@conterra/vuln-scan 0.0.35 → 0.0.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +114 -0
- package/dist/add-project.js +453 -456
- package/dist/add-statement.js +454 -457
- package/dist/jira-reporter.js +19 -0
- package/dist/remove-project.js +434 -437
- package/dist/schema/jira-config-schema.json +71 -0
- package/dist/schema/summary-schema.json +152 -0
- package/package.json +8 -7
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
|
+
"$id": "jira-config-schema.json",
|
|
4
|
+
"title": "JiraConfig",
|
|
5
|
+
"description": "Configuration file (jira.json) for the ct-vuln-jira-report tool. Defines how vulnerabilities from a scan-summary.json are routed to Jira projects.",
|
|
6
|
+
"type": "object",
|
|
7
|
+
"required": ["jiraUrl", "issues"],
|
|
8
|
+
"additionalProperties": false,
|
|
9
|
+
"properties": {
|
|
10
|
+
"$schema": {
|
|
11
|
+
"description": "Optional reference to the JSON Schema used to validate this file.",
|
|
12
|
+
"type": "string"
|
|
13
|
+
},
|
|
14
|
+
"jiraUrl": {
|
|
15
|
+
"description": "Base URL of the Jira instance. Example: \"https://myorg.atlassian.net\"",
|
|
16
|
+
"type": "string",
|
|
17
|
+
"format": "uri"
|
|
18
|
+
},
|
|
19
|
+
"issues": {
|
|
20
|
+
"description": "List of routing rules that map scan project identifiers to target Jira projects.",
|
|
21
|
+
"type": "array",
|
|
22
|
+
"minItems": 1,
|
|
23
|
+
"items": {
|
|
24
|
+
"$ref": "#/$defs/JiraIssueConfig"
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
},
|
|
28
|
+
"$defs": {
|
|
29
|
+
"JiraIssueConfig": {
|
|
30
|
+
"description": "A single routing rule: vulnerabilities affecting any of the listed project patterns will create an issue in the given Jira project.",
|
|
31
|
+
"type": "object",
|
|
32
|
+
"required": ["jiraProject", "issueType", "reportProjects"],
|
|
33
|
+
"additionalProperties": false,
|
|
34
|
+
"properties": {
|
|
35
|
+
"jiraProject": {
|
|
36
|
+
"description": "Jira project key where issues will be created, e.g. \"PLATFORM\".",
|
|
37
|
+
"type": "string"
|
|
38
|
+
},
|
|
39
|
+
"issueType": {
|
|
40
|
+
"description": "Jira issue type name, e.g. \"Bug\", \"CVE\" or \"Task\".",
|
|
41
|
+
"type": "string"
|
|
42
|
+
},
|
|
43
|
+
"issueLabels": {
|
|
44
|
+
"description": "Optional list of Jira labels to apply to every issue created by this rule. Example: [\"security\", \"cve\"].",
|
|
45
|
+
"type": "array",
|
|
46
|
+
"items": {
|
|
47
|
+
"type": "string"
|
|
48
|
+
}
|
|
49
|
+
},
|
|
50
|
+
"boardId": {
|
|
51
|
+
"description": "Jira Scrum board ID. Required when assignToActiveSprint is true. Used to look up the currently active sprint via the Jira Agile API.",
|
|
52
|
+
"type": "integer"
|
|
53
|
+
},
|
|
54
|
+
"assignToActiveSprint": {
|
|
55
|
+
"description": "When true and boardId is set, the created issue is assigned to the currently active sprint of that board. If no active sprint is found the issue is still created without a sprint assignment.",
|
|
56
|
+
"type": "boolean",
|
|
57
|
+
"default": false
|
|
58
|
+
},
|
|
59
|
+
"reportProjects": {
|
|
60
|
+
"description": "Glob patterns for project identifiers (name@version) whose vulnerabilities should be routed to this Jira project. Use \"*\" to match any string. Examples: \"mapapps@*\", \"smartfinder@4.*\", \"*\".",
|
|
61
|
+
"type": "array",
|
|
62
|
+
"minItems": 1,
|
|
63
|
+
"items": {
|
|
64
|
+
"type": "string",
|
|
65
|
+
"description": "Glob pattern for a project identifier. Example: \"mapapps@*\""
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
}
|
|
