@eurekadevsecops/radar 1.8.2 → 1.8.4

package/contributors.txt

@@ -0,0 +1,78 @@
+{"name":"Alvin Kam","email":"64457658+alvinkam33@users.noreply.github.com"}
+{"name":"Alvin","email":"alvin.kam.33@gmail.com"}
+{"name":"alvinkam","email":"alvin.kam.33@gmail.com"}
+{"name":"Andrew Cheah","email":"62257557+atcheah@users.noreply.github.com"}
+{"name":"Artem Kh","email":"artem@fintelconnect.com"}
+{"name":"Artem","email":"artem@FC-LAPTOP69.local"}
+{"name":"Artem","email":"artem@FC-LAPTOP69.localdomain"}
+{"name":"Ben Lu","email":"blu@nautilusdigital.com"}
+{"name":"carvalhojg","email":"48341861+carvalhojg@users.noreply.github.com"}
+{"name":"Cheryl Ho","email":"91933101+cho196@users.noreply.github.com"}
+{"name":"cho196","email":"ho.cheryl@outlook.com"}
+{"name":"Cristian Najera","email":"45493332+CristianNajeraL@users.noreply.github.com"}
+{"name":"cristianenajera@gmail.com","email":"*O+0clqH5dR@]mC]{1w!|6:P]&/.XFo}Mp0HtAlAQ&~Q:@{a(^iVn'H;jggA)!y!Gcff5\lc"}
+{"name":"Darren Luck","email":"dluck@nautilusdigital.com"}
+{"name":"Darren542","email":"Darrenluck@icloud.com"}
+{"name":"David Moseley","email":"david@fintelconnect.com"}
+{"name":"David Moseley","email":"davidmoseley@gmail.com"}
+{"name":"Divyansh Tangri","email":"divyansh.tangri@fintelconnect.com"}
+{"name":"Divyansh","email":"divyansh.tangri@fintelconnect.com"}
+{"name":"EC2 Default User","email":"ec2-user@ip-10-1-1-185.us-east-2.compute.internal"}
+{"name":"Eddie Moon","email":"97134997+eddiemoon99@users.noreply.github.com"}
+{"name":"George Fairbairn","email":"57505013+georgefairbairn@users.noreply.github.com"}
+{"name":"giovangonzalez","email":"giovangonzalez@gmail.com"}
+{"name":"GitHub","email":"noreply@github.com"}
+{"name":"Hashim Syed","email":"112725957+HashimSyedUBC@users.noreply.github.com"}
+{"name":"Hashim Syed","email":"hsyed@nautilusdigital.com"}
+{"name":"HashimSyedUBC","email":"112725957+HashimSyedUBC@users.noreply.github.com"}
+{"name":"ihu-cc","email":"132296630+ihu-cc@users.noreply.github.com"}
+{"name":"ihu-cc","email":"ihu@nautilusdigital.com"}
+{"name":"Ivan Hu","email":"132296630+ihu-cc@users.noreply.github.com"}
+{"name":"James Dahl","email":"33878022+jamesgdahl@users.noreply.github.com"}
+{"name":"jgabrielsantos","email":"48341861+carvalhojg@users.noreply.github.com"}
+{"name":"Joao Gabriel Carvalho","email":"joaoocarvalhol.santos@gmail.com"}
+{"name":"João Gabriel Santos","email":"48341861+jgabrielsantos@users.noreply.github.com"}
+{"name":"Johnathan Tam","email":"97713947+tamjohn@users.noreply.github.com"}
+{"name":"Kelsey Chua","email":"77289991+kelc4@users.noreply.github.com"}
+{"name":"Kelsey Chua","email":"kchua@nautilusdigital.com"}
