code-audit-23 0.1.1__py3-none-any.whl

code_audit_23/sonarqube_cli.py

@@ -0,0 +1,292 @@
+import json
+import os
+import platform
+import shutil
+import stat
+import subprocess
+import sys
+import tarfile
+import time
+import urllib.request
+import zipfile
+from pathlib import Path
+
+import click
+
+try:
+    from .logger import logger
+except ImportError:
+    from logger import logger
+
+# Cache folder for downloaded JRE
+CACHE_DIR = Path.home() / ".audit_scan"
+JRE_DIR = CACHE_DIR / "jre"
+JRE_DIR.mkdir(parents=True, exist_ok=True)
+
+
+def find_java():
+    """Check system java or JAVA_HOME"""
+    logger.debug("Looking for Java installation")
+    java_path = shutil.which("java")
+    if java_path:
+        logger.debug(f"Found Java at: {java_path}")
+        return java_path
+
+    java_home = os.environ.get("JAVA_HOME")
+    if java_home:
+        java_bin = Path(java_home) / "bin" / ("java.exe" if os.name == "nt" else "java")
+        if java_bin.exists():
+            logger.debug(f"Found Java in JAVA_HOME: {java_bin}")
+            return str(java_bin)
+
+    logger.warning("Java not found in PATH or JAVA_HOME")
+    return None
+
+
+def download_jre():
+    """Download minimal JRE into cache folder"""
+    system = platform.system().lower()
+    dest = None
+
+    # Get the machine architecture (e.g., 'x86_64', 'arm64')
+    arch = platform.machine()
+    os = (
+        "macos"
+        if system == "darwin"
+        else ("windows" if system == "windows" else "linux")
+    )
+    ext = "zip" if system != "linux" else "tar.gz"
+    zulu_url = f"https://api.azul.com/zulu/download/community/v1.0/bundles/latest?os={os}&arch={arch}&ext={ext}&bundle_type=jre&java_version=17"
+    try:
+        with urllib.request.urlopen(zulu_url) as r:
+            data = json.load(r)
+            url = data["url"]
+    except Exception as exc:
+        error_msg = f"Failed to fetch JRE metadata: {exc}"
+        logger.exception(error_msg)
+        raise RuntimeError(error_msg) from exc
+
+    if "windows" in system:
+        dest = CACHE_DIR / "jre.zip"
+    elif "darwin" in system:
+        dest = CACHE_DIR / "jre.zip"
+    else:  # linux
+        dest = CACHE_DIR / "jre.tar.gz"
+
+    try:
+        print(f"🌐 Downloading JRE from {url} ...")
+        urllib.request.urlretrieve(url, dest)
+    except Exception as exc:
+        error_msg = f"Failed to download JRE archive: {exc}"
+        logger.exception(error_msg)
+        raise RuntimeError(error_msg) from exc
+
+    try:
+        # Extract
+        if dest.suffix == ".zip":
+            with zipfile.ZipFile(dest, "r") as zip_ref:
+                zip_ref.extractall(JRE_DIR)
+        else:
+            with tarfile.open(dest, "r:gz") as tar_ref:
+                tar_ref.extractall(JRE_DIR)
+    except Exception as exc:
+        error_msg = f"Failed to extract JRE archive: {exc}"
+        logger.exception(error_msg)
+        raise RuntimeError(error_msg) from exc
+    finally:
+        if dest.exists():
+            try:
+                dest.unlink()
+            except Exception as unlink_exc:
+                logger.warning(
+                    f"Could not remove temporary JRE archive {dest}: {unlink_exc}"
+                )
+
+    # Ensure the extracted java binaries are executable (particularly for zip archives)
+    try:
+        for jre_root in sorted([d for d in JRE_DIR.iterdir() if d.is_dir()]):
+            bin_dir = jre_root / "bin"
+            if bin_dir.exists():
+                for binary in bin_dir.iterdir():
+                    if binary.is_file():
+                        current_mode = binary.stat().st_mode
+                        binary.chmod(
+                            current_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
+                        )
+    except Exception as exc:
+        error_msg = f"Failed to set executable permissions on JRE binaries: {exc}"
+        logger.exception(error_msg)
+        raise RuntimeError(error_msg) from exc
+
+    print(f"✅ JRE installed to {JRE_DIR}")
+
+
+def get_jre_bin():
+    """Return path to java binary"""
+    java_bin = find_java()
+    if java_bin:
+        return java_bin
+
+    # Download and find inside extracted folder
+    java_filename = "java.exe" if os.name == "nt" else "java"
+    subdirs = [
+        d
+        for d in JRE_DIR.iterdir()
+        if d.is_dir() and (d / "bin" / java_filename).exists()
+    ]
+    if not subdirs:
+        download_jre()
+        subdirs = [
+            d
+            for d in JRE_DIR.iterdir()
+            if d.is_dir() and (d / "bin" / java_filename).exists()
+        ]
+    if not subdirs:
+        raise RuntimeError("JRE download failed or empty.")
