@eurekadevsecops/radar 1.7.2 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/package.json +2 -2
  2. package/report.sarif +1 -0
  3. package/src/commands/import.js +0 -12
  4. package/src/util/sarif/transforms/normalize.js +12 -16
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@eurekadevsecops/radar",
3
- "version": "1.7.2",
3
+ "version": "1.8.1",
4
4
  "description": "Radar is an open-source orchestrator of security scanners.",
5
5
  "homepage": "https://www.eurekadevsecops.com/radar",
6
6
  "keywords": [
@@ -27,7 +27,7 @@
27
27
  "url": "https://github.com/EurekaDevSecOps/radarctl.git"
28
28
  },
29
29
  "dependencies": {
30
- "@persistr/clif": "^1.11.0",
30
+ "@persistr/clif": "^1.11.1",
31
31
  "@persistr/clif-plugin-settings": "^2.3.1",
32
32
  "hosted-git-info": "^9.0.0",
33
33
  "humanize-duration": "^3.33.0",
package/report.sarif ADDED
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[{"id":"generic-api-key","shortDescription":{"text":"Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}},{"id":"stripe-access-token","shortDescription":{"text":"Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}}]}},"results":[{"message":{"text":"stripe-access-token has detected secret for file apps/backend/.env."},"ruleId":"stripe-access-token","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":30,"startColumn":24,"endLine":30,"endColumn":130,"snippet":{"text":"sk_test_51RYvkf2YG6fO9qlhtYIIbnGSXSr6xpzqdqryyPk58EVMgZMjIviKEXde8r55HE4vbVgzKwNb7owr74qRMEHUKakC007aUEcU3n"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":5,"startColumn":2,"endLine":5,"endColumn":26,"snippet":{"text":"0123456789abcdxyz"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":10,"startColumn":2,"endLine":10,"endColumn":62,"snippet":{"text":"e78b1199d5bc447bd36ecea679727578a9d5b0dd"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":18,"startColumn":2,"endLine":18,"endColumn":54,"snippet":{"text":"0c8615f7-c7b2-4f45-adc3-dfeb67d967b4"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":29,"startColumn":2,"endLine":29,"endColumn":58,"snippet":{"text":"whsec_PkjJVdKoCWMNnQMuw4mANbfMxfQnjj63"}}}}],"properties":{"tags":[]}}],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}},{"tool":{"driver":{"name":"grype","informationUri":"https://github.com/anchore/grype","properties":{"officialName":"grype"},"rules":[]}},"results":[],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}},{"tool":{"driver":{"name":"opengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"assets.dockerfile.security.missing-user.missing-user","name":"assets.dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Opengrep Finding: assets.dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Opengrep Finding: assets.generic.secrets.security.detected-generic-secret.detected-generic-secret"}}]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/auth/guards/agent.ts:190:\n `let jwt: Awaited<ReturnType<typeof keys.verifyJWT<(typeof requiredClaims)[number]>>>` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/about_controller.ts:3:\n `pkg from '#package' with { type:` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/application_membership_controller.ts:181:\n `'APP_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/membership_controller.ts:179:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/stripe_webhook_controller.ts:425:\n `satisfies Stripe` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/policies/policy_helpers.ts:165:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/services/jwk_cache.ts:77:\n `satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/utils/application_access.ts:65:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/application_membership.ts:20:\n `satisfies readonly ApplicationRole[]` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/invitations.ts:29:\n `satisfies readonly OrganizationRole[]` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/org_membership.ts:7:\n `satisfies readonly OrganizationRole[]` was unexpected"}}]}],"results":[{"fingerprints":{"matchBasedId/v1":"05ce98718277fa686170ef7202a0768f043200190754f695c68c8815181eaf4e805f2e061b8f99e37d4553530db1e3622cf715741ca54a62549bc291272af4a3_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env","uriBaseId":"%SRCROOT%"},"region":{"endColumn":62,"endLine":10,"snippet":{"text":"GITHUB_CLIENT_SECRET=e78b1199d5bc447bd36ecea679727578a9d5b0dd"},"startColumn":15,"startLine":10}}}],"message":{"text":"Generic Secret detected"},"properties":{},"ruleId":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret"},{"fingerprints":{"matchBasedId/v1":"108f493d284212513046232eea055f6677464e9392d15dc19d73b5d83e1601b23b8ad7c2a631d8c1a23ee682fe0b76f316193556c656e743cb244b55f5a6b82b_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":28,"endLine":35,"snippet":{"text":"CMD [ \"npm\", \"run\", \"dev\" ]"},"startColumn":1,"startLine":35}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"assets.dockerfile.security.missing-user.missing-user"}],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}}]}
package/src/commands/import.js CHANGED
@@ -83,18 +83,6 @@ module.exports = {
83
83
  scanners.push(scanner)
84
84
  }
85
85
 
86
- // Check for unsupported scanners.
87
- try {
88
- const unknownScanners = scanners.filter(name => !availableScanners.find(s => s.name === name))
89
- if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
90
- else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
91
- }
92
- catch (error) {
93
- log(`ERROR: ${error.message}`)
94
- log(`Terminating with exit code 1. See 'radar help import' for list of possible exit codes.`)
95
- return 0x1 // exit code
96
- }
97
-
98
86
  // Send telemetry: scan started.
99
87
  let scanID = undefined
100
88
  // TODO: Should pass scanID to the server; not read it from the server.
package/src/util/sarif/transforms/normalize.js CHANGED
@@ -3,34 +3,30 @@ module.exports = (sarif, dir, git, root) => {
3
3
  // Normalize findings.
4
4
  for (const run of sarif.runs) {
5
5
 
6
+ // Subfolder within the repo root where the scan took place:
7
+ const subfolder = path.relative(root, dir)
8
+
6
9
  // Record the source repo location and the relative target subfolder within the repo.
7
- run.originalUriBaseIds = {
8
- SOURCE: {
9
- uri: git.repo.url.https,
10
- description: {
11
- text: "Source origin for the target being scanned (ie. git repo URL)."
12
- }
13
- },
14
- TARGET: {
15
- uri: `${path.relative(root, dir)}`,
16
- uriBaseId: "SOURCE",
17
- description: {
18
- text: "Scan target (subfolder) within the source repo or folder."
19
- }
10
+ run.properties = {
11
+ repository: {
12
+ type: 'git',
13
+ url: git.repo.url.https
20
14
  }
21
15
  }
16
+ if (subfolder) run.properties.includedirs = [ `${subfolder}` ]
22
17
 
23
- // Make all physical locations for the result relative to the scan directory.
18
+ // Make all physical locations for the result relative to the repo root directory.
19
+ // (or if the root is not available then to the scan directory)
24
20
  if (!run.results) continue
25
21
  for (const result of run.results) {
26
22
  for (const location of result.locations) {
27
23
  if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
28
- let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
24
+ let file = path.join(subfolder, path.relative('/app', location.physicalLocation.artifactLocation.uri))
29
25
  if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
30
26
  location.physicalLocation.artifactLocation.uri = file
31
27
  }
32
28
  else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/')) {
33
- let file = path.relative('/', location.physicalLocation.artifactLocation.uri)
29
+ let file = path.join(subfolder, path.relative('/', location.physicalLocation.artifactLocation.uri))
34
30
  if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
35
31
  location.physicalLocation.artifactLocation.uri = file
36
32
  }