@eurekadevsecops/radar 1.1.0 → 1.2.1

package/cli.js

@@ -2,8 +2,7 @@
 
 // require('dotenv').config()
 const path = require('node:path')
-const plugins = { scanners: require(path.join(__dirname, 'src', 'plugins', 'scanners')) }
-const cli = require(path.join(__dirname, 'src')).build({ plugins })
+const cli = require(path.join(__dirname, 'src')).build()
 
 // Check for updates (not in browsers).
 cli.checkForUpdates()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.1.0",
+  "version": "1.2.1",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -30,6 +30,7 @@
     "@persistr/clif": "^1.11.0",
     "@persistr/clif-plugin-settings": "^2.3.1",
     "humanize-duration": "^3.33.0",
+    "luxon": "^3.7.1",
     "smol-toml": "^1.4.1",
     "tiny-spinner": "^2.0.5"
   },

package/scan.sarif

@@ -0,0 +1 @@
+{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[{"id":"generic-api-key","shortDescription":{"text":"Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}},{"id":"private-key","shortDescription":{"text":"Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}}]}},"results":[{"message":{"text":"generic-api-key has detected secret for file /app/app/services/key_service.ts."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"/app/app/services/key_service.ts"},"region":{"startLine":10,"startColumn":44,"endLine":10,"endColumn":75,"snippet":{"text":"private_pkcs8.pem"}}}}],"properties":{"tags":[]}},{"message":{"text":"private-key has detected secret for file /app/keys/vdbe.private.pem."},"ruleId":"private-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"/app/keys/vdbe.private.pem"},"region":{"startLine":1,"startColumn":1,"endLine":28,"endColumn":26,"snippet":{"text":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDT5JLxkpJH2pkv\ntTmZgEduEHGVO8sv4xLpcBCKgSpVh9apBZnJJgDOl77m7zv2VDycjTQLq4dMk/CT\nBWt50kx+e/jHCP8f64UxbDPMxgDgrYj6YaAoho9coJeu6nG+6h2PNFXM941CrA9V\nddEc9K9piYXSLlr2bHBKeLeuH87Qpmx3bEr8jAXdA51zss2ZsUw5qRH6oWMcqWhC\n5CevbWmFXdoo2W8XfGAwpV2D251uUt6oS4qwU5VT/byR65lewxq3YqPvRpQa5plo\n3aTVypyaqy4l5T2jfLiywXpAuhVPzso4EeDx2Jtfvhh03Is59DFQkQwuXS9caqyY\nDtndupYZAgMBAAECggEADU+dn4laoSLtXp7e2HLDifmEeSCBeiekp39/uoO0uhzH\ncmTErWsyv8eumWlL9gSCrj78lwMWg8wDX+kGQGfioEt/bFl3VXUBMAKhGmsR4Qtl\nwHzjh8g0N1hrTvSxYpHoe3eJMFAY0qhmajL1iQEiB9o4yuRYmIRlZXhB6bFb16WP\nflFcGS/KKxXleco8aEZIu2+X3hXwS2/lDD1sIQua65qXhHZMpB4TfgR2B5r87P9Y\nv5Ilb53nDMWbWDCA8ZifG2fjl29X4bujlJy/fu6Y5UVZB5EIQymKDnnWvemZUFrw\nRtjrJJ9mhM8ON2bYI2LHTMhBixpa3OM3jLQc2FeGRQKBgQDzbv6M4zp8foDU+Ji9\nYlhe0wt6t1EMJQrTgS0h0gbm9ekVLXHDm/hMAUQss6YorXY4Iih/e9HEvNf1byx9\nsfVlkNHrlsNklMmG/jGhzs7xpMOgyq8uzzuY9o/gIFzT3LiuTnk23poGNtDAwNVV\nkaxWOiDtpKFiiFbhRW/pos01PwKBgQDe1MPmW7wnwKD34ee/GaTZpQZ4wH8jdTa1\nVM5xOQKGVyZ5zTc5ao7cR0KYN22ycCI/PwIWWaufDWAYuunRfJP1sWqKf4ENQd5P\nxh66uv3qxETOJ4jk2D8O8fysHLyQu8KvS5TvH/UzNiLRHVv9vfyywmWHOpVP5C1i\nvSiC4yqmpwKBgEEtZ7Q7Jq6shDwBb4vNaBHDeeBacrXIuTRV8sqKXFS8ZLLJ3xrb\niMh40lMRqpxbjTqMUsGHWmvNkBjjskrZOfX+p2XnkNs+RxMAvjMvlxL15XcIrYzf\n6XoUEgOVRqVnBH+O/T9mrGCbjpr9RmFJxpWzrJtUJ+2kyXY5TDSG5WCrAoGAaaFc\nmCemYwXKiJdbP1jNr6quDbHa0xkubPkdv8hxrPNFNvoUErCztjJFnFiyNKM5aNfa\ninPJimVRx4dbbcXrcc2/npXgvEMcOp7FVGluEsslfsB5AVqNUe1ehMw+izGmkWh3\n2n9Awh0Ili6fvAJC9w52CIu52hxlc2gN+zXqswMCgYEA7WfWRh+Rz/3RPlsDBuIu\nu78M6hZ5Uj2SneTtYhXOahMuSGQY4vVd8Z23PBudLVNjNvw05532cVJQvDLGrPeg\nMgig/vMURbQIN5TXVtL7vgyi4QXQgCdHET8YEJrPleyttv/lOJv3ZBUfzKtb9/2s\nK47YjsOczOFh0NbeYPXDZrY=\n-----END PRIVATE KEY-----"}}}}],"properties":{"tags":[]}}]}]}