+{"name":"kelseychua","email":"112977843+kelseychua@users.noreply.github.com"}
+{"name":"Leonart Gutz","email":"leonartgutz@hotmail.com"}
+{"name":"LeonartGutz","email":"leonartgutz@hotmail.com"}
+{"name":"lgutz","email":"lgutz@nautilusdigital.com"}
+{"name":"Lisa Zhu","email":"lzhu@nautilusdigital.com"}
+{"name":"lisaz-cc","email":"132297040+lisaz-cc@users.noreply.github.com"}
+{"name":"Matheus Franceschini","email":"m.franceschini17@gmail.com"}
+{"name":"Matheus Franceschini","email":"matheus@fintelconnect.com"}
+{"name":"matheusfintel","email":"matheus@fintelconnect.com"}
+{"name":"Michael Zhang","email":"michael@fintelconnect.com"}
+{"name":"Milton Gonzalez","email":"giovangonzalez@gmail.com"}
+{"name":"Milton Gonzalez","email":"mgonzalez@nautilusdigital.com"}
+{"name":"Pavel","email":"psmolov@nautilusdigital.com"}
+{"name":"Raphael Cassio de Souza","email":"rapha.cassio@gmail.com"}
+{"name":"Raphael Cássio de Souza","email":"rapha.cassio@gmail.com"}
+{"name":"rohitsh1","email":"rohit_sh1@yahoo.ca"}
+{"name":"rohitsh1","email":"rohit@fintelconnect.com"}
+{"name":"SamanthaOkada","email":"93158687+SamanthaOkada@users.noreply.github.com"}
+{"name":"Sher Shah Arsalaie","email":"69232811+arsala1995@users.noreply.github.com"}
+{"name":"Sher Shah Arsalaie","email":"sherarsalaie@convergncesmini.lan"}
+{"name":"Sultan Singh Atwal","email":"58763741+atwalsultan@users.noreply.github.com"}
+{"name":"Sultan","email":"sultan.singh.atwal@gmail.com"}
+{"name":"Tamara Smith","email":"50457535+tamaradesmith@users.noreply.github.com"}
+{"name":"Tamara Smith","email":"tdesmith81@gmail.com"}
+{"name":"tamaradesmith","email":"tsmith@nautilusdigital.com"}
+{"name":"tamjohn","email":"tamjohnathan@gmail.com"}
+{"name":"Tausif Ezaj Khan","email":"49699301+tausvels@users.noreply.github.com"}
+{"name":"Tausif Khan","email":"tkhan@nautilusdigital.com"}
+{"name":"Tony Xu","email":"xxy1994212@gmail.com"}
+{"name":"Vikram","email":"72895347+vikrams171@users.noreply.github.com"}
+{"name":"vikramfc","email":"vikramjit@fintelconnect.com"}
+{"name":"Vikramjit Singh","email":"vikramjit@fintelconnect.com"}
+{"name":"Vivek R","email":"vivek@fintelconnect.com"}
+{"name":"Vivek Raskar","email":"vivek@fintelconnect.com"}
+{"name":"Wataru Maeda","email":"14352132+wataru-maeda@users.noreply.github.com"}
+{"name":"Wataru Maeda","email":"14352132+wtr07@users.noreply.github.com"}
+{"name":"Wataru Maeda","email":"WataruMaeda@users.noreply.github.com"}
+{"name":"WataruMaeda","email":"w.maeda.jp@gmail.com"}
+{"name":"Xiaoyong Xu","email":"xiaoyongxu@Mac-mini.hitronhub.home"}
+{"name":"Xiaoyong Xu","email":"xiaoyongxu@XiaoyongdeMini.hitronhub.home"}
+{"name":"XiaoyongXu","email":"xxy1994212@gmail.com"}

