Discovering your open source dependencies using twigs
Twigs is an essential tool for devops security to ensure that your open source dependencies are evaluated and tracked for vulnerabilities.
As described in the earlier blog article – Getting started with twigs, one of the discovery modes supported by twigs is the discovery of open source dependencies as assets using the ‘repo’ mode. In this mode, twigs will collect required metadata from a given local or remote code repository to determine vulnerabilities in the open source dependencies across a range of application stacks including NodeJS, Angular, Java, Ruby, Python, Perl, Microsoft .NET and others.
The general usage is as follows:
$ twigs repo --repo <local or remote repository> [--type pip|ruby|yarn|nuget|npm|maven|gradle|dll]
The simplest way to discovery open source dependencies for a local code repository is as follows:
$ twigs repo --repo /home/joe/myrepo
This will discover all open source dependencies for all possible application stacks and report them as a single asset to the ThreatWatch instance.
If the repository is a remote repository accessible over http or from Github itself, just replace the –repo location to with the http location
$ twigs repo --repo https://github.com/SomeRepo/myrepo.git
If the repository has dependencies from more than one application stack and you want to track dependencies for each track separately, then you can use the –type option to specify a specific application/build management type.
$ twigs repo --repo https://github.com/SomeRepo/myrepo.git --type pip
Supported application/build management types are pip, ruby, yarn, nuget, npm, maven and gradle. In addition, Microsoft dll versions can also be tracked for vulnerabilities using the type ‘dll’.
All these sample commands given above assume that you have provided the ‘–handle’, ‘–token’ and ‘–instance’ options to the twigs command line through environment variables. These can be provided on the twigs command line as well.
$ twigs --scan full --email_report repo --repo https://github.com/SomeRepo/myrepo.git --type pip