@eurekadevsecops/radar 1.5.0 → 1.5.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.5.0",
+  "version": "1.5.1",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/src/commands/import.js

@@ -0,0 +1,136 @@
+const crypto = require('node:crypto')
+const fs = require('node:fs')
+const path = require('node:path')
+const os = require('node:os')
+const SARIF = require('../util/sarif')
+const runner = require('../util/runner')
+module.exports = {
+  summary: 'import vulnerabilities',
+  args: {
+    INPUT: {
+      description: 'input SARIF file',
+      validate: INPUT => {
+        if (!fs.existsSync(path.normalize(INPUT))) throw new Error(`path doesn't exist: ${INPUT}`)
+      }
+    }
+  },
+  options: [
+    { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
+    { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
+    { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' }
+  ],
+  description: `
+    Imports vulnerabilities from the input SARIF file given by INPUT argument.
+    The SARIF file must have been produced by scanners supported by Radar CLI.
+
+    When quiet mode is selected with the QUIET command-line option, most stdout
+    logs are ommitted except for errors that occur with the importing process.
+
+    By default, findings are displayed as high, moderate, and low. This is the
+    'security' severity format. Findings can also be displayed as errors, warnings,
+    and notes. This is the 'sarif' severity format.
+
+    Exit codes:
+         0 - Clean and successful import. No errors, warnings, or notes.
+         1 - Bad command, arguments, or options. Import not completed.
+        16 - Import aborted due to unexpected error.
+  `,
+  examples: [
+    '$ radar import scan.sarif ' + '(import findings from SARIF file)'.grey,
+    '$ radar import -f security scan.sarif ' + '(displays findings as high, moderate, and low)'.grey,
+    '$ radar import -f sarif scan.sarif ' + '(displays findings as error, warning, and note)'.grey,
+    '$ radar import -e moderate,low scan.sarif ' + '(treat lower severities as high)'.grey,
+    '$ radar import -f sarif -e warning,note scan.sarif ' + '(treat lower severities as errors)'.grey
+  ],
+  run: async (toolbox, args) => {
+    const { log, scanners: availableScanners, telemetry } = toolbox
+
+    // Set defaults for args and options.
+    args.FORMAT ??= 'security'
+
+    // Normalize and/or rewrite args and options.
+    args.INPUT = path.resolve(path.normalize(args.INPUT))
+
+    // Validate args and options.
+    if (args.FORMAT !== 'sarif' && args.FORMAT !== 'security') throw new Error('FORMAT must be one of \'sarif\' or \'security\'')
+    if (args.ESCALATE) args.ESCALATE.split(',').map(severity => {
+      if (args.FORMAT === 'security' && severity !== 'moderate' && severity !== 'low') throw new Error(`Severity to escalate must be 'moderate' or 'low'`)
+      if (args.FORMAT === 'sarif' && severity !== 'warning' && severity !== 'note') throw new Error(`Severity to escalate must be 'warning' or 'note'`)
+    })
+
+    // Derive scan parameters.
+    const escalations = args.ESCALATE?.split(',').map(severity => {
+      if (severity === 'moderate') return 'warning'
+      if (severity === 'low') return 'note'
+      return severity
+    })
+
+    // Check that telemetry is enabled.
+    if (!args.QUIET && !telemetry.enabled) {
+      log(`ERROR: Telemetry not enabled.`)
+      log(`Terminating with exit code 16. See 'radar help import' for list of possible exit codes.`)
+      return 0x10 // exit code
+    }
+
+    // Results include the log and the SARIF findings.
+    const results = { log: `Import from "${args.INPUT}"` }
+    results.sarif = JSON.parse(fs.readFileSync(args.INPUT, 'utf8'))
+
+    // Read scanner names from the input SARIF.
+    const scanners = []
+    for (const run of results.sarif.runs) {
+      const scanner = run.tool.driver?.properties?.scanner_name ?? run.tool.driver.name
+      scanners.push(scanner)
+    }
+
+    // Check for unsupported scanners.
+    try {
+      const unknownScanners = scanners.filter(name => !availableScanners.find(s => s.name === name))
+      if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
+      else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
+    }
+    catch (error) {
+      log(`ERROR: ${error.message}`)
+      log(`Terminating with exit code 1. See 'radar help import' for list of possible exit codes.`)
+      return 0x1 // exit code
+    }
+
+    // Send telemetry: scan started.
+    let scanID = undefined
+    // TODO: Should pass scanID to the server; not read it from the server.
+    try {
+      const res = await telemetry.send(`scans/started`, {}, { scanners })
+      if (!res.ok) throw new Error(`[${res.status}] ${res.statusText}: ${await res.text()}`)
+      const data = await res.json()
+      scanID = data.scan_id
+    }
+    catch (error) {
+      log(`ERROR: ${error.message}${error?.cause?.code === 'ECONNREFUSED' ? ': CONNECTION REFUSED' : ''}`)
+      log(`Terminating with exit code 16. See 'radar help import' for list of possible exit codes.`)
+      return 0x10 // exit code
+    }
+
+    // Transform scan findings: treat warnings and notes as errors, and normalize location paths.
+    if (escalations) results.sarif = SARIF.transforms.escalate(results.sarif, escalations)
+
+    // Send telemetry: scan results.
+    await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
+
+    // Analyze scan results: group findings by severity level.
+    const analysis = await telemetry.receiveSensitive(`scans/:scanID/summary`, { scanID })
+    if (!analysis?.findingsBySeverity) throw new Error(`Failed to retrieve analysis summary for scan '${scanID}'`)
+    const summary = analysis.findingsBySeverity
+
+    // Send telemetry: scan summary.
+    await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+
+    // Display summarized findings.
+    if (!args.QUIET) {
+      process.stdout.write('Imported ')
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID)
+    }
+
+    // Success.
+    return 0 // exit code
+  }
+}

