@catladder/cli 1.135.0 → 1.136.0

package/package.json

@@ -52,7 +52,7 @@
     }
   ],
   "license": "MIT",
-  "version": "1.135.0",
+  "version": "1.136.0",
   "scripts": {
     "lint": "eslint \"src/**/*.ts\"",
     "lint:fix": "eslint \"src/**/*.ts\" --fix",
@@ -63,17 +63,16 @@
     "build:watch": "yarn tsc -w"
   },
   "bin": {
+    "catci": "./bin/catci",
     "catenv": "./bin/catenv",
     "catladder": "./bin/catladder"
   },
-  "dependencies": {
-    "ts-node": "^10.9.1"
-  },
   "engines": {
     "node": ">=12.0.0"
   },
   "devDependencies": {
-    "@catladder/pipeline": "1.135.0",
+    "@catladder/pipeline": "1.136.0",
+    "@gitbeaker/rest": "^39.28.0",
     "@kubernetes/client-node": "^0.16.2",
     "@tsconfig/node14": "^1.0.1",
     "@types/common-tags": "^1.8.0",
@@ -104,6 +103,8 @@
     "open": "^8.4.0",
     "prettier": "^2.5.1",
     "tmp-promise": "^2.0.2",
+    "ts-node": "^10.9.1",
+    "ts-results-es": "^4.1.0-alpha.1",
     "typescript": "^4.5.4",
     "vorpal": "^1.12.0"
   }

package/scripts/bundle

@@ -2,3 +2,5 @@
 ncc build dist/catenv.js -o dist/bundles/catenv -e 'ts-node' $( ((SHOULD_MINIFY == 1)) && printf %s '-m')
 
 ncc build dist/cli.js -o dist/bundles/cli -e 'ts-node' $( ((SHOULD_MINIFY == 1)) && printf %s '-m')
+
+ncc build dist/catci.js -o dist/bundles/catci -e 'ts-node' $( ((SHOULD_MINIFY == 1)) && printf %s '-m')

package/src/apps/catci/catci.ts

@@ -0,0 +1,20 @@
+import Vorpal from "vorpal";
+import packageInfo from "../../packageInfos";
+import securityCommands from "./commands/security/commands";
+
+export async function runCatCi() {
+  const vorpal = new Vorpal();
+
+  process.exitCode = 0;
+  vorpal.delimiter("catci $").history("catci").version(packageInfo.version);
+
+  securityCommands(vorpal);
+
+  const isInteractive = process.argv.length <= 2;
+  if (isInteractive) {
+    vorpal.log(`Catladder CI Tools 😻🔨 version ${packageInfo.version}`).show();
+  } else {
+    await vorpal.exec(process.argv.slice(2).join(" "));
+    process.exit();
+  }
+}

