npm - @eurekadevsecops/radar - Versions diffs - 1.4.2 → 1.4.4 - Mend

@eurekadevsecops/radar 1.4.2 → 1.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/.github/workflows/radar.yaml +47 -0
package/depscan/depscan-universal.json +1 -0
package/depscan/depscan.html +31 -0
package/depscan/depscan.sarif +70 -0
package/depscan/sbom-universal.json +1 -0
package/depscan/sbom-universal.vdr.json +20938 -0
package/depscan.sarif +70 -0
package/package.json +1 -1
package/scanners/depscan/run.sh +0 -2
package/src/commands/scan.js +1 -1
package/src/util/sarif/visualizations/display_totals.js +2 -2

package/depscan.sarif ADDED Viewed

@@ -0,0 +1,70 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "owasp-depscan",
+          "semanticVersion": "5.5.0",
+          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "owasp-depscan",
+            "scanner_version": "5.5.0",
+            "db": "https://github.com/AppThreat/vulnerability-db",
+            "scan_mode": "source"
+          },
+          "rules": [
+            {
+              "id": "CVE-2022-33987/pkg:npm/got@9.6.0",
+              "shortDescription": {
+                "text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
+              },
+              "fullDescription": {
+                "text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
+              },
+              "help": {
+                "text": "Update to 11.8.5 or later"
+              },
+              "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
+              "properties": {
+                "tags": [
+                    "CVE-2022-33987"
+                ]
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "CVE-2022-33987/pkg:npm/got@9.6.0",
+          "level": "warning",
+                    "message": {
+            "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "lockfile",
+                  "uriBaseId": "%SRCROOT%"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "message": {
+                "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.4.2",
+  "version": "1.4.4",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/depscan/run.sh CHANGED Viewed

@@ -5,5 +5,3 @@
 set -e
 docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-depscan 2>&1
-cp $3/depscan/depscan.sarif $3/depscan.sarif
-rm -rf $3/depscan/

package/src/commands/scan.js CHANGED Viewed

@@ -196,7 +196,7 @@ module.exports = {
       log()
       SARIF.visualizations.display_findings(summary, args.FORMAT, log)
       if (outfile) log(`Findings exported to ${outfile}`)
-      SARIF.visualizations.display_totals(summary, args.FORMAT, log)
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID)
     }
     // Determine the correct exit code.

package/src/util/sarif/visualizations/display_totals.js CHANGED Viewed

@@ -1,5 +1,5 @@
 const levels = require('../../localization/levels')
-module.exports = async (summary, format, log) => {
+module.exports = async (summary, format, log, baselined) => {
   const total = summary.errors.length + summary.warnings.length + summary.notes.length
-  log(`${total} ${total === 1 ? levels[format].total.issue : levels[format].total.issues}: ${summary.errors.length} ` + `${levels[format].total.error}`.red.bold + `, ${summary.warnings.length} ` + `${levels[format].total.warning}`.yellow.bold + `, ${summary.notes.length} ` + `${levels[format].total.note}` + '.')
+  log(`${total} ` + `${baselined ? 'new ' : ''}`.bold + `${total === 1 ? levels[format].total.issue : levels[format].total.issues}: ${summary.errors.length} ` + `${levels[format].total.error}`.red.bold + `, ${summary.warnings.length} ` + `${levels[format].total.warning}`.yellow.bold + `, ${summary.notes.length} ` + `${levels[format].total.note}` + '.')
 }