+    java_bin = subdirs[0] / "bin" / java_filename
+    if not java_bin.exists():
+        raise RuntimeError(f"Java binary not found in {java_bin}")
+    return str(java_bin)
+
+
+def get_scanner_path():
+    """Return path to sonar-scanner bundled folder"""
+    if getattr(sys, "frozen", False):
+        base_path = Path(sys._MEIPASS)
+    else:
+        base_path = Path(__file__).parent
+
+    # Assume a 'sonar-scanner' folder is next to CLI
+    scanner_bin = (
+        base_path
+        / "sonar-scanner"
+        / "bin"
+        / ("sonar-scanner.bat" if os.name == "nt" else "sonar-scanner")
+    )
+    if not scanner_bin.exists():
+        raise FileNotFoundError(f"SonarScanner binary not found: {scanner_bin}")
+    return scanner_bin
+
+
+def run_sonarqube_scan(sonar_url, token, project_key, sources):
+    project_root = Path(sources).resolve()
+    if not project_root.exists():
+        click.echo("❌ Source directory not found.")
+        sys.exit(1)
+
+    project_name = project_root.name
+    project_key = project_key or project_name
+    click.echo(f"🔍 Starting SonarQube scan for project: {project_key}")
+
+    # Create temporary sonar-project.properties if not exists
+    temp_props = None
+    props_file = project_root / "sonar-project.properties"
+    if not props_file.exists():
+        temp_props = props_file
+        temp_props.write_text(
+            f"""
+sonar.projectKey={project_key}
+sonar.projectName={project_name}
+sonar.sources={sources}
+        """.strip()
+        )
+        click.echo("📝 Created temporary sonar-project.properties")
+
+    # Get scanner and Java paths
+    scanner_bin = get_scanner_path()
+    java_bin = get_jre_bin()
+    java_home = str(Path(java_bin).parent.parent)
+
+    env = os.environ.copy()
+    env["JAVA_HOME"] = java_home
+    env["PATH"] = f"{Path(java_bin).parent}:{env.get('PATH', '')}"
+
+    # # Ensure URL and token are properly formatted
+    # sonar_url = sonar_url or SONAR_HOST_URL
+    # token = token or SONAR_LOGIN
+
+    # if not sonar_url or sonar_url == SONAR_HOST_URL:
+    #     click.echo(f"⚠️  Using default SonarQube URL: {SONAR_HOST_URL}")
+    if not token:
+        error_msg = "No SonarQube token provided. Please set SONAR_LOGIN in your .env file or use --token"
+        logger.error(error_msg)
+        click.echo(f"❌ {error_msg}")
+        sys.exit(1)
+
+    env["SONAR_HOST_URL"] = sonar_url.rstrip("/")
+    env["SONAR_TOKEN"] = token.strip()
+    logger.debug("SonarQube configuration verified")
+
+    # Prepare SARIF report paths
+    reports_dir = project_root / "reports"
+
+    # Check which report files exist
+    report_files = [
+        "gitleaks.sarif",
+        "trivy.sarif",
+        "bandit.sarif",
+        "eslint.sarif",
+        "checkov.sarif",
+    ]
+
+    # Find existing report files
+    existing_reports = [f for f in report_files if (reports_dir / f).exists()]
+
+    # Build sonar-scanner command
+    scanner_cmd = [str(scanner_bin), "-Dsonar.verbose=false"]
+    # scanner_cmd = [str(scanner_bin)]
+
+    # Add SARIF reports if any exist
+    if existing_reports:
+        sarif_paths = [f"reports/{report}" for report in existing_reports]
+        sarif_arg = "-Dsonar.sarifReportPaths=" + ",".join(sarif_paths)
+        scanner_cmd.append(sarif_arg)
+        click.echo(f"📊 Including SARIF reports: {', '.join(existing_reports)}")
+
+    click.echo("🚀 Starting SonarScanner...")
