@eurekadevsecops/radar 1.9.5 → 1.9.7

package/ewa.sarif

@@ -0,0 +1,274 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "gitleaks",
+          "semanticVersion": "v8.0.0",
+          "informationUri": "https://github.com/gitleaks/gitleaks",
+          "properties": {
+            "officialName": "gitleaks"
+          },
+          "rules": [
+            {
+              "id": "bitbucket-client-id",
+              "shortDescription": {
+                "text": "Discovered a potential Bitbucket Client ID, risking unauthorized repository access and potential codebase exposure."
+              }
+            },
+            {
+              "id": "generic-api-key",
+              "shortDescription": {
+                "text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
+              }
+            },
+            {
+              "id": "gitlab-oauth-app-secret",
+              "shortDescription": {
+                "text": "Identified a GitLab OIDC Application Secret, risking access to apps using GitLab as authentication provider."
+              }
+            },
+            {
+              "id": "private-key",
+              "shortDescription": {
+                "text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."
+              }
+            },
+            {
+              "id": "stripe-access-token",
+              "shortDescription": {
+                "text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "message": {
+            "text": "generic-api-key has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "generic-api-key",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 121,
+                  "startColumn": 2,
+                  "endLine": 121,
+                  "endColumn": 62,
+                  "snippet": {
+                    "text": "0231e56436d8862a967f583939d1d91e955c2bd3"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "generic-api-key has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "generic-api-key",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 132,
+                  "startColumn": 2,
+                  "endLine": 132,
+                  "endColumn": 57,
+                  "snippet": {
+                    "text": "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"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "generic-api-key has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "generic-api-key",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 146,
+                  "startColumn": 2,
+                  "endLine": 146,
+                  "endColumn": 54,
+                  "snippet": {
+                    "text": "00e3e61c-50ed-44f2-8901-ba56c166b4e5"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "generic-api-key has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "generic-api-key",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 155,
+                  "startColumn": 2,
+                  "endLine": 155,
+                  "endColumn": 58,
+                  "snippet": {
+                    "text": "whsec_X92mgLcj9LACgQCfxlEazUtZ5Qb1MSN6"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "gitlab-oauth-app-secret has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "gitlab-oauth-app-secret",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 126,
+                  "startColumn": 23,
+                  "endLine": 126,
+                  "endColumn": 92,
+                  "snippet": {
+                    "text": "gloas-776889e1488d83b207ac8a3e3230b71ee8f91ef6cfd6007aa4f5accb579eacd5"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "private-key has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "private-key",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 81,
+                  "startColumn": 26,
+                  "endLine": 107,
+                  "endColumn": 30,
+                  "snippet": {
