boman-cli 2.2.0__tar.gz → 2.4.0__tar.gz

{boman-cli-2.2.0 → boman-cli-2.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: boman-cli
-Version: 2.2.0
+Version: 2.4.0
 Summary: CLI tool of boman.ai
 Home-page: https://boman.ai
 Author: Sumeru Software Solutions Pvt. Ltd.
@@ -14,7 +14,7 @@ Classifier: Operating System :: OS Independent
 Description-Content-Type: text/markdown
 
 # Introduction 
-Boman CLI is a Orchestration script written in python to run security scans on the customer's local or CI/CD environment and upload the results to Boman.ai SaaS server.
+Boman CLI is a Orchestration script written in python to run security scans on the local or CI/CD environment and upload the results to Boman.ai SaaS server.
 
 
 # Installation
@@ -27,6 +27,13 @@ Boman CLI is a Orchestration script written in python to run security scans on t
 
 ` boman-cli -h` 
 
+### Authentication of project has been moved from boman.yaml to boman-cli
+
+`boman-cli -a run -at <project token> -ct <customer token>`
+
+To obtain `project token` and `customer token`. Go to SaaS platform. Click on Apps -> app menu of the particular app -> Get Scan Token 
+
+
 ### To test the boman cli server
 
 ` boman-cli -a test-saas`
@@ -68,9 +75,7 @@ Example: boman-cli -a run -config ./customboman.yaml
 Example: boman-cli -a run -zap_session_script ./session.js
 
 
-
-
-# Error codes & meannings
+# Error codes
 
 0  : Successfull scan
 1  : Server/SaaS error
@@ -83,6 +88,10 @@ Example: boman-cli -a run -zap_session_script ./session.js
 
 ### Release Note:
 
+### V2.3.0
+- **New:** The pipeline configuration has been relocated from `boman.yaml` to the SaaS platform. Navigate to **Apps -> App menu -> Configure pipeline** to set it up. The current `boman.yaml` configuration will remain functional until it is officially deprecated.
+
+
 ### V2.2.0
     - New scan added: IaC.
 

{boman-cli-2.2.0 → boman-cli-2.4.0}/README.md

@@ -1,5 +1,5 @@
 # Introduction 
-Boman CLI is a Orchestration script written in python to run security scans on the customer's local or CI/CD environment and upload the results to Boman.ai SaaS server.
+Boman CLI is a Orchestration script written in python to run security scans on the local or CI/CD environment and upload the results to Boman.ai SaaS server.
 
 
 # Installation
@@ -12,6 +12,13 @@ Boman CLI is a Orchestration script written in python to run security scans on t
 
 ` boman-cli -h` 
 
+### Authentication of project has been moved from boman.yaml to boman-cli
+
+`boman-cli -a run -at <project token> -ct <customer token>`
+
+To obtain `project token` and `customer token`. Go to SaaS platform. Click on Apps -> app menu of the particular app -> Get Scan Token 
+
+
 ### To test the boman cli server
 
 ` boman-cli -a test-saas`
@@ -53,9 +60,7 @@ Example: boman-cli -a run -config ./customboman.yaml
 Example: boman-cli -a run -zap_session_script ./session.js
 
 
-
-
-# Error codes & meannings
+# Error codes
 
 0  : Successfull scan
 1  : Server/SaaS error
@@ -68,6 +73,10 @@ Example: boman-cli -a run -zap_session_script ./session.js
 
 ### Release Note:
 
+### V2.3.0
+- **New:** The pipeline configuration has been relocated from `boman.yaml` to the SaaS platform. Navigate to **Apps -> App menu -> Configure pipeline** to set it up. The current `boman.yaml` configuration will remain functional until it is officially deprecated.
+
+
 ### V2.2.0
     - New scan added: IaC.
 

{boman-cli-2.2.0 → boman-cli-2.4.0}/boman_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: boman-cli
-Version: 2.2.0
+Version: 2.4.0
 Summary: CLI tool of boman.ai
 Home-page: https://boman.ai
 Author: Sumeru Software Solutions Pvt. Ltd.
@@ -14,7 +14,7 @@ Classifier: Operating System :: OS Independent
 Description-Content-Type: text/markdown
 
 # Introduction 
-Boman CLI is a Orchestration script written in python to run security scans on the customer's local or CI/CD environment and upload the results to Boman.ai SaaS server.
+Boman CLI is a Orchestration script written in python to run security scans on the local or CI/CD environment and upload the results to Boman.ai SaaS server.
 
