@eurekadevsecops/radar 1.0.2 → 1.2.0

package/cli.js

@@ -2,8 +2,7 @@
 
 // require('dotenv').config()
 const path = require('node:path')
-const plugins = { scanners: require(path.join(__dirname, 'src', 'plugins', 'scanners')) }
-const cli = require(path.join(__dirname, 'src')).build({ plugins })
+const cli = require(path.join(__dirname, 'src')).build()
 
 // Check for updates (not in browsers).
 cli.checkForUpdates()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.0.2",
+  "version": "1.2.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -30,6 +30,7 @@
     "@persistr/clif": "^1.11.0",
     "@persistr/clif-plugin-settings": "^2.3.1",
     "humanize-duration": "^3.33.0",
+    "luxon": "^3.7.1",
     "smol-toml": "^1.4.1",
     "tiny-spinner": "^2.0.5"
   },

package/scanners/depscan/run.sh

@@ -4,5 +4,5 @@
 # $3 - Path to the output folder where scan results should be stored
 
 set -e
-docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/owasp-dep-scan/dep-scan depscan --src /app --reports-dir /output/depscan --report-name depscan.sarif --report-template /input/sarif.j2 2>&1
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-depscan 2>&1
 cp $3/depscan/depscan.sarif $3/depscan.sarif

package/scanners/opengrep/run.sh

@@ -4,4 +4,4 @@
 # $3 - Path to the output folder where scan results should be stored
 
 set -e
-docker run --rm -t -v $1:/app -v $2:/input -v $3:/home/output radar/opengrep:latest /app 2>&1
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-opengrep 2>&1

package/src/commands/scan.js

@@ -46,11 +46,12 @@ module.exports = {
     some may belong to multiple categories. You could run all available SAST 
     scanners, for example, by passing in SAST as the value for the CATEGORIES
     option. Values are case-insensitive. Multiple values should be comma-separated.
-    Defaults to "SAST".
+    Defaults to "SAST", unless you use the SCANNERS option in which case the
+    default value for CATEGORIES is ignored. To run all scanners across all
+    categories, use the value "all" for CATEGORIES.
 
-    You can specify both SCANNERS and CATEGORIES at the same time. The list of
-    available scanners is filtered by the given SCANNERS and CATEGORIES on the
-    command line, and any matching scanners are then used for the scan.
+    You can specify both SCANNERS and CATEGORIES at the same time. This will run
+    all scanners provided in both options.
 
     By default, findings are displayed as high, moderate, and low. This is the
     'security' severity format. Findings can also be displayed as errors, warnings,
@@ -81,16 +82,22 @@ module.exports = {
     '$ radar scan -e warning,note ' + '(treat warnings and notes as errors)'.grey
   ],
   run: async (toolbox, args) => {
-    const { log, scanners: availableScanners } = toolbox
+    const { log, scanners: availableScanners, telemetry } = toolbox
 
     // Set defaults.
     args.TARGET = path.normalize(args.TARGET ?? process.cwd())
     args.FORMAT = args.FORMAT ?? 'security'
     if (args.FORMAT !== 'sarif' && args.FORMAT !== 'security') throw new Error('FORMAT must be one of \'sarif\' or \'security\'')
-    args.CATEGORIES = args.CATEGORIES ?? 'sast'
+    if (args.CATEGORIES && !['all', 'sca', 'sast', 'dast'].includes(args.CATEGORIES.toLowerCase())) throw new Error(`CATEGORIES must be one of 'all', 'SCA', 'SAST', or 'DAST'`)
+    if (!args.SCANNERS && !args.CATEGORIES) args.CATEGORIES = 'sast'
+    if (!args.SCANNERS && (args.CATEGORIES === 'all')) args.CATEGORIES = ''
+    if (args.SCANNERS) {
+      const unknownScanners = args.SCANNERS.split(',').filter(name => !availableScanners.find(scanner => scanner.name === name))
+      if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
+      else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
+    }
 
     // Set scan parameters.
-    // const target  = args.TARGET ? path.resolve(args.TARGET) : "$PWD"      // target to scan
     const target = path.resolve(args.TARGET) // target to scan
     const assets = path.join(__dirname, '..', '..', 'scanners') // scanner assets
     const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'radar-')) // output directory
@@ -114,8 +121,23 @@ module.exports = {
         return false
       })
 