+                    "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAs1jrtHlMuqGnpah5PdGJ1Tzeoth+dWJ4hP1Nr8a50z0JCBHT\n7NZ0XW/DmNroKXqxmVW7U1iKw0g96+5xRuJiFDLs+qeJGXiog7gOETKI3gHum2h2\nj/VcGzMRfe7gH4le+69SFnCK9+9nB5H4oVXQ5JimUA74pmRxKWBY9+96BsMUVBp+\n2PYFtOsNHplx+UlzAQ3KnbDlE73aAZpPGW1GKrw8ZkrN22srDokp2ZbjWqbp54mc\nht0/7g2h+6naJonhNOKmadHOb9T2OcwKgmNrNINQq0R7X4fb7Wcs6Ecru8H+8H2h\nInViwTuI17gdrI8iBeNCNayKigdTu5BTFJurJwIDAQABAoIBAFMx330De81jacJV\nyZAcoGSTbO97oAXR3PhMDHqKo+7SdFsS8gz+WlJxovlIKsP7D2GCvHfoLc5yt463\nOELahwa5rOaFSvrO1tTrT1M47vaVTNs4dS9IcSaI5QdXBQ58CdyUsm6IXF6w5klD\ntGMazOEN0rB2kW+WTkwUTpEMvL1ff8BZEvYygv9a8hgPLfxyu4Lvkan7059UG766\nOW5eLQ8eaf+jjWw3YRsty8YK+w3kGOErIHZ7qw+JiQ6nbSxUKbqAGJCXwsvvLiKs\nNfhxeksHqod4CQMIrFDCwYw5pEW9Ji3AWj1XS8h0THYM6z5XPijHsvRVSLC1Fl45\nWFHC6cECgYEA5mFN+XixFLqXGb0N4jtZVC/WUJs+ER9sasMJrwd7moWAyZvjMdkA\nDKq2TeiuNRGcjP9VWM9EWDqNiyQEBxUcwwT3RD5KRykNkLYz51nJZcRmijQUb7ss\nmtLd+tGTaFDfMU3dRihzwYmfYiKJpqwa8mgeTZEXEEU8lEEh7JfrO8cCgYEAx0rD\niI6Lv/7MwoG+cH7eZR3ezyfiGFAbWOfMKtBxLsVyNSzl3JCnyaWf2tsrJSmYlVUa\nANNo9gXvSfrrFjnPOC9ZLEnB2xl1XoJagBFj5Qwf3Giy/i9eiRSu0SyT6WrSzfKa\nOaIFhwwsx1s6Qoeck4UqQFqUgk+FnN3BuCaeVaECgYB0AsfrOnWhxJxWX7dgFxbS\nqAw6JxLIOJS15mU3+IKru1KxM4jjDy1RM539+Y/QNYAqGGH4CNeXvlSMnqRQlLcZ\nFaUWfm+VCf1ExBu7AqHCV3ZzXep0oULC7DDQHz0lqKPcBiPJMpGoAg96sX2zqrMf\nIoMv+EIu9U6eMXZN1+qi/QKBgB0Mv93a8XIGITDFGs5pH9/bb8wAg0uJ+cKG31Lq\nWWU48MHhjowNJfgVxWxwgCSFoLE723N9XZJnIQ9GnRf7S0JkXHpBMhnO5zXkiG6c\nmlQb5VUKifTVUNFoi2cAOXtPz/SnRWXbQTUDSE+y85YZEHDMe3EwAu/PyakpBgDi\n2DehAoGBAKJtxule5t0JQpFzYtk7Ojxv8ppellrqevoX/z+xNG58AT97/JtQAD0D\nTwz1fuptQFe1Mq+cA561hZaTH9MqhTOCVxdP7tMGnGmIT+MXU24o4EhGN0EFtsvR\npKxf8/C9KgyrbfXXzb/LMQIZko0cAFI47EMo/Ad8wgyPDsTnTcJZ\n-----END RSA PRIVATE KEY-----"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "bitbucket-client-id has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "bitbucket-client-id",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 116,
+                  "startColumn": 2,
+                  "endLine": 116,
+                  "endColumn": 57,
+                  "snippet": {
+                    "text": "KbPZjucUXpxhqmKjP6wbtS5BfEERxdnb"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        },
+        {
+          "message": {
+            "text": "stripe-access-token has detected secret for file apps/backend/.env.local."
+          },
+          "ruleId": "stripe-access-token",
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/backend/.env.local"
+                },
+                "region": {
+                  "startLine": 154,
+                  "startColumn": 24,
+                  "endLine": 154,
+                  "endColumn": 130,
+                  "snippet": {
+                    "text": "sk_test_51RYvkf2YG6fO9qlhtYIIbnGSXSr6xpzqdqryyPk58EVMgZMjIviKEXde8r55HE4vbVgzKwNb7owr74qRMEHUKakC007aUEcU3n"
+                  }
+                }
+              }
+            }
+          ],
+          "properties": {
+            "tags": []
+          }
+        }
+      ],
+      "properties": {
+        "repository": {
+          "type": "git",
+          "url": "https://github.com/EurekaDevSecOps/app.git"
+        }
+      }
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.9.5",
+  "version": "1.9.7",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [
@@ -20,6 +20,8 @@
     "radar": "cli.js"
   },
   "scripts": {
+    "commit": "npx cz",
+    "prepare": "husky || true",
     "test": "standard"
   },
   "repository": {
@@ -37,6 +39,21 @@
     "tiny-spinner": "^2.0.5"
   },
   "devDependencies": {
+    "@commitlint/cli": "^20.1.0",
+    "@commitlint/config-conventional": "^20.0.0",
+    "@commitlint/cz-commitlint": "^20.1.0",
+    "commitizen": "^4.3.1",
+    "commitlint-plugin-selective-scope": "^1.0.1",
+    "conventional-changelog-atom": "^5.0.0",
+    "cz-conventional-changelog": "^3.3.0",
+    "cz-git": "^1.12.0",
+    "husky": "^9.1.7",
     "standard": "*"
+  },
+  "config": {
+    "commitizen": {
+      "path": "cz-git",
+      "czConfig": ".config/commitlint/cz.config.mjs"
+    }
   }
 }