 
 # Installation
@@ -27,6 +27,13 @@ Boman CLI is a Orchestration script written in python to run security scans on t
 
 ` boman-cli -h` 
 
+### Authentication of project has been moved from boman.yaml to boman-cli
+
+`boman-cli -a run -at <project token> -ct <customer token>`
+
+To obtain `project token` and `customer token`. Go to SaaS platform. Click on Apps -> app menu of the particular app -> Get Scan Token 
+
+
 ### To test the boman cli server
 
 ` boman-cli -a test-saas`
@@ -68,9 +75,7 @@ Example: boman-cli -a run -config ./customboman.yaml
 Example: boman-cli -a run -zap_session_script ./session.js
 
 
-
-
-# Error codes & meannings
+# Error codes
 
 0  : Successfull scan
 1  : Server/SaaS error
@@ -83,6 +88,10 @@ Example: boman-cli -a run -zap_session_script ./session.js
 
 ### Release Note:
 
+### V2.3.0
+- **New:** The pipeline configuration has been relocated from `boman.yaml` to the SaaS platform. Navigate to **Apps -> App menu -> Configure pipeline** to set it up. The current `boman.yaml` configuration will remain functional until it is officially deprecated.
+
+
 ### V2.2.0
     - New scan added: IaC.
 

{boman-cli-2.2.0 → boman-cli-2.4.0}/boman_cli.egg-info/requires.txt

@@ -1,5 +1,6 @@
 coloredlogs<=15.0.1
 docker<=7.0.0
+pyfiglet<=1.0.2
 pyyaml
 requests<=2.31.0
 xmltodict<=0.13.0

{boman-cli-2.2.0 → boman-cli-2.4.0}/bomancli/Config.py

@@ -26,6 +26,7 @@ class Config:
     sast_message = None
     sast_errors = None
     sast_ignore = False
+    sast_ignore_folders_and_files = None
 
     dast_present = None
     dast_target = None
@@ -50,7 +51,7 @@ class Config:
     
     sca_present = None
     sca_lang = None
-    sca_type= None
+    sca_type= "directory"
     sca_target= None
     
     sca_scan_status = None
@@ -58,6 +59,7 @@ class Config:
     sca_message = None
     sca_errors = None
     sca_ignore = False
+    sca_ignore_folders_and_files = None
     sca_exclude_paths=None
 
     app_token = None
@@ -78,7 +80,7 @@ class Config:
     secret_scan_response = None
     # custom_zap_auth_method = False
     # zap_custom_auth_method = 'form'
-    # zap_plan_config = None
+    zap_plan_config = None
     # custom_zap_plan_present = False
     zap_script_config = None
     custom_zap_script_present = False
@@ -118,7 +120,7 @@ class Config:
 
     log_level = "INFO"
 
-    version = 'v2.2.0'
+    version = 'v2.4.0'
 
     boman_config_file = 'boman.yaml'
     
@@ -174,4 +176,14 @@ class Config:
     iac_scan_status=None
     iac_scan_type=None
     iac_scan_target=None
-    iac_valid_exit_status = [0,60,50,40,30,20]
+    iac_valid_exit_status = [0,60,50,40,30,20]
+    
+    #SaaS configured
+    saas_configured = None
+    dast_configuration = None
+    sast_configuration = None
+    sca_configuration = None
+    secret_scan_configuration = None
+    con_scan_configuration = None
+    sbom_configuration = None
+    iac_scan_configuration = None