+    try:
+        # Start the subprocess and stream logs in real-time
+        process = subprocess.Popen(
+            scanner_cmd,
+            cwd=project_root,
+            env=env,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            text=True,
+            bufsize=1,
+        )
+
+        click.echo("🔍 Scanning code (streaming Sonar logs)...")
+        streamed_output = []
+        assert process.stdout is not None
+        for line in process.stdout:
+            streamed_output.append(line)
+            click.echo(line.rstrip())
+
+        process.wait()
+
+        # Check the return code
+        if process.returncode != 0:
+            raise subprocess.CalledProcessError(
+                process.returncode, process.args, output="".join(streamed_output)
+            )
+        click.echo("✅ Sonar scan completed successfully!")
+        click.echo(f"👉 View results: {sonar_url}/dashboard?id={project_key}")
+
+    except subprocess.CalledProcessError as e:
+        error_msg = f"Sonar scan failed with exit code {e.returncode}"
+        logger.error(error_msg)
+        click.echo("❌ Sonar scan failed!")
+        click.echo(f"Exit code: {e.returncode}")
+        sys.exit(1)
+
+    except Exception as e:
+        error_msg = f"Unexpected error during Sonar scan: {str(e)}"
+        logger.exception(error_msg)
+        click.echo(f"❌ {error_msg}")
+        sys.exit(1)
+
+    finally:
+        if temp_props and temp_props.exists():
+            temp_props.unlink()
+            click.echo("🧹 Cleaned up temporary sonar-project.properties")

code_audit_23/trivy_cli.py

@@ -0,0 +1,302 @@
+import os
+import platform
+import shutil
+import stat
+import subprocess
+import tarfile
+import tempfile
+import urllib.request
+import zipfile
+from pathlib import Path
+
+try:
+    from .logger import logger
+except ImportError:
+    from logger import logger
+
+
+def find_trivy():
+    """
+    Check system for Trivy installation.
+
+    Returns:
+        str: Path to trivy executable if found, None otherwise
+    """
+    logger.debug("Looking for Trivy installation")
+
+    # Check for trivy in PATH first (works on both Windows and Unix-like systems)
+    trivy_path = shutil.which("trivy")
+    if trivy_path:
+        logger.debug(f"Found Trivy in PATH: {trivy_path}")
+        return trivy_path
+
+    # Platform-specific checks
+    if os.name == "nt":  # Windows
+        # Common Windows installation paths
+        windows_paths = [
+            os.path.expandvars("$ProgramFiles\\Aqua Security\\Trivy\\trivy.exe"),
+            os.path.expandvars("$ProgramFiles(x86)\\Aqua Security\\Trivy\\trivy.exe"),
+            os.path.expandvars("$LOCALAPPDATA\\aquasec\\trivy\\trivy.exe"),
+            os.path.expandvars(
+                "$USERPROFILE\\scoop\\shims\\trivy.exe"
+            ),  # Scoop package manager
+            os.path.expandvars(
+                "$USERPROFILE\\AppData\\Local\\Microsoft\\WindowsApps\\trivy.exe"
+            ),
+        ]
+
+        for path in windows_paths:
+            if os.path.isfile(path):
+                logger.debug(f"Found Trivy at Windows location: {path}")
+                return path
+    else:  # Unix-like systems (Linux, macOS)
+        # Common Unix installation paths
+        unix_paths = [
+            "/usr/local/bin/trivy",
+            "/usr/bin/trivy",
+            "/opt/homebrew/bin/trivy",  # Homebrew on macOS (Apple Silicon)
+            "/usr/local/opt/trivy/bin/trivy",  # Homebrew on macOS
+            "/snap/bin/trivy",  # Snap package
+            os.path.expanduser("~/.local/bin/trivy"),  # Local user installation
+            "/opt/trivy/trivy",  # Manual installation
+        ]
+
+        for path in unix_paths:
+            if os.path.isfile(path) and os.access(path, os.X_OK):
+                logger.debug(f"Found Trivy at: {path}")
+                return path
+
+    # Check for TRIVY_INSTALL_DIR environment variable as a fallback
+    trivy_install_dir = os.environ.get("TRIVY_INSTALL_DIR")
+    if trivy_install_dir:
+        trivy_bin = Path(trivy_install_dir) / "trivy" + (
+            ".exe" if os.name == "nt" else ""
+        )
+        if trivy_bin.exists() and (os.name == "nt" or os.access(trivy_bin, os.X_OK)):
+            logger.debug(f"Found Trivy in TRIVY_INSTALL_DIR: {trivy_bin}")
+            return str(trivy_bin)
+
+    logger.warning("Trivy not found in PATH or common installation locations")
+    return None
+
+
+def install_trivy():
+    """Install Trivy based on the current operating system.
