@eurekadevsecops/radar 1.4.3 → 1.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/radar.yaml +47 -0
- package/depscan/depscan-universal.json +1 -0
- package/depscan/depscan.html +31 -0
- package/depscan/depscan.sarif +70 -0
- package/depscan/sbom-universal.json +1 -0
- package/depscan/sbom-universal.vdr.json +20938 -0
- package/depscan.sarif +70 -0
- package/package.json +1 -1
- package/src/commands/scan.js +1 -1
- package/src/util/sarif/visualizations/display_totals.js +2 -2
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
name: Eureka Radar
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
pull_request:
|
|
6
|
+
types: [opened, synchronize, reopened, ready_for_review]
|
|
7
|
+
branches:
|
|
8
|
+
- main
|
|
9
|
+
|
|
10
|
+
jobs:
|
|
11
|
+
radar_scan:
|
|
12
|
+
# Radar scanner repo: https://github.com/EurekaDevSecOps/radarctl
|
|
13
|
+
name: Radar Scan
|
|
14
|
+
runs-on: ubuntu-latest
|
|
15
|
+
steps:
|
|
16
|
+
- name: Checkout repo
|
|
17
|
+
uses: actions/checkout@v4
|
|
18
|
+
|
|
19
|
+
- name: Setup Node.js
|
|
20
|
+
uses: actions/setup-node@v4
|
|
21
|
+
with:
|
|
22
|
+
node-version: "22"
|
|
23
|
+
|
|
24
|
+
# Cache npm's download cache to speed up global installs
|
|
25
|
+
- name: Get npm cache directory
|
|
26
|
+
id: npm-cache-dir
|
|
27
|
+
run: echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT"
|
|
28
|
+
|
|
29
|
+
- name: Cache npm cache
|
|
30
|
+
uses: actions/cache@v4
|
|
31
|
+
with:
|
|
32
|
+
path: ${{ steps.npm-cache-dir.outputs.dir }}
|
|
33
|
+
key: ${{ runner.os }}-npm-radar-cache-v1
|
|
34
|
+
restore-keys: |
|
|
35
|
+
${{ runner.os }}-npm-radar-cache-
|
|
36
|
+
|
|
37
|
+
- name: Install Radar CLI
|
|
38
|
+
run: npm i -g @eurekadevsecops/radar
|
|
39
|
+
|
|
40
|
+
- name: Verify Radar install
|
|
41
|
+
run: radar && radar scanners
|
|
42
|
+
|
|
43
|
+
- name: Run Radar scan
|
|
44
|
+
env:
|
|
45
|
+
EUREKA_PROFILE: ${{ vars.EUREKA_PROFILE }}
|
|
46
|
+
EUREKA_AGENT_TOKEN: ${{ secrets.EUREKA_AGENT_TOKEN }}
|
|
47
|
+
run: radar scan
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"id": "CVE-2022-33987", "package": "npm:got", "purl": "pkg:npm/got@9.6.0", "package_type": "npm", "package_usage": "optional", "version": "9.6.0", "fix_version": "11.8.5", "severity": "MEDIUM", "cvss_score": "5.3", "short_description": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later", "related_urls": [], "occurrence_count": 0, "reachable_flows": 0}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
<!DOCTYPE html>
|
|
2
|
+
<html>
|
|
3
|
+
<head>
|
|
4
|
+
<meta charset="UTF-8">
|
|
5
|
+
<style>
|
|
6
|
+
.r1 {font-style: italic}
|
|
7
|
+
.r2 {color: #800080; text-decoration-color: #800080; font-weight: bold}
|
|
8
|
+
.r3 {color: #7c8082; text-decoration-color: #7c8082; font-style: italic}
|
|
9
|
+
.r4 {color: #00875f; text-decoration-color: #00875f}
|
|
10
|
+
.r6 {color: #ff753d; text-decoration-color: #ff753d; font-weight: bold}
|
|
11
|
+
body {
|
|
12
|
+
color: #000000;
|
|
13
|
+
background-color: #ffffff;
|
|
14
|
+
}
|
|
15
|
+
</style>
|
|
16
|
+
</head>
|
|
17
|
+
<body>
|
|
18
|
+
<pre style="font-family:Menlo,'DejaVu Sans Mono',consolas,'Courier New',monospace"><code style="font-family:inherit">
|
|
19
|
+
<span class="r1"> Dependency Scan Results (UNIVERSAL) </span>