package/src/apps/catci/commands/security/auditDocument.ts

@@ -0,0 +1,150 @@
+import topicsJson from "./topics.json";
+
+type Topic = {
+  description: string;
+  responsibles: number;
+  more: string;
+};
+
+const allTopics: Topic[] = topicsJson;
+
+const checkYes = "✅";
+const checkNo = "❌";
+
+const checkPlaceholder = `${checkYes}/${checkNo}`;
+const responsiblePlaceholder = "@...";
+const rows = [
+  ["Responsible", checkPlaceholder, "Description", "Note", "More Information"],
+].concat(
+  allTopics.map((t) => [
+    Array(t.responsibles).fill(responsiblePlaceholder).join(", "),
+    checkPlaceholder,
+    t.description,
+    "",
+    t.more,
+  ])
+);
+
+function makeTable(rows: string[][]) {
+  const colWidths = calculateColumnWidths(rows);
+
+  return `
+${makeRow(rows[0], colWidths, " ")}
+${makeRow(
+  rows[0].map(() => ""),
+  colWidths,
+  "-"
+)}
+${rows
+  .slice(1)
+  .map((row) => makeRow(row, colWidths, " "))
+  .join("\n")}
+`;
+}
+
+function calculateColumnWidths(rows: string[][]) {
+  const columnCount = rows[0].length;
+  return Array.from({ length: columnCount }, (_, i) => i).map((columnIndex) =>
+    Math.max(...rows.map((row) => row[columnIndex].length))
+  );
+}
+
+function makeRow(row: string[], colWidths: number[], fillString: string) {
+  return `| ${row
+    .map((cell, i) => cell.padEnd(colWidths[i], fillString))
+    .join(" | ")} |`;
+}
+
+export function makeTemplate() {
+  return `
+# Security Audit Report
+
+A security audit report document is a comprehensive assessment of an application's security posture, containing security topics that auditors can mark to indicate the state of various security aspects.
+
+It serves as a structured guide for security team to evaluate different security factors such as authentication, authorization, data encryption, input validation, and more.
+
+## General Information
+
+- Project Owner is @...
+- Dev team:
+  - @...
+  - @...
+  - @...
+
+## Project Security
+
+${makeTable(rows)}
+
+`;
+}
+
+export type SecurityEvaluation = {
+  topics: {
+    description: string;
+    responsibles: string[];
+    note: string;
+    isUnknown: boolean;
+    isAnswered: boolean;
+    isSecured: boolean;
+  }[];
+  score: {
+    rating: number;
+    totalTopics: number;
+    answeredTopics: number;
+    securedTopics: number;
+    unknownTopics: number;
+  };
+};
+
+export function evaluateDocument(document: string): SecurityEvaluation {
+  const rawRows =
+    document.match(/^\s*\|.*?\|\s*$/gm)?.map((row) => row.trim()) ?? [];
+  const matchedRows = rawRows
+    .map((row) => row.split("|").map((col) => col.trim()))
+    .slice(2);
+  const knownTopics = new Set(allTopics.map((t) => t.description));
+
+  const topics = matchedRows.map((col) => {
+    const responsibles = col[1].split(", ");
+    const answer = col[2];
+    const description = col[3];
+    const note = col[4];
+
+    const isUnknown = !knownTopics.has(description);
+    const isAnswered =
+      !isUnknown &&
+      !answer.includes(checkPlaceholder) &&
+      !responsibles.some((responsible) =>
+        responsible.includes(responsiblePlaceholder)
+      );
+    const isSecured = !isUnknown && isAnswered && answer.includes(checkYes);
+
+    return {
+      responsibles,
+      answer,
+      description,
+      note,
+      isUnknown,
+      isAnswered,
+      isSecured,
+    };
+  });
+
+  const totalTopics = allTopics.length;
+  const answeredTopics = topics.filter((t) => t.isAnswered).length;
+  const securedTopics = topics.filter((t) => t.isSecured).length;
+  const unknownTopics = topics.filter((t) => t.isUnknown).length;
+
+  const rating = Math.round((securedTopics / totalTopics) * 100);
+
+  return {
+    topics,
+    score: {
+      rating,
+      totalTopics,
+      answeredTopics,
+      securedTopics,
+      unknownTopics,
+    },
+  };
+}