package/src/commands/scan.js

@@ -82,7 +82,7 @@ module.exports = {
     '$ radar scan -e warning,note ' + '(treat warnings and notes as errors)'.grey
   ],
   run: async (toolbox, args) => {
-    const { log, scanners: availableScanners } = toolbox
+    const { log, scanners: availableScanners, telemetry } = toolbox
 
     // Set defaults.
     args.TARGET = path.normalize(args.TARGET ?? process.cwd())
@@ -124,8 +124,19 @@ module.exports = {
     // At least one scanner must be selected in order to have a successful scan.
     if (scanners.length === 0) throw new Error('No available scanners selected.')
 
+    // Send telemetry: scan started.
+    let scanID = undefined
+    const isTelemetryEnabled = telemetry.enabled()
+    if (isTelemetryEnabled) {
+      // TODO: Should pass scanID to the server; not read it from the server.
+      const response = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((scanner) => scanner.name) })
+      const data = await response.json()
+      scanID = data.scan_id
+    }
+
     // Run scanners.
     let isScanCompleted = true
+    let runLog = ''
     log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
     for (const scanner of scanners) {
       let label = scanner.name
@@ -148,7 +159,9 @@ module.exports = {
         cmd = cmd.replaceAll('${output}', outdir)
         /* eslint-enable no-template-curly-in-string */
 
-        /* const { stdout } = */ await exec(cmd)
+        const { stdout } = await exec(cmd)
+        runLog += stdout
+
         if (!args.QUIET) spinner.success(label)
       } catch (error) {
         isScanCompleted = false
@@ -213,16 +226,32 @@ module.exports = {
         fs.writeFileSync(outfile, JSON.stringify(sarif))
       }
 
-      // TODO: Upload SARIF to user's Eureka account.
-
       // Count findings by severity level.
       const summary = await sariftools.summarize(sarif, target)
 
+      // Send telemetry.
+      if (isTelemetryEnabled && scanID) {
+        // Scan completed.
+        telemetry.send(`scans/:scanID/completed`, { scanID }, {
+          findings: {
+            total: summary.errors.length + summary.warnings.length + summary.notes.length,
+            critical: 0,
+            high: summary.errors.length,
+            med: summary.warnings.length,
+            low: summary.notes.length
+          }
+        })
+
+        // Send sensitive telemetry: scan log and scan findings.
+        telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, runLog)
+        telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, { findings: sarif })
+      }
+
       // Display summarized findings.
       if (!args.QUIET) {
         log()
         sariftools.display_findings(summary, args.FORMAT, log)
-        if (outfile) log(`Findings exported to ${consolidated}`)
+        if (outfile) log(`Findings exported to ${outfile}`)
         sariftools.display_totals(summary, args.FORMAT, log)
       }
 
@@ -238,6 +267,7 @@ module.exports = {
     } else {
       exitCode = 0x10
       if (!args.QUIET) log('Scan NOT completed!')
+      if (telemetry.enabled()) telemetry.send(`scans/:scanID/failed`, { scanID })
     }
 
     // Clean up.

package/src/index.js

@@ -1,10 +1,13 @@
 const { build } = require('@persistr/clif')
 const pkg = require('../package.json')
 const commands = require('./commands')
+const path = require('node:path')
 
 // Plugins.
 const plugins = {
-  settings: require('@persistr/clif-plugin-settings')
+  settings: require('@persistr/clif-plugin-settings'),
+  scanners: require(path.join(__dirname, 'plugins', 'scanners')),
+  telemetry: require(path.join(__dirname, 'plugins', 'telemetry'))
 }
 
 module.exports = {

package/src/plugins/telemetry.js

@@ -0,0 +1,6 @@
+const telemetry = require('../telemetry')
+module.exports = {
+  toolbox: {
+    telemetry
+  }
+}

