Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improved secure mode warnings #1609

Merged
merged 1 commit into from
Jan 29, 2025
Merged

Improved secure mode warnings #1609

merged 1 commit into from
Jan 29, 2025

Conversation

prabhu
Copy link
Collaborator

@prabhu prabhu commented Jan 29, 2025

No description provided.

prabhu
prabhu commented Jan 29, 2025
View reviewed changes
bin/cdxgen.js Outdated Show resolved Hide resolved
prabhu
prabhu commented Jan 29, 2025
View reviewed changes
bin/cdxgen.js
@@ -411,6 +411,10 @@ const options = Object.assign({}, args, {
noBabel: args.noBabel || args.babel === false,
project: args.projectId,
deep: args.deep || args.evidence,
output:
isSecureMode && args.output === "bom.json"
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do this always or only in secure mode. Currently, the bom.json will be created in the current working directory.

prabhu
prabhu commented Jan 29, 2025
View reviewed changes
bin/cdxgen.js
@@ -419,6 +423,13 @@ if (process.argv[1].includes("cbom")) {
options.specVersion = 1.6;
options.deep = true;
}
if (process.argv[1].includes("cdxgen-secure")) {
console.log(
"NOTE: Secure mode only restricts cdxgen from performing certain activities such as package installation. It does not provide security guarantees in the presence of malicious code.",
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if we this message is enough. Should we use a different word instead of secure?

@prabhu
Improved secure mode warnings
1aa6f07 
Signed-off-by: Prabhu Subramanian <[email protected]>
@prabhu prabhu force-pushed the feature/secure-mode-warnings branch from c58b676 to 1aa6f07 Compare January 29, 2025 18:52
@prabhu prabhu merged commit 6e066ee into master Jan 29, 2025
32 checks passed
@prabhu prabhu deleted the feature/secure-mode-warnings branch January 29, 2025 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Ready for QA security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@prabhu