package/src/apps/catci/commands/security/commands.ts

@@ -0,0 +1,146 @@
+import type Vorpal from "vorpal";
+import {
+  evaluateSecurityAudit,
+  makeSecurityAuditOverview,
+} from "./evaluateSecurityAudit";
+import { Gitlab } from "@gitbeaker/rest";
+import {
+  SECURITY_AUDIT_FILE_NAME,
+  createSecurityAuditMergeRequest,
+} from "./createSecurityAuditMergeRequest";
+
+const GITLAB_HOST = "https://git.panter.ch";
+
+export default function (vorpal: Vorpal) {
+  commandCiJob(vorpal);
+  commandEvaluate(vorpal);
+  commandCreate(vorpal);
+}
+
+async function commandCiJob(vorpal: Vorpal) {
+  vorpal
+    .command(
+      "security-audit-ci-job <path> <token> <mainBranch> <projectId> <userId>",
+      `Evaluates security audit document. If the document can't be evaluated or does not exist, creates a new MR with security audit document template.
+
+<path> root path of a project with security audit document (${SECURITY_AUDIT_FILE_NAME})
+<token> gitlab token with 'api' scopes and permissions to create a new branch
+<main-branch> main branch name
+<project-id> project id to create security audit for
+<user-id> gitlab user id that will be assignee of the audit
+`
+    )
+    .action(async (args) => {
+      const evaluation = await evaluateSecurityAudit({ path: args.path });
+
+      if (evaluation.isErr()) {
+        console.log("could not evaluate security audit document");
+        console.log(
+          "creating new merge request with security audit template..."
+        );
+
+        const { token, mainBranch, projectId, userId } = args;
+        const api = new Gitlab({
+          host: GITLAB_HOST,
+          token,
+        });
+
+        const mr = await createSecurityAuditMergeRequest({
+          api,
+          mainBranch,
+          projectId,
+          userId: parseInt(userId),
+        });
+
+        if (mr.isErr()) {
+          console.error(
+            `could not create merge request with security audit template: ${mr.error}`
+          );
+          process.exitCode = 1;
+          return;
+        }
+
+        console.log("security audit merge request created successfully");
+        console.log(
+          `please finish the MR by updating SECURITY.md document: ${mr.value.web_url}`
+        );
+        process.exitCode = 1;
+        return;
+      }
+
+      if (evaluation.value.score.answeredTopics === 0) {
+        console.error("audit document has no answered topics");
+        console.error(
+          `please answer security topics in ${SECURITY_AUDIT_FILE_NAME} by adding responsible people and check/cross in the table`
+        );
+        process.exitCode = 1;
+        return;
+      }
+
+      process.exitCode = 0;
+      console.log(makeSecurityAuditOverview(evaluation.value));
+    });
+}
+
+async function commandEvaluate(vorpal: Vorpal) {
+  vorpal
+    .command(
+      "security-audit-evaluate <path>",
+      "Evaluates security audit document in given <path>"
+    )
+    .action(async (args) => {
+      console.log("evaluating security audit document...");
+
+      const result = await evaluateSecurityAudit({ path: args.path });
+      if (result.isErr()) {
+        console.error(result.error);
+        console.error(
+          `please make sure the security audit document ${SECURITY_AUDIT_FILE_NAME} is in the repository`
+        );
+        process.exitCode = 1;
+      } else {
+        console.log(makeSecurityAuditOverview(result.value));
+      }
+    });
+}
+
+async function commandCreate(vorpal: Vorpal) {
+  vorpal
+    .command(
+      "security-audit-create <token> <mainBranch> <projectId> <userId>",
+      `Creates a MR in given project with the latest security audit template document
+
+<token> gitlab token with 'api' scopes and permissions to create a new branch
+<main-branch> main branch name
+<project-id> project id to create security audit for
+<user-id> gitlab user id that will be assignee of the audit
+`
+    )
+    .action(async (args) => {
+      const { token, mainBranch, projectId, userId } = args;
+
+      const api = new Gitlab({
+        host: GITLAB_HOST,
+        token,
+      });
+
+      const result = await createSecurityAuditMergeRequest({
+        api,
+        mainBranch,
+        projectId,
+        userId: parseInt(userId),
+      });
+
+      if (result.isErr()) {
+        console.error(
+          `could not create security audit merge request: ${result.error}`
+        );
+        process.exitCode = 1;
+      } else {
+        console.log("security audit merge request created successfully");
+        console.log(
+          `please finish the MR by updating SECURITY.md document: ${result.value.web_url}`
+        );
+      }
+    });
+}