package/src/commands/index.js

@@ -1,5 +1,6 @@
 module.exports = {
   help: 'display help',
+  import: require('./import'),
   scan: require('./scan'),
   scanners: require('./scanners')
 }

package/src/commands/scan.js

@@ -151,7 +151,7 @@ module.exports = {
 
     // Send telemetry: git metadata.
     if (telemetry.enabled && scanID) {
-      const metadata = git.metadata()
+      const metadata = git.metadata(target)
       await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
       await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
     }

package/src/util/git/index.js

@@ -1,35 +1,35 @@
 const { execSync } = require('node:child_process')
 const hostedGitInfo = require('hosted-git-info')
 
-function metadata() {
+function metadata(folder) {
   try {
     // Determine if we're scanning a valid git repo.
-    const isGitRepo = execSync('git rev-parse --is-inside-work-tree').toString().trim()
+    const isGitRepo = execSync('git rev-parse --is-inside-work-tree', { cwd: folder }).toString().trim()
     if (isGitRepo !== 'true') {
       return { type: 'folder' }
     }
 
     // Get the repo name and owner.
-    const originUrl = execSync('git config --get remote.origin.url').toString().trim()
+    const originUrl = execSync('git config --get remote.origin.url', { cwd: folder }).toString().trim()
     const info = hostedGitInfo.fromUrl(originUrl, { noGitPlus: true })
     const ownerPath = info.user.split('/')
 
     // Get the branch name.
-    const branch = execSync('git rev-parse --abbrev-ref HEAD').toString().trim()
+    const branch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: folder }).toString().trim()
 
     // Get the commit identifier and timestamp.
-    const shortCommitId = execSync('git rev-parse --short HEAD').toString().trim()
-    const fullCommitId = execSync('git rev-parse HEAD').toString().trim()
-    const commitTime = execSync('git show -s --format=%cI HEAD').toString().trim()
+    const shortCommitId = execSync('git rev-parse --short HEAD', { cwd: folder }).toString().trim()
+    const fullCommitId = execSync('git rev-parse HEAD', { cwd: folder }).toString().trim()
+    const commitTime = execSync('git show -s --format=%cI HEAD', { cwd: folder }).toString().trim()
 
     // Get the tags for the current commit.
-    let tags = execSync('git tag --points-at HEAD').toString().trim()
+    let tags = execSync('git tag --points-at HEAD', { cwd: folder }).toString().trim()
     tags = '["' + tags.split('\n').join('","') + '"]'
     tags = JSON.parse(tags).filter(tag => tag)
 
     // Get the list of unique repo contributors (authors and committers).
     const template = '"{\\\"name\\\":\\\"%cn\\\",\\\"email\\\":\\\"%ce\\\"}%n{\\\"name\\\":\\\"%an\\\",\\\"email\\\":\\\"%ae\\\"}"'
-    let contributors = execSync(`git log --pretty=${template} | sort -u`).toString().trim()
+    let contributors = execSync(`git log --pretty=${template} | sort -u`, { cwd: folder }).toString().trim()
     contributors = '[' + contributors.split('\n').join(',') + ']'
     contributors = JSON.parse(contributors)
 
@@ -41,11 +41,11 @@ git rev-list --abbrev=4 --abbrev-commit --all | \
       fi
     done && printf %s\\\\n "$MAX_LENGTH"
   )`
-    const abbrevs = Number(execSync(script).toString().trim())
+    const abbrevs = Number(execSync(script, { cwd: folder }).toString().trim())
 
 /*
     // Get the total lines of code in the repo.
-    const loc = execSync('git ls-files -z ${1} | xargs -0 cat | wc -l').toString().trim()
+    const loc = execSync('git ls-files -z ${1} | xargs -0 cat | wc -l', { cwd: folder }).toString().trim()
 */
 
     // Return the repo metadata.