@eurekadevsecops/radar 1.0.2 → 1.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/depscan/run.sh

@@ -4,5 +4,5 @@
 # $3 - Path to the output folder where scan results should be stored
 
 set -e
-docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/owasp-dep-scan/dep-scan depscan --src /app --reports-dir /output/depscan --report-name depscan.sarif --report-template /input/sarif.j2 2>&1
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-depscan 2>&1
 cp $3/depscan/depscan.sarif $3/depscan.sarif

package/scanners/opengrep/run.sh

@@ -4,4 +4,4 @@
 # $3 - Path to the output folder where scan results should be stored
 
 set -e
-docker run --rm -t -v $1:/app -v $2:/input -v $3:/home/output radar/opengrep:latest /app 2>&1
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-opengrep 2>&1

package/src/commands/scan.js

@@ -46,11 +46,12 @@ module.exports = {
     some may belong to multiple categories. You could run all available SAST 
     scanners, for example, by passing in SAST as the value for the CATEGORIES
     option. Values are case-insensitive. Multiple values should be comma-separated.
-    Defaults to "SAST".
+    Defaults to "SAST", unless you use the SCANNERS option in which case the
+    default value for CATEGORIES is ignored. To run all scanners across all
+    categories, use the value "all" for CATEGORIES.
 
-    You can specify both SCANNERS and CATEGORIES at the same time. The list of
-    available scanners is filtered by the given SCANNERS and CATEGORIES on the
-    command line, and any matching scanners are then used for the scan.
+    You can specify both SCANNERS and CATEGORIES at the same time. This will run
+    all scanners provided in both options.
 
     By default, findings are displayed as high, moderate, and low. This is the
     'security' severity format. Findings can also be displayed as errors, warnings,
@@ -87,10 +88,16 @@ module.exports = {
     args.TARGET = path.normalize(args.TARGET ?? process.cwd())
     args.FORMAT = args.FORMAT ?? 'security'
     if (args.FORMAT !== 'sarif' && args.FORMAT !== 'security') throw new Error('FORMAT must be one of \'sarif\' or \'security\'')
-    args.CATEGORIES = args.CATEGORIES ?? 'sast'
+    if (args.CATEGORIES && !['all', 'sca', 'sast', 'dast'].includes(args.CATEGORIES.toLowerCase())) throw new Error(`CATEGORIES must be one of 'all', 'SCA', 'SAST', or 'DAST'`)
+    if (!args.SCANNERS && !args.CATEGORIES) args.CATEGORIES = 'sast'
+    if (!args.SCANNERS && (args.CATEGORIES === 'all')) args.CATEGORIES = ''
+    if (args.SCANNERS) {
+      const unknownScanners = args.SCANNERS.split(',').filter(name => !availableScanners.find(scanner => scanner.name === name))
+      if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
+      else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
+    }
 
     // Set scan parameters.
-    // const target  = args.TARGET ? path.resolve(args.TARGET) : "$PWD"      // target to scan
     const target = path.resolve(args.TARGET) // target to scan
     const assets = path.join(__dirname, '..', '..', 'scanners') // scanner assets
     const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'radar-')) // output directory
@@ -114,8 +121,12 @@ module.exports = {
         return false
       })
 
+    // At least one scanner must be selected in order to have a successful scan.
+    if (scanners.length === 0) throw new Error('No available scanners selected.')
+
     // Run scanners.
     let isScanCompleted = true
+    log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
     for (const scanner of scanners) {
       let label = scanner.name
       const spinner = new Spinner()

package/src/util/sarif/display_findings.js

@@ -1,6 +1,6 @@
 const levels = require('./levels')
 module.exports = async (summary, format, log) => {
-  for (const finding of summary.notes) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.note}`.bold + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
-  for (const finding of summary.warnings) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.warning}`.bold.yellow + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
-  for (const finding of summary.errors) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.error}`.bold.red + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
+  for (const finding of summary.notes) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.note}`.bold + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
+  for (const finding of summary.warnings) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.warning}`.bold.yellow + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
+  for (const finding of summary.errors) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.error}`.bold.red + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
 }

