npm - @eurekadevsecops/radar - Versions diffs - 1.5.2 → 1.6.2 - Mend

@eurekadevsecops/radar 1.5.2 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/package.json +1 -1
package/scanners/depscan/about.toml +5 -0
package/scanners/gitleaks/about.toml +5 -0
package/scanners/grype/about.toml +5 -0
package/scanners/{radar-sast → grype}/run.sh +1 -1
package/scanners/opengrep/about.toml +5 -0
package/src/commands/scan.js +2 -2
package/src/plugins/scanners.js +40 -2
package/src/telemetry/index.js +1 -1
package/src/util/git/index.js +18 -1
package/src/util/sarif/analysis/summarize.js +9 -7
package/src/util/sarif/transforms/escalate.js +7 -5
package/src/util/sarif/transforms/merge.js +5 -3
package/src/util/sarif/transforms/normalize.js +26 -9
package/depscan/depscan-universal.json +0 -1
package/depscan/depscan.html +0 -31
package/depscan/depscan.sarif +0 -70
package/depscan/sbom-universal.json +0 -1
package/depscan/sbom-universal.vdr.json +0 -20938
package/depscan/scan.sarif +0 -70
package/depscan-c1.sarif +0 -1
package/depscan-c2.sarif +0 -1
package/depscan.sarif +0 -70
package/gitleaks-c1.sarif +0 -1
package/gitleaks-c2.sarif +0 -1
package/opengrep-c1.sarif +0 -1
package/opengrep-c2.sarif +0 -1
package/scanners/radar-sast/rules.yaml +0 -69031
package/scanners/scanners.toml +0 -20

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.5.2",
+  "version": "1.6.2",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/depscan/about.toml ADDED Viewed

@@ -0,0 +1,5 @@
+name = "depscan"
+title = "OWASP dep-scan"
+description = "Next-generation security and risk audit tool."
+categories = [ "SCA" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/gitleaks/about.toml ADDED Viewed

@@ -0,0 +1,5 @@
+name = "gitleaks"
+title = "Gitleaks"
+description = "Detect secrets like passwords, API keys, and tokens in source code."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/grype/about.toml ADDED Viewed

@@ -0,0 +1,5 @@
+name = "grype"
+title = "Grype"
+description = "A vulnerability scanner for container images and filesystems."
+categories = [ "SCA" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/{radar-sast → grype}/run.sh RENAMED Viewed

@@ -4,4 +4,4 @@
 # $3 - Path to the output folder where scan results should be stored
 set -e
-opengrep --disable-version-check --config $2/rules.yaml --sarif-output $3/radar-sast.sarif $1 2>&1
+docker run --rm -v $1:/app -v $2:/input -v $3:/output ghcr.io/eurekadevsecops/radar-grype 2>&1

package/scanners/opengrep/about.toml ADDED Viewed

@@ -0,0 +1,5 @@
+name = "opengrep"
+title = "Opengrep"
+description = "Ultra-fast static analysis tool."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/src/commands/scan.js CHANGED Viewed

@@ -150,8 +150,8 @@ module.exports = {
     }
     // Send telemetry: git metadata.
+    const metadata = git.metadata(target)
     if (telemetry.enabled && scanID) {
-      const metadata = git.metadata(target)
       await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
       await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
     }
@@ -173,7 +173,7 @@ module.exports = {
     // Transform scan findings: treat warnings and notes as errors, and normalize location paths.
     if (escalations) results.sarif = SARIF.transforms.escalate(results.sarif, escalations)
-    SARIF.transforms.normalize(results.sarif, target)
+    SARIF.transforms.normalize(results.sarif, target, metadata, git.root(target))
     // Write findings to the destination SARIF file.
     if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif))

package/src/plugins/scanners.js CHANGED Viewed

@@ -2,8 +2,46 @@ const fs = require('node:fs')
 const path = require('node:path')
 const TOML = require('smol-toml')
-const data = fs.readFileSync(path.join(__dirname, '..', '..', 'scanners', 'scanners.toml'), 'utf8')
-const config = TOML.parse(data)
+function enumerate(dir) {
+  const files = []
+  const entries = fs.readdirSync(dir, { withFileTypes: true })
+  for (const entry of entries) {
+    if (entry.isDirectory()) {
+      const candidate = path.join(dir, entry.name, 'about.toml')
+      try {
+        const stat = fs.statSync(candidate)
+        if (stat.isFile()) {
+          files.push(candidate)
+        }
+      } catch {
+        // no about.toml in this subfolder — ignore
+      }
+    }
+  }
+  return files
+}
+function parseTOML(filePath) {
+  const text = fs.readFileSync(filePath, "utf8")
+  try {
+    return TOML.parse(text)
+  } catch (error) {
+    const rel = path.relative(process.cwd(), filePath)
+    throw new Error(`Failed to parse TOML at ${rel}: ${error.message}`)
+  }
+}
+function readConfig(dir) {
+  const scanners = []
+  const files = enumerate(dir)
+  for (const file of files) {
+    const scanner = parseTOML(file)
+    scanners.push(scanner)
+  }
+  return { scanners }
+}
+const config = readConfig(path.join(__dirname, '..', '..', 'scanners'))
 const categories = Array.from(new Set(config.scanners.flatMap(scanner => scanner.categories)))
 module.exports = {