@@ -0,0 +1,152 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
|
+
"$id": "summary-schema.json",
|
|
4
|
+
"title": "ScanSummary",
|
|
5
|
+
"description": "Output schema for the CVE vulnerability scan summary (scan-summary.json)",
|
|
6
|
+
"type": "object",
|
|
7
|
+
"required": [
|
|
8
|
+
"errors",
|
|
9
|
+
"vulnerabilities",
|
|
10
|
+
"vulnerabilityToProject",
|
|
11
|
+
"projectToVulnerability",
|
|
12
|
+
"noLongerDetectedVulnerabilities"
|
|
13
|
+
],
|
|
14
|
+
"additionalProperties": false,
|
|
15
|
+
"properties": {
|
|
16
|
+
"$schema": {
|
|
17
|
+
"description": "Optional reference to the JSON Schema used to validate this file.",
|
|
18
|
+
"type": "string"
|
|
19
|
+
},
|
|
20
|
+
"errors": {
|
|
21
|
+
"description": "Scan errors that occurred per project during the scan run.",
|
|
22
|
+
"type": "array",
|
|
23
|
+
"items": {
|
|
24
|
+
"$ref": "#/$defs/ProjectError"
|
|
25
|
+
}
|
|
26
|
+
},
|
|
27
|
+
"vulnerabilities": {
|
|
28
|
+
"description": "Map of CVE/vulnerability ID to its details. Only covers newly detected vulnerabilities.",
|
|
29
|
+
"type": "object",
|
|
30
|
+
"additionalProperties": {
|
|
31
|
+
"$ref": "#/$defs/ShortVulnInfo"
|
|
32
|
+
}
|
|
33
|
+
},
|
|
34
|
+
"vulnerabilityToProject": {
|
|
35
|
+
"description": "Map of CVE/vulnerability ID to the list of affected project identifiers (name@version).",
|
|
36
|
+
"type": "object",
|
|
37
|
+
"additionalProperties": {
|
|
38
|
+
"type": "array",
|
|
39
|
+
"items": {
|
|
40
|
+
"type": "string"
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
},
|
|
44
|
+
"projectToVulnerability": {
|
|
45
|
+
"description": "Map of project identifier (name@version) to the list of CVE/vulnerability IDs detected in that project.",
|
|
46
|
+
"type": "object",
|
|
47
|
+
"additionalProperties": {
|
|
48
|
+
"type": "array",
|
|
49
|
+
"items": {
|
|
50
|
+
"type": "string"
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
},
|
|
54
|
+
"noLongerDetectedVulnerabilities": {
|
|
55
|
+
"description": "Map of CVE/vulnerability ID to the list of project identifiers (name@version) where the vulnerability was declared but is no longer detected.",
|
|
56
|
+
"type": "object",
|
|
57
|
+
"additionalProperties": {
|
|
58
|
+
"type": "array",
|
|
59
|
+
"items": {
|
|
60
|
+
"type": "string"
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
}
|
|
64
|
+
},
|
|
65
|
+
"$defs": {
|
|
66
|
+
"Severity": {
|
|
67
|
+
"description": "Severity level of a vulnerability.",
|
|
68
|
+
"type": "string",
|
|
69
|
+
"enum": ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
|
|
70
|
+
},
|
|
71
|
+
"ComponentNode": {
|
|
72
|
+
"description": "A node in the reverse dependency tree identifying a component by its purl.",
|
|
73
|
+
"type": "object",
|
|
74
|
+
"required": ["purl", "usedBy"],
|
|
75
|
+
"additionalProperties": false,
|
|
76
|
+
"properties": {
|
|
77
|
+
"purl": {
|
|
78
|
+
"description": "Package URL (purl) of the component.",
|
|
79
|
+
"type": "string"
|
|
80
|
+
},
|
|
81
|
+
"usedBy": {
|
|
82
|
+
"description": "Components that depend on this component. An empty array means this is a root/direct dependency.",
|
|
83
|
+
"type": "array",
|
|
84
|
+
"items": {
|
|
85
|
+
"$ref": "#/$defs/ComponentNode"
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
},
|
|
90
|
+
"ShortVulnInfo": {
|
|
91
|
+
"description": "Condensed vulnerability information for a single CVE/vulnerability.",
|
|
92
|
+
"type": "object",
|
|
93
|
+
"required": ["id", "severity", "title", "description", "components", "componentTree", "refs"],
|
|
94