+    // At least one scanner must be selected in order to have a successful scan.
+    if (scanners.length === 0) throw new Error('No available scanners selected.')
+
+    // Send telemetry: scan started.
+    let scanID = undefined
+    const isTelemetryEnabled = telemetry.enabled()
+    if (isTelemetryEnabled) {
+      // TODO: Should pass scanID to the server; not read it from the server.
+      const response = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((scanner) => scanner.name) })
+      const data = await response.json()
+      scanID = data.scan_id
+    }
+
     // Run scanners.
     let isScanCompleted = true
+    let runLog = ''
+    log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
     for (const scanner of scanners) {
       let label = scanner.name
       const spinner = new Spinner()
@@ -137,7 +159,9 @@ module.exports = {
         cmd = cmd.replaceAll('${output}', outdir)
         /* eslint-enable no-template-curly-in-string */
 
-        /* const { stdout } = */ await exec(cmd)
+        const { stdout } = await exec(cmd)
+        runLog += stdout
+
         if (!args.QUIET) spinner.success(label)
       } catch (error) {
         isScanCompleted = false
@@ -202,11 +226,27 @@ module.exports = {
         fs.writeFileSync(outfile, JSON.stringify(sarif))
       }
 
-      // TODO: Upload SARIF to user's Eureka account.
-
       // Count findings by severity level.
       const summary = await sariftools.summarize(sarif, target)
 
+      // Send telemetry.
+      if (isTelemetryEnabled && scanID) {
+        // Scan completed.
+        telemetry.send(`scans/:scanID/completed`, { scanID }, {
+          findings: {
+            total: summary.errors.length + summary.warnings.length + summary.notes.length,
+            critical: 0,
+            high: summary.errors.length,
+            med: summary.warnings.length,
+            low: summary.notes.length
+          }
+        })
+
+        // Send sensitive telemetry: scan log and scan findings.
+        telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, runLog)
+        telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, { findings: sarif })
+      }
+
       // Display summarized findings.
       if (!args.QUIET) {
         log()
@@ -227,6 +267,7 @@ module.exports = {
     } else {
       exitCode = 0x10
       if (!args.QUIET) log('Scan NOT completed!')
+      if (telemetry.enabled()) telemetry.send(`scans/:scanID/failed`, { scanID })
     }
 
     // Clean up.

package/src/index.js

@@ -1,10 +1,13 @@
 const { build } = require('@persistr/clif')
 const pkg = require('../package.json')
 const commands = require('./commands')
+const path = require('node:path')
 
 // Plugins.
 const plugins = {
-  settings: require('@persistr/clif-plugin-settings')
+  settings: require('@persistr/clif-plugin-settings'),
+  scanners: require(path.join(__dirname, 'plugins', 'scanners')),
+  telemetry: require(path.join(__dirname, 'plugins', 'telemetry'))
 }
 
 module.exports = {

package/src/plugins/telemetry.js

@@ -0,0 +1,6 @@
+const telemetry = require('../telemetry')
+module.exports = {
+  toolbox: {
+    telemetry
+  }
+}

package/src/telemetry/README.md

@@ -0,0 +1,52 @@
+# TELEMETRY
+
+## How to use this module to send telemetry
+
+### Step 1: Import the module:
+```js
+const telemetry = require('./telemetry')
+```
+
+### Step 2: Call telemetry.send to send telemetry. Choose one of several telemetry events available.
+
+All available telemetry events:
+```js
+telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+telemetry.send(`scans/:scanID/completed`, { scanID }, { status, findings, log })
+telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, log)
+telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, sarif)
+```
+
+To send a telemetry event indicating that a scan has started:
+```js
+telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+```
+
+To send a telemetry event indicating that a scan has completed:
+```js
+telemetry.send(`scans/:scanID/completed`, { scanID }, { status, findings, log })
+```
+
+To send a telemetry event with the scan console log:
+```js
+telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, log)
+```
+
+To send a telemetry event with the scan vulnerability findings:
+```js
+telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, sarif)
+```
+
+### Step 3: (optional) You can await on telemetry.send to read the fetch response.
+
+```js
+const response = await telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+console.log(response.statusCode)
+console.log(await response.json())
+```
+
+## Sensitive data in telemtry events
+
+NOTE: Telemetry events that contain vulnerability data are sent to the Vulnerability
+Data Backend (VDBE) which can be hosted by customers directly on their own infrastructure.
+These telemetry events must be sent using the `sendSensitive` function.