package/src/apps/catci/commands/security/createSecurityAuditMergeRequest.ts

@@ -0,0 +1,98 @@
+import type { Gitlab } from "@gitbeaker/core";
+import { Err, Result } from "ts-results-es";
+import { makeTemplate } from "./auditDocument";
+
+function makeDatedBranchName(branchName: string) {
+  const date = new Date().toISOString().slice(0, -5).replaceAll(/[:.T]/g, "-");
+  return `${branchName}-${date}`;
+}
+
+const MR_TITLE = "Draft: chore(security): add security audit document";
+export const SECURITY_AUDIT_FILE_NAME = "SECURITY.md" as const;
+
+export async function createSecurityAuditMergeRequest({
+  projectId,
+  mainBranch,
+  userId,
+  api,
+}: {
+  projectId: string;
+  mainBranch: string;
+  userId: number;
+  api: Gitlab;
+}) {
+  const mrs = (
+    await Result.wrapAsync(() =>
+      api.MergeRequests.all({
+        state: "opened",
+        wip: "yes",
+        labels: "security-audit",
+      })
+    )
+  ).mapErr(() => `could not search for existing merge requests` as const);
+  if (mrs.isErr()) return mrs;
+
+  const existingMr = mrs.value[0];
+  if (existingMr)
+    return Err(
+      `open merge request with security audit already exists: ${existingMr.web_url}`
+    );
+
+  const auditTemplate = Result.wrap(() => makeTemplate()).mapErr(
+    () => "could not make security audit template document" as const
+  );
+  if (auditTemplate.isErr()) return auditTemplate;
+
+  const branch = (
+    await Result.wrapAsync(() =>
+      api.Branches.create(
+        projectId,
+        makeDatedBranchName("chore/security-audit"),
+        mainBranch
+      )
+    )
+  ).mapErr((e) => {
+    console.log(e);
+    return "could not create branch" as const;
+  });
+  if (branch.isErr()) return branch;
+
+  const commit = (
+    await Result.wrapAsync(() =>
+      api.Commits.create(
+        projectId,
+        branch.value.name,
+        "chore(security): add empty security audit document template",
+        [
+          {
+            action: "create",
+            filePath: SECURITY_AUDIT_FILE_NAME,
+            content: auditTemplate.value,
+            encoding: "text",
+          },
+        ]
+      )
+    )
+  ).mapErr(() => "could not create commit" as const);
+  if (commit.isErr()) return commit;
+
+  const mr = (
+    await Result.wrapAsync(() =>
+      api.MergeRequests.create(
+        projectId,
+        branch.value.name,
+        mainBranch,
+        MR_TITLE,
+        {
+          description: `Please follow and update security audit document in \`${SECURITY_AUDIT_FILE_NAME}\`.`,
+          assigneeId: userId,
+          squash: true,
+          labels: "security-audit",
+          removeSourceBranch: true,
+        }
+      )
+    )
+  ).mapErr(() => "could not create merge request" as const);
+
+  return mr;
+}

package/src/apps/catci/commands/security/evaluateSecurityAudit.ts

@@ -0,0 +1,30 @@
+import { Result } from "ts-results-es";
+import { join } from "path";
+import { readFile } from "fs/promises";
+import { SECURITY_AUDIT_FILE_NAME } from "./createSecurityAuditMergeRequest";
+import type { SecurityEvaluation } from "./auditDocument";
+import { evaluateDocument } from "./auditDocument";
+
+export async function evaluateSecurityAudit({ path }: { path: string }) {
+  return (
+    await Result.wrapAsync(async () => {
+      const filePath = join(path, SECURITY_AUDIT_FILE_NAME);
+      const docData = await readFile(filePath);
+      const doc = docData.toString("utf-8");
+      return evaluateDocument(doc);
+    })
+  ).mapErr((e) => `could not evaluate ${SECURITY_AUDIT_FILE_NAME}: ${e}`);
+}
+
+export function makeSecurityAuditOverview(evaluation: SecurityEvaluation) {
+  const ratingToEmo = (r: number) => (r < 33 ? "🟥" : r < 66 ? "🟨" : "🟩");
+
+  return `Project security posture overview:
+ 🧐 Total topics: ${evaluation.score.totalTopics}
+ 🔒 Secured topics: ${evaluation.score.securedTopics}
+ 📢 Answered topics: ${evaluation.score.answeredTopics}
+ ❔ Unknown topics: ${evaluation.score.unknownTopics}
+ 📊 Rating: ${ratingToEmo(evaluation.score.rating)} ${
+    evaluation.score.rating
+  }/100`;
+}

