Get all vulnerabilities for a Component

Goal

Query all identified vulnerabilities within a Component using the ODG API.

You will end up with

  • a list of CVEs

  • metadata such as the initial discovery date and the datasources

  • information about the packages in which the CVEs were detected

Prerequisites

  • an ODG instance

  • a shell (such as bash or zsh)

  • cURL, awk and jq

  • a GitHub token with read access to the ODG instance

Actions

Preparing Environment

export ODG_API='https://delivery-service.demo.ci.gardener.cloud'
export GH_TOKEN='github_pat_xxx'
export GH_API='https://api.github.com'

Authenticate against the ODG instance

export ODG_TOKEN=$(curl -c - "${ODG_API}/auth?api_url=${GH_API}&access_token=${GH_TOKEN}" | awk '/bearer_token/ {print $NF}')

Fetch Vulnerabilities from the API

curl -X POST -d '{"entries": [{"component_name": "acme.org/sovereign/postgres", "component_version": "1.0.0"}]}' -H "Authorization: Bearer ${ODG_TOKEN}" "${ODG_API}/artefacts/metadata/query?type=finding/vulnerability" | jq .
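The two steps above wrapped in a small script, as an added example that is not part of the ODG documentation: it keeps the same endpoints and the same awk extraction, but fails fast on curl errors and on an empty token, sends the JSON content type, and refuses component names that would break the request body. The odg_* function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ODG docs). Assumes the ODG_API, GH_API and
# GH_TOKEN variables from the "Preparing Environment" step; odg_* names are
# the example's own.
set -eu

# Pull the bearer token out of the Netscape cookie-jar text that `curl -c -`
# prints: the cookie value is the last tab-separated field of that line.
odg_extract_token() {
    awk '/bearer_token/ {print $NF}'
}

# Build the query body. Rejects quotes and backslashes instead of embedding
# them, so a malformed component name cannot corrupt the JSON.
odg_query_body() {
    name=$1; version=$2
    case "$name$version" in
        *\"*|*\\*) echo "invalid characters in component name/version" >&2; return 1 ;;
    esac
    printf '{"entries": [{"component_name": "%s", "component_version": "%s"}]}' "$name" "$version"
}

# Authenticate and print the token; fail loudly if none came back rather than
# sending an empty Authorization header to the query endpoint.
odg_login() {
    token=$(curl -sSf -c - "${ODG_API}/auth?api_url=${GH_API}&access_token=${GH_TOKEN}" | odg_extract_token)
    [ -n "$token" ] || { echo "no bearer_token in auth response" >&2; return 1; }
    printf '%s' "$token"
}

# Query findings of type finding/vulnerability for one component version.
odg_fetch_vulnerabilities() {
    odg_query_body "$1" "$2" | curl -sSf -X POST \
        -H "Authorization: Bearer ${ODG_TOKEN}" \
        -H 'Content-Type: application/json' \
        --data-binary @- \
        "${ODG_API}/artefacts/metadata/query?type=finding/vulnerability"
}

# Only touch the network when the environment from the preparation step exists.
if [ -n "${ODG_API:-}" ] && [ -n "${GH_TOKEN:-}" ]; then
    GH_API=${GH_API:-https://api.github.com}
    ODG_TOKEN=$(odg_login)
    export ODG_TOKEN
    odg_fetch_vulnerabilities 'acme.org/sovereign/postgres' '1.0.0' | jq .
fi
```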