package/src/telemetry/index.js CHANGED Viewed

@@ -9,7 +9,7 @@ class Telemetry {
   constructor() {
     this.enabled = !!this.#EUREKA_AGENT_TOKEN
-    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN).aud.replace(/\/$/, '')
+    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN)?.aud?.replace(/\/$/, '')
   }
   async send(path, params, body, token) {

package/src/util/git/index.js CHANGED Viewed

@@ -84,6 +84,23 @@ git rev-list --abbrev=4 --abbrev-commit --all | \
   }
 }
+function root(folder) {
+  try {
+    // Get the full OS path to the root of the repo.
+    const root = execSync('git rev-parse --show-toplevel', { cwd: folder }).toString().trim()
+    return root
+  } catch (error) {
+    return {
+      type: 'error',
+      error: {
+        code: 'E_GIT_METADATA',
+        details: error
+      }
+    }
+  }
+}
 module.exports = {
-  metadata
+  metadata,
+  root
 }

package/src/util/sarif/analysis/summarize.js CHANGED Viewed

@@ -20,14 +20,16 @@ module.exports = (sarif, dir) => {
         continue
       }
-      for (const rule of run.tool.driver.rules) {
-        if (rule.id === result.ruleId) {
-          const level = rule?.defaultConfiguration?.level ?? 'error'
-          if (level === 'error' || level === 'warning' || level === 'note') {
-            finding.level = level
-            summary[`${finding.level}s`].push(finding)
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rule.id === result.ruleId) {
+            const level = rule?.defaultConfiguration?.level ?? 'error'
+            if (level === 'error' || level === 'warning' || level === 'note') {
+              finding.level = level
+              summary[`${finding.level}s`].push(finding)
+            }
+            break
           }
-          break
         }
       }
     }

package/src/util/sarif/transforms/escalate.js CHANGED Viewed

@@ -8,12 +8,14 @@ module.exports = (sarif, escalations) => {
         continue
       }
-      for (const rule of run.tool.driver.rules) {
-        if (rule.id === result.ruleId) {
-          if (escalations.includes(rule.defaultConfiguration?.level)) {
-            rule.defaultConfiguration.level = 'error'
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rule.id === result.ruleId) {
+            if (escalations.includes(rule.defaultConfiguration?.level)) {
+              rule.defaultConfiguration.level = 'error'
+            }
+            break
           }
-          break
         }
       }
     }

package/src/util/sarif/transforms/merge.js CHANGED Viewed

@@ -41,9 +41,11 @@ module.exports = async (outfile, files) => {
         rules.set(result.ruleId, true)
       }
-      for (const rule of run.tool.driver.rules) {
-        if (rules.has(rule.id)) {
-          tool.driver.rules.push(rule)
+      if (Array.isArray(run?.tool?.driver?.rules)) {
+        for (const rule of run.tool.driver.rules) {
+          if (rules.has(rule.id)) {
+            tool.driver.rules.push(rule)
+          }
         }
       }

package/src/util/sarif/transforms/normalize.js CHANGED Viewed

@@ -1,18 +1,35 @@
 const path = require('node:path')
-module.exports = (sarif, dir) => {
+module.exports = (sarif, dir, git, root) => {
   // Normalize findings.
   for (const run of sarif.runs) {
-    if (!run.results) continue
-    for (const result of run.results) {
-      // Find paths in the finding description and make them relative to the scan directory.
-      if (result?.message?.text) result.message.text = result.message.text.replace('/app/', '')
+    // Record the source repo location and the relative target subfolder within the repo.
+    run.originalUriBaseIds = {
+     "SOURCE": {
+        "uri": git.repo.url.https,
+        "description": "Source origin for the target being scanned (ie. git repo URL)."
+     },
+      "TARGET": {
+        "uri": `${path.relative(root, dir)}`,
+        "uriBaseId": "SOURCE",
+        "description": "Scan target (subfolder) within the source repo or folder."
+      }
+    }
-      // Make all physical locations for the result relative to the scan directory.
+    // Make all physical locations for the result relative to the scan directory.
+    if (!run.results) continue
+    for (const result of run.results) {
       for (const location of result.locations) {
-        if (!location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) continue
-        let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
-        location.physicalLocation.artifactLocation.uri = file
+        if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
+          let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
+          if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
+          location.physicalLocation.artifactLocation.uri = file
+        }
+        else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/')) {
+          let file = path.relative('/', location.physicalLocation.artifactLocation.uri)
+          if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
+          location.physicalLocation.artifactLocation.uri = file
+        }
       }
     }

