@eurekadevsecops/radar 1.4.6 → 1.5.1

package/depscan/scan.sarif

@@ -0,0 +1,70 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "depscan",
+          "semanticVersion": "5.5.0",
+          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
+          "properties": {
+            "protocol_version": "v1.0.0",
+            "scanner_name": "depscan",
+            "scanner_version": "5.5.0",
+            "db": "https://github.com/AppThreat/vulnerability-db",
+            "scan_mode": "source"
+          },
+          "rules": [ 
+            {
+              "id": "CVE-2022-33987Y/pkg:npm/got@9.6.0",
+              "shortDescription": {
+                "text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
+              },
+              "fullDescription": {
+                "text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
+              },
+              "help": {
+                "text": "Update to 11.8.5 or later"
+              },
+              "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
+              "properties": {
+                "tags": [
+                    "CVE-2022-33987"
+                ]
+              }
+            }
+            
+          ]
+        }
+      },
+      "results": [ 
+        {
+          "ruleId": "CVE-2022-33987Y/pkg:npm/got@9.6.0",
+          "level": "warning",
+                    "message": {
+            "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json",
+                  "uriBaseId": "%SRCROOT%"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              },
+              "message": {
+                "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
+              }
+            }
+          ]
+        }
+        
+        
+      ]
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.4.6",
+  "version": "1.5.1",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -29,6 +29,7 @@
   "dependencies": {
     "@persistr/clif": "^1.11.0",
     "@persistr/clif-plugin-settings": "^2.3.1",
+    "hosted-git-info": "^9.0.0",
     "humanize-duration": "^3.33.0",
     "jwt-decode": "^4.0.0",
     "luxon": "^3.7.1",

package/src/commands/import.js

@@ -0,0 +1,136 @@
+const crypto = require('node:crypto')
+const fs = require('node:fs')
+const path = require('node:path')
+const os = require('node:os')
+const SARIF = require('../util/sarif')
+const runner = require('../util/runner')
+module.exports = {
+  summary: 'import vulnerabilities',
+  args: {
+    INPUT: {
+      description: 'input SARIF file',
+      validate: INPUT => {
+        if (!fs.existsSync(path.normalize(INPUT))) throw new Error(`path doesn't exist: ${INPUT}`)
+      }
+    }
+  },
+  options: [
+    { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
+    { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
+    { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' }
+  ],
+  description: `
+    Imports vulnerabilities from the input SARIF file given by INPUT argument.
+    The SARIF file must have been produced by scanners supported by Radar CLI.
+
+    When quiet mode is selected with the QUIET command-line option, most stdout
+    logs are ommitted except for errors that occur with the importing process.
+
+    By default, findings are displayed as high, moderate, and low. This is the
+    'security' severity format. Findings can also be displayed as errors, warnings,
+    and notes. This is the 'sarif' severity format.
+
+    Exit codes:
+         0 - Clean and successful import. No errors, warnings, or notes.
+         1 - Bad command, arguments, or options. Import not completed.
+        16 - Import aborted due to unexpected error.
+  `,
+  examples: [
+    '$ radar import scan.sarif ' + '(import findings from SARIF file)'.grey,
+    '$ radar import -f security scan.sarif ' + '(displays findings as high, moderate, and low)'.grey,
+    '$ radar import -f sarif scan.sarif ' + '(displays findings as error, warning, and note)'.grey,
+    '$ radar import -e moderate,low scan.sarif ' + '(treat lower severities as high)'.grey,
+    '$ radar import -f sarif -e warning,note scan.sarif ' + '(treat lower severities as errors)'.grey
+  ],
+  run: async (toolbox, args) => {
+    const { log, scanners: availableScanners, telemetry } = toolbox
+
+    // Set defaults for args and options.
+    args.FORMAT ??= 'security'
+
+    // Normalize and/or rewrite args and options.
+    args.INPUT = path.resolve(path.normalize(args.INPUT))
+
+    // Validate args and options.
+    if (args.FORMAT !== 'sarif' && args.FORMAT !== 'security') throw new Error('FORMAT must be one of \'sarif\' or \'security\'')
+    if (args.ESCALATE) args.ESCALATE.split(',').map(severity => {
+      if (args.FORMAT === 'security' && severity !== 'moderate' && severity !== 'low') throw new Error(`Severity to escalate must be 'moderate' or 'low'`)
+      if (args.FORMAT === 'sarif' && severity !== 'warning' && severity !== 'note') throw new Error(`Severity to escalate must be 'warning' or 'note'`)
+    })
+
+    // Derive scan parameters.
+    const escalations = args.ESCALATE?.split(',').map(severity => {
+      if (severity === 'moderate') return 'warning'
+      if (severity === 'low') return 'note'
+      return severity
+    })
+
+    // Check that telemetry is enabled.
+    if (!args.QUIET && !telemetry.enabled) {
+      log(`ERROR: Telemetry not enabled.`)
+      log(`Terminating with exit code 16. See 'radar help import' for list of possible exit codes.`)
+      return 0x10 // exit code
+    }
+
+    // Results include the log and the SARIF findings.
+    const results = { log: `Import from "${args.INPUT}"` }
+    results.sarif = JSON.parse(fs.readFileSync(args.INPUT, 'utf8'))
+
+    // Read scanner names from the input SARIF.
+    const scanners = []
+    for (const run of results.sarif.runs) {
+      const scanner = run.tool.driver?.properties?.scanner_name ?? run.tool.driver.name
+      scanners.push(scanner)
+    }
+
+    // Check for unsupported scanners.
+    try {
+      const unknownScanners = scanners.filter(name => !availableScanners.find(s => s.name === name))
+      if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
+      else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
+    }
+    catch (error) {
+      log(`ERROR: ${error.message}`)
+      log(`Terminating with exit code 1. See 'radar help import' for list of possible exit codes.`)
+      return 0x1 // exit code
+    }
+
+    // Send telemetry: scan started.
+    let scanID = undefined
+    // TODO: Should pass scanID to the server; not read it from the server.
+    try {
+      const res = await telemetry.send(`scans/started`, {}, { scanners })
+      if (!res.ok) throw new Error(`[${res.status}] ${res.statusText}: ${await res.text()}`)
+      const data = await res.json()
+      scanID = data.scan_id
+    }
+    catch (error) {
+      log(`ERROR: ${error.message}${error?.cause?.code === 'ECONNREFUSED' ? ': CONNECTION REFUSED' : ''}`)
+      log(`Terminating with exit code 16. See 'radar help import' for list of possible exit codes.`)
+      return 0x10 // exit code
+    }
+
+    // Transform scan findings: treat warnings and notes as errors, and normalize location paths.
+    if (escalations) results.sarif = SARIF.transforms.escalate(results.sarif, escalations)
+
+    // Send telemetry: scan results.
+    await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
+
+    // Analyze scan results: group findings by severity level.
+    const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
+    if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
+    const summary = analysis.findingsBySeverity
+
+    // Send telemetry: scan summary.
+    await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+
+    // Display summarized findings.
+    if (!args.QUIET) {
+      process.stdout.write('Imported ')
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID)
+    }
+
+    // Success.
+    return 0 // exit code
+  }
+}

