Application Portfolio Auditor is a tool assessing cloud readiness, quality, and security of large sets of apps. It gathers and aggregates insights of multiple software analyzers.
Home Page: https://tanzu.vmware.com/content/blog/introducing-application-portfolio-auditor
License: Apache License 2.0
CLOC is currently executed locally leveraging the client provided with its release.
To reduce requirements and accelerate analysis, its usage should be containerized leveraging read-only / delegated mounts.
check_latest_versions.shshould be upgraded to use a virtual pip environment.
i do follow the steps in the below article to get it worked. but im facing issue while running the audit setup command. its stating that the docker images having issues to fetch up. help me out on this.
Each application page points to invalid ARCHEO report and ARCHEO log files, for example
REPORT_ROOT/16__ARCHEO/myapp.war.html points to
REPORT_ROOT/16__ARCHEO/16__ARCHEO andREPORT_ROOT/16__ARCHEO/16__ARCHEO.logAnd it should point to:
REPORT_ROOT/16__ARCHEO andREPORT_ROOT/16__ARCHEO.logSome more significant changes are required to the scripts to upgrade OWASP DC to 9.x.x.
Hello,
we updated to Release 2.1.0 and --archeo seems to break the Kubernetes output.
if we use ./audit -a -g test -k no _K8 folder is generated.
[2024_02_26__15_46_02] 97__generate_reports.sh
[SUCCESS] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/index.html
[INFO] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/cloud.html
[INFO] Open this file for reviewing all generated reports: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/security.html
97__generate_reports.sh: line 833: /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__15_37_36__test/16__ARCHEO/simple-ear-1.10.9.ear.html: No such file or directory
[cpduemke@acentos03 application-portfolio-auditor]$
if we run 2.1.0 with ./audit run -cwxlspm -g test -k the K8 folder is created again.
[2024_02_26__16_03_24] 99__package_reports.sh
[INFO] Packaging the reports - CF: false - K8: true - ZIP: false
[SUCCESS] K8 deployment succesfully created. Deploy by executing: 'cd /home/cpduemke/application-portfolio-auditor/reports/2024_02_26__16_01_18__test_CF; ./deploy-docker.sh; # ... OR...; ./deploy-k8.sh'
<<<<<<< [2024_02_26__16_03_27] 99__package_reports.sh
[cpduemke@acentos03 application-portfolio-auditor]$
Regards
cpduemke
The packaged reports for Kubernetes deployment need to be updated. They don't work since the containerization of CSA.
Especially on long Archeo reports, it is hard to get a high-level overview of the findings.
A header visualizing the following information for each Archeo report should be added:
PMD is currently executed locally, leveraging the client provided with its release.
To reduce requirements and accelerate analysis, its usage should be containerized, leveraging read-only / delegated mounts.
Similar to Trivy, the Grype reports would benefit from an additional header summarizing the findings.
CSA is currently executed locally, leveraging the client provided with its release. In addition, the "Bagger" Java client is leveraged locally to extract results from CSA reports.
To reduce requirements and accelerate analysis, their usage should be containerized leveraging read-only / delegated mounts.
Hello,
I have updated the auditor to the current version 2.2.3 and every run stops with the following error:
[2024_05_07__13_23_32] 98__generate_timeline.sh
date: invalid option -- 'j'
Try 'date --help' for more information.
[cpduemke@acentos03 application-portfolio-auditor]$
date -j -f is used in the script, but the -j parameter only exists in BSD Unix variants and not in Linux, at least as far as I looked into it.
I build the auditor on a Centos 9 VM and tried to run it on a Redhat 8 VM. In both date has no -j parameter and -f also seems to have also a different meaning.
Would it be possible to use the 98 script from an older release as a workaround?
Regards
Claus-Peter Dümke
Fernflower is currently executed locally, leveraging the client provided with its release.
To reduce requirements and accelerate analysis, its usage should be containerized, leveraging read-only / delegated mounts.
Unknown Spring library in Archeo tool:
[INFO] Unknown Spring library: org.springframework.vault:spring-vault-core:2.3.4
OSV reports are currently plain TXT files.
They should be parsed and turned into proper HTML reports (see Trivy reports).
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.