@eurekadevsecops/radar 1.5.1 → 1.6.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.5.1",
+  "version": "1.6.1",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/depscan/about.toml

@@ -0,0 +1,5 @@
+name = "depscan"
+title = "OWASP dep-scan"
+description = "Next-generation security and risk audit tool."
+categories = [ "SCA" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/gitleaks/about.toml

@@ -0,0 +1,5 @@
+name = "gitleaks"
+title = "Gitleaks"
+description = "Detect secrets like passwords, API keys, and tokens in source code."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/grype/about.toml

@@ -0,0 +1,5 @@
+name = "grype"
+title = "Grype"
+description = "A vulnerability scanner for container images and filesystems."
+categories = [ "SCA" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/grype/run.sh

@@ -0,0 +1,7 @@
+# Parameters:
+# $1 - Path to the source code folder that should be scanned
+# $2 - Path to the assets folder
+# $3 - Path to the output folder where scan results should be stored
+
+set -e
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-grype 2>&1

package/scanners/opengrep/about.toml

@@ -0,0 +1,5 @@
+name = "opengrep"
+title = "Opengrep"
+description = "Ultra-fast static analysis tool."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/src/plugins/scanners.js

@@ -2,8 +2,46 @@ const fs = require('node:fs')
 const path = require('node:path')
 const TOML = require('smol-toml')
 
-const data = fs.readFileSync(path.join(__dirname, '..', '..', 'scanners', 'scanners.toml'), 'utf8')
-const config = TOML.parse(data)
+function enumerate(dir) {
+  const files = []
+  const entries = fs.readdirSync(dir, { withFileTypes: true })
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      const candidate = path.join(dir, entry.name, 'about.toml')
+      try {
+        const stat = fs.statSync(candidate)
+        if (stat.isFile()) {
+          files.push(candidate)
+        }
+      } catch {
+        // no about.toml in this subfolder — ignore
+      }
+    }
+  }
+  return files
+}
+
+function parseTOML(filePath) {
+  const text = fs.readFileSync(filePath, "utf8")
+  try {
+    return TOML.parse(text)
+  } catch (error) {
+    const rel = path.relative(process.cwd(), filePath)
+    throw new Error(`Failed to parse TOML at ${rel}: ${error.message}`)
+  }
+}
+
+function readConfig(dir) {
+  const scanners = []
+  const files = enumerate(dir)
+  for (const file of files) {
+    const scanner = parseTOML(file)
+    scanners.push(scanner)
+  }
+  return { scanners }
+}
+
+const config = readConfig(path.join(__dirname, '..', '..', 'scanners'))
 const categories = Array.from(new Set(config.scanners.flatMap(scanner => scanner.categories)))
 
 module.exports = {

package/src/telemetry/index.js

@@ -9,7 +9,7 @@ class Telemetry {
 
   constructor() {
     this.enabled = !!this.#EUREKA_AGENT_TOKEN
-    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN).aud
+    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN)?.aud?.replace(/\/$/, '')
   }
 
   async send(path, params, body, token) {
@@ -80,17 +80,19 @@ class Telemetry {
 
   #toPostURL(path, params, token) {
     const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
-    if (path === `scans/started`) return `${claims.aud}/scans/started`
-    if (path === `scans/:scanID/completed`) return `${claims.aud}/scans/${params.scanID}/completed`
-    if (path === `scans/:scanID/failed`) return `${claims.aud}/scans/${params.scanID}/completed`
-    if (path === `scans/:scanID/metadata`) return `${claims.aud}/scans/${params.scanID}/metadata`
-    if (path === `scans/:scanID/results`) return `${claims.aud}/scans/${params.scanID}/results`
+    const aud = claims.aud.replace(/\/$/, '')
+    if (path === `scans/started`) return `${aud}/scans/started`
+    if (path === `scans/:scanID/completed`) return `${aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/failed`) return `${aud}/scans/${params.scanID}/completed`
+    if (path === `scans/:scanID/metadata`) return `${aud}/scans/${params.scanID}/metadata`
+    if (path === `scans/:scanID/results`) return `${aud}/scans/${params.scanID}/results`
     throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
   }
 
   #toReceiveURL(path, params, token) {
     const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
-    if (path === `scans/:scanID/summary`) return `${claims.aud}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
+    const aud = claims.aud.replace(/\/$/, '')
+    if (path === `scans/:scanID/summary`) return `${aud}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
     throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
   }
 

package/src/util/sarif/analysis/summarize.js

@@ -20,14 +20,16 @@ module.exports = (sarif, dir) => {
         continue
       }
 
-      for (const rule of run.tool.driver.rules) {
-        if (rule.id === result.ruleId) {
-          const level = rule?.defaultConfiguration?.level ?? 'error'
-          if (level === 'error' || level === 'warning' || level === 'note') {
-            finding.level = level
-            summary[`${finding.level}s`].push(finding)
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rule.id === result.ruleId) {
+            const level = rule?.defaultConfiguration?.level ?? 'error'
+            if (level === 'error' || level === 'warning' || level === 'note') {
+              finding.level = level
+              summary[`${finding.level}s`].push(finding)
+            }
+            break
           }
-          break
         }
       }
     }

package/src/util/sarif/transforms/escalate.js

@@ -8,12 +8,14 @@ module.exports = (sarif, escalations) => {
         continue
       }
 