package/src/telemetry/README.md

@@ -0,0 +1,52 @@
+# TELEMETRY
+
+## How to use this module to send telemetry
+
+### Step 1: Import the module:
+```js
+const telemetry = require('./telemetry')
+```
+
+### Step 2: Call telemetry.send to send telemetry. Choose one of several telemetry events available.
+
+All available telemetry events:
+```js
+telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+telemetry.send(`scans/:scanID/completed`, { scanID }, { status, findings, log })
+telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, log)
+telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, sarif)
+```
+
+To send a telemetry event indicating that a scan has started:
+```js
+telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+```
+
+To send a telemetry event indicating that a scan has completed:
+```js
+telemetry.send(`scans/:scanID/completed`, { scanID }, { status, findings, log })
+```
+
+To send a telemetry event with the scan console log:
+```js
+telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, log)
+```
+
+To send a telemetry event with the scan vulnerability findings:
+```js
+telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, sarif)
+```
+
+### Step 3: (optional) You can await on telemetry.send to read the fetch response.
+
+```js
+const response = await telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+console.log(response.statusCode)
+console.log(await response.json())
+```
+
+## Sensitive data in telemtry events
+
+NOTE: Telemetry events that contain vulnerability data are sent to the Vulnerability
+Data Backend (VDBE) which can be hosted by customers directly on their own infrastructure.
+These telemetry events must be sent using the `sendSensitive` function.

package/src/telemetry/index.js

@@ -0,0 +1,73 @@
+const package = require('../../package.json')
+const { DateTime } = require("luxon")
+
+const EWA_URL = process.env.EWA_URL ?? 'https://app.eurekadevsecops.com'
+const VDBE_URL = process.env.VDBE_URL ?? 'https://vulns.eurekadevsecops.com'
+
+const USER_AGENT = `Radar/${package.version} (${package.pkgname}@${package.version}; ${process?.platform}-${process?.arch}; ${process?.release?.name}-${process?.version})`
+
+const enabled = () => {
+  if (process.env.EUREKA_AGENT_TOKEN) return true
+  return false
+}
+
+const send = async (path, params, body, token) => {
+  return fetch(toURL(path, params), {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
+      'Content-Type': toContentType(path),
+      'User-Agent': USER_AGENT,
+      'Accept': 'application/json'
+    },
+    body: toBody(path, body)
+  })
+}
+
+const sendSensitive = async (path, params, body) => {
+  return send(path, params, body, await token())
+}
+
+const token = async () => {
+  const response = await fetch(`${EWA_URL}/vdbe/token`, {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${process.env.EUREKA_AGENT_TOKEN}`,
+      'Content-Type': 'application/json',
+      'User-Agent': USER_AGENT,
+      'Accept': 'application/json'
+    }
+  })
+  if (!response.ok) throw new Error(`Internal Error: Failed to get VDBE auth token from EWA: ${response.statusText}: ${await response.text()}`)
+  const data = await response.json()
+  return data.token
+}
+
+const toURL = (path, params) => {
+  if (path === `scans/started`) return `${EWA_URL}/scans/started`
+  if (path === `scans/:scanID/completed`) return `${EWA_URL}/scans/${params.scanID}/completed`
+  if (path === `scans/:scanID/failed`) return `${EWA_URL}/scans/${params.scanID}/completed`
+  if (path === `scans/:scanID/log`) return `${VDBE_URL}/scans/${params.scanID}/log`
+  if (path === `scans/:scanID/findings`) return `${VDBE_URL}/scans/${params.scanID}/findings`
+  throw new Error(`Internal Error: Unknown telemetry event: ${path}`)
+}
+
+const toContentType = (path) => {
+  if (path === `scans/:scanID/log`) return 'text/plain'
+  return 'application/json'
+}
+
+const toBody = (path, body) => {
+  if (path === `scans/:scanID/log`) return body
+  if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
+  if (path === `scans/:scanID/completed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+  if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+  if (path === `scans/:scanID/findings`) body = { ...body, profileId: process.env.EUREKA_PROFILE }
+  return JSON.stringify(body)
+}
+
+module.exports = {
+  enabled,
+  send,
+  sendSensitive
+}

package/src/util/sarif/merge.js

@@ -51,5 +51,20 @@ module.exports = async (files, outfile) => {
     }
   }
 
+  // Clean up the SARIF object, to conform to the SARIF schema.
+  for (const run of sarif.runs) {
+    for (const result of run.results) {
+      const partialFingerprints = result.partialFingerprints
+      if (partialFingerprints) {
+        if (!partialFingerprints.commitSha) delete partialFingerprints.commitSha
+        if (!partialFingerprints.email) delete partialFingerprints.email
+        if (!partialFingerprints.author) delete partialFingerprints.author
+        if (!partialFingerprints.date) delete partialFingerprints.date
+        if (!partialFingerprints.commitMessage) delete partialFingerprints.commitMessage
+        if (Object.keys(partialFingerprints).length === 0) delete result.partialFingerprints
+      }
+    }
+  }
+
   fs.writeFileSync(outfile, JSON.stringify(sarif))
 }