package/src/commands/scan.js

@@ -4,6 +4,8 @@ const path = require('node:path')
 const os = require('node:os')
 const SARIF = require('../util/sarif')
 const runner = require('../util/runner')
+const { DateTime } = require('luxon')
+
 module.exports = {
   summary: 'scan for vulnerabilities',
   args: {
@@ -63,12 +65,11 @@ module.exports = {
 
     Runs entirely on your machine — by default, Radar CLI doesn’t upload any findings.
     Your vulnerabilities stay local and private. To upload results to Eureka ASPM,
-    provide your API credentials via two environment variables: 'EUREKA_AGENT_TOKEN'
-    (your API token) and 'EUREKA_PROFILE' (your profile ID). When these are set, Radar CLI
-    automatically uploads results after each scan — letting you view your full scan 
-    history and all findings in the Eureka ASPM Dashboard. To prevent Radar CLI from
-    uploading scan findings even when you have 'EUREKA_AGENT_TOKEN' and 'EUREKA_PROFILE'
-    set, you can pass the LOCAL option on the command line.
+    provide your API credentials through the 'EUREKA_AGENT_TOKEN' environment variable.
+    When set, Radar CLI automatically uploads results after each scan — letting you view
+    your full scan history and all findings in the Eureka ASPM Dashboard. To prevent
+    Radar CLI from uploading scan findings even when you have 'EUREKA_AGENT_TOKEN' set,
+    you can pass the LOCAL option on the command line.
 
     Exit codes:
          0 - Clean and successful scan. No errors, warnings, or notes.
@@ -159,12 +160,18 @@ module.exports = {
       log(`INFO: Running a local scan.\n`)
     }
 
+    // Get target git metadata.
+    const metadata = git.metadata(target)
+    if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
+
     // Send telemetry: scan started.
     let scanID = undefined
+    const timestamp = DateTime.now().toISO()
+
     if (telemetry.enabled && !args.LOCAL) {
       // TODO: Should pass scanID to the server; not read it from the server.
       try {
-        const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name) })
+        const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name), metadata, timestamp })
         if (!res.ok) throw new Error(`[${res.status}] ${res.statusText}: ${await res.text()}`)
         const data = await res.json()
         scanID = data.scan_id
@@ -181,14 +188,10 @@ module.exports = {
       }
     }
 
-    // Send telemetry: git metadata.
-    const metadata = git.metadata(target)
-    if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
+    // Send telemetry: scan started (stage 2).
     if (telemetry.enabled && scanID && !args.LOCAL) {
-      let res = await telemetry.send(`scans/:scanID/metadata`, { scanID }, { metadata })
-      if (!res.ok) log(`WARNING: Scan metadata (stage 1) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
-      res = await telemetry.sendSensitive(`scans/:scanID/metadata`, { scanID }, { metadata })
-      if (!res.ok) log(`WARNING: Scan metadata (stage 2) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
+      const res = await telemetry.sendSensitive(`scans/:scanID/started`, { scanID }, { metadata, timestamp })
+      if (!res.ok) log(`WARNING: Scan started (stage 2) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 
     // Run scanners.
@@ -234,7 +237,7 @@ module.exports = {
 
     // Send telemetry: scan summary.
     if (telemetry.enabled && scanID && !args.LOCAL) {
-      const res = await telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+      const res = await telemetry.send(`scans/:scanID/completed`, { scanID }, { summary })
       if (!res.ok) log(`WARNING: Scan status (completed) telemetry upload failed: [${res.status}] ${res.statusText}: ${await res.text()}`)
     }
 

package/src/telemetry/README.md

@@ -11,15 +11,21 @@ const telemetry = require('./telemetry')
 
