Discovering your open source dependencies using twigs

by Ketan Nilangekar

Twigs is an essential tool for devops security to ensure that your open source dependencies are evaluated and tracked for vulnerabilities.

As described in the earlier blog article – Getting started with twigs, one of the discovery modes supported by twigs is the discovery of open source dependencies as assets using the ‘repo’ mode. In this mode, twigs will collect required metadata from a given local or remote code repository to determine vulnerabilities in the open source dependencies across a range of application stacks including NodeJS, Angular, Java, Ruby, Python, Perl, Microsoft .NET and others.

The general usage is as follows:

$ twigs repo --repo <local or remote repository> [--type pip|ruby|yarn|nuget|npm|maven|gradle|dll]

The simplest way to discover open source dependencies for a local code repository is as follows:

$ twigs repo --repo /home/joe/myrepo

This will discover open source dependencies across all supported application stacks and report them as a single asset to the ThreatWatch instance.

If the repository is a remote repository accessible over HTTP, or hosted on GitHub itself, just replace the --repo location with the HTTP URL of the repository:

$ twigs repo --repo https://github.com/SomeRepo/myrepo.git

If the repository has dependencies from more than one application stack and you want to track the dependencies of each stack separately, you can use the --type option to specify a particular application/build management type.

$ twigs repo --repo https://github.com/SomeRepo/myrepo.git --type pip

Supported application/build management types are pip, ruby, yarn, nuget, npm, maven and gradle. In addition, Microsoft dll versions can also be tracked for vulnerabilities using the type ‘dll’.

All the sample commands given above assume that you have provided the --handle, --token and --instance options to the twigs command line through environment variables. These can be provided on the twigs command line as well.

In addition, twigs options like --scan and --email_report can also be provided to kick off a baseline assessment of the newly tracked open source asset. For example:

$ twigs --scan full --email_report repo --repo https://github.com/SomeRepo/myrepo.git --type pip

This twigs command line can be used to integrate with any CI/CD pipeline based on Jenkins/JFrog, or even with development environments.

An executable version of twigs is also available for use on Microsoft Windows environments.
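To track each stack of a mixed repository as a separate asset from a CI job, the following added example (shell, not part of twigs or of the original article) inspects a checkout for the conventional manifest files and prints one twigs repo --type command per detected stack. The manifest-to-type mapping, and the rule that a yarn.lock marks a yarn project rather than an npm one, are assumptions of this example, not twigs behaviour.

```shell
#!/bin/sh
# Added example, not part of twigs: find which application stacks a local
# checkout contains and emit one "twigs repo --type" command per stack, so a
# CI job can track each stack as its own asset. The manifest-to-type mapping
# below is assumed from each ecosystem's conventional files; --handle, --token
# and --instance are assumed to come from the environment, as in the article.

# Print one supported twigs --type per line for the checkout at $1.
detect_stacks() {
    repo="$1"
    { [ -f "$repo/requirements.txt" ] || [ -f "$repo/setup.py" ]; } && echo pip
    [ -f "$repo/Gemfile" ] && echo ruby
    [ -f "$repo/yarn.lock" ] && echo yarn
    # A package.json without yarn.lock is treated as an npm project (assumption).
    { [ -f "$repo/package.json" ] && [ ! -f "$repo/yarn.lock" ]; } && echo npm
    [ -f "$repo/pom.xml" ] && echo maven
    { [ -f "$repo/build.gradle" ] || [ -f "$repo/build.gradle.kts" ]; } && echo gradle
    { [ -f "$repo/packages.config" ] || ls "$repo"/*.csproj >/dev/null 2>&1; } && echo nuget
    return 0
}

# $1 = value for --repo (local path or git URL), $2 = local checkout to inspect.
# Commands are printed rather than run, so a pipeline can review them or pipe
# them into sh once twigs is installed.
emit_twigs_commands() {
    for t in $(detect_stacks "$2"); do
        printf 'twigs repo --repo %s --type %s\n' "$1" "$t"
    done
}

# Constructed sample: a repository mixing a Python service and a yarn frontend.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/requirements.txt"
    : > "$tmp/package.json"
    : > "$tmp/yarn.lock"
    emit_twigs_commands https://github.com/SomeRepo/myrepo.git "$tmp"
    rm -rf "$tmp"
}
demo
```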
