@eurekadevsecops/radar 1.0.0

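--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,43 @@
+<pre>
+_
+_ __ __ _ __| | __ _ _ __
+| '__/ _` |/ _` |/ _` | '__|
+| | | (_| | (_| | (_| | |
+|_| \__,_|\__,_|\__,_|_|
+</pre>
+
+# Introduction
+
+radarctl is a command-line interface for Radar, an open-source orchestrator of security scanners. Radar is part of the Eureka DevSecOps platform.
+
+## Installation
+
+## Using a Package Manager
+
+#### [NPM](https://npmjs.com) (macOS, Linux, WSL)
+
+```bash
+npm install -g radar
+```
+
+## Downloading from GitHub
+
+Download the appropriate version from the [Releases](https://github.com/eurekadevsecops/radarctl/releases) page of the `radarctl` GitHub repository.
+
+## Getting Started
+
+Get familiar with built-in radar help pages:
+
+```bash
+radar help
+```
+
+Run a scan on the source code in the current working directory:
+
+```bash
+radar scan
+```
+
+## Contributing guide
+
+See [CONTRIBUTING.md](./CONTRIBUTING.md)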
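--- a/package/cli.js
+++ b/package/cli.js
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+// require('dotenv').config()
+const path = require('node:path')
+const plugins = { scanners: require(path.join(__dirname, 'src', 'plugins', 'scanners')) }
+const cli = require(path.join(__dirname, 'src')).build({ plugins })
+
+// Check for updates (not in browsers).
+cli.checkForUpdates()
+
+// Export the configured CLI module.
+module.exports = cli
+
+// Run the command given on the command line.
+cli.run().then((exitCode) => { process.exitCode = exitCode ?? 0 })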
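Review bot: The `cli.run().then(...)` on the last line has no rejection handler, so an error thrown inside a command becomes an unhandled rejection and the process dies with Node's default stack dump instead of a controlled exit code. Because `module.exports = cli` lives in the same file, anything that requires this module for its export also triggers `checkForUpdates()` and `run()` as side effects; guarding both calls with `require.main === module` keeps the export usable without launching the CLI. Whether `checkForUpdates()` returns a promise is not visible here; if it does, it is floating as well and should be awaited or explicitly voided with a comment.
```javascript
module.exports = cli

if (require.main === module) {
  // … unchanged: update check …
  cli.checkForUpdates()
  cli.run()
    .then((exitCode) => { process.exitCode = exitCode ?? 0 })
    .catch((err) => {
      console.error(err)
      process.exitCode = 1
    })
}
```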
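--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,36 @@
+{
+"name": "@eurekadevsecops/radar",
+"version": "1.0.0",
+"description": "Radar is an open-source orchestrator of security scanners.",
+"homepage": "https://www.eurekadevsecops.com/radar",
+"keywords": [
+"eureka",
+"devsecops",
+"radar",
+"security",
+"scanner",
+"asoc",
+"aspm"
+],
+"license": "GPL-3.0-only",
+"author": "Sasa Djolic <s.djolic@eurekadevsecops.com> (https://www.linkedin.com/in/sasadjolic/)",
+"type": "commonjs",
+"main": "cli.js",
+"scripts": {
+"test": "standard"
+},
+"repository": {
+"type": "git",
+"url": "https://github.com/EurekaDevSecOps/radarctl.git"
+},
+"dependencies": {
+"@persistr/clif": "^1.11.0",
+"@persistr/clif-plugin-settings": "^2.3.1",
+"humanize-duration": "^3.33.0",
+"smol-toml": "^1.4.1",
+"tiny-spinner": "^2.0.5"
+},
+"devDependencies": {
+"standard": "*"
+}
+}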
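Review bot: The manifest declares only `"main": "cli.js"` and no `"bin"` field, so `npm install -g` does not place a `radar` command on PATH even though cli.js carries a `#!/usr/bin/env node` shebang and is clearly meant to be executed; add `"bin": { "radar": "cli.js" },` next to `"main"`. The README shipped in this same release instructs users to run `npm install -g radar`, but the package is published as `@eurekadevsecops/radar`; the unscoped name is a different registry entry, so the instruction should read `npm install -g @eurekadevsecops/radar`. `"standard": "*"` in devDependencies accepts any future major, which makes lint results and CI non-reproducible; pin it to a caret range like the runtime dependencies.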
@@ -0,0 +1,8 @@
1
+ # Parameters:
2
+ # $1 - Path to the source code folder that should be scanned
3
+ # $2 - Path to the assets folder
4
+ # $3 - Path to the output folder where scan results should be stored
5
+
6
+ set -e
7
+ docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/owasp-dep-scan/dep-scan depscan --src /app --reports-dir /output/depscan --report-name depscan.sarif --report-template /input/sarif.j2 2>&1
8
+ cp $3/depscan/depscan.sarif $3/depscan.sarif
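Review bot: The positional parameters in the `docker run` line and the `cp` line are unquoted, so a source, assets or output path containing whitespace is split into several arguments and the bind mounts silently point at the wrong places; quote them and mount the inputs read-only since the scanner only reads them: `-v "$1":/app:ro -v "$2":/input:ro -v "$3":/output` and `cp "$3/depscan/depscan.sarif" "$3/depscan.sarif"`. The image `ghcr.io/owasp-dep-scan/dep-scan` is referenced without a tag or digest, so each run pulls whatever `latest` currently is; pinning to a release tag or `@sha256:<digest-placeholder>` makes scan results reproducible and limits exposure to a changed upstream image. With `set -e`, if depscan exits non-zero when it finds vulnerabilities the `cp` never runs and the report is lost — confirm the tool's exit-code semantics before relying on this sequence. The gitleaks script later on this page has the same unquoted parameters and unpinned image.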
@@ -0,0 +1,90 @@
1
+ {
2
+ "version": "2.1.0",
3
+ "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
4
+ "runs": [
5
+ {
6
+ "tool": {
7
+ "driver": {
8
+ "name": "{{ metadata.tools.components[1].name }}",
9
+ "semanticVersion": "{{ metadata.tools.components[1].version }}",
10
+ "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
11
+ "properties": {
12
+ "protocol_version": "v1.0.0",
13
+ "scanner_name": "{{ metadata.tools.components[1].name }}",
14
+ "scanner_version": "{{ metadata.tools.components[1].version }}",
15
+ "db": "https://github.com/AppThreat/vulnerability-db",
16
+ "scan_mode": "source"
17
+ },
18
+ "rules": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
19
+ {
20
+ "id": "{{ vuln['bom-ref'] }}",
21
+ "shortDescription": {
22
+ "text": "Vulnerable pkg: {{ package }}\nCVE: {{ vuln.id }}\nFix: {{ vuln.recommendation }}\n\n{% for prop in vuln.properties %}{{ prop.name }}: {{ prop.value }}\n{% endfor %}"
23
+ },
24
+ "fullDescription": {
25
+ "text": {{ vuln.description | tojson }}
26
+ },
27
+ "help": {
28
+ "text": "{{ vuln.recommendation }}"
29
+ },
30
+ "helpUri": "{% if vuln.source and vuln.source.url %}{{ vuln.source.url }}{% elif vuln.id and 'NPM-' in vuln.id %}https://osv.dev/vulnerability/{{ vuln.id.split('/')[0] }}{% else %}https://unknownhelpuri.com{% endif %}",
31
+ "properties": {
32
+ "tags": [
33
+ {% for prop in vuln.properties %}{% if 'Used' in prop.value -%}
34
+ "{{ 'Used' }}",
35
+ {% endif -%}{% if 'Reachable' in prop.value -%}
36
+ "{{ 'Reachable' }}",
37
+ {% endif -%}{% if 'Confirmed' in prop.value -%}
38
+ "{{ 'Confirmed' }}",
39
+ {% endif -%}{% if 'Exploits' in prop.value -%}
40
+ "{{ 'Exploits' }}",
41
+ {% endif -%}{% if 'PoC' in prop.value -%}
42
+ "{{ 'PoC' }}",
43
+ {% endif -%}{% if 'true' in prop.value and 'prioritized' in prop.name -%}
44
+ "{{ 'Prioritized' }}",
45
+ {% endif -%}{% endfor %}{% if 'MAL-' in vuln.id -%}
46
+ "{{ 'Malware' }}",
47
+ {% endif -%}"{{ vuln['id'] }}"
48
+ ]
49
+ }
50
+ }{% if not loop.last %},{% endif %}
51
+ {% endfor %}
52
+ ]
53
+ }
54
+ },
55
+ "results": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
56
+ {
57
+ "ruleId": "{{ vuln['bom-ref'] }}",
58
+ "level": {% if vuln.ratings[0].severity in ['critical','high'] -%}
59
+ "{{ 'error' }}",
60
+ {% endif -%}{% if vuln.ratings[0].severity in ['medium'] -%}
61
+ "{{ 'warning' }}",
62
+ {% endif -%}{% if vuln.ratings[0].severity in ['low'] -%}
63
+ "{{ 'note' }}",
64
+ {% endif -%}
65
+ "message": {
66
+ "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
67
+ },
68
+ "locations": [
69
+ {
70
+ "physicalLocation": {
71
+ "artifactLocation": {
72
+ "uri": "lockfile",
73
+ "uriBaseId": "%SRCROOT%"
74
+ },
75
+ "region": {
76
+ "startLine": 1
77
+ }
78
+ },
79
+ "message": {
80
+ "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
81
+ }
82
+ }
83
+ ]
84
+ }
85
+ {% if not loop.last %},{% endif %}
86
+ {% endfor %}
87
+ ]
88
+ }
89
+ ]
90
+ }
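Review bot: `{{ vuln.recommendation }}`, `{{ package }}` and `{{ prop.value }}` are interpolated into JSON string literals without `| tojson` (the shortDescription text, the help text and the tags array), so a recommendation or property value containing a double quote, backslash or newline yields invalid SARIF — only fullDescription escapes correctly. Use the same filter for each, e.g. `"text": {{ vuln.recommendation | tojson }}` for the help entry, and assemble the shortDescription text in a `{% set %}` block that is then emitted with `| tojson`. The `level` chain in the results loop emits nothing when `ratings[0].severity` is outside critical/high/medium/low, and fails outright when `ratings` is empty, leaving `"level": "message":` in the output; the `elif`/`else` chain below supplies a `"none"` fallback, and the empty-ratings case still needs its own guard. The `helpUri` fallback `https://unknownhelpuri.com` is a domain the project does not control; omitting the property when no source URL is known is safer than sending users there.
```jinja
"level": {% if vuln.ratings[0].severity in ['critical','high'] -%}
"error",
{% elif vuln.ratings[0].severity in ['medium'] -%}
"warning",
{% elif vuln.ratings[0].severity in ['low'] -%}
"note",
{% else -%}
"none",
{% endif -%}
{# … unchanged: message and locations … #}
```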
@@ -0,0 +1,7 @@
1
+ # Parameters:
2
+ # $1 - Path to the source code folder that should be scanned
3
+ # $2 - Path to the assets folder
4
+ # $3 - Path to the output folder where scan results should be stored
5
+
6
+ set -e
7
+ docker run --rm -v $1:/app -v $2:/input -v $3:/output zricethezav/gitleaks dir -f sarif -r /output/gitleaks.sarif /app 2>&1
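Review bot: `-v $2:/input` mounts the assets folder into the container, but nothing in this seven-line script passes anything under `/input` to gitleaks, so the mount only widens what the container can read; drop it and mount the source read-only: `docker run --rm -v "$1":/app:ro -v "$3":/output zricethezav/gitleaks dir -f sarif -r /output/gitleaks.sarif /app 2>&1`. The unquoted `$1`/`$2`/`$3` and the untagged image are the same issues raised on the depscan script above. gitleaks exits non-zero by default when it reports leaks (see its `--exit-code` option), so under `set -e` the caller sees that status as a failure — confirm that is what the orchestrator expects.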