What can you do with an enriched SBOM? A parlay quickstart guide

1$ snyk sbom --format cyclonedx1.4+json | jq | wc -l
2    262
3$ snyk sbom --format cyclonedx1.4+json | parlay e enrich - | jq | wc -l
4    1169

1package main
2
3name = input.metadata.component.name
4
5licenses_to_deny = [
6  "LGPL",
7]
8
9licenses_to_warn = [
10  "MIT"
11]
12
13deny[msg] {
14  component := input.components[_]
15  expression := component.licenses[_].expression
16  startswith(expression, licenses_to_deny[_])
17  msg := sprintf("%s is using %s which is licensed with an %s license", [name, component.name, expression])
18}
19
20warn[msg] {
21    component := input.components[_]
22    expression := component.licenses[_].expression
23    startswith(expression, licenses_to_warn[_])
24    msg := sprintf("%s is using %s which is licensed with an %s license", [name, component.name, expression])
25}

1WARN - - main - snykit is using diff-lcs which is licensed with an MIT license
2WARN - - main - snykit is using mustermann which is licensed with an MIT license
3WARN - - main - snykit is using nio4r which is licensed with an MIT license
4WARN - - main - snykit is using puma-metrics which is licensed with an MIT license
5WARN - - main - snykit is using rack which is licensed with an MIT license
6WARN - - main - snykit is using rack-protection which is licensed with an MIT license
7WARN - - main - snykit is using rack-test which is licensed with an MIT license
8WARN - - main - snykit is using rake which is licensed with an MIT license
9WARN - - main - snykit is using rspec which is licensed with an MIT license
10WARN - - main - snykit is using rspec-core which is licensed with an MIT license
11WARN - - main - snykit is using rspec-expectations which is licensed with an MIT license
12WARN - - main - snykit is using rspec-mocks which is licensed with an MIT license
13WARN - - main - snykit is using rspec-support which is licensed with an MIT license
14WARN - - main - snykit is using sinatra which is licensed with an MIT license
15WARN - - main - snykit is using tilt which is licensed with an MIT license
16
1716 tests, 1 passed, 15 warnings, 0 failures, 0 exceptions

1deny[msg] {
2  vulnerability := input.vulnerabilities[_]
3  rating := vulnerability.ratings[_]
4  rating.source.name == "Snyk"
5  rating.score > max_cvss_score
6  component := input.components[_]
7  bom_ref = vulnerability["bom-ref"]
8  component["bom-ref"] == bom_ref
9
10  root = input.metadata.component["bom-ref"]
11
12  dependency := input.dependencies[_]
13  dependency.ref == root
14
15  direct := dependency.dependsOn[_]
16  direct == bom_ref
17
18  msg := sprintf("%s version %s has a vulnerability with a CVSS score of %s", [component.name, component.version, round(rating.score)])
19}
20
21round(n) = f {
22  f := sprintf("%.2f", [n])
23  contains(f, ".") # Ensure that it was a float
24}
25
26round(n) = f {
27  not contains(sprintf("%.2f", [n]), ".") # Test if it wasn't a float
28  f := sprintf("%v.00", [n]) # Fudge the decimals for integer values
29}

1snyk sbom --format cyclonedx1.4+json | parlay s enrich - | conftest test -
2FAIL - - main - puma version 4.2.1 has a vulnerability with a CVSS score of 9.10
3
43 tests, 2 passed, 0 warnings, 1 failure, 0 exceptions

1$ snyk sbom --format cyclonedx1.4+json | parlay e enrich - | jq -r '(.components[] | [.name, .author]) | @tsv' | awk '{print $1; $1=""; print}'
2nio4r
3 Socketry
4puma
5 Puma
6prometheus-client
7 Prometheus
8puma-metrics
9
10rack
11 Official Rack repositories
12rack-test
13 Official Rack repositories
14rake
15 The Ruby Programming Language
16rspec-support
17 RSpec
18rspec-core
19 RSpec
20diff-lcs
21 Austin Ziegler
22rspec-expectations
23 RSpec
24rspec-mocks
25 RSpec
26rspec
27 RSpec
28ruby2_keywords
29 The Ruby Programming Language
30mustermann
31 Sinatra
32rack-protection
33 Sinatra
34tilt
35 Jeremy Evans
36sinatra
37 Sinatra