npm - @eurekadevsecops/radar - Versions diffs - 1.3.4 → 1.4.0 - Mend

@eurekadevsecops/radar 1.3.4 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.3.4",
+  "version": "1.4.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -30,6 +30,7 @@
     "@persistr/clif": "^1.11.0",
     "@persistr/clif-plugin-settings": "^2.3.1",
     "humanize-duration": "^3.33.0",
+    "jwt-decode": "^4.0.0",
     "luxon": "^3.7.1",
     "smol-toml": "^1.4.1",
     "tiny-spinner": "^2.0.5"

package/scanners/depscan/run.sh CHANGED Viewed

@@ -4,5 +4,5 @@
 # $3 - Path to the output folder where scan results should be stored
 set -e
-docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-depscan 2>&1
+docker run --rm -u $(id -u):$(id -g) -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-depscan 2>&1
 cp $3/depscan/depscan.sarif $3/depscan.sarif

package/scanners/gitleaks/run.sh CHANGED Viewed

@@ -4,4 +4,4 @@
 # $3 - Path to the output folder where scan results should be stored
 set -e
-docker run --rm -v $1:/app -v $2:/input -v $3:/output zricethezav/gitleaks dir --exit-code 0 -f sarif -r /output/gitleaks.sarif /app 2>&1
+docker run --rm -u $(id -u):$(id -g) -v $1:/app -v $2:/input -v $3:/output zricethezav/gitleaks dir --exit-code 0 -f sarif -r /output/gitleaks.sarif /app 2>&1

package/scanners/opengrep/run.sh CHANGED Viewed

@@ -4,4 +4,4 @@
 # $3 - Path to the output folder where scan results should be stored
 set -e
-docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-opengrep 2>&1
+docker run --rm -u $(id -u):$(id -g) -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-opengrep 2>&1

package/src/commands/scan.js CHANGED Viewed

@@ -1,3 +1,4 @@
+const crypto = require('node:crypto')
 const fs = require('node:fs')
 const path = require('node:path')
 const os = require('node:os')
@@ -124,7 +125,9 @@ module.exports = {
       return severity
     })
     const assets = path.join(__dirname, '..', '..', 'scanners') // scanner assets
-    const tmpdir = fs.mkdtempSync(path.join(os.tmpdir(), 'radar-')) // temporary output directory
+    const scansdir = path.join(os.homedir(), '.radar', 'scans')
+    const tmpdir = path.join(scansdir, crypto.randomUUID()) // temporary output directory
+    fs.mkdirSync(tmpdir, { recursive: true })
     const outfile = args.OUTPUT ? path.resolve(args.OUTPUT) : undefined // output file, if any
     // Validate scan parameters.
@@ -133,8 +136,7 @@ module.exports = {
     // Send telemetry: scan started.
     let scanID = undefined
-    const isTelemetryEnabled = telemetry.enabled()
-    if (isTelemetryEnabled) {
+    if (telemetry.enabled) {
       // TODO: Should pass scanID to the server; not read it from the server.
       try {
         const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name) })
@@ -157,7 +159,7 @@ module.exports = {
     catch (error) {
       log(`\n${error}`)
       if (!args.QUIET) log('Scan NOT completed!')
-      if (telemetry.enabled()) await telemetry.send(`scans/:scanID/failed`, { scanID })
+      if (telemetry.enabled) await telemetry.send(`scans/:scanID/failed`, { scanID })
       fs.rmSync(tmpdir, { recursive: true, force: true }) // Clean up.
       return 0x10 // exit code
     }
@@ -170,13 +172,13 @@ module.exports = {
     if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif))
     // Send telemetry: scan results.
-    if (isTelemetryEnabled && scanID) {
+    if (telemetry.enabled && scanID) {
       await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
     }
     // Analyze scan results: group findings by severity level.
     let summary
-    if (isTelemetryEnabled && scanID) {
+    if (telemetry.enabled && scanID) {
       const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
       if (!analysis?.summary) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
       summary = analysis.summary.findingsBySeverity
@@ -185,7 +187,7 @@ module.exports = {
     }
     // Send telemetry: scan summary.
-    if (isTelemetryEnabled && scanID) {
+    if (telemetry.enabled && scanID) {
       await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
     }

