refactor: remove GraphQL-based GitHub detection, add Dependency.PURL (#2502)

* refactor: remove GitHub GraphQL dependency graph detection logic and add PURL field

* go mod tidy

* fix: remove GitHub config template from discover command

Author: RyoYamagishi

config/config.go

@@ -247,7 +247,6 @@ type ServerInfo struct {
 	Containers         map[string]ContainerSetting `toml:"containers,omitempty" json:"containers,omitempty"`
 	IgnoreCves         []string                    `toml:"ignoreCves,omitempty" json:"ignoreCves,omitempty"`
 	IgnorePkgsRegexp   []string                    `toml:"ignorePkgsRegexp,omitempty" json:"ignorePkgsRegexp,omitempty"`
-	GitHubRepos        map[string]GitHubConf       `toml:"githubs" json:"githubs,omitempty"` // key: owner/repo
 	UUIDs              map[string]string           `toml:"uuids,omitempty" json:"uuids,omitempty"`
 	Memo               string                      `toml:"memo,omitempty" json:"memo,omitempty"`
 	Enablerepo         []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, Alma, Rocky, RHEL, Amazon
@@ -294,12 +293,6 @@ func (cnf WordPressConf) IsZero() bool {
 	return cnf.OSUser == "" && cnf.DocRoot == "" && cnf.CmdPath == ""
 }
 
-// GitHubConf is used for GitHub Security Alerts
-type GitHubConf struct {
-	Token                 string `json:"-"`
-	IgnoreGitHubDismissed bool   `json:"ignoreGitHubDismissed,omitempty"`
-}
-
 // GetServerName returns ServerName if this serverInfo is about host.
 // If this serverInfo is about a container, returns containerID@ServerName
 func (s ServerInfo) GetServerName() string {

config/tomlloader.go

@@ -115,15 +115,6 @@ func (c TOMLLoader) Load(pathToToml string) error {
 			}
 		}
 
-		for ownerRepo, githubSetting := range server.GitHubRepos {
-			if ss := strings.Split(ownerRepo, "/"); len(ss) != 2 {
-				return xerrors.Errorf("Failed to parse GitHub owner/repo: %s in %s", ownerRepo, name)
-			}
-			if githubSetting.Token == "" {
-				return xerrors.Errorf("GitHub owner/repo: %s in %s token is empty", ownerRepo, name)
-			}
-		}
-
 		if len(server.Enablerepo) == 0 {
 			server.Enablerepo = Conf.Default.Enablerepo
 		}

detector/detector.go

@@ -191,11 +191,6 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 			return nil, xerrors.Errorf("Failed to detect CVE of `%s`: %w", cpeURIs, err)
 		}
 
-		repos := config.Conf.Servers[r.ServerName].GitHubRepos
-		if err := DetectGitHubCves(&r, repos); err != nil {
-			return nil, xerrors.Errorf("Failed to detect GitHub Cves: %w", err)
-		}
-
 		if err := DetectWordPressCves(&r, config.Conf.WpScan); err != nil {
 			return nil, xerrors.Errorf("Failed to detect WordPress Cves: %w", err)
 		}
@@ -392,33 +387,6 @@ func isPkgCvesDetactable(r *models.ScanResult) bool {
 	}
 }
 
-// DetectGitHubCves fetches CVEs from GitHub Security Alerts
-func DetectGitHubCves(r *models.ScanResult, githubConfs map[string]config.GitHubConf) error {
-	if len(githubConfs) == 0 {
-		return nil
-	}
-
-	r.GitHubManifests = models.DependencyGraphManifests{}
-	for ownerRepo, setting := range githubConfs {
-		ss := strings.Split(ownerRepo, "/")
-		if len(ss) != 2 {
-			return xerrors.Errorf("Failed to parse GitHub owner/repo: %s", ownerRepo)
-		}
-		owner, repo := ss[0], ss[1]
-		n, err := DetectGitHubSecurityAlerts(r, owner, repo, setting.Token, setting.IgnoreGitHubDismissed)
-		if err != nil {
-			return xerrors.Errorf("Failed to access GitHub Security Alerts: %w", err)
-		}
-		logging.Log.Infof("%s: %d CVEs detected with GHSA %s/%s",
-			r.FormatServerName(), n, owner, repo)
-
-		if err = DetectGitHubDependencyGraph(r, owner, repo, setting.Token); err != nil {
-			return xerrors.Errorf("Failed to access GitHub Dependency graph: %w", err)
-		}
-	}
-	return nil
-}
-
 // DetectWordPressCves detects CVEs of WordPress
 func DetectWordPressCves(r *models.ScanResult, wpCnf config.WpScanConf) error {
 	if len(r.WordPressPackages) == 0 {