vmware-tanzu / application-portfolio-auditor Goto Github PK

CSA is currently executed locally, leveraging the client provided with its release. In addition, the "Bagger" Java client is leveraged locally to extract results from CSA reports.

To reduce requirements and accelerate analysis, their usage should be containerized leveraging read-only / delegated mounts.

Some more significant changes are required to the scripts to upgrade OWASP DC to 9.x.x.

OSV reports are currently plain TXT files.

They should be parsed and turned into proper HTML reports (see Trivy reports).

CLOC is currently executed locally leveraging the client provided with its release.

To reduce requirements and accelerate analysis, its usage should be containerized leveraging read-only / delegated mounts.

Hello,

we updated to Release 2.1.0 and --archeo seems to break the Kubernetes output.

if we use ./audit -a -g test -k no _K8 folder is generated.

[2024_02_26__15_46_02] 97__generate_reports.sh
[SUCCESS] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/index.html
[INFO] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/cloud.html
[INFO] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/security.html
97__generate_reports.sh: line 833: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/16__ARCHEO/simple-ear-1.10.9.ear.html: No such file or directory
[cpduemke@acentos03 application-portfolio-auditor]$

if we run 2.1.0 with ./audit run -cwxlspm -g test -k the K8 folder is created again.

[2024_02_26__16_03_24] 99__package_reports.sh
[INFO] Packaging the reports - CF: false - K8: true - ZIP: false
[SUCCESS] K8 deployment succesfully created. Deploy by executing: 'cd /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__16_01_18__test_CF; ./deploy-docker.sh; # ... OR...; ./deploy-k8.sh'
<<<<<<< [2024_02_26__16_03_27] 99__package_reports.sh

[cpduemke@acentos03 application-portfolio-auditor]$

Regards
cpduemke

i do follow the steps in the below article to get it worked. but im facing issue while running the audit setup command. its stating that the docker images having issues to fetch up. help me out on this.

Unknown Spring library in Archeo tool:

[INFO] Unknown Spring library: org.springframework.vault:spring-vault-core:2.3.4

Fernflower is currently executed locally, leveraging the client provided with its release.

To reduce requirements and accelerate analysis, its usage should be containerized, leveraging read-only / delegated mounts.

Especially on long Archeo reports, it is hard to get a high-level overview of the findings.

A header visualizing the following information for each Archeo report should be added:

• Count of all libraries
• Supportable libraries
• Supported libraries
• Libraries with OSS support ending soon
• Libraries with only commercial support
• Unsupported libraries
• Undesirable libraries
• Duplicated libraries
• Count of archeo findings

Each application page points to invalid ARCHEO report and ARCHEO log files, for example

REPORT_ROOT/16__ARCHEO/myapp.war.html points to

• REPORT_ROOT/16__ARCHEO/16__ARCHEO and
• REPORT_ROOT/16__ARCHEO/16__ARCHEO.log

And it should point to:

• REPORT_ROOT/16__ARCHEO and
• REPORT_ROOT/16__ARCHEO.log

The packaged reports for Kubernetes deployment need to be updated. They don't work since the containerization of CSA.

PMD is currently executed locally, leveraging the client provided with its release.

To reduce requirements and accelerate analysis, its usage should be containerized, leveraging read-only / delegated mounts.

Similar to Trivy, the Grype reports would benefit from an additional header summarizing the findings.