package/src/plugins/telemetry.js CHANGED Viewed

@@ -1,6 +1,6 @@
-const telemetry = require('../telemetry')
+const { Telemetry } = require('../telemetry')
 module.exports = {
   toolbox: {
-    telemetry
+    telemetry: new Telemetry()
   }
 }

package/src/telemetry/index.js CHANGED Viewed

@@ -1,111 +1,125 @@
-const package = require('../../package.json')
+const pkg = require('../../package.json')
 const { DateTime } = require("luxon")
+const { jwtDecode } = require('jwt-decode')
-const EWA_URL = process.env.EWA_URL ?? 'https://bff.eurekadevsecops.com'
-const VDBE_URL = process.env.VDBE_URL ?? 'https://vulns.eurekadevsecops.com'
+class Telemetry {
+  #EUREKA_AGENT_TOKEN = process.env.EUREKA_AGENT_TOKEN
+  #USER_AGENT = `RadarCLI/${pkg.version} (${pkg.pkgname}@${pkg.version}; ${process?.platform}-${process?.arch}; ${process?.release?.name}-${process?.version})`
+  #EWA_URL
-const USER_AGENT = `Radar/${package.version} (${package.pkgname}@${package.version}; ${process?.platform}-${process?.arch}; ${process?.release?.name}-${process?.version})`
+  constructor() {
+    this.enabled = !!this.#EUREKA_AGENT_TOKEN
+    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN).aud
+  }
-const enabled = () => {
-  if (process.env.EUREKA_AGENT_TOKEN) return true
-  return false
-}
+  async send(path, params, body, token) {
+    return fetch(this.#toPostURL(path, params, token), {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${token ?? this.#EUREKA_AGENT_TOKEN}`,
+        'Content-Type': this.#toContentType(path),
+        'User-Agent': this.#USER_AGENT,
+        'Accept': 'application/json'
+      },
+      body: this.#toBody(path, body)
+    })
+    .then(async (res) => {
+//TODO: Display this on stdout only if --debug option is selected on the cmd line.
+//if (!res.ok) console.log(`POST ${this.#toPostURL(path, params, token)} [${res.status}] ${res.statusText}: ${await res.text()}`)
+      return res
+    })
+  }
-const receive = async (path, params, token) => {
-  return fetch(toReceiveURL(path, params), {
-    method: 'GET',
-    headers: {
-      'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
-      'User-Agent': USER_AGENT,
-      'Accept': 'application/json'
-    }
-  }).then(async (res) => {
-      const responseJson = await res.json();
-      return responseJson;
+  async sendSensitive(path, params, body) {
+    return this.send(path, params, body, await this.#token())
+  }
+  async receive(path, params, token) {
+    return fetch(this.#toReceiveURL(path, params, token), {
+      method: 'GET',
+      headers: {
+        'Authorization': `Bearer ${token ?? this.#EUREKA_AGENT_TOKEN}`,
+        'User-Agent': this.#USER_AGENT,
+        'Accept': 'application/json'
+      }
+    }).then(async (res) => {
+//TODO: Display this on stdout only if --debug option is selected on the cmd line.
+//if (!res.ok) console.log(`GET ${this.#toReceiveURL(path, params, token)} [${res.status}] ${res.statusText}`)
+      return await res.json()
     })
   }
-const receiveSensitive = async (path, params) => {
-  return receive(path, params, await token())
-}
+  async receiveSensitive(path, params) {
+    return this.receive(path, params, await this.#token())
+  }
-const send = async (path, params, body, token) => {
-  return fetch(toPostURL(path, params), {
-    method: 'POST',
-    headers: {
-      'Authorization': `Bearer ${token ?? process.env.EUREKA_AGENT_TOKEN}`,
-      'Content-Type': toContentType(path),
-      'User-Agent': USER_AGENT,
-      'Accept': 'application/json'
-    },
-    body: toBody(path, body)
-  })
-  .then(async (res) => {
-    // TODO: Display this on stdout only if --debug option is selected on the cmd line.
-    // if (!res.ok) console.log(`POST ${toURL(path, params)} [${res.status}] ${res.statusText}: ${await res.text()}`)
-    return res
-  })
-}
+  //
+  // private
+  //
-const sendSensitive = async (path, params, body) => {
-  return send(path, params, body, await token())
-}
+  #claims(jwt) {
+    let claims = undefined
+    try { claims = jwtDecode(jwt) } catch (error) {}
+    return claims ?? {}
+  }
-const token = async () => {
