
Manage SBOM, VEX records and release notes in a single tool

Project description

Bogrod

Automatically update release notes with vulnerability information (VEX) taken from an SBOM in CycloneDX format, and merge that VEX information back into the SBOM.

Format

The release notes format is simply a YAML file with a security section:

# notes.yaml
# security:
#  - <CVE#> severity status [comment]
security:
- CVE-2022-999999 high open will fix in next release
- CVE-2022-999989 high fixed will fix in next release

This is a superset of the release notes format used by reno, the release notes tool.

Adding Vulnerability Exploit information (VEX)

Bogrod can extract vulnerability exploit information from the release notes or from a vex.yaml file (--vex-file):

# vex.yaml
CVE-2022-999999:
    state: open
    response: will fix in next release
    detail: affects only if debug flag is set
    justification: in normal operation this is not an issue

The vex.yaml file is used to update the "analysis" part of the CycloneDX SBOM when the -x flag is specified. If --vex-file is not specified, the information from the security section in the notes is used to set the analysis 'state' and 'response' fields instead.
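As an added example (not bogrod's own code), the following Python shows the notes-to-SBOM step described above: each `security:` entry is parsed in the `<CVE#> severity status [comment]` form and used to set the `analysis` fields of the matching CycloneDX vulnerability, and entries present in the SBOM but absent from the notes are reported (what `-w` would add). The sample SBOM and notes are constructed, and the mapping from the notes' status word to a CycloneDX `analysis.state` value is an assumption, since the page does not document bogrod's own mapping.

```python
import copy
import json

# Constructed sample: the "security:" entries of notes.yaml, in the
# "<CVE#> severity status [comment]" form described above.
NOTES_SECURITY = [
    "CVE-2022-999999 high open will fix in next release",
    "CVE-2022-999989 high fixed will fix in next release",
]

# Constructed sample: a CycloneDX SBOM (as parsed from JSON) trimmed to the keys used here.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "vulnerabilities": [
    {"id": "CVE-2022-999999", "ratings": [{"severity": "high"}]},
    {"id": "CVE-2022-999989", "ratings": [{"severity": "high"}]},
    {"id": "CVE-2022-111111", "ratings": [{"severity": "low"}]},
]}

# Assumed mapping from the notes' status word to a CycloneDX analysis.state
# value; the page does not document bogrod's own mapping.
STATE_MAP = {"open": "exploitable", "fixed": "resolved"}

def parse_entry(line):
    """Split '<CVE#> severity status [comment]' into a dict; the comment is optional."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        raise ValueError(f"malformed security entry: {line!r}")
    comment = parts[3] if len(parts) == 4 else ""
    return {"id": parts[0], "severity": parts[1], "status": parts[2], "comment": comment}

def apply_notes_to_sbom(sbom, entries):
    """Return a copy of the SBOM with analysis.state/response set from the notes."""
    sbom = copy.deepcopy(sbom)  # never mutate the scanner's SBOM in place
    by_id = {e["id"]: e for e in map(parse_entry, entries)}
    for vuln in sbom.get("vulnerabilities", []):
        entry = by_id.get(vuln["id"])
        if entry is None:
            continue  # not in the notes: leave any existing analysis untouched
        vuln["analysis"] = {"state": STATE_MAP.get(entry["status"], "in_triage"),
                            "response": [entry["comment"]] if entry["comment"] else []}
    return sbom

def missing_from_notes(sbom, entries):
    """SBOM vulnerability ids the notes do not mention yet (what -w would add)."""
    known = {parse_entry(ln)["id"] for ln in entries}
    return [v["id"] for v in sbom.get("vulnerabilities", []) if v["id"] not in known]

if __name__ == "__main__":
    print(json.dumps(apply_notes_to_sbom(SBOM, NOTES_SECURITY)["vulnerabilities"], indent=2))
    print("new in sbom, add to notes:", missing_from_notes(SBOM, NOTES_SECURITY))
```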

Syntax

Run as a command line utility:

$ bogrod -h
usage: bogrod [-h] [-n NOTES] [-o OUTPUT] [-s SEVERITIES] [-x] [--vex-file VEX_FILE] [-m] [-w] sbom

positional arguments:
  sbom                  /path/to/cyclonedx-sbom.json

optional arguments:
  -h, --help            show this help message and exit
  -n NOTES, --notes NOTES
                        /path/to/notes.yaml
  -o OUTPUT, --output OUTPUT
                        output format [table,json,yaml,raw]
  -s SEVERITIES, --severities SEVERITIES
                        list of serverities in critical,high,medium,low
  -x, --vex             update vex information in sbom
  --vex-file VEX_FILE   /path/to/vex.yaml
  -m, --merge-vex       Merge vex data back to sbom
  -w, --write-notes     update notes according to sbom (add new, mark fixed)

Pipeline with grype and reno

  1. reno => create release notes
  2. grype => scan image and create sbom
  3. bogrod => update release notes with vulns found in sbom
  4. reno report => build release notes

Tools

Specification

Download files


Source Distribution: bogrod-0.3.0.tar.gz (6.5 kB), uploaded as Source

Built Distribution: bogrod-0.3.0-py3-none-any.whl (7.2 kB), uploaded for Python 3
