dependency-track parser

api/proto/v1/issue.proto

@@ -65,6 +65,9 @@ message Issue {
 
   // optional string that allows producers to communicate relevant code/request segments
   optional string context_segment = 12;
+
+  // optionally the related CWE
+  optional string cwe = 13;
 }
 
 /* Represents an issue that has been enriched with metadata from the enrichment service */

components/producers/dependency-track/BUILD

@@ -0,0 +1,50 @@
+subinclude(
+    "//build/defs:buildkit",
+    "///k8s//build/defs:k8s",
+    "//build/defs:dracon",
+)
+
+go_binary(
+    name = "dependency-track-parser",
+    srcs = [
+        "main.go",
+    ],
+    deps = [
+        "//api/proto/v1",
+        "//components/producers",
+        "//pkg/context",
+    ],
+)
+
+go_test(
+    name = "dependency-track_test",
+    srcs = [
+        "main.go",
+        "main_test.go",
+    ],
+    deps = [
+        "//api/proto/v1",
+        "//components/producers",
+        "//pkg/context",
+        "//pkg/testutil",
+        "//third_party/go/github.com/stretchr/testify",
+    ],
+)
+
+buildkit_distroless_image(
+    name = "image",
+    srcs = [":dependency-track-parser"],
+    visibility = [
+        "//examples/...",
+    ],
+)
+
+dracon_component(
+    name = "dependency-track",
+    images = [
+        ":image",
+        "//third_party/docker/securego/gosec",
+    ],
+    task = "task.yaml",
+    visibility = ["//examples/pipelines/..."],
+)

components/producers/dependency-track/kustomization.yaml

@@ -0,0 +1,125 @@
+# DO NOT EDIT. Code generated by:
+# github.com/ocurity/dracon//build/tools/kustomize-component-generator.
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - task.yaml
+patches:
+  # Add the Task to the Tekton Pipeline.
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Pipeline
+      metadata:
+        name: unused
+      spec:
+        workspaces:
+          - name: source-code-ws
+        tasks:
+          - name: producer-dependency-track
+            taskRef:
+              name: producer-dependency-track
+            workspaces:
+              - name: source-code-ws
+                workspace: source-code-ws
+    target:
+      kind: Pipeline
+  # Add anchors to Task.
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Task
+      metadata:
+        name: producer-dependency-track
+        labels:
+          v1.dracon.ocurity.com/component: producer
+      spec:
+        params:
+          - name: anchors
+            type: array
+            description: A list of tasks that this task depends on using their anchors.
+            default: []
+        results:
+          - name: anchor
+            description: An anchor to allow other tasks to depend on this task.
+        steps:
+          - name: anchor
+            image: docker.io/busybox:1.35.0
+            script: echo "$(context.task.name)" > "$(results.anchor.path)"
+    target:
+      kind: Task
+      name: producer-dependency-track
+  # If we have a `source` task in the pipeline (added by a `source` component),
+  # depend on the completion of that source by referencing its anchor.
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Pipeline
+      metadata:
+        name: unused
+      spec:
+        tasks:
+          - name: producer-dependency-track
+            params:
+              - name: anchors
+                value:
+                  - $(tasks.source.results.anchor)
+    target:
+      kind: Pipeline
+      annotationSelector: v1.dracon.ocurity.com/has-source=true
+  # If we have a producer-aggregator task in the pipeline (added by the
+  # producer-aggregator component), make it depend on the completion of this
+  # producer.
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Pipeline
+      metadata:
+        name: unused
+      spec:
+        tasks:
+          - name: producer-aggregator
+            params:
+              - name: anchors
+                value:
+                  - $(tasks.producer-dependency-track.results.anchor)
+    target:
+      kind: Pipeline
+      annotationSelector: v1.dracon.ocurity.com/has-producer-aggregator=true
+  # Add scan information to Task.
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Task
+      metadata:
+        name: producer-dependency-track
+        labels:
+          v1.dracon.ocurity.com/component: producer
+      spec:
+        params:
+          - name: dracon_scan_id
+            type: string
+          - name: dracon_scan_start_time
+            type: string
+        steps:
+          - name: produce-issues
+            image: ghcr.io/ocurity/dracon/components/producers/dependency-track/image:latest
+            env:
+              - name: DRACON_SCAN_TIME
+                value: $(params.dracon_scan_start_time)
+              - name: DRACON_SCAN_ID
+                value: $(params.dracon_scan_id)
+    target:
+      kind: Task
+      name: producer-dependency-track
+  - patch: |
+      apiVersion: tekton.dev/v1beta1
+      kind: Pipeline
+      metadata:
+        name: unused
+      spec:
+        tasks:
+          - name: producer-dependency-track
+            params:
+              - name: dracon_scan_id
+                value: $(tasks.base.results.dracon-scan-id)
+              - name: dracon_scan_start_time
+                value: $(tasks.base.results.dracon-scan-start-time)
+    target:
+      kind: Pipeline