisaxena

@sschuberth: we already have Black Duck integrated as a vulnerability provider in the "Advisor Stage" of our Porsche version, where we transform the analyzer-result.yml into Black Duck's BDIO format to look up the dependency and version. If found, we get the vulnerability information as per the CVSS 3.x standard.
This solution has been LIVE for 3 months now in the Porsche ecosystem.

@sschuberth
Member

> This solution has been LIVE for 3 months now in the Porsche ecosystem.

Thanks for sharing this achievement! This could be of interest to a client that @fviernau is working for, I believe. I'm trying to bring together the community here in order to exchange knowledge / experience and not reinvent the wheel.

@sschuberth sschuberth moved this from "Future" to "Q1 2025 - Jan-Mar" in Roadmap on Jan 17, 2025

Projects: Roadmap, Status: Q1 2025 - Jan-Mar
Development: No branches or pull requests

3 participants