package/contributors2.txt

@@ -0,0 +1,78 @@
+Alvin Kam:64457658+alvinkam33@users.noreply.github.com
+Alvin:alvin.kam.33@gmail.com
+alvinkam:alvin.kam.33@gmail.com
+Andrew Cheah:62257557+atcheah@users.noreply.github.com
+Artem Kh:artem@fintelconnect.com
+Artem:artem@FC-LAPTOP69.local
+Artem:artem@FC-LAPTOP69.localdomain
+Ben Lu:blu@nautilusdigital.com
+carvalhojg:48341861+carvalhojg@users.noreply.github.com
+Cheryl Ho:91933101+cho196@users.noreply.github.com
+cho196:ho.cheryl@outlook.com
+Cristian Najera:45493332+CristianNajeraL@users.noreply.github.com
+cristianenajera@gmail.com:*O+0clqH5dR@]mC]{1w!|6:P]&/.XFo}Mp0HtAlAQ&~Q:@{a(^iVn'H;jggA)!y!Gcff5\lc
+Darren Luck:dluck@nautilusdigital.com
+Darren542:Darrenluck@icloud.com
+David Moseley:david@fintelconnect.com
+David Moseley:davidmoseley@gmail.com
+Divyansh Tangri:divyansh.tangri@fintelconnect.com
+Divyansh:divyansh.tangri@fintelconnect.com
+EC2 Default User:ec2-user@ip-10-1-1-185.us-east-2.compute.internal
+Eddie Moon:97134997+eddiemoon99@users.noreply.github.com
+George Fairbairn:57505013+georgefairbairn@users.noreply.github.com
+giovangonzalez:giovangonzalez@gmail.com
+GitHub:noreply@github.com
+Hashim Syed:112725957+HashimSyedUBC@users.noreply.github.com
+Hashim Syed:hsyed@nautilusdigital.com
+HashimSyedUBC:112725957+HashimSyedUBC@users.noreply.github.com
+ihu-cc:132296630+ihu-cc@users.noreply.github.com
+ihu-cc:ihu@nautilusdigital.com
+Ivan Hu:132296630+ihu-cc@users.noreply.github.com
+James Dahl:33878022+jamesgdahl@users.noreply.github.com
+jgabrielsantos:48341861+carvalhojg@users.noreply.github.com
+Joao Gabriel Carvalho:joaoocarvalhol.santos@gmail.com
+João Gabriel Santos:48341861+jgabrielsantos@users.noreply.github.com
+Johnathan Tam:97713947+tamjohn@users.noreply.github.com
+Kelsey Chua:77289991+kelc4@users.noreply.github.com
+Kelsey Chua:kchua@nautilusdigital.com
+kelseychua:112977843+kelseychua@users.noreply.github.com
+Leonart Gutz:leonartgutz@hotmail.com
+LeonartGutz:leonartgutz@hotmail.com
+lgutz:lgutz@nautilusdigital.com
+Lisa Zhu:lzhu@nautilusdigital.com
+lisaz-cc:132297040+lisaz-cc@users.noreply.github.com
+Matheus Franceschini:m.franceschini17@gmail.com
+Matheus Franceschini:matheus@fintelconnect.com
+matheusfintel:matheus@fintelconnect.com
+Michael Zhang:michael@fintelconnect.com
+Milton Gonzalez:giovangonzalez@gmail.com
+Milton Gonzalez:mgonzalez@nautilusdigital.com
+Pavel:psmolov@nautilusdigital.com
+Raphael Cassio de Souza:rapha.cassio@gmail.com
+Raphael Cássio de Souza:rapha.cassio@gmail.com
+rohitsh1:rohit_sh1@yahoo.ca
+rohitsh1:rohit@fintelconnect.com
+SamanthaOkada:93158687+SamanthaOkada@users.noreply.github.com
+Sher Shah Arsalaie:69232811+arsala1995@users.noreply.github.com
+Sher Shah Arsalaie:sherarsalaie@convergncesmini.lan
+Sultan Singh Atwal:58763741+atwalsultan@users.noreply.github.com
+Sultan:sultan.singh.atwal@gmail.com
+Tamara Smith:50457535+tamaradesmith@users.noreply.github.com
+Tamara Smith:tdesmith81@gmail.com
+tamaradesmith:tsmith@nautilusdigital.com
+tamjohn:tamjohnathan@gmail.com
+Tausif Ezaj Khan:49699301+tausvels@users.noreply.github.com
+Tausif Khan:tkhan@nautilusdigital.com
+Tony Xu:xxy1994212@gmail.com
+Vikram:72895347+vikrams171@users.noreply.github.com
+vikramfc:vikramjit@fintelconnect.com
+Vikramjit Singh:vikramjit@fintelconnect.com
+Vivek R:vivek@fintelconnect.com
+Vivek Raskar:vivek@fintelconnect.com
+Wataru Maeda:14352132+wataru-maeda@users.noreply.github.com
+Wataru Maeda:14352132+wtr07@users.noreply.github.com
+Wataru Maeda:WataruMaeda@users.noreply.github.com
+WataruMaeda:w.maeda.jp@gmail.com
+Xiaoyong Xu:xiaoyongxu@Mac-mini.hitronhub.home
+Xiaoyong Xu:xiaoyongxu@XiaoyongdeMini.hitronhub.home
+XiaoyongXu:xxy1994212@gmail.com

