@eurekadevsecops/radar 1.8.0 → 1.8.1

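--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@eurekadevsecops/radar",
-"version": "1.8.0",
+"version": "1.8.1",
 "description": "Radar is an open-source orchestrator of security scanners.",
 "homepage": "https://www.eurekadevsecops.com/radar",
 "keywords": [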
package/report.sarif ADDED
@@ -0,0 +1 @@
1
+ {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[{"id":"generic-api-key","shortDescription":{"text":"Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}},{"id":"stripe-access-token","shortDescription":{"text":"Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}}]}},"results":[{"message":{"text":"stripe-access-token has detected secret for file apps/backend/.env."},"ruleId":"stripe-access-token","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":30,"startColumn":24,"endLine":30,"endColumn":130,"snippet":{"text":"sk_test_51RYvkf2YG6fO9qlhtYIIbnGSXSr6xpzqdqryyPk58EVMgZMjIviKEXde8r55HE4vbVgzKwNb7owr74qRMEHUKakC007aUEcU3n"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":5,"startColumn":2,"endLine":5,"endColumn":26,"snippet":{"text":"0123456789abcdxyz"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":10,"startColumn":2,"endLine":10,"endColumn":62,"snippet":{"text":"e78b1199d5bc447bd36ecea679727578a9d5b0dd"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file 
apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":18,"startColumn":2,"endLine":18,"endColumn":54,"snippet":{"text":"0c8615f7-c7b2-4f45-adc3-dfeb67d967b4"}}}}],"properties":{"tags":[]}},{"message":{"text":"generic-api-key has detected secret for file apps/backend/.env."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env"},"region":{"startLine":29,"startColumn":2,"endLine":29,"endColumn":58,"snippet":{"text":"whsec_PkjJVdKoCWMNnQMuw4mANbfMxfQnjj63"}}}}],"properties":{"tags":[]}}],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}},{"tool":{"driver":{"name":"grype","informationUri":"https://github.com/anchore/grype","properties":{"officialName":"grype"},"rules":[]}},"results":[],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}},{"tool":{"driver":{"name":"opengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"help":{"markdown":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. 
Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","id":"assets.dockerfile.security.missing-user.missing-user","name":"assets.dockerfile.security.missing-user.missing-user","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Opengrep Finding: assets.dockerfile.security.missing-user.missing-user"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication 
Failures","security"]},"shortDescription":{"text":"Opengrep Finding: assets.generic.secrets.security.detected-generic-secret.detected-generic-secret"}}]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/auth/guards/agent.ts:190:\n `let jwt: Awaited<ReturnType<typeof keys.verifyJWT<(typeof requiredClaims)[number]>>>` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/about_controller.ts:3:\n `pkg from '#package' with { type:` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/application_membership_controller.ts:181:\n `'APP_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/membership_controller.ts:179:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/controllers/stripe_webhook_controller.ts:425:\n `satisfies Stripe` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/policies/policy_helpers.ts:165:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/services/jwk_cache.ts:77:\n `satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/utils/application_access.ts:65:\n `'ORG_ADMIN' satisfies` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/application_membership.ts:20:\n `satisfies readonly ApplicationRole[]` was unexpected"}},{"descriptor":{"id":"Syntax 
error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/invitations.ts:29:\n `satisfies readonly OrganizationRole[]` was unexpected"}},{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line /app/app/validators/org_membership.ts:7:\n `satisfies readonly OrganizationRole[]` was unexpected"}}]}],"results":[{"fingerprints":{"matchBasedId/v1":"05ce98718277fa686170ef7202a0768f043200190754f695c68c8815181eaf4e805f2e061b8f99e37d4553530db1e3622cf715741ca54a62549bc291272af4a3_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/.env","uriBaseId":"%SRCROOT%"},"region":{"endColumn":62,"endLine":10,"snippet":{"text":"GITHUB_CLIENT_SECRET=e78b1199d5bc447bd36ecea679727578a9d5b0dd"},"startColumn":15,"startLine":10}}}],"message":{"text":"Generic Secret detected"},"properties":{},"ruleId":"assets.generic.secrets.security.detected-generic-secret.detected-generic-secret"},{"fingerprints":{"matchBasedId/v1":"108f493d284212513046232eea055f6677464e9392d15dc19d73b5d83e1601b23b8ad7c2a631d8c1a23ee682fe0b76f316193556c656e743cb244b55f5a6b82b_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"apps/backend/Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":28,"endLine":35,"snippet":{"text":"CMD [ \"npm\", \"run\", \"dev\" ]"},"startColumn":1,"startLine":35}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"assets.dockerfile.security.missing-user.missing-user"}],"properties":{"repository":{"type":"git","url":"https://github.com/EurekaDevSecOps/app.git"},"includedirs":["apps/backend"]}}]}
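Review bot: report.sarif is a scanner output artifact that has been packed into the published tarball, and its gitleaks and opengrep results carry the matched values verbatim in `region.snippet.text` (what look like a Stripe test-mode secret key, a Stripe webhook signing secret and a GitHub client secret from apps/backend/.env of the EurekaDevSecOps/app repository), so every consumer of 1.8.1 receives them. Those credentials should be treated as disclosed and rotated, and this version should be deprecated in favour of one that excludes the file. The `properties.repository` / `includedirs` shape of each run matches what the normalizer in this same release emits, which suggests the report came from a local test run inside the package directory; a `files` allow-list in package.json (or a `.npmignore` entry for `*.sarif`) would keep such artifacts out of future publishes, and the scan.sarif deleted further down shows this has happened before. It would also be worth having the normalizer blank `snippet.text` for secret-detection rule ids before a report is persisted, so a leaked report discloses the location of a secret rather than the secret itself.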
@@ -3,34 +3,30 @@ module.exports = (sarif, dir, git, root) => {
3
3
  // Normalize findings.
4
4
  for (const run of sarif.runs) {
5
5
 
6
+ // Subfolder within the repo root where the scan took place:
7
+ const subfolder = path.relative(root, dir)
8
+
6
9
  // Record the source repo location and the relative target subfolder within the repo.
7
- run.originalUriBaseIds = {
8
- SOURCE: {
9
- uri: git.repo.url.https,
10
- description: {
11
- text: "Source origin for the target being scanned (ie. git repo URL)."
12
- }
13
- },
14
- TARGET: {
15
- uri: `${path.relative(root, dir)}`,
16
- uriBaseId: "SOURCE",
17
- description: {
18
- text: "Scan target (subfolder) within the source repo or folder."
19
- }
10
+ run.properties = {
11
+ repository: {
12
+ type: 'git',
13
+ url: git.repo.url.https
20
14
  }
21
15
  }
16
+ if (subfolder) run.properties.includedirs = [ `${subfolder}` ]
22
17
 
23
- // Make all physical locations for the result relative to the scan directory.
18
+ // Make all physical locations for the result relative to the repo root directory.
19
+ // (or if the root is not available then to the scan directory)
24
20
  if (!run.results) continue
25
21
  for (const result of run.results) {
26
22
  for (const location of result.locations) {
27
23
  if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
28
- let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
24
+ let file = path.join(subfolder, path.relative('/app', location.physicalLocation.artifactLocation.uri))
29
25
  if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
30
26
  location.physicalLocation.artifactLocation.uri = file
31
27
  }
32
28
  else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/')) {
33
- let file = path.relative('/', location.physicalLocation.artifactLocation.uri)
29
+ let file = path.join(subfolder, path.relative('/', location.physicalLocation.artifactLocation.uri))
34
30
  if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
35
31
  location.physicalLocation.artifactLocation.uri = file
36
32
  }
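Review bot: `run.properties = { repository: … }` on new lines 10–14 replaces the whole run-level property bag, discarding any `properties` the scanner itself placed on the run; merging preserves them: `run.properties = { ...run.properties, repository: { type: 'git', url: git.repo.url.https } }`. The new comment on lines 18–19 promises a fallback to the scan directory when the root is not available, but `const subfolder = path.relative(root, dir)` on line 7 is unconditional and Node's path.relative throws on a non-string argument in current versions, so the fallback has to be explicit: `const subfolder = root ? path.relative(root, dir) : ''`. With that guard the `if (subfolder)` check on line 16 still works as written, and the template literal there is redundant — `run.properties.includedirs = [subfolder]`. Since the rewritten `file` values are stored into `artifactLocation.uri`, `path.posix.join` would be the safer choice should this ever run outside the Linux containers that the `/app` prefix implies. The enclosing arrow function starts before the hunk and its body continues past it.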
package/scan.sarif DELETED
@@ -1 +0,0 @@
1
- {"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"abcgitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[]}},"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcgrype","informationUri":"https://github.com/anchore/grype","properties":{"officialName":"grype"},"rules":[{"id":"GHSA-pfrx-2q88-qq97-got","name":"JavascriptMatcherExactDirectMatch","shortDescription":{"text":"GHSA-pfrx-2q88-qq97 medium vulnerability for got package"},"fullDescription":{"text":"Got allows a redirect to a UNIX socket"},"helpUri":"https://github.com/anchore/grype","help":{"text":"Vulnerability GHSA-pfrx-2q88-qq97\nSeverity: medium\nPackage: got\nVersion: 9.6.0\nFix Version: 11.8.5\nType: npm\nLocation: /package-lock.json\nData Namespace: github:language:javascript\nLink: [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)","markdown":"**Vulnerability GHSA-pfrx-2q88-qq97**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | got | 9.6.0 | 11.8.5 | npm | /package-lock.json | github:language:javascript | [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97) |\n"},"properties":{"purls":["pkg:npm/got@9.6.0"],"security-severity":"5.3"}}]}},"results":[{"ruleId":"GHSA-pfrx-2q88-qq97-got","level":"warning","message":{"text":"A medium vulnerability in npm package: got, version 9.6.0 was found at: 
package-lock.json"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"package-lock.json"},"region":{"startLine":1,"startColumn":1,"endLine":1,"endColumn":1}}}],"partialFingerprints":{"primaryLocationLineHash":"677706e2c84cd6dfb855b123e8a34db12a8f4eeb5df5b8ab253aa5299b80da0b:1"}}],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcopengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}}]}