package/src/util/sarif/merge.js

@@ -12,6 +12,7 @@ module.exports = {
 */
 
 const fs = require('node:fs')
+const path = require('node:path')
 module.exports = async (files, outfile) => {
   const sarif = {
     version: '2.1.0',
@@ -25,14 +26,16 @@ module.exports = async (files, outfile) => {
     for (const run of scan.runs) {
       const tool = {
         driver: {
-          name: run.tool.driver.name,
+          name: path.parse(file).name,
           semanticVersion: run.tool.driver.semanticVersion,
           informationUri: run.tool.driver.informationUri,
-          properties: run.tool.driver.properties,
+          properties: run.tool.driver.properties ?? {},
           rules: []
         }
       }
 
+      tool.driver.properties.officialName = run.tool.driver.name
+
       const rules = new Map()
       for (const result of run.results) {
         rules.set(result.ruleId, true)

package/scanners/depscan/sarif.j2

@@ -1,90 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "{{ metadata.tools.components[1].name }}",
-          "semanticVersion": "{{ metadata.tools.components[1].version }}",
-          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
-          "properties": {
-            "protocol_version": "v1.0.0",
-            "scanner_name": "{{ metadata.tools.components[1].name }}",
-            "scanner_version": "{{ metadata.tools.components[1].version }}",
-            "db": "https://github.com/AppThreat/vulnerability-db",
-            "scan_mode": "source"
-          },
-          "rules": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
-            {
-              "id": "{{ vuln['bom-ref'] }}",
-              "shortDescription": {
-                "text": "Vulnerable pkg: {{ package }}\nCVE: {{ vuln.id }}\nFix: {{ vuln.recommendation }}\n\n{% for prop in vuln.properties %}{{ prop.name }}: {{ prop.value }}\n{% endfor %}"
-              },
-              "fullDescription": {
-                "text": {{ vuln.description | tojson }}
-              },
-              "help": {
-                "text": "{{ vuln.recommendation }}"
-              },
-              "helpUri": "{% if vuln.source and vuln.source.url %}{{ vuln.source.url }}{% elif vuln.id and 'NPM-' in vuln.id %}https://osv.dev/vulnerability/{{ vuln.id.split('/')[0] }}{% else %}https://unknownhelpuri.com{% endif %}",
-              "properties": {
-                "tags": [
-                    {% for prop in vuln.properties %}{% if 'Used' in prop.value -%}
-                    "{{ 'Used' }}",
-                    {% endif -%}{% if 'Reachable' in prop.value -%}
-                    "{{ 'Reachable' }}",
-                    {% endif -%}{% if 'Confirmed' in prop.value -%}
-                    "{{ 'Confirmed' }}",
-                    {% endif -%}{% if 'Exploits' in prop.value -%}
-                    "{{ 'Exploits' }}",
-                    {% endif -%}{% if 'PoC' in prop.value -%}
-                    "{{ 'PoC' }}",                   
-                    {% endif -%}{% if 'true' in prop.value and 'prioritized' in prop.name -%}
-                    "{{ 'Prioritized' }}",
-                    {% endif -%}{% endfor %}{% if 'MAL-' in vuln.id -%}
-                    "{{ 'Malware' }}",
-                    {% endif -%}"{{ vuln['id'] }}"
-                ]
-              }
-            }{% if not loop.last %},{% endif %}
-            {% endfor %}
-          ]
-        }
-      },
-      "results": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
-        {
-          "ruleId": "{{ vuln['bom-ref'] }}",
-          "level": {% if vuln.ratings[0].severity in ['critical','high'] -%}
-                    "{{ 'error' }}",
-                    {% endif -%}{% if vuln.ratings[0].severity in ['medium'] -%}
-                    "{{ 'warning' }}",
-                    {% endif -%}{% if vuln.ratings[0].severity in ['low'] -%}
-                    "{{ 'note' }}",
-                    {% endif -%}
-          "message": {
-            "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "lockfile",
-                  "uriBaseId": "%SRCROOT%"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "message": {
-                "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
-              }
-            }
-          ]
-        }
-        {% if not loop.last %},{% endif %}
-        {% endfor %}
-      ]
-    }
-  ]
-}