-  const response = await fetch(`${EWA_URL}/vdbe/token`, {
-    method: 'POST',
-    headers: {
-      'Authorization': `Bearer ${process.env.EUREKA_AGENT_TOKEN}`,
-      'Content-Type': 'application/json',
-      'User-Agent': USER_AGENT,
-      'Accept': 'application/json'
-    }
-  })
-  if (!response.ok) throw new Error(`Internal Error: Failed to get VDBE auth token from EWA: ${response.statusText}: ${await response.text()}`)
-  const data = await response.json()
-  return data.token
-}
+  async #token() {
+    const response = await fetch(`${this.#EWA_URL}/vdbe/token`, {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${this.#EUREKA_AGENT_TOKEN}`,
+        'Content-Type': 'application/json',
+        'User-Agent': this.#USER_AGENT,
+        'Accept': 'application/json'
+      }
+    })
+    if (!response.ok) throw new Error(`Internal Error: Failed to get VDBE auth token from EWA: ${response.statusText}: ${await response.text()}`)
+    const data = await response.json()
+    return data.token
+  }
-const toPostURL = (path, params) => {
-  if (path === `scans/started`) return `${EWA_URL}/scans/started`
-  if (path === `scans/:scanID/completed`) return `${EWA_URL}/scans/${params.scanID}/completed`
-  if (path === `scans/:scanID/failed`) return `${EWA_URL}/scans/${params.scanID}/completed`
-  if (path === `scans/:scanID/results`) return `${VDBE_URL}/scans/${params.scanID}/results`
-  throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
-}
+  #toPostURL(path, params, token) {
+    const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
+    if (path === `scans/started`) return `${claims.aud}/scans/started`
+    if (path === `scans/:scanID/completed`) return `${claims.aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/failed`) return `${claims.aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/results`) return `${claims.aud}/scans/${params.scanID}/results`
+    throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
+  }
-const toReceiveURL = (path, params) => {
-  if (path === `scans/:scanID/summary`) return `${VDBE_URL}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
-  throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
-}
+  #toReceiveURL(path, params, token) {
+    const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
+    if (path === `scans/:scanID/summary`) return `${claims.aud}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
+    throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
+  }
-const toContentType = (path) => {
-  if (path === `scans/:scanID/log`) return 'text/plain'
-  return 'application/json'
-}
+  #toContentType(path) {
+    if (path === `scans/:scanID/log`) return 'text/plain'
+    return 'application/json'
+  }
-const toBody = (path, body) => {
-  if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
-  if (path === `scans/:scanID/completed`) body = { ...toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
-  if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
-  if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
-  return JSON.stringify(body)
-}
+  #toBody(path, body) {
+    if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
+    if (path === `scans/:scanID/completed`) body = { ...this.#toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+    if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+    if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
+    return JSON.stringify(body)
+  }
-const toFindings = (summary) => ({
-  findings: {
-    total: summary.errors.length + summary.warnings.length + summary.notes.length,
-    critical: 0,
-    high: summary.errors.length,
-    med: summary.warnings.length,
-    low: summary.notes.length
+  #toFindings(summary) {
+    return {
+      findings: {
+        total: summary.errors.length + summary.warnings.length + summary.notes.length,
+        critical: 0,
+        high: summary.errors.length,
+        med: summary.warnings.length,
+        low: summary.notes.length
+      }
+    }
   }
-})
+}
 module.exports = {
-  enabled,
-  receive,
-  receiveSensitive,
-  send,
-  sendSensitive
+  Telemetry
 }