+
+    Returns:
+        str: Path to the installed trivy binary if successful, None otherwise
+    """
+
+    system = platform.system().lower()
+    machine = platform.machine().lower()
+
+    # Map platform to Trivy's release assets
+    platform_map = {
+        "darwin": {"x86_64": "macOS-64bit.tar.gz", "arm64": "macOS-ARM64.tar.gz"},
+        "linux": {
+            "x86_64": "Linux-64bit.tar.gz",
+            "arm64": "Linux-ARM64.tar.gz",
+            "armv6": "Linux-ARM.tar.gz",
+            "armv7": "Linux-ARM.tar.gz",
+        },
+        "windows": {
+            "amd64": "Windows-64bit.zip",
+            "x86_64": "Windows-64bit.zip",
+            "x86": "Windows-32bit.zip",
+        },
+    }
+
+    # Get the appropriate asset name
+    try:
+        asset = platform_map.get(system, {}).get(machine)
+        if not asset:
+            logger.error(f"Unsupported platform: {system} {machine}")
+            return None
+
+        trivy_version = "0.49.0"  # You might want to make this configurable
+        download_url = f"https://github.com/aquasecurity/trivy/releases/download/v{trivy_version}/trivy_{trivy_version}_{asset}"
+
+        logger.info(f"Downloading Trivy {trivy_version} for {system} {machine}...")
+        logger.debug(f"Download URL: {download_url}")
+
+        # Create temp directory for download
+        with tempfile.TemporaryDirectory() as temp_dir:
+            temp_dir_path = Path(temp_dir)
+            download_path = temp_dir_path / f"trivy_{asset}"
+
+            # Download the file
+            try:
+                urllib.request.urlretrieve(download_url, download_path)
+                logger.debug(f"Downloaded to: {download_path}")
+            except Exception as e:
+                logger.error(f"Failed to download Trivy: {e}")
+                return None
+
+            # Extract the archive
+            extract_dir = temp_dir_path / "extracted"
+            extract_dir.mkdir(exist_ok=True)
+
+            try:
+                if asset.endswith(".zip"):
+                    with zipfile.ZipFile(download_path, "r") as zip_ref:
+                        zip_ref.extractall(extract_dir)
+                else:  # .tar.gz
+                    with tarfile.open(download_path, "r:gz") as tar_ref:
+                        tar_ref.extractall(extract_dir)
+            except Exception as e:
+                logger.error(f"Failed to extract Trivy: {e}")
+                return None
+
+            # Find the trivy binary in the extracted files
+            trivy_bin = None
+            for ext in ("", ".exe"):
+                bin_name = f"trivy{ext}"
+                bin_path = extract_dir / bin_name
+                if bin_path.exists():
+                    trivy_bin = bin_path
+                    break
+                # Check in subdirectories (common in tar.gz)
+                for sub_path in extract_dir.rglob(bin_name):
+                    trivy_bin = sub_path
+                    break
+
+                if trivy_bin:
+                    break
+
+            if not trivy_bin or not trivy_bin.exists():
+                logger.error("Could not find trivy binary in the downloaded package")
+                return None
+
+            # Make the binary executable on Unix-like systems
+            if system != "windows":
+                trivy_bin.chmod(trivy_bin.stat().st_mode | stat.S_IEXEC)
+
+            # Determine installation directory
+            if system == "windows":
+                install_dir = Path.home() / "AppData" / "Local" / "aquasec" / "trivy"
+                install_dir.mkdir(parents=True, exist_ok=True)
+                install_path = install_dir / "trivy.exe"
+            else:
+                # Try system-wide installation first
