@eurekadevsecops/radar 1.4.6 → 1.5.0

package/depscan/scan.sarif

@@ -0,0 +1,70 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "depscan",
+          "semanticVersion": "5.5.0",
+          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "depscan",
+            "scanner_version": "5.5.0",
+            "db": "https://github.com/AppThreat/vulnerability-db",
+            "scan_mode": "source"
+          },
+          "rules": [ 
+            {
+              "id": "CVE-2022-33987Y/pkg:npm/got@9.6.0",
+              "shortDescription": {
+                "text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
+              },
+              "fullDescription": {
+                "text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
+              },
+              "help": {
+                "text": "Update to 11.8.5 or later"
+              },
+              "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
+              "properties": {
+                "tags": [
+                    "CVE-2022-33987"
+                ]
+              }
+            }
+            
+          ]
+        }
+      },
+      "results": [ 
+        {
+          "ruleId": "CVE-2022-33987Y/pkg:npm/got@9.6.0",
+          "level": "warning",
+                    "message": {
+            "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json",
+                  "uriBaseId": "%SRCROOT%"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "message": {
+                "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
+              }
+            }
+          ]
+        }
+        
+        
+      ]
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.4.6",
+  "version": "1.5.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -29,6 +29,7 @@
   "dependencies": {
     "@persistr/clif": "^1.11.0",
     "@persistr/clif-plugin-settings": "^2.3.1",
+    "hosted-git-info": "^9.0.0",
     "humanize-duration": "^3.33.0",
     "jwt-decode": "^4.0.0",
     "luxon": "^3.7.1",

package/src/commands/scan.js

@@ -87,7 +87,7 @@ module.exports = {
     '$ radar scan -f sarif -e warning,note ' + '(treat lower severities as errors)'.grey
   ],
   run: async (toolbox, args) => {
-    const { log, scanners: availableScanners, categories: availableCategories, telemetry } = toolbox
+    const { log, scanners: availableScanners, categories: availableCategories, telemetry, git } = toolbox
 
     // Set defaults for args and options.
     args.TARGET ??= process.cwd()
@@ -149,6 +149,13 @@ module.exports = {
       }
     }
 
+    // Send telemetry: git metadata.
+    if (telemetry.enabled && scanID) {
+      const metadata = git.metadata()
+      await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
+      await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
+    }
+
     // Run scanners.
     log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
     let results = { /* log, sarif */ }
@@ -180,8 +187,8 @@ module.exports = {
     let summary
     if (telemetry.enabled && scanID) {
       const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
-      if (!analysis?.summary) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
-      summary = analysis.summary.findingsBySeverity
+      if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
+      summary = analysis.findingsBySeverity
     } else {
       summary = await SARIF.analysis.summarize(results.sarif, target)
     }

package/src/index.js

@@ -6,6 +6,7 @@ const path = require('node:path')
 // Plugins.
 const plugins = {
   settings: require('@persistr/clif-plugin-settings'),
+  git: require(path.join(__dirname, 'plugins', 'git')),
   scanners: require(path.join(__dirname, 'plugins', 'scanners')),
   telemetry: require(path.join(__dirname, 'plugins', 'telemetry'))
 }

package/src/plugins/git.js

@@ -0,0 +1,6 @@
+const git = require('../util/git')
+module.exports = {
+  toolbox: {
+    git
+  }
+}

package/src/telemetry/index.js

@@ -83,6 +83,7 @@ class Telemetry {
     if (path === `scans/started`) return `${claims.aud}/scans/started`
     if (path === `scans/:scanID/completed`) return `${claims.aud}/scans/${params.scanID}/completed`
     if (path === `scans/:scanID/failed`) return `${claims.aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/metadata`) return `${claims.aud}/scans/${params.scanID}/metadata`
     if (path === `scans/:scanID/results`) return `${claims.aud}/scans/${params.scanID}/results`
     throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
   }
@@ -102,6 +103,7 @@ class Telemetry {
     if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
     if (path === `scans/:scanID/completed`) body = { ...this.#toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
     if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+    if (path === `scans/:scanID/metadata`) body = { metadata: body.metadata, profileId: process.env.EUREKA_PROFILE }
     if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
     return JSON.stringify(body)
   }

package/src/util/git/index.js

@@ -0,0 +1,89 @@
+const { execSync } = require('node:child_process')
+const hostedGitInfo = require('hosted-git-info')
+
+function metadata() {
+  try {
+    // Determine if we're scanning a valid git repo.
+    const isGitRepo = execSync('git rev-parse --is-inside-work-tree').toString().trim()
+    if (isGitRepo !== 'true') {
+      return { type: 'folder' }
+    }
+
+    // Get the repo name and owner.
+    const originUrl = execSync('git config --get remote.origin.url').toString().trim()
+    const info = hostedGitInfo.fromUrl(originUrl, { noGitPlus: true })
+    const ownerPath = info.user.split('/')
+
+    // Get the branch name.
+    const branch = execSync('git rev-parse --abbrev-ref HEAD').toString().trim()
+
+    // Get the commit identifier and timestamp.
+    const shortCommitId = execSync('git rev-parse --short HEAD').toString().trim()
+    const fullCommitId = execSync('git rev-parse HEAD').toString().trim()
+    const commitTime = execSync('git show -s --format=%cI HEAD').toString().trim()
+
+    // Get the tags for the current commit.
+    let tags = execSync('git tag --points-at HEAD').toString().trim()
+    tags = '["' + tags.split('\n').join('","') + '"]'
+    tags = JSON.parse(tags).filter(tag => tag)
+
+    // Get the list of unique repo contributors (authors and committers).
+    const template = '"{\\\"name\\\":\\\"%cn\\\",\\\"email\\\":\\\"%ce\\\"}%n{\\\"name\\\":\\\"%an\\\",\\\"email\\\":\\\"%ae\\\"}"'
+    let contributors = execSync(`git log --pretty=${template} | sort -u`).toString().trim()
+    contributors = '[' + contributors.split('\n').join(',') + ']'
+    contributors = JSON.parse(contributors)
+
+    const script = `MAX_LENGTH=4;
+git rev-list --abbrev=4 --abbrev-commit --all | \
+  ( while read -r line; do
+      if [ \${#line} -gt $MAX_LENGTH ]; then
+        MAX_LENGTH=\${#line};
+      fi
+    done && printf %s\\\\n "$MAX_LENGTH"
+  )`
+    const abbrevs = Number(execSync(script).toString().trim())
+
+/*
+    // Get the total lines of code in the repo.
+    const loc = execSync('git ls-files -z ${1} | xargs -0 cat | wc -l').toString().trim()
+*/
+
+    // Return the repo metadata.
+    return {
+      type: 'git',
+      repo: {
+        url: {
+          origin: originUrl,
+          https: info.https()
+        },
+        source: {
+          type: info.type,
+          domain: info.domain
+        },
+        owner: ownerPath[0],
+        path: ownerPath.slice(1).join('/'),
+        name: info.project,
+        abbrevs,
+        contributors
+      },
+      commit: {
+        id: fullCommitId,
+        time: commitTime,
+        branch,
+        tags
+      }
+    }
+  } catch (error) {
+    return {
+      type: 'error',
+      error: {
+        code: 'E_GIT_METADATA',
+        details: error
+      }
+    }
+  }
+}
+
+module.exports = {
+  metadata
+}