# security

We manage our _software supply chain_ using an open-source stack.

## Software Bill of Materials

When building software, [syft](https://github.com/anchore/syft) creates an SBOM of the newly built artefact. This file is stored as a workflow artefact during regular builds, and as a release artefact when creating a release. It records the name and version of every package and library found in the produced artefact.

## Vulnerability scanning

Using the previously created SBOM, [grype](https://github.com/anchore/grype) runs a vulnerability scan looking for vulnerable packages or libraries. The result of this scan is stored as a workflow artefact and as a release artefact.

> _In the event of a finding with severity **critical** this workflow will **fail**._

Any findings are returned in a PR comment on GitHub. This comment carries a visual _hint_ if the findings include any _critical_ or _high_ severity vulnerabilities.

To **ignore** specific findings, either by package or by CVE identifier, consult the grype documentation [here](https://github.com/anchore/grype#specifying-matches-to-ignore). Ignore rules are added through a configuration file in the [security-gates](https://github.com/TinkaTech/security-gates) repo. Scope a rule as narrowly as the finding allows (package name and version, not just the package), so that it cannot silently mask a later, unrelated CVE in the same package.

## Code analysis

During code builds, [semgrep](https://semgrep.dev/) scans code for weaknesses using its [default](https://semgrep.dev/p/default) ruleset. The results of this scan are attached as workflow and release artefacts.

> _In the event of a finding with level **error** this workflow will **fail**._

Any findings are displayed in a PR comment, annotating the flagged lines of code. Only code changed in the current PR is reported, so pre-existing findings in untouched code do not appear in the comment.

In the event of a false positive, consult the upstream documentation [here](https://semgrep.dev/docs/ignoring-files-folders-code/). It details how to add annotations so that `semgrep` ignores certain functions or specific lines of code.
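As an added example (not code from the security-gates repo, nor from grype or semgrep), the following Python sketches the two gates described under vulnerability scanning and code analysis: grype matches are filtered through grype-style ignore rules and the workflow fails on any remaining _critical_ finding; semgrep results are restricted to the lines a PR's unified diff adds and the workflow fails on any remaining _error_. It assumes the published JSON output shapes of both tools (grype: `matches` with `vulnerability` and `artifact`; semgrep: `results` with `check_id`, `path`, `start.line` and `extra.severity`). The report contents, CVE identifiers, rule ids and diff are constructed placeholders, and the `:warning:` marker stands in for whatever visual hint the real PR comment uses.

```python
"""PR security gate over grype and semgrep JSON reports (added illustration).
Assumes the grype JSON shape ("matches" -> "vulnerability" {id, severity} and
"artifact" {name, version}) and the semgrep JSON shape ("results" -> "check_id",
"path", "start.line", "extra.severity"); all sample data is constructed."""
import re

def match_ignored(match, rules):
    """True when a grype-style ignore rule covers the match (simplified: only
    the vulnerability id and the package name/version are honoured)."""
    vuln_id, pkg = match["vulnerability"]["id"], match["artifact"]
    for rule in rules:
        if "vulnerability" in rule and rule["vulnerability"] != vuln_id:
            continue
        pkg_rule = rule.get("package", {})
        if "name" in pkg_rule and pkg_rule["name"] != pkg["name"]:
            continue
        if "version" in pkg_rule and pkg_rule["version"] != pkg["version"]:
            continue
        return True  # every constraint the rule specifies matched
    return False

def triage_grype(report, ignore_rules=()):
    """Return (fail, counts): fail on any non-ignored Critical match."""
    counts = {}
    for match in report["matches"]:
        if not match_ignored(match, ignore_rules):
            sev = match["vulnerability"]["severity"]
            counts[sev] = counts.get(sev, 0) + 1
    return counts.get("Critical", 0) > 0, counts

def added_lines(diff_text):
    """Map path -> set of new-file line numbers that a unified diff adds."""
    added, path, line = {}, None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
            added.setdefault(path, set())
        elif raw.startswith("@@"):
            line = int(re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif path is None or raw.startswith("\\"):
            continue  # preamble, or "\ No newline at end of file"
        elif raw.startswith("+"):
            added[path].add(line)
            line += 1
        elif not raw.startswith("-"):
            line += 1  # context line; removed lines do not advance numbering
    return added

def triage_semgrep(report, changed):
    """Keep findings whose start line the PR added; fail on severity ERROR."""
    annotations = [
        (r["path"], r["start"]["line"], r["extra"]["severity"], r["check_id"])
        for r in report["results"]
        if r["start"]["line"] in changed.get(r["path"], set())
    ]
    return any(sev == "ERROR" for _, _, sev, _ in annotations), annotations

def gate(grype_report, ignore_rules, semgrep_report, diff_text):
    """Combine both gates into the workflow outcome and the PR comment text."""
    vuln_fail, counts = triage_grype(grype_report, ignore_rules)
    code_fail, annotations = triage_semgrep(semgrep_report, added_lines(diff_text))
    hint = ":warning: " if counts.get("Critical") or counts.get("High") else ""
    summary = ", ".join(f"{s}={n}" for s, n in sorted(counts.items())) or "none"
    lines = [f"{hint}grype findings: {summary}"]
    lines += [f"{p}:{ln} [{sev}] {rule}" for p, ln, sev, rule in annotations]
    return {"fail": vuln_fail or code_fail, "comment": "\n".join(lines)}

# Constructed sample inputs: placeholder CVE ids, rule ids and diff.
GRYPE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
]}
IGNORE_RULES = [  # same shape as the "ignore:" entries of a grype config file
    {"vulnerability": "CVE-0000-0001",
     "package": {"name": "libexample", "version": "1.0.0"}},
]
SEMGREP_REPORT = {"results": [
    {"check_id": "example.eval-on-request-body", "path": "app/handlers.py",
     "start": {"line": 13}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.eval-on-request-body", "path": "app/handlers.py",
     "start": {"line": 40}, "extra": {"severity": "ERROR"}},  # untouched line
    {"check_id": "example.debug-enabled", "path": "app/handlers.py",
     "start": {"line": 12}, "extra": {"severity": "WARNING"}},
]}
PR_DIFF = """\
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -10,3 +10,4 @@
 def handle(req):
     data = req.body
-    return data
+    DEBUG = True
+    return eval(data)
"""

if __name__ == "__main__":
    print(gate(GRYPE_REPORT, IGNORE_RULES, SEMGREP_REPORT, PR_DIFF)["comment"])
```

Running the file prints the comment text; in a workflow the `fail` flag decides the job's exit status. With the sample data the ignore rule removes the critical match, so grype no longer fails the gate but the comment still carries the hint because a high finding remains, while the semgrep error on the newly added line still fails it and the error on the untouched line 40 is dropped. The ignore matcher honours fewer rule fields than grype's own (no type, location or fix-state), so treat it as an approximation of the real gate, not a replacement.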
Additional documentation:

- [getting started](https://semgrep.dev/docs/getting-started/) - on how to run it using Docker
- [extensions](https://semgrep.dev/docs/extensions/) - on how to use it in JetBrains, VSCode, Vim or as a pre-commit hook
- [supported languages](https://semgrep.dev/docs/supported-languages/) - on what is supported beyond Java, Scala or JavaScript

## Data collection

The SBOM, vulnerability scan and code analysis artefacts are all downloaded [daily](https://tinka-universe.cloud.databricks.com/?o=3837413113023844#job/301490140853670) and added to the following Databricks Delta tables:

- software_supply_chain_v2.sbom
- software_supply_chain_v2.sca
- software_supply_chain_v2.vulnerability_reports

Data analysis notebooks can be found [here](https://github.com/TinkaTech/infosec-tools/tree/master/notebooks).

We only download workflow artefacts, and GitHub expires these after 30 days, so an artefact the daily job misses for longer than that is gone. All raw files are stored under the following DBFS mount path, which is backed by an S3 bucket: `/dbfs/mnt/nl-lacent-data-sandbox-lacent/harmw/software-supply-chain`