|
|
20
|
+
╔══════════════════════════════════════════════════════╤════════════════════════════════════════╤══════════════════════╤═════════════════╤═══════════╗
|
|
21
|
+
║<span class="r2"> Dependency Tree </span>│<span class="r2"> Insights </span>│<span class="r2"> Fix Version </span>│<span class="r2"> Severity </span>│<span class="r2"> Score </span>║
|
|
22
|
+
╟──────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────┼─────────────────┼───────────╢
|
|
23
|
+
║ <span class="r3">package-json@6.5.0 </span> │ <span class="r4">📓 Indirect dependency</span> │ 11.8.5 │ MEDIUM │ 5.3 ║
|
|
24
|
+
║ <span class="r5">└── </span><span class="r6">got@9.6.0 ⬅ CVE-2022-33987 </span> │ │ │ │ ║
|
|
25
|
+
╚══════════════════════════════════════════════════════╧════════════════════════════════════════╧══════════════════════╧═════════════════╧═══════════╝
|
|
26
|
+
╭─────────────────────────────────────────────────────────── Recommendation ───────────────────────────────────────────────────────────╮
|
|
27
|
+
│ ✅ No package requires immediate attention since the major vulnerabilities are found only in dev packages and indirect dependencies. │
|
|
28
|
+
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
|
|
29
|
+
</code></pre>
|
|
30
|
+
</body>
|
|
31
|
+
</html>
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "2.1.0",
|
|
3
|
+
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
|
4
|
+
"runs": [
|
|
5
|
+
{
|
|
6
|
+
"tool": {
|
|
7
|
+
"driver": {
|
|
8
|
+
"name": "owasp-depscan",
|
|
9
|
+
"semanticVersion": "5.5.0",
|
|
10
|
+
"informationUri": "https://github.com/owasp-dep-scan/dep-scan",
|
|
11
|
+
"properties": {
|
|
12
|
+
"protocol_version": "v1.0.0",
|
|
13
|
+
"scanner_name": "owasp-depscan",
|
|
14
|
+
"scanner_version": "5.5.0",
|
|
15
|
+
"db": "https://github.com/AppThreat/vulnerability-db",
|
|
16
|
+
"scan_mode": "source"
|
|
17
|
+
},
|
|
18
|
+
"rules": [
|
|
19
|
+
{
|
|
20
|
+
"id": "CVE-2022-33987/pkg:npm/got@9.6.0",
|
|
21
|
+
"shortDescription": {
|
|
22
|
+
"text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
|
|
23
|
+
},
|
|
24
|
+
"fullDescription": {
|
|
25
|
+
"text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
|
|
26
|
+
},
|
|
27
|
+
"help": {
|
|
28
|
+
"text": "Update to 11.8.5 or later"
|
|
29
|
+
},
|
|
30
|
+
"helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
|
|
31
|
+
"properties": {
|
|
32
|
+
"tags": [
|
|
33
|
+
"CVE-2022-33987"
|
|
34
|
+
]
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
]
|
|
39
|
+
}
|
|
40
|
+
},
|
|
41
|
+
"results": [
|
|
42
|
+
{
|
|
43
|
+
"ruleId": "CVE-2022-33987/pkg:npm/got@9.6.0",
|
|
44
|
+
"level": "warning",
|
|
45
|
+
"message": {
|
|
46
|
+
"text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
|
|
47
|
+
},
|
|
48
|
+
"locations": [
|
|
49
|
+
{
|
|
50
|
+
"physicalLocation": {
|
|
51
|
+
"artifactLocation": {
|
|
52
|
+
"uri": "package-lock.json",
|
|
53
|
+
"uriBaseId": "%SRCROOT%"
|
|
54
|
+
},
|
|
55
|
+
"region": {
|
|
56
|
+
"startLine": 1
|
|
57
|
+
}
|
|
58
|
+
},
|
|
59
|
+
"message": {
|
|
60
|
+
"text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
]
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
|
|
67
|
+
]
|
|
68
|
+
}
|
|
69
|
+
]
|
|
70
|
+
}
|