package/src/commands/index.js

@@ -1,5 +1,6 @@
 module.exports = {
   help: 'display help',
+  import: require('./import'),
   scan: require('./scan'),
   scanners: require('./scanners')
 }

package/src/commands/scan.js

@@ -87,7 +87,7 @@ module.exports = {
     '$ radar scan -f sarif -e warning,note ' + '(treat lower severities as errors)'.grey
   ],
   run: async (toolbox, args) => {
-    const { log, scanners: availableScanners, categories: availableCategories, telemetry } = toolbox
+    const { log, scanners: availableScanners, categories: availableCategories, telemetry, git } = toolbox
 
     // Set defaults for args and options.
     args.TARGET ??= process.cwd()
@@ -149,6 +149,13 @@ module.exports = {
       }
     }
 
+    // Send telemetry: git metadata.
+    if (telemetry.enabled && scanID) {
+      const metadata = git.metadata(target)
+      await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
+      await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
+    }
+
     // Run scanners.
     log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
     let results = { /* log, sarif */ }
@@ -180,8 +187,8 @@ module.exports = {
     let summary
     if (telemetry.enabled && scanID) {
       const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
-      if (!analysis?.summary) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
-      summary = analysis.summary.findingsBySeverity
+      if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
+      summary = analysis.findingsBySeverity
     } else {
       summary = await SARIF.analysis.summarize(results.sarif, target)
     }

package/src/index.js

@@ -6,6 +6,7 @@ const path = require('node:path')
 // Plugins.
 const plugins = {
   settings: require('@persistr/clif-plugin-settings'),
+  git: require(path.join(__dirname, 'plugins', 'git')),
   scanners: require(path.join(__dirname, 'plugins', 'scanners')),
   telemetry: require(path.join(__dirname, 'plugins', 'telemetry'))
 }