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.8.2",
+  "version": "1.8.4",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -27,7 +27,7 @@
     "url": "https://github.com/EurekaDevSecOps/radarctl.git"
   },
   "dependencies": {
-    "@persistr/clif": "^1.11.1",
+    "@persistr/clif": "^1.11.2",
     "@persistr/clif-plugin-settings": "^2.3.1",
     "hosted-git-info": "^9.0.0",
     "humanize-duration": "^3.33.0",

package/src/commands/scan.js

@@ -17,6 +17,7 @@ module.exports = {
   },
   options: [
     { name: 'CATEGORIES', short: 'c', long: 'categories', type: 'string', description: 'list of scanner categories' },
+    { name: 'DEBUG', short: 'd', long: 'debug', type: 'boolean', description: 'log detailed debug info to stdout' },
     { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
     { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
     { name: 'OUTPUT', short: 'o', long: 'output', type: 'string', description: 'output SARIF file' },
@@ -75,6 +76,8 @@ module.exports = {
   examples: [
     '$ radar scan ' + '(scan current working directory)'.grey,
     '$ radar scan . ' + '(scan current working directory)'.grey,
+    '$ radar scan -d' + '(turn debug mode on)'.grey,
+    '$ radar scan --debug' + '(turn debug mode on)'.grey,
     '$ radar scan /my/repo/dir ' + '(scan target directory)'.grey,
     '$ radar scan --output=scan.sarif ' + '(save findings in a file)'.grey,
     '$ radar scan -o scan.sarif /my/repo/dir ' + '(short versions of options)'.grey,
@@ -87,9 +90,12 @@ module.exports = {
     '$ radar scan -e moderate,low ' + '(treat lower severities as high)'.grey,
     '$ radar scan -f sarif -e warning,note ' + '(treat lower severities as errors)'.grey
   ],
-  run: async (toolbox, args) => {
+  run: async (toolbox, args, globals) => {
     const { log, scanners: availableScanners, categories: availableCategories, telemetry, git } = toolbox
 
+    // Enable debug mode, if needed.
+    if (args.DEBUG) globals.debug = true
+
     // Set defaults for args and options.
     args.TARGET ??= process.cwd()
     args.FORMAT ??= 'security'
@@ -150,14 +156,24 @@ module.exports = {
       }
       catch (error) {
         log(`WARNING: Telemetry will be skipped for this scan run: ${error.message}\n`)
+        if (args.DEBUG) {
+          log(error)
+          if (error?.cause?.code === 'ECONNREFUSED') {
+            log(error.cause.errors)
+            log()
+          }
+        }
       }
     }
 
     // Send telemetry: git metadata.
     const metadata = git.metadata(target)
+    if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
     if (telemetry.enabled && scanID) {
-      await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
-      await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
+      let res = await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
+      if (!res.ok) log(`WARNING: Scan metadata (stage 1) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
+      res = await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
+      if (!res.ok) log(`WARNING: Scan metadata (stage 2) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 
     // Run scanners.
@@ -170,7 +186,10 @@ module.exports = {
     catch (error) {
       log(`\n${error}`)
       if (!args.QUIET) log('Scan NOT completed!')
-      if (telemetry.enabled) await telemetry.send(`scans/:scanID/failed`, { scanID })
+      if (telemetry.enabled) {
+        const res = await telemetry.send(`scans/:scanID/failed`, { scanID })
+        if (!res.ok) log(`WARNING: Scan status (not completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
+      }
       fs.rmSync(tmpdir, { recursive: true, force: true }) // Clean up.
       return 0x10 // exit code
     }
@@ -184,7 +203,8 @@ module.exports = {
 
     // Send telemetry: scan results.
     if (telemetry.enabled && scanID) {
-      await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
+      const res = await telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
+      if (!res.ok) log(`WARNING: Scan results telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 
     // Analyze scan results: group findings by severity level.
@@ -199,7 +219,8 @@ module.exports = {
 
     // Send telemetry: scan summary.
     if (telemetry.enabled && scanID) {
-      await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+      const res = await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+      if (!res.ok) log(`WARNING: Scan status (completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 
     // Display summarized findings.