-      for (const rule of run.tool.driver.rules) {
-        if (rule.id === result.ruleId) {
-          if (escalations.includes(rule.defaultConfiguration?.level)) {
-            rule.defaultConfiguration.level = 'error'
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rule.id === result.ruleId) {
+            if (escalations.includes(rule.defaultConfiguration?.level)) {
+              rule.defaultConfiguration.level = 'error'
+            }
+            break
           }
-          break
         }
       }
     }

package/src/util/sarif/transforms/merge.js

@@ -41,9 +41,11 @@ module.exports = async (outfile, files) => {
         rules.set(result.ruleId, true)
       }
 
-      for (const rule of run.tool.driver.rules) {
-        if (rules.has(rule.id)) {
-          tool.driver.rules.push(rule)
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rules.has(rule.id)) {
+            tool.driver.rules.push(rule)
+          }
         }
       }
 

package/src/util/sarif/transforms/normalize.js

@@ -10,9 +10,14 @@ module.exports = (sarif, dir) => {
 
       // Make all physical locations for the result relative to the scan directory.
       for (const location of result.locations) {
-        if (!location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) continue
-        let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
-        location.physicalLocation.artifactLocation.uri = file
+        if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
+          let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
+          location.physicalLocation.artifactLocation.uri = file
+        }
+        else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/')) {
+          let file = path.relative('/', location.physicalLocation.artifactLocation.uri)
+          location.physicalLocation.artifactLocation.uri = file
+        }
       }
 
     }

package/depscan/depscan-universal.json

@@ -1 +0,0 @@
-{"id": "CVE-2022-33987", "package": "npm:got", "purl": "pkg:npm/got@9.6.0", "package_type": "npm", "package_usage": "optional", "version": "9.6.0", "fix_version": "11.8.5", "severity": "MEDIUM", "cvss_score": "5.3", "short_description": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later", "related_urls": [], "occurrence_count": 0, "reachable_flows": 0}

package/depscan/depscan.html

@@ -1,31 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="UTF-8">
-<style>
-.r1 {font-style: italic}
-.r2 {color: #800080; text-decoration-color: #800080; font-weight: bold}
-.r3 {color: #7c8082; text-decoration-color: #7c8082; font-style: italic}
-.r4 {color: #00875f; text-decoration-color: #00875f}
-.r6 {color: #ff753d; text-decoration-color: #ff753d; font-weight: bold}
-body {
-    color: #000000;
-    background-color: #ffffff;
-}
-</style>
-</head>
-<body>
-    <pre style="font-family:Menlo,'DejaVu Sans Mono',consolas,'Courier New',monospace"><code style="font-family:inherit">
-<span class="r1">                                                         Dependency Scan Results (UNIVERSAL)                                                          </span>
-╔══════════════════════════════════════════════════════╤════════════════════════════════════════╤══════════════════════╤═════════════════╤═══════════╗
-║<span class="r2"> Dependency Tree                                      </span>│<span class="r2"> Insights                               </span>│<span class="r2"> Fix Version          </span>│<span class="r2"> Severity        </span>│<span class="r2">     Score </span>║
-╟──────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────┼─────────────────┼───────────╢
-║ <span class="r3">package-json@6.5.0                                  </span> │ <span class="r4">📓 Indirect dependency</span>                 │ 11.8.5               │ MEDIUM          │       5.3 ║
-║ <span class="r5">└── </span><span class="r6">got@9.6.0 ⬅ CVE-2022-33987                      </span> │                                        │                      │                 │           ║
-╚══════════════════════════════════════════════════════╧════════════════════════════════════════╧══════════════════════╧═════════════════╧═══════════╝
-╭─────────────────────────────────────────────────────────── Recommendation ───────────────────────────────────────────────────────────╮
-│ ✅ No package requires immediate attention since the major vulnerabilities are found only in dev packages and indirect dependencies. │
-╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
-</code></pre>
-</body>
-</html>

package/depscan/depscan.sarif

@@ -1,70 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "owasp-depscan",
-          "semanticVersion": "5.5.0",
-          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
-          "properties": {
-            "protocol_version": "v1.0.0",
-            "scanner_name": "owasp-depscan",
-            "scanner_version": "5.5.0",
-            "db": "https://github.com/AppThreat/vulnerability-db",
-            "scan_mode": "source"
-          },
-          "rules": [ 
-            {
-              "id": "CVE-2022-33987/pkg:npm/got@9.6.0",
-              "shortDescription": {
-                "text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
-              },
-              "fullDescription": {
-                "text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
-              },
-              "help": {
-                "text": "Update to 11.8.5 or later"
-              },
-              "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
-              "properties": {
-                "tags": [
-                    "CVE-2022-33987"
-                ]
-              }
-            }
-            
-          ]
-        }
-      },
-      "results": [ 
-        {
-          "ruleId": "CVE-2022-33987/pkg:npm/got@9.6.0",
-          "level": "warning",
-                    "message": {
-            "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "package-lock.json",
-                  "uriBaseId": "%SRCROOT%"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "message": {
-                "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
-              }
-            }
-          ]
-        }
-        
-        
-      ]
-    }
-  ]
-}