package/src/plugins/git.js

@@ -0,0 +1,6 @@
+const git = require('../util/git')
+module.exports = {
+  toolbox: {
+    git
+  }
+}

package/src/telemetry/index.js

@@ -83,6 +83,7 @@ class Telemetry {
     if (path === `scans/started`) return `${claims.aud}/scans/started`
     if (path === `scans/:scanID/completed`) return `${claims.aud}/scans/${params.scanID}/completed`
     if (path === `scans/:scanID/failed`) return `${claims.aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/metadata`) return `${claims.aud}/scans/${params.scanID}/metadata`
     if (path === `scans/:scanID/results`) return `${claims.aud}/scans/${params.scanID}/results`
     throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
   }
@@ -102,6 +103,7 @@ class Telemetry {
     if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
     if (path === `scans/:scanID/completed`) body = { ...this.#toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
     if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+    if (path === `scans/:scanID/metadata`) body = { metadata: body.metadata, profileId: process.env.EUREKA_PROFILE }
     if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
     return JSON.stringify(body)
   }

package/src/util/git/index.js

@@ -0,0 +1,89 @@
+const { execSync } = require('node:child_process')
+const hostedGitInfo = require('hosted-git-info')
+
+function metadata(folder) {
+  try {
+    // Determine if we're scanning a valid git repo.
+    const isGitRepo = execSync('git rev-parse --is-inside-work-tree', { cwd: folder }).toString().trim()
+    if (isGitRepo !== 'true') {
+      return { type: 'folder' }
+    }
+
+    // Get the repo name and owner.
+    const originUrl = execSync('git config --get remote.origin.url', { cwd: folder }).toString().trim()
+    const info = hostedGitInfo.fromUrl(originUrl, { noGitPlus: true })
+    const ownerPath = info.user.split('/')
+
+    // Get the branch name.
+    const branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: folder }).toString().trim()
+
+    // Get the commit identifier and timestamp.
+    const shortCommitId = execSync('git rev-parse --short HEAD', { cwd: folder }).toString().trim()
+    const fullCommitId = execSync('git rev-parse HEAD', { cwd: folder }).toString().trim()
+    const commitTime = execSync('git show -s --format=%cI HEAD', { cwd: folder }).toString().trim()
+
+    // Get the tags for the current commit.
+    let tags = execSync('git tag --points-at HEAD', { cwd: folder }).toString().trim()
+    tags = '["' + tags.split('\n').join('","') + '"]'
+    tags = JSON.parse(tags).filter(tag => tag)
+
+    // Get the list of unique repo contributors (authors and committers).
+    const template = '"{\\\"name\\\":\\\"%cn\\\",\\\"email\\\":\\\"%ce\\\"}%n{\\\"name\\\":\\\"%an\\\",\\\"email\\\":\\\"%ae\\\"}"'
+    let contributors = execSync(`git log --pretty=${template} | sort -u`, { cwd: folder }).toString().trim()
+    contributors = '[' + contributors.split('\n').join(',') + ']'
+    contributors = JSON.parse(contributors)
+
+    const script = `MAX_LENGTH=4;
+git rev-list --abbrev=4 --abbrev-commit --all | \
+  ( while read -r line; do
+      if [ \${#line} -gt $MAX_LENGTH ]; then
+        MAX_LENGTH=\${#line};
+      fi
+    done && printf %s\\\\n "$MAX_LENGTH"
+  )`
+    const abbrevs = Number(execSync(script, { cwd: folder }).toString().trim())
+
+/*
+    // Get the total lines of code in the repo.
+    const loc = execSync('git ls-files -z ${1} | xargs -0 cat | wc -l', { cwd: folder }).toString().trim()
+*/
+
+    // Return the repo metadata.
+    return {
+      type: 'git',
+      repo: {
+        url: {
+          origin: originUrl,
+          https: info.https()
+        },
+        source: {
+          type: info.type,
+          domain: info.domain
+        },
+        owner: ownerPath[0],
+        path: ownerPath.slice(1).join('/'),
+        name: info.project,
+        abbrevs,
+        contributors
+      },
+      commit: {
+        id: fullCommitId,
+        time: commitTime,
+        branch,
+        tags
+      }
+    }
+  } catch (error) {
+    return {
+      type: 'error',
+      error: {
+        code: 'E_GIT_METADATA',
+        details: error
+      }
+    }
+  }
+}
+
+module.exports = {
+  metadata
+}