Week 9

(July, 26 2024 - Aug 1, 2024)

Meeting 1

(July 31, 2024)

Attendees

• Rajul Jha
• Gaurav
• Shaheem Azmal
• Kaushlendra
• Avinal Kumar

Discussions

• Discussed potential issues that might arise with the approach we had in mind:
  • Current package-url python tool doesn’t support download urls for PyPi, PHP, and cocoapods package managers. They are working on providing the support in this PR and this issue
  • Similarly it also does not support golang packages download urls, however the repository urls are available. Since golang packaging is quite complicated. Here is where they are tracking it.
  • The GH Actions for some of the cyclone dx-tools uses outdated and unmaintained versions of their binaries.
• All the GH Actions just use their respective cli tools to generate the SBOM’s ultimately. We can remove dependency from it completely by using cli tools directly inside our environment. Since these dependencies might be unnecessary.
• Gaurav suggested we create our own Github Actions for generating the Software BOMs in a language dependant manner for the packages using cyclonedx tools under the hood.

Work Done

• Worked out a plan for how the dependencies scanning would be done inside the CI workflow.

• Started working on the new Github Action for scanning Python Dependencies using CycloneDX Python BOM tool

Planning for next week

• Complete testing the Github Action and successfully generate SBOMs for python projects.
• Need to figure out how to extract the download-urls from the generated BOMs.