|
+
"additionalProperties": false,
|
|
95
|
+
"properties": {
|
|
96
|
+
"id": {
|
|
97
|
+
"description": "Unique identifier of the vulnerability (e.g. CVE-2024-12345).",
|
|
98
|
+
"type": "string"
|
|
99
|
+
},
|
|
100
|
+
"severity": {
|
|
101
|
+
"$ref": "#/$defs/Severity"
|
|
102
|
+
},
|
|
103
|
+
"title": {
|
|
104
|
+
"description": "Short human-readable title of the vulnerability.",
|
|
105
|
+
"type": "string"
|
|
106
|
+
},
|
|
107
|
+
"description": {
|
|
108
|
+
"description": "Detailed description of the vulnerability.",
|
|
109
|
+
"type": "string"
|
|
110
|
+
},
|
|
111
|
+
"components": {
|
|
112
|
+
"description": "List of affected component purls.",
|
|
113
|
+
"type": "array",
|
|
114
|
+
"items": {
|
|
115
|
+
"type": "string"
|
|
116
|
+
}
|
|
117
|
+
},
|
|
118
|
+
"componentTree": {
|
|
119
|
+
"description": "Reverse dependency tree nodes showing how affected components are used.",
|
|
120
|
+
"type": "array",
|
|
121
|
+
"items": {
|
|
122
|
+
"$ref": "#/$defs/ComponentNode"
|
|
123
|
+
}
|
|
124
|
+
},
|
|
125
|
+
"refs": {
|
|
126
|
+
"description": "List of reference URLs (advisories, NVD entries, etc.).",
|
|
127
|
+
"type": "array",
|
|
128
|
+
"items": {
|
|
129
|
+
"type": "string",
|
|
130
|
+
"format": "uri"
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
},
|
|
135
|
+
"ProjectError": {
|
|
136
|
+
"description": "An error that occurred while scanning a specific project.",
|
|
137
|
+
"type": "object",
|
|
138
|
+
"required": ["project", "error"],
|
|
139
|
+
"additionalProperties": false,
|
|
140
|
+
"properties": {
|
|
141
|
+
"project": {
|
|
142
|
+
"description": "Project identifier in the form name@version.",
|
|
143
|
+
"type": "string"
|
|
144
|
+
},
|
|
145
|
+
"error": {
|
|
146
|
+
"description": "Error message describing what went wrong during the scan.",
|
|
147
|
+
"type": "string"
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@conterra/vuln-scan",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.36",
|
|
4
4
|
"description": "con terra vulnerability scan process",
|
|
5
5
|
"author": "con terra GmbH",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -15,7 +15,8 @@
|
|
|
15
15
|
"ct-vuln-add-vex": "dist/add-statement.js",
|
|
16
16
|
"ct-vuln-add-project": "dist/add-project.js",
|
|
17
17
|
"ct-vuln-remove-project": "dist/remove-project.js",
|
|
18
|
-
"ct-vuln-add-project-to-vex": "dist/add-project-to-vex.js"
|
|
18
|
+
"ct-vuln-add-project-to-vex": "dist/add-project-to-vex.js",
|
|
19
|
+
"ct-vuln-jira-report": "dist/jira-reporter.js"
|
|
19
20
|
},
|
|
20
21
|
"engines": {
|
|
21
22
|
"node": ">= 20",
|
|
@@ -37,19 +38,19 @@
|
|
|
37
38
|
"@types/escape-html": "1.0.4",
|
|
38
39
|
"@types/sarif": "^2.1.7",
|
|
39
40
|
"copyfiles": "2.4.1",
|
|
40
|
-
"esbuild": "0.27.
|
|
41
|
+
"esbuild": "0.27.3",
|
|
41
42
|
"escape-html": "1.0.3",
|
|
42
|
-
"eslint-plugin-headers": "1.3.
|
|
43
|
+
"eslint-plugin-headers": "1.3.4",
|
|
43
44
|
"eslint": "^9.39.1",
|
|
44
45
|
"globals": "17.3.0",
|
|
45
46
|
"json-schema-to-typescript": "15.0.4",
|
|
46
47
|
"node-sarif-builder": "3.4.0",
|
|
47
48
|
"prettier": "^3.8.1",
|
|
48
|
-
"rimraf": "6.1.
|
|
49
|
+
"rimraf": "6.1.3",
|
|
49
50
|
"typescript": "5.9.3",
|
|
50
|
-
"typescript-eslint": "8.
|
|
51
|
+
"typescript-eslint": "8.56.1",
|
|
51
52
|
"vitest": "4.0.18",
|
|
52
|
-
"@inquirer/prompts": "8.
|
|
53
|
+
"@inquirer/prompts": "8.3.0"
|
|
53
54
|
},
|
|
54
55
|
"scripts": {
|
|
55
56
|
"full-build": "pnpm run clean && pnpm run type-check && pnpm run lint && pnpm run prod",
|