package/src/telemetry/index.js

@@ -0,0 +1,73 @@
+const package = require('../../package.json')
+const { DateTime } = require("luxon")
+
+const EWA_URL = process.env.EWA_URL ?? 'https://app.eurekadevsecops.com'
+const VDBE_URL = process.env.VDBE_URL ?? 'https://vulns.eurekadevsecops.com'
+
+const USER_AGENT = `Radar/${package.version} (${package.pkgname}@${package.version}; ${process?.platform}-${process?.arch}; ${process?.release?.name}-${process?.version})`
+
+const enabled = () => {
+  if (process.env.EUREKA_AGENT_TOKEN) return true
+  return false
+}
+
+const send = async (path, params, body, token) => {
+  return fetch(toURL(path, params), {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
+      'Content-Type': toContentType(path),
+      'User-Agent': USER_AGENT,
+      'Accept': 'application/json'
+    },
+    body: toBody(path, body)
+  })
+}
+
+const sendSensitive = async (path, params, body) => {
+  return send(path, params, body, await token())
+}
+
+const token = async () => {
+  const response = await fetch(`${EWA_URL}/vdbe/token`, {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${process.env.EUREKA_AGENT_TOKEN}`,
+      'Content-Type': 'application/json',
+      'User-Agent': USER_AGENT,
+      'Accept': 'application/json'
+    }
+  })
+  if (!response.ok) throw new Error(`Internal Error: Failed to get VDBE auth token from EWA: ${response.statusText}: ${await response.text()}`)
+  const data = await response.json()
+  return data.token
+}
+
+const toURL = (path, params) => {
+  if (path === `scans/started`) return `${EWA_URL}/scans/started`
+  if (path === `scans/:scanID/completed`) return `${EWA_URL}/scans/${params.scanID}/completed`
+  if (path === `scans/:scanID/failed`) return `${EWA_URL}/scans/${params.scanID}/completed`
+  if (path === `scans/:scanID/log`) return `${VDBE_URL}/scans/${params.scanID}/log`
+  if (path === `scans/:scanID/findings`) return `${VDBE_URL}/scans/${params.scanID}/findings`
+  throw new Error(`Internal Error: Unknown telemetry event: ${path}`)
+}
+
+const toContentType = (path) => {
+  if (path === `scans/:scanID/log`) return 'text/plain'
+  return 'application/json'
+}
+
+const toBody = (path, body) => {
+  if (path === `scans/:scanID/log`) return body
+  if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
+  if (path === `scans/:scanID/completed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+  if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+  if (path === `scans/:scanID/findings`) body = { ...body, profileId: process.env.EUREKA_PROFILE }
+  return JSON.stringify(body)
+}
+
+module.exports = {
+  enabled,
+  send,
+  sendSensitive
+}

package/src/util/sarif/display_findings.js

@@ -1,6 +1,6 @@
 const levels = require('./levels')
 module.exports = async (summary, format, log) => {
-  for (const finding of summary.notes) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.note}`.bold + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
-  for (const finding of summary.warnings) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.warning}`.bold.yellow + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
-  for (const finding of summary.errors) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.error}`.bold.red + `${levels[format].single.suffix}:` + ` ${finding.message}\n`)
+  for (const finding of summary.notes) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.note}`.bold + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
+  for (const finding of summary.warnings) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.warning}`.bold.yellow + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
+  for (const finding of summary.errors) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.error}`.bold.red + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
 }

package/src/util/sarif/merge.js

@@ -12,6 +12,7 @@ module.exports = {
 */
 
 const fs = require('node:fs')
+const path = require('node:path')
 module.exports = async (files, outfile) => {
   const sarif = {
     version: '2.1.0',
@@ -25,14 +26,16 @@ module.exports = async (files, outfile) => {
     for (const run of scan.runs) {
       const tool = {
         driver: {
-          name: run.tool.driver.name,
+          name: path.parse(file).name,
           semanticVersion: run.tool.driver.semanticVersion,
           informationUri: run.tool.driver.informationUri,
-          properties: run.tool.driver.properties,
+          properties: run.tool.driver.properties ?? {},
           rules: []
         }
       }
 
+      tool.driver.properties.officialName = run.tool.driver.name
+
       const rules = new Map()
       for (const result of run.results) {
         rules.set(result.ruleId, true)
@@ -48,5 +51,20 @@ module.exports = async (files, outfile) => {
     }
   }
 
