cofe

command module
v0.0.0-...-6addaf6 Latest
Published: Dec 27, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

README

SafeDep Cofe

Welcome to Cofe

Prioritize OSS vulnerabilities beyond CVSS score, using dependency graph and vulnerability exploitability

What is it?

It is Safedep/Vet on Steroids: a tool for prioritizing library and dependency upgrades in your software projects. It uses several heuristics, such as exploitability, reachability, and the distinction between internal and external libraries, to decide which upgrades matter most and should be done first.

A typical application has 1k+ direct and transitive dependencies, and OSV scanner tools typically report vulnerabilities ranked only by CVSS score. Cofe helps security engineers and developers find the dependency path from the application to the vulnerable package, and uses that path to prioritize fixes.

Original Graph | Cofe Magic

A typical dependency graph

Quick Start

Install Cofe

To install, simply run the following command:

go install github.com/safedep/cofe@main

Install and Configure Vet

Currently, Cofe supports Safedep/Vet as the default dependency scanner. You need to install at least the vet community edition to get vet working.

go install github.com/safedep/vet@main
vet auth configure --community

For other installation options, please refer to Safedep/Vet.

Run It

To get started with Safedep/Vet on Steroids, run:

cofe scan -D <Changeme>/<yourproject>/

Sample Output

cofe-output-20dec2023

Demo

cofe-demo

Advanced Usage

Scan Your Internal Repository

Cofe allows you to scan your internal repositories, including packages hosted in your private artifact repositories. Here are some examples for scanning a Python project.

cofe scan -D <Changeme>/<yourproject>/ --read-std-conf

Visualization

Via Graphviz Tool

cofe scan -D <Changeme>/<yourproject>/ --graphviz g.dot --read-std-conf

Open the dot file using the xdot utility on Ubuntu:

xdot g.dot

Via Cosmograph App (online visualization tool)

cofe scan -D <Changeme>/<yourproject>/ --csv g.csv --read-std-conf

The above command generates the following set of files:

  • g.csv: edges of the dependency graph after it has been reduced by techniques such as reachability analysis
  • g.csv.metadata.csv: metadata for the nodes, such as score and color, useful for visualization
  • g.csv.orig.csv: the initial graph without any optimization
  • g.csv.orig.metadata.csv: metadata for the initial graph

Upload the edge file and the metadata file to the Cosmograph app to visualize the graph.
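The two ideas this README relies on, finding the dependency path from the application to a vulnerable package and reducing the graph to only those paths before exporting edge and metadata CSVs, can be shown in a few dozen lines of Go. The program below is an added example written for this page; it is not cofe's own code and does not read cofe's output files. The edge list, the set of "vulnerable" packages, and the CSV column names (`source,target` for edges, `id,color` for node metadata) are all constructed assumptions chosen to suit a generic graph viewer.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"os"
	"sort"
)

// Edge is one "From depends on To" relation in a dependency graph.
type Edge struct{ From, To string }

// DepGraph is an adjacency list built from a list of edges.
type DepGraph struct{ adj map[string][]string }

// NewDepGraph builds the adjacency list, registering leaf nodes too.
func NewDepGraph(edges []Edge) *DepGraph {
	g := &DepGraph{adj: map[string][]string{}}
	for _, e := range edges {
		g.adj[e.From] = append(g.adj[e.From], e.To)
		if _, ok := g.adj[e.To]; !ok {
			g.adj[e.To] = nil
		}
	}
	return g
}

// PathsToVulnerable does a breadth-first search from root and returns, for each
// vulnerable package that is actually reachable, the shortest chain
// root -> ... -> package. Vulnerable packages that root cannot reach are
// omitted; that absence is the prioritisation signal (nothing to fix first).
func (g *DepGraph) PathsToVulnerable(root string, vulnerable map[string]bool) map[string][]string {
	parent := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range g.adj[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	paths := map[string][]string{}
	for pkg := range vulnerable {
		if _, reachable := parent[pkg]; !reachable {
			continue
		}
		var path []string
		for n := pkg; n != ""; n = parent[n] { // walk parents back to root
			path = append([]string{n}, path...)
		}
		paths[pkg] = path
	}
	return paths
}

// Reduce keeps only edges lying on a root->vulnerable chain, dropping every
// dependency that cannot lead to a known-vulnerable package. Output is sorted
// so the CSV is deterministic.
func (g *DepGraph) Reduce(root string, vulnerable map[string]bool) []Edge {
	keep := map[Edge]bool{}
	for _, path := range g.PathsToVulnerable(root, vulnerable) {
		for i := 0; i+1 < len(path); i++ {
			keep[Edge{path[i], path[i+1]}] = true
		}
	}
	edges := make([]Edge, 0, len(keep))
	for e := range keep {
		edges = append(edges, e)
	}
	sort.Slice(edges, func(i, j int) bool {
		if edges[i].From != edges[j].From {
			return edges[i].From < edges[j].From
		}
		return edges[i].To < edges[j].To
	})
	return edges
}

// WriteCosmographCSV writes "source,target" edge rows and "id,color" node rows.
// Column names are an assumption for a generic viewer, not cofe's format.
func WriteCosmographCSV(edgesOut, metaOut io.Writer, edges []Edge, vulnerable map[string]bool) error {
	ew, mw := csv.NewWriter(edgesOut), csv.NewWriter(metaOut)
	_ = ew.Write([]string{"source", "target"})
	nodes := map[string]bool{}
	for _, e := range edges {
		nodes[e.From], nodes[e.To] = true, true
		_ = ew.Write([]string{e.From, e.To})
	}
	ids := make([]string, 0, len(nodes))
	for n := range nodes {
		ids = append(ids, n)
	}
	sort.Strings(ids)
	_ = mw.Write([]string{"id", "color"})
	for _, id := range ids {
		color := "#ffa500" // orange: on a path to a vulnerable package
		if vulnerable[id] {
			color = "#ff0000" // red: the vulnerable package itself
		}
		_ = mw.Write([]string{id, color})
	}
	ew.Flush()
	mw.Flush()
	if err := ew.Error(); err != nil {
		return err
	}
	return mw.Error()
}

// sampleEdges is a constructed Python-style dependency graph, not real scan output.
var sampleEdges = []Edge{
	{"app", "requests"}, {"requests", "urllib3"}, {"requests", "certifi"},
	{"app", "flask"}, {"flask", "werkzeug"}, {"flask", "jinja2"},
	{"app", "pyyaml"},
	{"devtools", "cryptography"}, // devtools is not reachable from app
}

// sampleVulnerable is a constructed, illustrative set of "vulnerable" packages.
var sampleVulnerable = map[string]bool{"urllib3": true, "pyyaml": true, "cryptography": true}

func main() {
	g := NewDepGraph(sampleEdges)
	for pkg, path := range g.PathsToVulnerable("app", sampleVulnerable) {
		fmt.Printf("%s reachable via %v\n", pkg, path)
	}
	if err := WriteCosmographCSV(os.Stdout, os.Stdout, g.Reduce("app", sampleVulnerable), sampleVulnerable); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

With the constructed input, `cryptography` is flagged as vulnerable but never appears in the output because `app` cannot reach it, while `urllib3` and `pyyaml` come out with their shortest dependency chains; the reduced edge file shrinks from eight edges to three, which is the effect the "graph after reduction" images above illustrate.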

Sample Graphs

Original Graph | Cofe Magic
Demo App Original Graph | Demo App Graph After Reduction
Langchain Original Graph | Langchain Graph After Reduction

How Does It Work?

Cofe Architecture

Supported Ecosystems

Currently, Cofe supports the following ecosystem:

  • PyPI / Python

Roadmap

Future updates and expansions planned for Safedep/Vet on Steroids:

  1. Add support for Java.
  2. Integrate with Neo4j.
  3. Expand to support NPM packages.
  4. Support VEX output.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg
vet