[Spike] investigate upstream CDX generator for Swift
Summary - Why is this spike needed?
At this time, we have two ways to extract Swift package information from the code:
- Use continuous integration scanning, which scans only the default branch and uses the CycloneDX file.
- We will create new features to track all the packages for Swift, and after it is complete, we will activate the security advisory matching.
- Other...
This spike should answer the questions related to this new feature.
cdxgen
Tasks to Evaluate
- What is the output of this tool?
- Does this tool need internet connectivity? -> #454811 (comment 1890029144)
- Can we install it on the Gemnasium image? -> #454811 (comment 1890051326)
- Does it support FIPS? -> #454811 (comment 1889996103)
- Can we use the CI/CD Component with this tool?
- Add output examples
- What is the selected integration process for using this tool?
SYFT
Tasks to Evaluate
- What is the output of this tool?
- Does this tool need internet connectivity? ->
- Can we install it on the Gemnasium image? ->
- Does it support FIPS? ->
- Can we use the CI/CD Component with this tool?
- Add output examples
- What is the selected integration process for using this tool?
Expected Outcomes
- Decide which way to take.
- Create new issues for the implementation plan.
WWDC.git
Result Examples for Scanning GitHub Repo
Result from Trivy
Result from CDXGEN
Result from SYFT
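Added example (not code from the issue, cdxgen, Syft or Trivy): a small Python helper that pulls the Swift components out of the CycloneDX JSON each tool produces and diffs two BOMs by package URL, so the "decide which way to take" step can rest on component-level differences rather than on eyeballing the files. The two BOMs below are constructed to imitate the output shape and are not real tool output; the function names `swift_components` and `compare_boms` are my own.

```python
import json

# Constructed CycloneDX JSON documents imitating cdxgen and Syft output for a
# Swift package. These are sample values, NOT captured tool output.
CDXGEN_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "swift-argument-parser", "version": "1.2.3",
         "purl": "pkg:swift/github.com/apple/swift-argument-parser@1.2.3"},
        {"type": "library", "name": "Alamofire", "version": "5.8.1",
         "purl": "pkg:swift/github.com/Alamofire/Alamofire@5.8.1"},
    ],
})
SYFT_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "swift-argument-parser", "version": "1.2.3",
         "purl": "pkg:swift/github.com/apple/swift-argument-parser@1.2.3"},
        {"type": "library", "name": "Alamofire", "version": "5.8.0",
         "purl": "pkg:swift/github.com/Alamofire/Alamofire@5.8.0"},
    ],
})


def swift_components(bom_text):
    """Map versionless Swift purl -> version for every Swift component in a CycloneDX JSON BOM."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    found = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:swift/"):
            continue  # skip non-Swift components (e.g. OS packages from a container scan)
        base, _, version = purl.partition("@")
        found[base] = version or comp.get("version", "")
    return found


def compare_boms(a_text, b_text):
    """Diff two BOMs: Swift components only in A, only in B, and shared ones whose versions differ."""
    a, b = swift_components(a_text), swift_components(b_text)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "version_mismatch": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }
```

Run it against the real `bom.json` files from each tool by reading them in place of the constructed strings; a non-empty `version_mismatch` list is the first thing to check before trusting advisory matching on either output.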
Edited by Miki Amos