boman-cli-2.4.0/bomancli/auth.py

@@ -0,0 +1,184 @@
+import requests
+# from base_logger import logging
+# from Config import Config
+from bomancli.base_logger import logging
+from bomancli.Config import Config
+from bomancli import utils as Utils
+import os
+import json 
+
+logging.basicConfig(format='%(asctime)s — %(name)s — %(levelname)s — %(funcName)s:%(lineno)d — %(message)s')
+
+# new authorization which just authorize the cli run using app token and customer token. 
+# This api gets SCA configuration as well to decide which tool to be used (OSV or owasp dependency check)
+def new_authorize():
+    
+    url_new =Config.boman_url+"/api/app/new_authorize"
+    data_new = {'app_token': Config.app_token, 'customer_token': Config.customer_token}
+    headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
+    try:
+        # logging.info(data_new)
+        logging.info("New Authorization: Communicating with SaaS for Authorization")
+        res = requests.post(url_new, json=data_new, headers=headers)
+        # logging.info(res.content)
+        #print('req:', json.dumps(data))
+        #print('res:',json.loads(res.content))
+    except requests.ConnectionError:
+       logging.error("New Authorization: Failed!!! Message: Can't connect to the Server while authorizing, Please check your Internet connection.")
+       exit(1) #server/saas error
+    else:
+        if res.status_code == 200:
+            try:
+                json_response = json.loads(res.content)
+                logging.info("New Authorization: Success!!! Message: Successfully Authorized")
+                # logging.info(json_response)
+            except:
+                logging.info('New Authorization: Failed!!! exit code: 2 (AUTH ERROR) Message: Authorization Failed unable to load json response')
+                exit(2) ##auth error
+            try:
+                sca_configuration = json_response['sca']
+                
+            except:
+                logging.error('New Authorization: Failed!!! exit code: 1 (Server ERROR) Message: Problem occured while authorizing the scan, Please contact boman.ai team') 
+                #uploadLogs() this wont work because the scan is not initated.
+                exit(1) ## server error
+        elif res.status_code == 401:
+            logging.error('New Authorization: Failed!!! exit code: 2 (Server ERROR) Message: Problem occured while authorizing the scan , Please check authorization tokens correct. If you are still facing the same problem.')
+            exit(2) ##auth error
+        else: 
+            logging.error(f'New Authorization: Failed!!! exit code: 2 (Server ERROR) Message: Boman returned status code: {res.status_code}({res.reason})')	       
+            exit(2) ##auth error
+    Config.sca_present = (sca_configuration['configured'])
+    Config.sca_build_dir = os.getcwd()+'/'           
+    if Config.sca_present:
+        Config.sca_type = sca_configuration['type'].lower()
+        Config.sca_target = sca_configuration['target']
+        Config.sca_ignore = True if sca_configuration['ignore_files'].lower() == "true" else False
+        Config.sca_ignore_folders_and_files = sca_configuration['sca_ignore_file_data']
+        if Config.sca_type == "directory":
+            file_present = False     
+            for filename in Config.osv_supported_files:
+                if Config.sca_target is None:
+                    if recursive_file_present_check(Config.sca_build_dir,filename):
+                        file_present =True
+                        Config.sca_target= ""
+                        logging.info(f"New Authorization: Boman has found the dependency file: {filename} in the path: {os.path.join(Config.sca_build_dir,Config.sca_target)}")
+                        break                
+                else:    
+                    if recursive_file_present_check(os.path.join(Config.sca_build_dir,Config.sca_target),filename):
+                        file_present =True
+                        Config.sca_target= os.path.join(Config.sca_target,filename)
+                        logging.info(f"New Authorization: Boman has found the dependency file: {filename} in the path: {os.path.join(Config.sca_build_dir,Config.sca_target)}")
+                        break
+            if file_present:
+                Config.sca_lang ="osv"
+            else:
+                logging.warning(f"New Authorization: Boman has not found the dependency file which OSV supports.")
+                if Config.sca_target is not None:
+                    Config.sca_build_dir = os.path.join(Config.sca_build_dir,Config.sca_target)
+                logging.info(f"New Authorization: build dir: {Config.sca_build_dir} ")
+                Config.sca_lang = "owasp dependency check"
+        elif file_present_check(os.path.join(Config.sca_build_dir,Utils.remove_leading_slash(Config.sca_target))):
+            Config.sca_lang ="osv"
+        else:
+            logging.error(f"New Authorization: No such file found: {os.path.join(Config.sca_build_dir,Utils.remove_leading_slash(Config.sca_target))}")
+            exit(4)
+        
+        logging.info(f"Boman opted for: {Config.sca_lang} scan.")
+        
+                
+               
+
+## function to authorize and get the images form SAAS --------------------------------------------------------
+def authorize():
+    
+    url = Config.boman_url+"/api/app/authorize"
+    
+    if Config.sca_present:
+        if Config.sca_type == "directory":
+            file_present = False     
+            for filename in Config.osv_supported_files:
+                if Config.sca_target is None:
+                    if recursive_file_present_check(Config.sca_build_dir,filename):
+                        file_present =True
+                        Config.sca_target= ""
+                        logging.info(f"Authorization: Boman has found the dependency file: {filename} in the path: {os.path.join(Config.sca_build_dir,Config.sca_target)}")
+                        break                
+                else:    
+                    if recursive_file_present_check(os.path.join(Config.sca_build_dir,Config.sca_target),filename):
+                        file_present =True
+                        Config.sca_target= os.path.join(Config.sca_target,filename)
+                        logging.info(f"Authorization: Boman has found the dependency file: {filename} in the path: {os.path.join(Config.sca_build_dir,Config.sca_target)}")
+                        break
+            if file_present:
+                Config.sca_lang ="osv"
+            else:
+                logging.warning(f"Authorization: Boman has not found the dependency file")
+                if Config.sca_target is not None:
+                    Config.sca_build_dir = os.path.join(Config.sca_build_dir,Config.sca_target)
+                logging.info(f"Authorization: build dir: {Config.sca_build_dir} ")
+                Config.sca_lang = "owasp dependency check"
+        elif file_present_check(os.path.join(Config.sca_build_dir,Utils.remove_leading_slash(Config.sca_target))):
+            Config.sca_lang ="osv"
+        else:
+            logging.error(f"Authorization: Failed!!! Message: No such file found: {os.path.join(Config.sca_build_dir,Utils.remove_leading_slash(Config.sca_target))}")
+            exit(4)
+        
+        logging.info(f"Authorization: Boman opted for: {Config.sca_lang} scan")
+    logging.info('Authorization: Authenticating with boman server')    
+    data = {'app_token': Config.app_token, 'customer_token': Config.customer_token, 'sast':Config.sast_present,"dast":Config.dast_present,"dast_type":Config.dast_type,"dast_auth_enabled":Config.dast_auth_present,"sast_langs":Config.sast_lang,"sca":Config.sca_present,"sca_langs":Config.sca_lang,"sca_scan_type":Config.sca_type,"secret_scan":Config.secret_scan_present,'container_scan': Config.con_scan_present,'container_scan_type': Config.con_scan_type,"sbom":Config.sbom_present,'iac':Config.iac_scan_present}
+    headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
+    # logging.info(data)
+    try:
+        logging.info("Authorization: Communicating with SaaS for Authorization")
+        res = requests.post(url, json=data, headers=headers)
+        #print('req:', json.dumps(data))
+        #print('res:',json.loads(res.content))
+    except requests.ConnectionError:
+       logging.error("Authorization: Failed!!! Message: Can't connect to the Server while authorizing, Please check your Internet connection.")
+       exit(1) #server/saas error
+    else:
+        if res.status_code == 200:
+            try:
+                json_response = json.loads(res.content)
+                logging.info("Authorization: Success!!! Message: Successfully Authorized")
+                # logging.info(json_response)
+            except:
+                logging.info("Authorization: Failed!!!  exit code: 1 (Server ERROR) Message: Problem occured while authorizing the scan, Please contact boman.ai team")
+                exit(1) #Server error
+            try:
+                Config.dast_response = json_response['data']['dast']
+                Config.sast_response = json_response['data']['sast']
+                Config.sca_response = json_response['data']['sca']
+                Config.secret_scan_response = json_response['data']['secret_scan']
+                Config.scan_token = json_response['data']['scan_token']    
+                Config.scan_name = json_response['data']['scan_name']
+                Config.con_scan_response = json_response['data']['cs']
+                Config.sbom_response = json_response['data']['sbom']
+                Config.iac_scan_response = json_response['data']['iac']   
+
+                return 1    
+            except:
+                logging.info("Authorization: Failed!!!  exit code: 1 (Server ERROR) Message: Problem occured while authorizing the scan, Please contact boman.ai team")
+                exit(1) ## server error  
+                    
+
+        elif res.status_code == 401:
+            logging.error('Authorization: Failed!!! Message: Unauthorized Access. Check the tokens')
+            exit(2) ##auth error
+        else: 
+            logging.error(f'Authorization: Failed!!! Message: Boman returned status code: {res.status_code}({res.reason})')	       
+            exit(2) ##auth error
+
+# whether file present in the directory or not
+def recursive_file_present_check(root_dir, file_name):
+    for root, dirs, files in os.walk(root_dir):
+        if file_name in files:
+            return os.path.join(root, file_name)
+    return None
+
+# whether file present in the directory or not
+def file_present_check(filename):
+    if os.path.isfile(filename):
+        return True
+    return False