package/depscan/depscan-universal.json DELETED Viewed

@@ -1 +0,0 @@

- {"id": "CVE-2022-33987", "package": "npm:got", "purl": "pkg:npm/got@9.6.0", "package_type": "npm", "package_usage": "optional", "version": "9.6.0", "fix_version": "11.8.5", "severity": "MEDIUM", "cvss_score": "5.3", "short_description": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later", "related_urls": [], "occurrence_count": 0, "reachable_flows": 0}

package/depscan/depscan.html DELETED Viewed

@@ -1,31 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="UTF-8">
-<style>
-.r1 {font-style: italic}
-.r2 {color: #800080; text-decoration-color: #800080; font-weight: bold}
-.r3 {color: #7c8082; text-decoration-color: #7c8082; font-style: italic}
-.r4 {color: #00875f; text-decoration-color: #00875f}
-.r6 {color: #ff753d; text-decoration-color: #ff753d; font-weight: bold}
-body {
-    color: #000000;
-    background-color: #ffffff;
-}
-</style>
-</head>
-<body>
-    <pre style="font-family:Menlo,'DejaVu Sans Mono',consolas,'Courier New',monospace"><code style="font-family:inherit">
-<span class="r1">                                                         Dependency Scan Results (UNIVERSAL)                                                          </span>
-╔══════════════════════════════════════════════════════╤════════════════════════════════════════╤══════════════════════╤═════════════════╤═══════════╗
-║<span class="r2"> Dependency Tree                                      </span>│<span class="r2"> Insights                               </span>│<span class="r2"> Fix Version          </span>│<span class="r2"> Severity        </span>│<span class="r2">     Score </span>║
-╟──────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────┼─────────────────┼───────────╢
-║ <span class="r3">package-json@6.5.0                                  </span> │ <span class="r4">📓 Indirect dependency</span>                 │ 11.8.5               │ MEDIUM          │       5.3 ║
-║ <span class="r5">└── </span><span class="r6">got@9.6.0 ⬅ CVE-2022-33987                      </span> │                                        │                      │                 │           ║
-╚══════════════════════════════════════════════════════╧════════════════════════════════════════╧══════════════════════╧═════════════════╧═══════════╝
-╭─────────────────────────────────────────────────────────── Recommendation ───────────────────────────────────────────────────────────╮
-│ ✅ No package requires immediate attention since the major vulnerabilities are found only in dev packages and indirect dependencies. │
-╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
-</code></pre>
-</body>
-</html>

package/depscan/depscan.sarif DELETED Viewed

@@ -1,70 +0,0 @@
-{
-  "version": "2.1.0",
-  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "owasp-depscan",
-          "semanticVersion": "5.5.0",
-          "informationUri": "https://github.com/owasp-dep-scan/dep-scan",
-          "properties": {
-            "protocol_version": "v1.0.0",
-            "scanner_name": "owasp-depscan",
-            "scanner_version": "5.5.0",
-            "db": "https://github.com/AppThreat/vulnerability-db",
-            "scan_mode": "source"
-          },
-          "rules": [
-            {
-              "id": "CVE-2022-33987/pkg:npm/got@9.6.0",
-              "shortDescription": {
-                "text": "Vulnerable pkg: npm/got@9.6.0\nCVE: CVE-2022-33987\nFix: Update to 11.8.5 or later\n\ndepscan:insights: Indirect dependency\ndepscan:prioritized: false\naffectedVersionRange: got@<11.8.5\n"
-              },
-              "fullDescription": {
-                "text": "# Got allows a redirect to a UNIX socket\nThe got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.\nUpgrade to version 11.8.5 or later"
-              },
-              "help": {
-                "text": "Update to 11.8.5 or later"
-              },
-              "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987",
-              "properties": {
-                "tags": [
-                    "CVE-2022-33987"
-                ]
-              }
-            }
-          ]
-        }
-      },
-      "results": [
-        {
-          "ruleId": "CVE-2022-33987/pkg:npm/got@9.6.0",
-          "level": "warning",
-                    "message": {
-            "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "package-lock.json",
-                  "uriBaseId": "%SRCROOT%"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "message": {
-                "text": "Vulnerability CVE-2022-33987 in pkg npm/got@9.6.0. Update to 11.8.5 or later"
-              }
-            }
-          ]
-        }
-      ]
-    }
-  ]
-}