Custom Supply Chain Advisories

First, let's import and load our dependency (in our test case, log4j-core):

from ghastoolkit import Advisories, Advisory, Dependency

# Load Dependency from PURL
dependency = Dependency.fromPurl(
    "pkg:maven/org.apache.logging/log4j:log4j-core@1.12.0"
)

Then we want to create and load our advisories (in our case, Log4Shell / CVE-2021-44228):

# create a new list of Advisories
advisories = Advisories()
# load advisories from path
advisories.loadAdvisories(".")

print(f"Advisories :: {len(advisories)}")

Another option is to keep your advisories in a repository and pull them from GitHub using SecurityAdvisories:

from ghastoolkit import SecurityAdvisories

# initialise SecurityAdvisories
security_advisories = SecurityAdvisories()
# get all the remote advisories
advisories = security_advisories.getAdvisories()

print(f"Advisories :: {len(advisories)}")

Now let's find and display the advisory to make sure it's found:

# find an advisory by GHSA ID ('CVE-2021-44228' would be the same)
log4shell: Advisory = advisories.find("GHSA-jfh8-c2jp-5v3q")

print(f"Advisory({log4shell.ghsa_id}, {log4shell.severity})")

Finally, let's check whether the dependency has any known advisories associated with it:

print(f"Dependency :: {dependency.name} ({dependency.version})")

# check in the advisories list if the dependency is affected
print("Advisories Found:")
for adv in advisories.check(dependency):
    # display GHSA ID and aliases
    print(f" >>> Advisory({adv.ghsa_id}, `{','.join(adv.aliases)}`)")

In our case, it shows the following:

Dependency :: log4j:log4j-core (1.12.0)
Advisories Found:
 >>> Advisory(GHSA-jfh8-c2jp-5v3q, `CVE-2021-44228`)
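To show what the check above is actually doing, here is an added, stand-alone model of it (not ghastoolkit's own code). It assumes advisories are OSV-style documents, the format the GitHub Advisory Database publishes, and that the dependency is given as a Package URL; the advisory record is constructed and deliberately simplified, and parse_purl, in_range and check are hypothetical helper names.

```python
import re

# Constructed, simplified OSV-style record standing in for an advisory file
# on disk; the real GHSA-jfh8-c2jp-5v3q entry lists several affected ranges.
SAMPLE_ADVISORY = {
    "id": "GHSA-jfh8-c2jp-5v3q",
    "aliases": ["CVE-2021-44228"],
    "database_specific": {"severity": "CRITICAL"},
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "log4j:log4j-core"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.15.0"}]}],
    }],
}

def parse_purl(purl):
    """Split a Package URL into (type, name, version); name is the last path part."""
    m = re.match(r"^pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:[?#].*)?$", purl)
    if not m:
        raise ValueError(f"not a PURL: {purl}")
    ptype, path, version = m.groups()
    return ptype, path.rsplit("/", 1)[-1], version

def version_key(version):
    """Comparable tuple for dotted numeric versions; a '-qualifier' suffix is ignored."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("-")[0].split("."))

def in_range(events, version):
    """Apply OSV range events: affected from 'introduced' up to (excluding) 'fixed'."""
    v, introduced = version_key(version), None
    for ev in events:
        if "introduced" in ev:
            introduced = version_key(ev["introduced"])
        elif "fixed" in ev and introduced is not None:
            if introduced <= v < version_key(ev["fixed"]):
                return True
            introduced = None
    return introduced is not None and v >= introduced

def check(advisories, purl):
    """Return (id, aliases) for each advisory whose affected ranges cover the PURL."""
    _, name, version = parse_purl(purl)
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            if aff["package"]["name"] == name and any(
                in_range(r["events"], version) for r in aff.get("ranges", [])
            ):
                hits.append((adv["id"], adv.get("aliases", [])))
                break
    return hits
```

Running check([SAMPLE_ADVISORY], "pkg:maven/org.apache.logging/log4j:log4j-core@1.12.0") reproduces the match shown above, while a version at or past the fixed release returns an empty list.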

See all examples here