{boman-cli-2.2.0 → boman-cli-2.4.0}/bomancli/base_logger.py

@@ -1,5 +1,6 @@
 import coloredlogs, logging
 # from Config import Config
+import sys
 
 from bomancli.Config import Config
 
@@ -38,9 +39,15 @@ class LogStream:
 # Set up logging to use our custom stream
 Config.log_stream = LogStream()
 
-logging.basicConfig(stream=Config.log_stream,  
-                level=logging.DEBUG,format='%(asctime)s-%(message)s',
+logging.basicConfig(stream=Config.log_stream,
+                level=logging.DEBUG,format='%(asctime)s — %(name)s — %(levelname)s — %(funcName)s:%(lineno)d — %(message)s',
                 datefmt='%Y-%m-%d %H:%M:%S')
 
 
-coloredlogs.install(level='DEBUG')    
+coloredlogs.install(level='DEBUG',fmt='%(asctime)s  %(name)s  %(levelname)s %(funcName)s:%(lineno)d  %(message)s', level_styles = {
+    'debug': {'color': 'blue'},
+    'info': {'color': 'green'},
+    'warning': {'color': 'yellow'},
+    'error': {'color': 'red', 'bold': True},
+    'critical': {'color': 'red', 'bold': True, 'background': 'white'}
+})