Homebrew improvement

[Avgor46]

Hi!

Homebrew package in the SBOM is represented only by name, version, and PURL. The PURL, which looks like pkg:brew/package-name@version, does not provide enough information for vulnerability scanning. If possible, we could generate a Git repository URL for them. Homebrew packages are supplied with an sbom.spdx.json file that contains a downloadedLocation field, which is often a gitlab or github link to the source. The .rb file could also be parsed, as in Syft, to find the "url" entry.

Additional Git information could help for scanning brew packages since we can potentially query osv.dev with Git repo URL and tag to find vulnerabilities.

This could be implemented via generating generic github PURLs for brew packages if possible. Alternatively, we could add downloadedLocation field to package metadata and implement an annotator that parses it and creates source code identifiers.

Original issue.

Assign the issue to me if it is reasonable to implement such feature)

[erikvarga]

@another-rex can you weigh in on the OSV.dev side of this? Would we be able to query homebrew PURLs for vulns if we included the Git repo+tag in them?

[another-rex]

Yes, while homebrew doesn't seem to have a security advisory of their own for all the packages/casks, the idea here is to use OSV's list of advisories (mostly CVEs) on git repositories for vulnerability matching.

1. Extract homebrew package download locations (Place in homebrew specific metadata)
2. Do best effort transformation of the metadata into source repo identifiers (Maybe not enabled by default for osv-scalibr, though might be something we enable automatically in osv-scanner)
3. Use source repo identifier to do osvdev matching (Already implemented)

[erikvarga]

Thanks for confirming - Sounds good to me to work on this then @Avgor46
I see there's already a PR for step 1. that Rex described #1633

[Avgor46]

PR #1633 extracts Homebrew URLs and attempts to annotate packages with source code identifiers (repository only).

I see another consideration. What if I want to collect my sbom with osv-scalibr from multiple hosts and scan them for vulnerabilities elsewhere? According to this code, metadata is not saved anywhere in the CycloneDX file. Therefore, while scanning the CDX file, the osv-scanner will not be capable of using the Homebrew metadata to find vulnerabilities due to the lack of a Git repository. The same is true for the SPDX format. Metadata is saved in text and binary protobuf output formats, but I haven't found a way to use osv-scanner with them.

Maybe I'm missing something and there is a way to do this; if not, I think it would be valuable to save the metadata in a way that could be used by osv-scanner in the future. One solution could be to provide a way for osv-scanner to scan the proto files generated by osv-scalibr as lock files. There is already a function that converts a ScanResult proto to a struct, but it is not used. Another option, particularly for Homebrew packages, is to save the Git repository URL, head and mirrors in the component.properties field of the CDX sbom. This would make it possible to parse them with the CDX Extractor.

What do you think?