Feature/vulnerability scanning integration #325
base: dev
Conversation
…sing, large-payload handling, and stable OSI healthcheck
- OSIController: accept multipart/form-data; parse `toolNames` JSON string into List with fallback to project tools; rename final SBOM to `ProjectName-OSI-{CDX14|SPDX23}-{JSON|XML|TAGVALUE}-yyyyMMdd-HHmmss.{json|xml|spdx}`.
- ParserController: align naming to `ProjectName-PARSERS-...`; correct extension mapping for SPDX TAGVALUE (.spdx), SPDX JSON (.json), CDX JSON (.json), CDX XML (.xml).
- SBOMFileService: add `rename(id, newName)` helper.
- OSIService: raise Jackson max string length for OSI `/generate` JSON (supports large base64 payloads).
- compose.yaml / compose.dev.yaml: fix OSI healthcheck (use Python to GET `/tools`), increase start period/timeout/retries for reliability.
Refs: ensure UI-provided `toolNames` as JSON array is parsed consistently; final filenames are human-readable and searchable.
Raised MySQL's max_allowed_packet and innodb_redo_log_capacity to 1GB in both compose.dev.yaml and compose.yaml. Added JAVA_TOOL_OPTIONS to set higher heap and GC options for the relevant service, with different memory allocations for dev and prod.
- Introduce SBOMFileDTO to separate API responses from entity models
- Configure Jackson to increase max nesting depth and handle self-references
- Apply @JsonIgnore and @JsonBackReference to entity relationships
- Update SBOMController and related tests to use DTOs
- Improve filename extraction in UploadSBOMFileInput
- Enhance robustness in NVDClient and OSVClient:
  - Filter out non-package files
  - Handle API failures gracefully
- Add null checks for supplier fields in serializers and fix related logic
Added application.properties for configuring database, Hibernate, file upload limits, and OSI endpoint. Removed unused Hibernate OnDelete annotation from ConflictFile entity to simplify JPA mapping.
Added checks to skip dependencies and references that are null, missing, empty, or the string 'null' in both CDX14JSONDeserializer and CDX14XMLDeserializer. This prevents invalid relationships from being added during SBOM deserialization.
- Install vulnerability scanners in API container (Grype, Trivy, OSV Scanner)
- Change Dockerfile base from Alpine to Debian for binary compatibility
- Add scanner installation steps with version pinning
- Implement VulnerabilityScanService for direct scanner execution
- Run scanners in parallel via ProcessBuilder
- Add --by-cve flag for Grype to prefer CVE over GHSA IDs
- Add --scanners vuln flag for Trivy
- Merge vulnerability results into SBOM JSON
- Create vulnerability tracking system
- Add VulnerabilityController with REST endpoints
- Add VulnerabilityHistoryService for trend analysis
- Add VulnerabilityAlertRepository for dashboard alerts
- Add VulnerabilityHistory and VulnerabilityAlert entities
- Fix VulnerabilityHistoryService.getAllProjects() to only return active SBOMs
- Add JavaTimeModule to JacksonConfig for LocalDateTime serialization
- Fix CDX14JSONSerializer by removing invalid releaseNotes string field
- Fix OSVClient to handle missing JSON fields (aliases, published, affected)
- Add VEX cache invalidation to auto-regenerate on errors
- Update OSIController to run vulnerability scans and record history

BREAKING CHANGE: Changes API container base image and adds new database entities
Scanning pipeline: orchestrate Trivy and Grype against uploaded SBOMs, merge findings, and store results in database

Improves vulnerability scanning by normalizing SBOMs, extracting and re-adding vulnerabilities after merge, and supporting multiple scanner formats (CycloneDX, Grype, Trivy). Adds robust project preparation in the Python server to auto-generate lock files and metadata for various ecosystems before scanning. Updates dependency-check tool config for persistent data and improves dependency serialization in the CycloneDX serializer.
…github.com/hima700/SBOM-in-a-Box into feature/vulnerability-scanning-integration
- map component identifiers to bom-ref during scan conversion and reattach cycles so CycloneDX vulnerabilities reference components correctly
- re-serialize merged SBOMs to the requested format, remap relationship targets, and default merge output to CycloneDX JSON
- raise JSON read limits and harden OSI dependency preparation/configs for larger SBOMs and richer dependency graphs
- add unit tests covering vulnerability reference remapping
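The "skip dependencies and references that are null, missing, empty, or the string 'null'" rule from the CDX14JSONDeserializer commit above, written out as an added Python example. This is not SBOM-in-a-Box code (the project's deserializers are Java) and it goes a step further than the commit describes: besides the nullish values it also rejects self-references, de-duplicates targets, and drops refs that name no component in the document, returning a list of what was dropped so the skip is auditable instead of silent. The CycloneDX `{"ref": ..., "dependsOn": [...]}` shape is the only assumption; the sample document and the function names are constructed for this example.

```python
"""Sanitize a CycloneDX 1.4 `dependencies` block before building the graph.

Added example, not SBOM-in-a-Box project code. Assumes the CycloneDX
`{"ref": ..., "dependsOn": [...]}` shape. The input below is constructed.
"""
import json
from typing import Any, Dict, List, Set, Tuple

# Constructed sample: every kind of bad reference the deserializer must survive.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:npm/app@0.1.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/a@1.0.0", "name": "a", "version": "1.0.0"},
        {"bom-ref": "pkg:npm/b@2.0.0", "name": "b", "version": "2.0.0"},
        {"bom-ref": "null", "name": "broken"},          # bom-ref is literally "null"
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@0.1.0", "dependsOn": ["pkg:npm/a@1.0.0", "pkg:npm/a@1.0.0"]},
        {"ref": "pkg:npm/a@1.0.0",
         "dependsOn": ["pkg:npm/b@2.0.0", "null", "", None, "pkg:npm/a@1.0.0", "pkg:npm/ghost@0.0.1"]},
        {"ref": "null", "dependsOn": ["pkg:npm/b@2.0.0"]},
        {"ref": "pkg:npm/b@2.0.0"},                       # no dependsOn: a leaf
        {"dependsOn": ["pkg:npm/a@1.0.0"]},               # no ref at all
    ],
})


def is_nullish(value: Any) -> bool:
    """True for JSON null / missing key (None), blank strings, or the string 'null'."""
    return value is None or (isinstance(value, str) and value.strip().lower() in ("", "null"))


def known_refs(bom: Dict[str, Any]) -> Set[str]:
    """Every bom-ref a dependency entry is allowed to point at (components + root)."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if not is_nullish(c.get("bom-ref"))}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not is_nullish(root):
        refs.add(root)
    return refs


def sanitize_dependencies(bom: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Return (clean dependency entries, reasons for every dropped ref/target)."""
    refs = known_refs(bom)
    clean: List[Dict[str, Any]] = []
    dropped: List[str] = []
    for entry in bom.get("dependencies") or []:
        ref = entry.get("ref")
        if is_nullish(ref):
            dropped.append("entry without a usable ref")
            continue
        if ref not in refs:
            dropped.append(f"{ref}: ref matches no component")
            continue
        targets: List[str] = []
        for target in entry.get("dependsOn") or []:
            if is_nullish(target):
                dropped.append(f"{ref}: nullish dependsOn target")
            elif target == ref:
                dropped.append(f"{ref}: self-reference")
            elif target not in refs:
                dropped.append(f"{ref}: unknown target {target}")
            elif target not in targets:   # duplicates are merged, not reported
                targets.append(target)
        clean.append({"ref": ref, "dependsOn": targets})
    return clean, dropped


def run_example() -> Tuple[List[Dict[str, Any]], List[str]]:
    """Sanitize the constructed sample document."""
    return sanitize_dependencies(json.loads(SAMPLE_BOM))


if __name__ == "__main__":
    entries, reasons = run_example()
    print(json.dumps(entries, indent=2))
    print("\n".join(reasons))
```

Returning the dropped reasons rather than just skipping is the part worth copying: a relationship that vanishes silently during deserialization is indistinguishable from one the upstream tool never emitted.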
@hima700 Please update your description with a summary and details of your changes
Please address comments, rebase against the dev branch, and update the changelog with the summary of your changes
Dockerfile
Outdated
| ARG GRYPE_VERSION=0.84.0 | ||
| RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${GRYPE_VERSION} | ||
| # Install Trivy | ||
| ARG TRIVY_VERSION=0.58.1 |
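Review bot: the Grype install line `RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${GRYPE_VERSION}` pins the binary version but fetches the installer itself from the unpinned `main` branch and pipes it straight into `sh`, so what actually runs at build time sits outside the `GRYPE_VERSION` pin and is never checked against a digest. Fetch the installer (or the release archive) at a fixed tag, verify its checksum in its own `RUN` step, and only then execute it; apply the same to the Trivy install that follows `ARG TRIVY_VERSION=0.58.1`, since "version pinning" in the commit message currently covers the version string only.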
Please update to the latest versions of these tools
Add docstrings
Add missing docstrings
compose.dev.yaml
Outdated
| healthcheck: | ||
| test: ["CMD", "curl", "-f", "http://localhost:5000/healthcheck"] | ||
| start_period: 15s # small delay to let startup scripts finish | ||
| test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; urllib.request.urlopen('http://localhost:5000/tools', timeout=5); sys.exit(0)\""] |
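Review bot: the two probes in this hunk do not test the same thing: `curl -f http://localhost:5000/healthcheck` hits a dedicated endpoint, while `python3 -c "... urllib.request.urlopen('http://localhost:5000/tools', timeout=5) ..."` hits `/tools`, so choosing one also changes what "healthy" means (the `/tools` probe fails if tool configs do not load; `/healthcheck` may pass regardless). Whichever form is kept, the probe binary must exist in the OSI image: a `curl` probe in an image that does not ship curl exits 127 on every run and the service stays unhealthy forever, which is the failure the commit message "fix OSI healthcheck (use Python to GET /tools)" appears to be working around. If curl is the answer, install it in the image, and drop the probe-internal `timeout=5` in favour of the healthcheck's own `timeout:` so compose, not the probe, decides when a check has failed.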
Don't use inline python for health check, use curl
compose.yaml
Outdated
| healthcheck: | ||
| test: ["CMD", "curl", "-f", "http://localhost:5000/healthcheck"] | ||
| start_period: 15s # small delay to let startup scripts finish | ||
| test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; urllib.request.urlopen('http://localhost:5000/tools', timeout=5); sys.exit(0)\""] |
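Review bot: same hunk as in compose.dev.yaml (`/healthcheck` via `curl -f` versus `/tools` via inline `python3`); whatever probe is settled on there, keep the production file identical so dev and prod do not report health on different endpoints.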
Don't use inline python for health check, use curl
Add missing docstrings
osi/Dockerfile
Outdated
| ARG TRIVY_VERSION=0.58.1 | ||
| ARG OSV_SCANNER_VERSION=1.9.2 | ||
| ARG DEPENDENCY_CHECK_VERSION=11.1.1 |
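Review bot: `ARG TRIVY_VERSION=0.58.1`, `ARG OSV_SCANNER_VERSION=1.9.2` and `ARG DEPENDENCY_CHECK_VERSION=11.1.1` pin version strings only; make sure the download steps that consume these ARGs also verify the archive checksum for that version, otherwise the pin constrains the filename and not the bytes that end up on `PATH` inside OSI.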
Ensure these are the latest versions
osi/osi/configs/tools/grype.yml
Outdated
| - schema: "cyclonedx" | ||
| spec_version: "1.5" | ||
| format: "json" | ||
| languages: | ||
| - "All" | ||
| package_managers: | ||
| - "All" | ||
| commands: | ||
| - "grype sbom:$SBOM_OUT/merged-sbom.json -o cyclonedx-json@1.5 --file $SBOM_OUT/grype-vulns-cdx15.json" |
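Review bot: the commit message earlier in this thread says `--by-cve` was added so Grype prefers CVE over GHSA ids, but `grype sbom:$SBOM_OUT/merged-sbom.json -o cyclonedx-json@1.5 --file $SBOM_OUT/grype-vulns-cdx15.json` does not pass it, so output from this tool config will still carry GHSA ids that the NVD/OSV clients then have to resolve. Separately, `-o cyclonedx-json@1.5` conflicts with the 1.4-only support noted above; if the entry is kept rather than removed, emit `cyclonedx-json@1.4` and rename the output file so the suffix matches the spec version actually written.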
Remove for now since we only support 1.4
osi/osi/configs/tools/trivy.yml
Outdated
| - schema: "cyclonedx" | ||
| spec_version: "1.5" | ||
| format: "json" | ||
| languages: | ||
| - "All" | ||
| package_managers: | ||
| - "All" | ||
| commands: | ||
| - "trivy sbom --format cyclonedx --scanners vuln --output $SBOM_OUT/trivy-vulns-cdx15.json $SBOM_OUT/merged-sbom.json" |
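Review bot: `trivy sbom --format cyclonedx --scanners vuln --output $SBOM_OUT/trivy-vulns-cdx15.json $SBOM_OUT/merged-sbom.json` never selects a CycloneDX spec version, so `spec_version: "1.5"` and the `cdx15` filename record what the config claims, not what Trivy emits. Anything downstream that dispatches on spec version should read `specVersion` from the document rather than trust the filename, and as with grype.yml the entry conflicts with the 1.4-only support noted above.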
remove for now since we only support 1.4
| def _command_exists(command: str) -> bool: | ||
| return shutil.which(command) is not None | ||
| def _run_prepare_command(self, command: List[str], cwd: str, description: str) -> None: |
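Review bot: `_run_prepare_command(self, command: List[str], cwd: str, description: str)` executes ecosystem tooling inside the uploaded project directory, and the commit message says this is used to "auto-generate lock files and metadata for various ecosystems before scanning". Generating lock files with a package manager's install command runs install hooks and setup code that the uploader controls, inside the OSI container, so this turns SBOM upload into code execution on the scanning host. If lock files are genuinely required, prefer the no-execution modes where an ecosystem has one (for npm, `npm install --package-lock-only --ignore-scripts`), run the preparation step as an unprivileged user with a timeout and without network egress beyond the registry, and document per ecosystem exactly which command is executed. `_command_exists` via `shutil.which(command)` is fine, but it should resolve against the container's PATH only, never a PATH that includes the project directory.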
What is the purpose for installing the actual target project dependencies?
-Wire SBOM uploads to vulnerability processing
Normalize bom-refs before running scanners so merged SBOMs retain stable references.
Run Grype/Trivy (or inline data when scanners disabled), merge the findings back into the SBOM, and persist per-project history + alerts for the dashboard.
Filter out CVSS v4-only ratings so severity cards stay consistent.
Record scanner metadata and surface it through the API for auditing.
-Stabilize the API & toolchain
Added a dedicated JacksonConfig (JavaTimeModule + higher stream limits) so LocalDateTime data serializes cleanly.
Upgraded the bundled scanners (Syft 1.38.0 / Grype 0.104.0 / Trivy 0.67.2 / OSV 2.3.0 / Dependency-Check 12.1.0).
Replaced the inline Python compose healthchecks with curl -f /healthcheck probes.
Added docstrings across controllers/services/serializer + documented why OSI installs project dependencies.
-Frontend Security Dashboard
New dashboard page with project picker, severity cards, active alerts, and historical trends fed by the new backend endpoints.
Improved alert acknowledgement workflow, severity filters, and toast UX.
Electron ZIP flow now skips node_modules/build output before uploading to OSI; Angular component-style budget bumped to 10kb to silence warnings.
-Testing
docker compose build sbox_api
npm run build
Manual verification: upload SBOM, watch vulnerabilities populate, toggle between projects/alerts.
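The scanning pipeline the description above lays out (normalize bom-refs, run the scanners, map scanner component identifiers back onto the SBOM's bom-refs so CycloneDX `vulnerabilities[].affects[].ref` entries resolve, merge the findings, and filter CVSS v4-only ratings), as an added Python example. This is not SBOM-in-a-Box code (the project's VulnerabilityScanService is Java). Its assumptions: both documents are CycloneDX 1.4 JSON, the scanner output's `affects[].ref` values are the scanner's own bom-refs, purl is the join key between the two component lists (the page says "component identifiers" without naming one), and a finding whose rating was CVSS v4 only is kept with no rating rather than dropped. The two documents and every function name are constructed for this example.

```python
"""Remap scanner findings onto the uploaded SBOM's bom-refs and merge them.

Added example, not SBOM-in-a-Box project code. Assumes CycloneDX 1.4 JSON on
both sides, scanner-internal bom-refs in `affects[].ref`, and purl as the join
key. Both documents below are constructed.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

Bom = Dict[str, Any]

# Constructed: the uploaded SBOM after bom-ref normalization (bom-ref == purl).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/libx@1.2.3",
         "name": "libx", "version": "1.2.3", "purl": "pkg:maven/org.example/libx@1.2.3"},
        {"type": "library", "bom-ref": "pkg:npm/left-pad@1.3.0",
         "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

# Constructed: scanner output whose refs are its own ids, not the SBOM's bom-refs.
SCAN_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "scanner-0001", "name": "libx", "version": "1.2.3",
         "purl": "pkg:maven/org.example/libx@1.2.3"},
        {"type": "library", "bom-ref": "scanner-0002", "name": "unrelated", "version": "0.1",
         "purl": "pkg:pypi/unrelated@0.1"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-0001",
         "ratings": [{"method": "CVSSv31", "score": 7.5, "severity": "high"},
                     {"method": "CVSSv4", "score": 8.1, "severity": "high"}],
         "affects": [{"ref": "scanner-0001"}]},
        {"id": "CVE-2024-0002",
         "ratings": [{"method": "CVSSv4", "score": 9.0, "severity": "critical"}],
         "affects": [{"ref": "scanner-0001"}]},
        {"id": "CVE-2024-0003",
         "ratings": [{"method": "CVSSv31", "score": 5.0, "severity": "medium"}],
         "affects": [{"ref": "scanner-0002"}]},
    ],
})


def purl_to_bomref(bom: Bom) -> Dict[str, str]:
    """Index components: purl -> bom-ref (components lacking either are ignored)."""
    return {c["purl"]: c["bom-ref"] for c in bom.get("components", [])
            if c.get("purl") and c.get("bom-ref")}


def bomref_to_purl(bom: Bom) -> Dict[str, str]:
    """Index components the other way: bom-ref -> purl."""
    return {c["bom-ref"]: c["purl"] for c in bom.get("components", [])
            if c.get("purl") and c.get("bom-ref")}


def strip_cvss4(ratings: List[Bom]) -> List[Bom]:
    """Drop CVSS v4 ratings; the severity cards only consume v2/v3 ratings."""
    return [r for r in ratings if r.get("method") != "CVSSv4"]


def remap_vulnerabilities(sbom: Bom, scan: Bom) -> Tuple[List[Bom], List[Tuple[str, str]]]:
    """Rewrite affects[].ref from scanner ref -> purl -> SBOM bom-ref.

    Returns (remapped findings, [(vuln id, scanner ref)] that could not be mapped).
    A finding with no mappable ref is dropped rather than left dangling, because a
    dangling ref is exactly what breaks CycloneDX consumers of the merged SBOM.
    """
    sbom_refs, scan_purls = purl_to_bomref(sbom), bomref_to_purl(scan)
    remapped: List[Bom] = []
    unmapped: List[Tuple[str, str]] = []
    for vuln in scan.get("vulnerabilities", []):
        affects = []
        for a in vuln.get("affects", []):
            target = sbom_refs.get(scan_purls.get(a.get("ref"), ""))
            if target is None:
                unmapped.append((vuln.get("id", "<no id>"), a.get("ref")))
                continue
            affects.append({**a, "ref": target})
        if not affects:
            continue
        v = copy.deepcopy(vuln)
        v["affects"] = affects
        v["ratings"] = strip_cvss4(v.get("ratings", []))
        remapped.append(v)
    return remapped, unmapped


def merge_findings(sbom: Bom, scan: Bom) -> Tuple[Bom, List[Tuple[str, str]]]:
    """Merge remapped findings into a copy of the SBOM, de-duplicated by id.

    Re-merging the same scanner output is idempotent: an existing id gains only
    affects refs it did not already carry.
    """
    merged = copy.deepcopy(sbom)
    by_id: Dict[str, Bom] = {v["id"]: v for v in merged.get("vulnerabilities", []) if "id" in v}
    new, unmapped = remap_vulnerabilities(sbom, scan)
    for v in new:
        existing = by_id.get(v["id"])
        if existing is None:
            by_id[v["id"]] = v
            continue
        seen = {a.get("ref") for a in existing.get("affects", [])}
        existing.setdefault("affects", []).extend(a for a in v["affects"] if a["ref"] not in seen)
    merged["vulnerabilities"] = list(by_id.values())
    return merged, unmapped


def run_example() -> Tuple[Bom, List[Tuple[str, str]]]:
    """Merge the constructed scanner output into the constructed SBOM."""
    return merge_findings(json.loads(SBOM_JSON), json.loads(SCAN_JSON))


if __name__ == "__main__":
    out, skipped = run_example()
    print(json.dumps(out["vulnerabilities"], indent=2))
    print("unmapped:", skipped)
```

The unmapped list is the thing to surface through the scanner-metadata endpoint the description mentions: a finding that silently disappears because its purl was not in the uploaded SBOM is a coverage gap an auditor needs to see, and it is also the first symptom when a scanner starts emitting purls in a different normal form than the SBOM.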