+  // Clean up the SARIF object, to conform to the SARIF schema.
+  for (const run of sarif.runs) {
+    for (const result of run.results) {
+      const partialFingerprints = result.partialFingerprints
+      if (partialFingerprints) {
+        if (!partialFingerprints.commitSha) delete partialFingerprints.commitSha
+        if (!partialFingerprints.email) delete partialFingerprints.email
+        if (!partialFingerprints.author) delete partialFingerprints.author
+        if (!partialFingerprints.date) delete partialFingerprints.date
+        if (!partialFingerprints.commitMessage) delete partialFingerprints.commitMessage
+        if (Object.keys(partialFingerprints).length === 0) delete result.partialFingerprints
+      }
+    }
+  }
+
   fs.writeFileSync(outfile, JSON.stringify(sarif))
 }

package/scanners/depscan/sarif.j2

@@ -1,90 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "{{ metadata.tools.components[1].name }}",
-          "semanticVersion": "{{ metadata.tools.components[1].version }}",
-          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
-          "properties": {
-            "protocol_version": "v1.0.0",
-            "scanner_name": "{{ metadata.tools.components[1].name }}",
-            "scanner_version": "{{ metadata.tools.components[1].version }}",
-            "db": "https://github.com/AppThreat/vulnerability-db",
-            "scan_mode": "source"
-          },
-          "rules": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
-            {
-              "id": "{{ vuln['bom-ref'] }}",
-              "shortDescription": {
-                "text": "Vulnerable pkg: {{ package }}\nCVE: {{ vuln.id }}\nFix: {{ vuln.recommendation }}\n\n{% for prop in vuln.properties %}{{ prop.name }}: {{ prop.value }}\n{% endfor %}"
-              },
-              "fullDescription": {
-                "text": {{ vuln.description | tojson }}
-              },
-              "help": {
-                "text": "{{ vuln.recommendation }}"
-              },
-              "helpUri": "{% if vuln.source and vuln.source.url %}{{ vuln.source.url }}{% elif vuln.id and 'NPM-' in vuln.id %}https://osv.dev/vulnerability/{{ vuln.id.split('/')[0] }}{% else %}https://unknownhelpuri.com{% endif %}",
-              "properties": {
-                "tags": [
-                    {% for prop in vuln.properties %}{% if 'Used' in prop.value -%}
-                    "{{ 'Used' }}",
-                    {% endif -%}{% if 'Reachable' in prop.value -%}
-                    "{{ 'Reachable' }}",
-                    {% endif -%}{% if 'Confirmed' in prop.value -%}
-                    "{{ 'Confirmed' }}",
-                    {% endif -%}{% if 'Exploits' in prop.value -%}
-                    "{{ 'Exploits' }}",
-                    {% endif -%}{% if 'PoC' in prop.value -%}
-                    "{{ 'PoC' }}",                   
-                    {% endif -%}{% if 'true' in prop.value and 'prioritized' in prop.name -%}
-                    "{{ 'Prioritized' }}",
-                    {% endif -%}{% endfor %}{% if 'MAL-' in vuln.id -%}
-                    "{{ 'Malware' }}",
-                    {% endif -%}"{{ vuln['id'] }}"
-                ]
-              }
-            }{% if not loop.last %},{% endif %}
-            {% endfor %}
-          ]
-        }
-      },
-      "results": [ {% for vuln in vulnerabilities %}{% set package = vuln['bom-ref'].split(':')[1] %}
-        {
-          "ruleId": "{{ vuln['bom-ref'] }}",
-          "level": {% if vuln.ratings[0].severity in ['critical','high'] -%}
-                    "{{ 'error' }}",
-                    {% endif -%}{% if vuln.ratings[0].severity in ['medium'] -%}
-                    "{{ 'warning' }}",
-                    {% endif -%}{% if vuln.ratings[0].severity in ['low'] -%}
-                    "{{ 'note' }}",
-                    {% endif -%}
-          "message": {
-            "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "lockfile",
-                  "uriBaseId": "%SRCROOT%"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "message": {
-                "text": "Vulnerability {{ vuln.id }} in pkg {{ package }}"
-              }
-            }
-          ]
-        }
-        {% if not loop.last %},{% endif %}
-        {% endfor %}
-      ]
-    }
-  ]
-}