package/src/apps/catci/commands/security/topics.json

@@ -0,0 +1,120 @@
+[
+  {
+    "description": "No API keys or secrets are stored in repository",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description": "The app does not provide password login",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description": "Passwords are not stored",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description":
+      "Passwords are stored hashed with salt and salt is not stored in the repository",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/hash.md)"
+  },
+  {
+    "description": "Input that ends up in DOM is properly sanitized",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/xss.md)"
+  },
+  {
+    "description": "All user inputs have reasonable validations",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/validation.md)"
+  },
+  {
+    "description": "The app is not using cookies",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
+  },
+  {
+    "description": "The app is using cookies and cookies are properly configured",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
+  },
+  {
+    "description":
+      "The app uses JWT with a secret and the secret is not stored in the repository",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
+  },
+  {
+    "description": "Authorization and user roles (RBAC) were reviewed thoroughly",
+    "responsibles": 2,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/authorization.md)"
+  },
+  {
+    "description": "CORS headers do not use `*`",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cors.md)"
+  },
+  {
+    "description":
+      "CSP headers are properly configured (no `unsafe-inline` or `unsafe-eval`)",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csp.md)"
+  },
+  {
+    "description": "DoS defense mechanism is implemented",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
+  },
+  {
+    "description":
+      "YAML/XML parsing is not used or used YAML/XML parsers have disabled DTD",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
+  },
+  {
+    "description": "The app implements CSRF prevention",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csrf.md)"
+  },
+  {
+    "description": "The app has a rate limitter",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description":
+      "The app has disabled GraphQL introspection and schema registry",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
+  },
+  {
+    "description": "The app has set GraphQL complexity query limits",
+    "responsibles": 1,
+    "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
+  },
+  {
+    "description": "`sitemap.xml` does not leak any routes with sensitive data",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description":
+      "Cloud storage is (private) configured to not leak any sensitive data publicly",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description":
+      "Security Dashboard checks weekly vulnerable dependencies https://dep.panter.swiss/",
+    "responsibles": 1,
+    "more": ""
+  },
+  {
+    "description":
+      "The app has `.well-known/security.txt` https://securitytxt.org/",
+    "responsibles": 1,
+    "more": ""
+  }
+]

package/src/apps/cli/commands/project/commandSecurityEvaluate.ts

@@ -0,0 +1,26 @@
+import type Vorpal from "vorpal";
+import {
+  evaluateSecurityAudit,
+  makeSecurityAuditOverview,
+} from "../../../catci/commands/security/evaluateSecurityAudit";
+import { getGitRoot } from "../../../../utils/projects";
+
+export default async (vorpal: Vorpal) => {
+  vorpal
+    .command(
+      "project-security-evaluate",
+      "evaluate project's security audit document"
+    )
+    .action(async function () {
+      const gitRoot = await getGitRoot();
+      const result = await evaluateSecurityAudit({ path: gitRoot });
+      if (result.isErr()) {
+        console.error(
+          "Could not evaluate security audit document:",
+          result.error
+        );
+      } else {
+        console.log(makeSecurityAuditOverview(result.value));
+      }
+    });
+};

package/src/apps/cli/commands/project/index.ts

@@ -26,6 +26,7 @@ import commandTriggerCronjob from "./commandTriggerCronjob";
 import commandOpenGrafanaPod from "./commandOpenGrafanaPod";
 import commandSecretsClearBackups from "./commandSecretsClearBackups";
 import commandProjectRestoreDb from "./cloudSql/commandProjectRestoreDb";
+import commandSecurityEvaluate from "./commandSecurityEvaluate";
 
 export default async (vorpal: Vorpal) => {
   commandSetup(vorpal);
@@ -61,4 +62,5 @@ export default async (vorpal: Vorpal) => {
 
   commandGetMyTotalWorktime(vorpal);
   commandMigrateHelm3(vorpal);
+  commandSecurityEvaluate(vorpal);
 };

package/src/catci.ts

@@ -0,0 +1,3 @@
+import { runCatCi } from "./apps/catci/catci";
+
+runCatCi();