
SBOM View#6035

Draft
kemley76 wants to merge 116 commits intomasterfrom
sbom-view

Conversation

@kemley76
Contributor

Adding ability to view SBOM results both in the main results table and in a new, separate SBOM specific view.

charleshu-8 and others added 28 commits July 10, 2024 12:51
Signed-off-by: Charles Hu <computerscience@verizon.net>
Signed-off-by: Kaden Emley <kemley@mitre.org>
…nts table

Signed-off-by: Kaden Emley <kemley@mitre.org>
kemley76 and others added 23 commits August 14, 2024 09:56
@sonarqubecloud

Quality Gate failed

Failed conditions
1 New Code Smells (required ≤ 0)

See analysis details on SonarCloud


@kemley76
Contributor Author

Status as of 8/16/24

Dependent on #5986

Features added

  • SBOM view with component table and dependency tree
  • ability to choose what columns to display in component table (name, description, version, number of dependencies, etc.)
  • any vulnerabilities affecting a component appear in the table as a button for navigating back to results view
  • each component has an expandable section that contains all the rest of the component information (properties, external references, licenses, vulnerabilities, dependencies, parents, etc.)
  • ability to filter components by severity, bom-ref, and freeform search
  • vulnerabilities that impact an SBOM component have a button to display them in the SBOM view's component table
  • dependency tree view that shows the dependency relationships between components
  • ability to navigate to components that match a given filter
  • an indicator for whether a component in the tree has any vulnerabilities

What is left to add

I think the SBOM view is functional as it is, but these are just what I would probably add if I had enough time

  • it would be nice to display the vulnerabilities in the dependency tree view a bit better. Colored chips might be nice, but there can be any number of vulnerabilities present on a component, so that might be tricky. It would also be nice to indicate if a component has any vulnerabilities in any of its descendants.
  • Information panels and tooltips in various menus (search bar, settings icon, filter icon, SBOM view as a whole) to explain how to use the SBOM view to its fullest.
  • Automated frontend/Cypress tests. None of the SBOM view is being validated by tests at the moment. The tests should, at the very least, load in a good sample file and ensure that the right number of components load in the table and the filtering works.
  • There seems to be a small issue with navigation in the tree view. Some components either aren't present in the dependency tree (might be an issue with the SBOM itself) or cannot be found with the filter navigation feature ("Go" chip that takes user to dependency tree view). I noticed this with the dropwizard-vulns sample file.
  • A change over time view. This has not been started at all, so it can be a separate PR. It would allow users to compare multiple SBOMs of the same target and see how it evolved over time (packages added/removed, version updates, authorship changes, vulnerabilities/patches, etc.)
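The component table, severity/bom-ref/search filters, dependency tree and "vulnerable somewhere below" indicator described in the status above, as an added example that is not Heimdall's own code. It consumes a CycloneDX 1.x-shaped object (the `bom-ref`, `dependencies[].dependsOn` and `vulnerabilities[].affects`/`ratings` field names are the schema's; the row shape, severity ordering and tree markers are this example's own choices) and records, rather than drops, references that point at components the SBOM never declares, which is the symptom mentioned for the dropwizard-vulns sample. The embedded `SAMPLE_BOM` is constructed for the example and its vulnerability ids are placeholders.

```typescript
// Added example (not Heimdall's own code): the bookkeeping behind an SBOM component table and
// dependency tree, over a CycloneDX 1.x-shaped object. Field names follow the CycloneDX schema
// (bom-ref, dependencies[].dependsOn, vulnerabilities[].affects/ratings); the rest is this example's.
type Severity = "critical" | "high" | "medium" | "low" | "info" | "unknown" | "none";
interface CdxBom {
  components?: { "bom-ref": string; name: string; version?: string; description?: string }[];
  dependencies?: { ref: string; dependsOn?: string[] }[];
  vulnerabilities?: { id: string; ratings?: { severity?: Severity }[]; affects?: { ref: string }[] }[];
}
interface ComponentRow {
  ref: string; name: string; version: string; description: string;
  dependsOn: string[];                                    // resolved children only
  vulnerabilities: { id: string; severity: Severity }[];
  ownSeverity: Severity;                                  // worst rating on this component, "none" if clean
  descendantVulnerable: boolean;                          // a vulnerable component sits somewhere below it
  inTree: boolean;                                        // referenced anywhere in dependencies[]
}
interface SbomIndex { rows: Record<string, ComponentRow>; unresolvedRefs: string[] }
const RANK: Record<Severity, number> = { critical: 6, high: 5, medium: 4, low: 3, info: 2, unknown: 1, none: 0 };
const worst = (sevs: Severity[], ifEmpty: Severity): Severity =>
  sevs.length ? sevs.reduce((a, b) => (RANK[b] > RANK[a] ? b : a)) : ifEmpty;
const allRows = (index: SbomIndex): ComponentRow[] => Object.keys(index.rows).map((k) => index.rows[k]);
function buildSbomIndex(bom: CdxBom): SbomIndex {
  const rows: Record<string, ComponentRow> = {};
  const unresolved: Record<string, true> = {};
  for (const c of bom.components ?? []) {
    if (rows[c["bom-ref"]]) continue;  // duplicate bom-ref: keep the first declaration
    rows[c["bom-ref"]] = { ref: c["bom-ref"], name: c.name, version: c.version ?? "", description: c.description ?? "",
      dependsOn: [], vulnerabilities: [], ownSeverity: "none", descendantVulnerable: false, inTree: false };
  }
  // Every ref goes through resolve() so dangling references are recorded instead of silently dropped.
  const resolve = (ref: string) => { if (!rows[ref]) unresolved[ref] = true; return rows[ref] as ComponentRow | undefined; };
  for (const d of bom.dependencies ?? []) {
    const parent = resolve(d.ref);
    if (!parent) continue;
    parent.inTree = true;
    for (const childRef of d.dependsOn ?? []) {
      const child = resolve(childRef);
      if (child) { child.inTree = true; parent.dependsOn.push(childRef); }
    }
  }
  for (const v of bom.vulnerabilities ?? []) {
    const sev = worst((v.ratings ?? []).map((r) => r.severity ?? "unknown"), "unknown");
    for (const a of v.affects ?? []) resolve(a.ref)?.vulnerabilities.push({ id: v.id, severity: sev });
  }
  // Reverse edges, then walk upwards from every vulnerable component; descendantVulnerable doubles
  // as the visited mark, which keeps the walk finite on cyclic graphs (CycloneDX allows cycles).
  const index: SbomIndex = { rows, unresolvedRefs: Object.keys(unresolved).sort() };
  const parents: Record<string, string[]> = {};
  const queue: string[] = [];
  for (const row of allRows(index)) {
    row.ownSeverity = worst(row.vulnerabilities.map((x) => x.severity), "none");
    for (const ch of row.dependsOn) parents[ch] = (parents[ch] ?? []).concat(row.ref);
  }
  for (const row of allRows(index)) if (row.vulnerabilities.length) queue.push(...(parents[row.ref] ?? []));
  while (queue.length) {
    const ref = queue.pop()!;
    if (rows[ref].descendantVulnerable) continue;
    rows[ref].descendantVulnerable = true;
    queue.push(...(parents[ref] ?? []));
  }
  return index;
}
// The table's three filters: severity threshold on the component's own worst rating, exact bom-ref, free text.
function filterRows(index: SbomIndex, f: { minSeverity?: Severity; bomRef?: string; search?: string }): ComponentRow[] {
  const q = (f.search ?? "").toLowerCase();
  return allRows(index).filter((r) =>
    (f.minSeverity === undefined || RANK[r.ownSeverity] >= RANK[f.minSeverity]) &&
    (f.bomRef === undefined || r.ref === f.bomRef) &&
    (q === "" || `${r.name} ${r.version} ${r.description}`.toLowerCase().indexOf(q) >= 0));
}
// Text form of the tree under `root`: "!" = own vulnerabilities, "~" = vulnerable component in the
// subtree, " " = clean subtree. A ref already on the current path is printed as "(cycle)" and not expanded.
function renderTree(index: SbomIndex, root: string): string[] {
  const out: string[] = [];
  const walk = (ref: string, depth: number, path: string[]) => {
    const r = index.rows[ref];
    const pad = new Array(depth + 1).join("  ");
    if (!r) { out.push(`${pad}? ${ref} (unresolved)`); return; }
    const mark = r.vulnerabilities.length ? "!" : r.descendantVulnerable ? "~" : " ";
    if (path.indexOf(ref) >= 0) { out.push(`${pad}${mark} ${r.name} (cycle)`); return; }
    out.push(`${pad}${mark} ${r.name}@${r.version}`);
    for (const ch of r.dependsOn) walk(ch, depth + 1, path.concat(ref));
  };
  walk(root, 0, []); return out;
}
// Constructed sample, not a real project's SBOM: app -> lib-a -> lib-c (vulnerable), app -> lib-b;
// lib-d is declared but never referenced; one dependsOn and one vulnerability point at undeclared refs.
const SAMPLE_BOM: CdxBom = {
  components: [["app", "1.0.0", ""], ["lib-a", "2.1.0", "HTTP helpers"], ["lib-b", "0.9.0", ""], ["lib-c", "3.0.0", "YAML parser"], ["lib-d", "1.0.0", ""]]
    .map(([name, version, description]) => ({ "bom-ref": `pkg:npm/${name}@${version}`, name, version, description })),
  dependencies: [
    { ref: "pkg:npm/app@1.0.0", dependsOn: ["pkg:npm/lib-a@2.1.0", "pkg:npm/lib-b@0.9.0"] },
    { ref: "pkg:npm/lib-a@2.1.0", dependsOn: ["pkg:npm/lib-c@3.0.0"] },
    { ref: "pkg:npm/lib-c@3.0.0", dependsOn: ["pkg:npm/lib-missing@0.0.1"] },
  ],
  vulnerabilities: [
    { id: "EXAMPLE-0001", ratings: [{ severity: "medium" }, { severity: "high" }], affects: [{ ref: "pkg:npm/lib-c@3.0.0" }] },
    { id: "EXAMPLE-0002", ratings: [{ severity: "low" }], affects: [{ ref: "pkg:npm/lib-zzz@9.9.9" }] },
  ],
};
```

`buildSbomIndex(SAMPLE_BOM).unresolvedRefs` is the list a viewer should surface next to the tree: a component that is missing from `dependencies[]` (here `lib-d`, `inTree === false`) or a `dependsOn`/`affects` entry that names no declared component explains why a component "cannot be found" by tree navigation without the viewer itself being at fault. Propagating the vulnerability flag along reverse edges from each vulnerable node, rather than recursing down from every node, makes the descendant indicator a single linear pass and immune to dependency cycles.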

@mergify
Contributor

mergify bot commented Aug 19, 2024

This pull request has a conflict. Could you fix it @kemley76?

@Amndeep7 mentioned this pull request Oct 4, 2024
Signed-off-by: Amndeep Singh Mann <amann@mitre.org>
@gitguardian

gitguardian bot commented Feb 6, 2026

⚠️ GitGuardian has uncovered 28 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 22339941 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
| 22339942 | Triggered | Elliptic Curve Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339943 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339944 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339945 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/sample_input_report/trufflehog_docker_example.json |
| 22339946 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339947 | Triggered | Elliptic Curve Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
| 22339948 | Triggered | Elliptic Curve Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/sample_input_report/trufflehog_docker_example.json |
| 22339949 | Triggered | Basic Auth String | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339950 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339951 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339952 | Triggered | Elliptic Curve Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339953 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
| 22339954 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
| 22339955 | Triggered | Basic Auth String | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339956 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339957 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339958 | Triggered | Generic Password | c5f5178 | apps/frontend/public/static/samples/small_overrides_hdf.json |
| 22339959 | Triggered | Elliptic Curve Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/sample_input_report/trufflehog_docker_example.json |
| 22339960 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-saf-hdf-withraw.json |
| 22339961 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf-withraw.json |
| 22339962 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/sample_input_report/trufflehog_docker_example.json |
| 22339963 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-saf-hdf.json |
| 22339964 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-saf-hdf.json |
| 22339965 | Triggered | RSA Private Key | 633b637 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-saf-hdf-withraw.json |
| 22339966 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
| 22339967 | Triggered | Basic Auth String | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/sample_input_report/trufflehog_docker_example.json |
| 22339968 | Triggered | RSA Private Key | 9de0b80 | libs/hdf-converters/sample_jsons/trufflehog_mapper/trufflehog-docker-hdf.json |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider



@sonarqubecloud

sonarqubecloud bot commented Feb 6, 2026

Quality Gate failed

Failed conditions
5 New Code Smells (required ≤ 0)

See analysis details on SonarQube Cloud



Labels

enhancement New feature or request heimdall-frontend Issue is related to the Heimdall-Lite frontend


3 participants