package/src/util/git/index.js

@@ -25,13 +25,31 @@ function metadata(folder) {
     // Get the tags for the current commit.
     let tags = execSync('git tag --points-at HEAD', { cwd: folder }).toString().trim()
     tags = '["' + tags.split('\n').join('","') + '"]'
-    tags = JSON.parse(tags).filter(tag => tag)
+    try {
+      tags = JSON.parse(tags).filter(tag => tag)
+    }
+    catch (error) {
+      throw new Error(`failed parsing repo tags: ${error.message}`)
+    }
 
     // Get the list of unique repo contributors (authors and committers).
-    const template = '"{\\\"name\\\":\\\"%cn\\\",\\\"email\\\":\\\"%ce\\\"}%n{\\\"name\\\":\\\"%an\\\",\\\"email\\\":\\\"%ae\\\"}"'
+    const template = '%cn:%ce%n%an:%ae%n'
     let contributors = execSync(`git log --pretty=${template} | sort -u`, { cwd: folder }).toString().trim()
-    contributors = '[' + contributors.split('\n').join(',') + ']'
-    contributors = JSON.parse(contributors)
+    try {
+      contributors = contributors
+        .split('\n')
+        .map(c => {
+          const ne = (c + '').split(':')
+          return {
+            name: ne?.at(0) ?? '',
+            email: ne?.at(1) ?? ''
+          }
+        })
+        .filter(c => isValidEmail(c.email))
+    }
+    catch (error) {
+      throw new Error(`failed parsing repo contributors: ${error.message}`)
+    }
 
     const script = `MAX_LENGTH=4;
 git rev-list --abbrev=4 --abbrev-commit --all | \
@@ -49,7 +67,7 @@ git rev-list --abbrev=4 --abbrev-commit --all | \
 */
 
     // Return the repo metadata.
-    return {
+    const metadata = {
       type: 'git',
       repo: {
         url: {
@@ -73,6 +91,21 @@ git rev-list --abbrev=4 --abbrev-commit --all | \
         tags
       }
     }
+
+    // Validate repo metadata.
+    if (!metadata.repo.url.origin) throw new Error('remote.origin.url not present')
+    if (!metadata.repo.url.https) throw new Error('remote.origin.url (https) not present')
+    if (!metadata.repo.source.type) throw new Error('unable to determine repository type')
+    if (!metadata.repo.source.domain) throw new Error('unable to determine repository domain')
+    if (!metadata.repo.owner) throw new Error('unknown repo owner')
+    if (!metadata.repo.name) throw new Error('unknown repo name')
+    if (!metadata.repo.abbrevs) throw new Error('unable to determine number of significant digits for commit IDs')
+    if (!metadata.repo.contributors) throw new Error('no repository contributors present')
+    if (!metadata.commit.id) throw new Error('commit ID not present')
+    if (!metadata.commit.time) throw new Error('commit time not present')
+    if (!metadata.commit.branch) throw new Error('branch not present')
+
+    return metadata
   } catch (error) {
     return {
       type: 'error',
@@ -100,6 +133,33 @@ function root(folder) {
   }
 }
 
+/**
+ * Thanks to:
+ * http://fightingforalostcause.net/misc/2006/compare-email-regex.php
+ * http://thedailywtf.com/Articles/Validating_Email_Addresses.aspx
+ * http://stackoverflow.com/questions/201323/what-is-the-best-regular-expression-for-validating-email-addresses/201378#201378
+ * https://en.wikipedia.org/wiki/Email_address  The format of an email address is local-part@domain, where the 
+ * local part may be up to 64 octets long and the domain may have a maximum of 255 octets.[4]
+ */
+function isValidEmail(email) {
+  if (!email) return false
+
+  const parts = email.split('@')
+  if (parts.length !== 2) return false
+
+  const account = parts[0]
+  if (account.length > 64) return false
+
+  const address = parts[1]
+  if (address.length > 255) return false
+
+  const domainParts = address.split('.')
+  if (domainParts.some((part) => part.length > 63 )) return false
+
+  const emailRE = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-*\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
+  return emailRE.test(email)
+}
+
 module.exports = {
   metadata,
   root