 All available telemetry events:
 ```js
-telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+telemetry.send(`scans/started`, {}, { scanners, metadata, timestamp })
+telemetry.sendSensitive(`scans/:scanID/started`, { scanID }, { scanners, metadata, timestamp })
 telemetry.send(`scans/:scanID/completed`, { scanID }, { status, findings, log })
 telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, log)
 telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, sarif)
 ```
 
-To send a telemetry event indicating that a scan has started:
+To send a telemetry event indicating that a scan has started (stage 1):
 ```js
-telemetry.send(`scans/:scanID/started`, { scanID }, { scanners })
+telemetry.send(`scans/started`, {}, { scanners, metadata })
+```
+
+To send a telemetry event indicating that a scan has started (stage 2):
+```js
+telemetry.sendSensitive(`scans/:scanID/started`, { scanID }, { metadata })
 ```
 
 To send a telemetry event indicating that a scan has completed:

package/src/telemetry/index.js

@@ -9,7 +9,7 @@ class Telemetry {
 
   constructor() {
     this.enabled = !!this.#EUREKA_AGENT_TOKEN
-    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN)?.aud?.replace(/\/$/, '')
+    this.#EWA_URL = this.#claims(this.#EUREKA_AGENT_TOKEN).aud?.replace(/\/$/, '')
   }
 
   async send(path, params, body, token) {
@@ -71,7 +71,8 @@ class Telemetry {
         'Content-Type': 'application/json',
         'User-Agent': this.#USER_AGENT,
         'Accept': 'application/json'
-      }
+      },
+      body: JSON.stringify({ profileId: process.env.EUREKA_PROFILE })
     })
     if (!response.ok) throw new Error(`Internal Error: Failed to get VDBE auth token from EWA: ${response.statusText}: ${await response.text()}`)
     const data = await response.json()
@@ -82,9 +83,9 @@ class Telemetry {
     const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
     const aud = claims.aud.replace(/\/$/, '')
     if (path === `scans/started`) return `${aud}/scans/started`
+    if (path === `scans/:scanID/started`) return `${aud}/scans/${params.scanID}/started`
     if (path === `scans/:scanID/completed`) return `${aud}/scans/${params.scanID}/completed`
     if (path === `scans/:scanID/failed`) return `${aud}/scans/${params.scanID}/completed`
-    if (path === `scans/:scanID/metadata`) return `${aud}/scans/${params.scanID}/metadata`
     if (path === `scans/:scanID/results`) return `${aud}/scans/${params.scanID}/results`
     throw new Error(`Internal Error: Unknown telemetry event: POST ${path}`)
   }
@@ -92,7 +93,11 @@ class Telemetry {
   #toReceiveURL(path, params, token) {
     const claims = this.#claims(token ?? this.#EUREKA_AGENT_TOKEN)
     const aud = claims.aud.replace(/\/$/, '')
-    if (path === `scans/:scanID/summary`) return `${aud}/scans/${params.scanID}/summary?profileId=${process.env.EUREKA_PROFILE}`
+    if (path === `scans/:scanID/summary`) {
+      const profileId = process.env.EUREKA_PROFILE
+      const base = `${aud}/scans/${params.scanID}/summary`
+      return profileId ? `${base}?profileId=${profileId}` : base
+    }
     throw new Error(`Internal Error: Unknown telemetry event: GET ${path}`)
   }
 
@@ -102,11 +107,11 @@ class Telemetry {
   }
 
   #toBody(path, body) {
-    if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
-    if (path === `scans/:scanID/completed`) body = { ...this.#toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+    if (path === `scans/started`) body = { ...body, profileId: process.env.EUREKA_PROFILE }
+    if (path === `scans/:scanID/started`) body = { ...body, profileId: process.env.EUREKA_PROFILE }
+    if (path === `scans/:scanID/completed`) body = { ...this.#toFindings(body.summary), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, profileId: process.env.EUREKA_PROFILE, params: { id: '' }}
     if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
-    if (path === `scans/:scanID/metadata`) body = { metadata: body.metadata, profileId: process.env.EUREKA_PROFILE }
-    if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
+    if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, log: Buffer.from(body.log, 'utf8').toString('base64'), profileId: process.env.EUREKA_PROFILE  }
     return JSON.stringify(body)
   }
 
@@ -121,7 +126,6 @@ class Telemetry {
       }
     }
   }
-
 }
 
 module.exports = {