SQL Query Interface over SBOM using SafeDep Cloud

Announcements

SafeDep Team

• Oct 18, 2024 • 2 min read

Developer experience is often specialized. Apart from providing domain specific use-cases, ease of getting started and ample documentation, flexibility of use especially with custom integration is important. This allows developer and security engineers, who are often subject matter experts to use a solution as per their requirement instead of compromising and following the workflows enforced by the product. This is a key focus at SafeDep in our product development efforts. We want to provide the best experience to security and platform engineers in protecting themselves against malicious, vulnerable and risky open source components.

To enable this, we shipped a key building block required to find what you need. Instead of being restricted by UI and Tables, engineers can use their familiar SQL query language to find and export security risk related information from SafeDep Cloud. Here is a quick #build-in-public demo of this feature.

Example

Let’s find all the repositories on-boarded into SafeDep Cloud using vet

1
vet cloud query execute --sql \
2
  "select projects.name, projects.version from projects"

This produces

1
Query returned 3 results
2
┌───────────────────────────────────────────┬──────────────────┐
3
│ PROJECTS.NAME                             │ PROJECTS.VERSION │
4
├───────────────────────────────────────────┼──────────────────┤
5
│ https://github.com/safedep/vet .git       │ main             │
6
├───────────────────────────────────────────┼──────────────────┤
7
│ https://github.com/safedep/api.git        │ main             │
8
├───────────────────────────────────────────┼──────────────────┤
9
│ https://github.com/safedep/control.git    │ main             │
10
└───────────────────────────────────────────┴──────────────────┘

Leaking private repositories :-O

You can also use complex queries to filter across an organization wide SBOM

1
select vulnerabilities.cve_id, vulnerabilities.summary from projects
2
  where projects.name = 'safedep/demo-client-java'
3
  and projects.version = 'v1.2.3'
4
  and vulnerabilities.risk = 'CRITICAL'

Queries can be exported to file as CSV or Markdown

1
vet cloud query --sql $SQL --csv /path/to/out.csv

Build in Public Update

If you like what you see so far, check out a development walkthrough of what we are building at #SafeDep

SafeDep Cloud is currently at invite-only preview stage. You can register and get invited to our early adopter program.

Register for SafeDep Cloud

Leverage the power of SafeDep cloud to build an organization wide SBOM, export as CycloneDX and execute flexible queries to discover actionable risks.

Register

vet
sbom
sql
cloud

Author

SafeDep Team

safedep.io

Share

Malware

Malicious npm Package react-refresh-update Drops Cross-Platform Trojan on Developer Machines

A malicious npm package impersonating react-refresh, Meta's library with 42 million weekly downloads, was detected by SafeDep. The package injects a two-layer obfuscated dropper into runtime.js that...

Threat Modeling the AI-Native SDLC: Supply Chain Security in the Age of Coding Agents

AI agents are rewriting the software development lifecycle. From vibe coding to autonomous CI/CD, every phase now involves an LLM making decisions about your code and dependencies. Here is a threat...

How to Write Time-Based Security Policies in SafeDep vet

Protect against unknown malicious open source packages by enforcing a supply chain cooling-off period using the now() CEL function in SafeDep vet.

Malware

Malicious npm Package pino-sdk-v2 Exfiltrates Secrets to Discord

A malicious npm package impersonating the popular pino logger was detected by SafeDep. The package hides obfuscated code inside a legitimate library file to steal environment secrets and send them to...

View All Blogs