@eurekadevsecops/radar 1.7.1 → 1.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.7.1",
+  "version": "1.8.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -27,7 +27,7 @@
     "url": "https://github.com/EurekaDevSecOps/radarctl.git"
   },
   "dependencies": {
-    "@persistr/clif": "^1.11.0",
+    "@persistr/clif": "^1.11.1",
     "@persistr/clif-plugin-settings": "^2.3.1",
     "hosted-git-info": "^9.0.0",
     "humanize-duration": "^3.33.0",

package/scan.sarif

@@ -0,0 +1 @@
+{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"abcgitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[]}},"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcgrype","informationUri":"https://github.com/anchore/grype","properties":{"officialName":"grype"},"rules":[{"id":"GHSA-pfrx-2q88-qq97-got","name":"JavascriptMatcherExactDirectMatch","shortDescription":{"text":"GHSA-pfrx-2q88-qq97 medium vulnerability for got package"},"fullDescription":{"text":"Got allows a redirect to a UNIX socket"},"helpUri":"https://github.com/anchore/grype","help":{"text":"Vulnerability GHSA-pfrx-2q88-qq97\nSeverity: medium\nPackage: got\nVersion: 9.6.0\nFix Version: 11.8.5\nType: npm\nLocation: /package-lock.json\nData Namespace: github:language:javascript\nLink: [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)","markdown":"**Vulnerability GHSA-pfrx-2q88-qq97**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium  | got  | 9.6.0  | 11.8.5  | npm  | /package-lock.json  | github:language:javascript  | [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)  |\n"},"properties":{"purls":["pkg:npm/got@9.6.0"],"security-severity":"5.3"}}]}},"results":[{"ruleId":"GHSA-pfrx-2q88-qq97-got","level":"warning","message":{"text":"A medium vulnerability in npm package: got, version 9.6.0 was found at: package-lock.json"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"package-lock.json"},"region":{"startLine":1,"startColumn":1,"endLine":1,"endColumn":1}}}],"partialFingerprints":{"primaryLocationLineHash":"677706e2c84cd6dfb855b123e8a34db12a8f4eeb5df5b8ab253aa5299b80da0b:1"}}],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcopengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}}]}

package/scanners/gitleaks/about.toml

@@ -2,4 +2,5 @@ name = "gitleaks"
 title = "Gitleaks"
 description = "Detect secrets like passwords, API keys, and tokens in source code."
 categories = [ "SAST" ]
+default = true
 cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/grype/about.toml

@@ -2,4 +2,5 @@ name = "grype"
 title = "Grype"
 description = "A vulnerability scanner for container images and filesystems."
 categories = [ "SCA" ]
+default = true
 cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/opengrep/about.toml

@@ -2,4 +2,5 @@ name = "opengrep"
 title = "Opengrep"
 description = "Ultra-fast static analysis tool."
 categories = [ "SAST" ]
+default = true
 cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/src/commands/import.js

@@ -83,18 +83,6 @@ module.exports = {
       scanners.push(scanner)
     }
 
-    // Check for unsupported scanners.
-    try {
-      const unknownScanners = scanners.filter(name => !availableScanners.find(s => s.name === name))
-      if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
-      else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
-    }
-    catch (error) {
-      log(`ERROR: ${error.message}`)
-      log(`Terminating with exit code 1. See 'radar help import' for list of possible exit codes.`)
-      return 0x1 // exit code
-    }
-
     // Send telemetry: scan started.
     let scanID = undefined
     // TODO: Should pass scanID to the server; not read it from the server.

package/src/commands/scan.js

@@ -33,7 +33,8 @@ module.exports = {
     a file on disk.
 
     Select which scanners to use with the SCANNERS and CATEGORIES options. If
-    neither option is specified, all scanners are run.
+    neither option is specified, all default scanners are run. You can see which
+    scanners are marked as defaults with the 'radar scanners' command.
 
     If you want to run all scanners of a certain type, such as SAST, SCA, or DAST,
     use the CATEGORIES option. All scanners are classified into categories and
@@ -46,7 +47,7 @@ module.exports = {
     specific list of scanners, comma-separated, in the SCANNERS option. Scanner 
     names passed into the SCANNERS option should match the scanner names returned 
     by the "scanners" command. To select all scanners across selected categories,
-    use the value 'all' for SCANNERS. Defaults to 'all'.
+    use the value 'all' for SCANNERS.
 
     You can specify both SCANNERS and CATEGORIES at the same time. This will run
     only those scanners that match both options. For example, if you specify the
@@ -93,7 +94,7 @@ module.exports = {
     args.TARGET ??= process.cwd()
     args.FORMAT ??= 'security'
     args.CATEGORIES ??= 'all'
-    args.SCANNERS ??= 'all'
+    args.SCANNERS ??= ''
 
     // Normalize and/or rewrite args and options.
     args.TARGET = path.resolve(path.normalize(args.TARGET))
@@ -108,6 +109,9 @@ module.exports = {
       if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
       else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
     }
+    else {
+      args.SCANNERS = availableScanners.filter(s => s.default).map(s => s.name).join(',')
+    }
     if (args.ESCALATE) args.ESCALATE.split(',').map(severity => {
       if (args.FORMAT === 'security' && severity !== 'moderate' && severity !== 'low') throw new Error(`Severity to escalate must be 'moderate' or 'low'`)
       if (args.FORMAT === 'sarif' && severity !== 'warning' && severity !== 'note') throw new Error(`Severity to escalate must be 'warning' or 'note'`)

package/src/commands/scanners.js

@@ -9,7 +9,7 @@ module.exports = {
   run: async (toolbox, args) => {
     const { log, scanners } = toolbox
     for (const scanner of scanners) {
-      log(`${scanner.name}: ${scanner.title} [${scanner.categories.join()}] - ${scanner.description}`)
+      log(`${scanner.name}: ${scanner.title} [${scanner.categories.join()}] - ${scanner.default ? '(default) ' : ''}${scanner.description}`)
     }
   }
 }