A sample vulnerability definition using the WIP CycloneDX Vulnerability extension changes in CycloneDX/specification#44
Gareth Rushgrove garethr
garethr
/ purl2snyk.py
Last active
February 25, 2022 13:06
A quick example of a shim for PURL for the Snyk APIs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| This python scipt is a basic demonstration of providing a shim for the Snyk test APIs for PURL. | |
| This provides a nicer, higher level interface. It was predominantly written to demonstrate | |
| the simplicity of mapping (most of) PURL to the existing Snyk test APIs. | |
| Usage | |
| > purl2snyk test pkg:pypi/django@1.11.1 | |
| > purl2snyk test pkg:maven/org.apache.logging.log4j/log4j-core@2.14.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is free and unencumbered software released into the public domain. | |
| Anyone is free to copy, modify, publish, use, compile, sell, or | |
| distribute this software, either in source code form or as a compiled | |
| binary, for any purpose, commercial or non-commercial, and by any | |
| means. | |
| In jurisdictions that recognize copyright laws, the author or authors | |
| of this software dedicate any and all copyright interest in the | |
| software to the public domain. We make this dedication for the benefit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "id": "SPDXRef-todo-list", | |
| "name": "todo-list", | |
| "specVersion": "SPDX-3.0", | |
| "profile": [ | |
| "base", | |
| "vulnerabilities" | |
| ], | |
| "dataLicense": "CC0-1.0", | |
| "creator": "Organization: Snyk Ltd", |
garethr
/ 0_README.md
Last active
January 2, 2021 10:48
A set of hello world applications, mainly used for demonstraing Snyk. Although the applications themselves are trivial, each repository contains a toolchain using a variety of Cloud Native tools for building container images and deploying to Kubernetes or other platforms. The current set of applications consists of:
A demo of all the different Snyk products (nearly):
- Java
- Maven
- SpringBoot
- Kubernetes
If you want to test your deployed Google App Engine applications (ie. not just the code you have in your source respository) you can do so with Snyk by downloading the artifacts from Google Cloud Storage. The following demostrates a proof-of-concept of doing so.
You'll need to setup a few Google Cloud tools
garethr
/ 0_README.md
Created
January 1, 2020 11:13
Pondering on a generic bill of materials for software applications.
Ponderings on a generic bill of materials for software applications.
Package management manifests have some of this information but:
- Focus only on what's needed by the software packaging system
- Vary between languages
- Aren't typically shipped as part of the application
This gist is intended as a thought experiment, looking at what a generic bill of materials might look like.
garethr
/ _README.md
Created
December 7, 2019 11:21
using Snyk with a remote Docker daemon running in Kubernetes
Start a Docker cluster running on Kubernetes using the provided deployment file. Note this is intended to demonstrate what's possible and hardcodes a few values. The cluster is also set to run without TLS, which in production you would probably want to configure.
kubectl apply -f docker-deployment.yaml
This should give you a running Docker engine and service.
One of the neat things about the CNAB invocation images is that they are just Docker images. That means tools build to work with Docker images work nicely with CNAB. Snyk is one such tool, which can be used to determine vulnerabilities in Docker images.
With a little jq and xargs we can easily test our CNAB invocation images for a loaded bundle with Duffle like so.
$ duffle bundle show helloworld | jq .invocationImages[].image | xargs -L1 -I'{}' snyk test --docker {} 1081ms Tue 12 Nov 20:26:02 2019
Testing deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183...
garethr
/ gist:6a517651b62cb43ac3c8a0f9c4ab561d
Created
November 6, 2019 14:23
Testinga Clojure project with Snyk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ lein new reagent-frontend myproject | |
| Retrieving reagent-frontend/lein-template/0.1.55/lein-template-0.1.55.pom from clojars | |
| Retrieving reagent-frontend/lein-template/0.1.55/lein-template-0.1.55.jar from clojars | |
| Generating fresh 'lein new' Reagent frontend project. | |
| $ cd myproject | |
| $ lein pom | |
| Retrieving lein-cljsbuild/lein-cljsbuild/1.1.7/lein-cljsbuild-1.1.7.pom from clojars | |
| Retrieving fs/fs/1.1.2/fs-1.1.2.pom from clojars | |
| Retrieving lein-figwheel/lein-figwheel/0.5.19/lein-figwheel-0.5.19.pom from clojars |
NewerOlder