Skip to content
This repository has been archived by the owner on Jul 23, 2020. It is now read-only.

[8] Generalize GithubDependencyTreeTask to support multiple ecosystems #2496

Closed
9 of 11 tasks
abs51295 opened this issue Mar 7, 2018 · 2 comments
Closed
9 of 11 tasks

[8] Generalize GithubDependencyTreeTask to support multiple ecosystems #2496

abs51295 opened this issue Mar 7, 2018 · 2 comments
Assignees
@abs51295
Labels
area/analytics status/completed team/analytics/insights team/analytics type/user-story
Milestone
Sprint 147

Comments

@abs51295
Copy link

abs51295 commented Mar 7, 2018
edited
Loading

Epic: #2326

User Story

As on OSIO user, I will be able to get vulnerabilities for all my direct and transitive dependencies so that I can refine my stack to remove the vulnerabilities.

Description

Currently GithubDependencyTreeTask identifies the direct and transitive dependencies for a given maven repository. Need to extend this to extract direct and transitive dependencies for node, python and go ecosystem.

Acceptance Criteria

  • Given a repository, the task should be able to identify the ecosystem and return the list of all direct and transitive dependencies.

Task list

  • Implement dependency parser for node ecosystem.
    • Identify the unique identifier that classifies the repository as a node repository.
    • Run mercator command and parse the output to get all the direct and transitive dependencies.
  • Implement dependency parser for python ecosystem.
    • Identify the unique identifier that classifies the repository as a python repository.
    • Run mercator command and parse the output to get all the direct and transitive dependencies.
  • Implement dependency parser for go ecosystem.
    • Identify the unique identifier that classifies the repository as a Go repository.
    • Run mercator command and parse the output to get all the direct and transitive dependencies.

Additional Task list

  • Deploy worker-api with osioAnalysisFlow on production.
  • Develop /scan endpoint to initiate osioAnalysisFlow.
@abs51295 abs51295 self-assigned this Mar 7, 2018
@abs51295 abs51295 added this to the Sprint 146 milestone Mar 7, 2018
@krishnapaparaju krishnapaparaju mentioned this issue Mar 7, 2018
Closed
41 tasks
@msrb
Copy link
Collaborator

msrb commented Mar 7, 2018

One thing to keep in mind here is that if parsing dependencies requires executing code from users' setup.py files, or if npm list command requires the dependencies to be installed first (and thus executing untrusted scripts), then this cannot be done in our current worker containers. Untrusted code could attempt to damage our infrastructure or to steal credentials as those are available in worker containers in environment variables.

@krishnapaparaju krishnapaparaju mentioned this issue Mar 27, 2018
Closed
56 tasks
@abs51295
Copy link
Author

This has to be moved to Sprint 147 since there were different priorities worked upon in 146. Thanks.
/cc @sivaavkd

@sivaavkd sivaavkd modified the milestones: Sprint 146, Sprint 147 Mar 28, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@abs51295 abs51295

Labels
area/analytics status/completed team/analytics/insights team/analytics type/user-story
Projects
None yet
Milestone
Sprint 147
Development

No branches or pull requests
3 participants
@msrb @abs51295 @sivaavkd