+                system_bin = Path("/usr/local/bin")
+                if os.access(system_bin.parent, os.W_OK):
+                    install_dir = system_bin
+                    install_path = install_dir / "trivy"
+                else:
+                    # Fall back to user's local bin
+                    install_dir = Path.home() / ".local" / "bin"
+                    install_dir.mkdir(parents=True, exist_ok=True)
+                    install_path = install_dir / "trivy"
+
+            # Move the binary to the installation directory
+            shutil.move(str(trivy_bin), str(install_path))
+
+            # Add to PATH if not already there
+            bin_dir = str(install_dir)
+            path = os.environ.get("PATH", "")
+            if bin_dir not in path.split(os.pathsep):
+                logger.info(f"Adding {bin_dir} to PATH")
+                os.environ["PATH"] = f"{bin_dir}{os.pathsep}{path}"
+                # You might want to add this to the user's shell profile
+                # but that's more involved and platform-specific
+
+            logger.info(f"Successfully installed Trivy to {install_path}")
+            return str(install_path)
+
+    except Exception as e:
+        logger.error(f"Error installing Trivy: {e}", exc_info=True)
+        return None
+
+
+def run_trivy_scan(report_path, target_path=".", install_if_missing=True, timeout=900):
+    """Run a Trivy security scan on the specified directory.
+
+    Args:
+        report_path (str): Path where the SARIF report will be saved
+        target_path (str, optional): Path to scan. Defaults to current directory.
+        install_if_missing (bool, optional): Whether to install Trivy if not found. Defaults to True.
+        timeout (int, optional): Maximum time in seconds to wait for the scan to complete. Defaults to 300s.
+
+    Returns:
+        bool: True if scan completed successfully, False otherwise
+    """
+    trivy_path = find_trivy()
+
+    # If Trivy not found, try to install it if allowed
+    if not trivy_path and install_if_missing:
+        logger.info("Trivy not found. Attempting to install...")
+        trivy_path = install_trivy()
+        if not trivy_path:
+            logger.error("Failed to install Trivy. Please install it manually.")
+            return False
+    elif not trivy_path:
+        logger.error("Trivy not found and automatic installation is disabled.")
+        return False
+
+    # Ensure target path exists
+    target_path = Path(target_path).absolute()
+    if not target_path.exists():
+        logger.error(f"Target path does not exist: {target_path}")
+        return False
+
+    # Ensure report directory exists
+    report_path = Path(report_path).absolute()
+    report_path.parent.mkdir(parents=True, exist_ok=True)
+
+    # # Prepare the command
+    # cmd = [
+    #     str(trivy_path),
+    #     "--cache-dir", str(Path.home() / ".cache" / "trivy"),
+    #     "--security-checks", "vuln,config,secret",
+    #     "--severity", "CRITICAL,HIGH,MEDIUM,LOW",
+    #     "--format", "sarif",
+    #     "--output", str(report_path),
+    #     "--exit-code", "0",  # Don't fail on findings, we'll handle that from the report
+    #     "--quiet",  # Only show progress in debug mode
+    #     "--no-progress",  # Disable progress bar
+    #     str(target_path)
+    # ]
+    #
+    cmd = [
+        trivy_path,  # Use the full path to trivy
+        "repository",
+        "--format",
+        "sarif",
+        "--output",
+        str(report_path),
+        str(target_path),
+    ]
+
+    try:
+        result = subprocess.run(
+            cmd,
+            check=False,  # We'll handle the return code ourselves
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+
+        # Log the output
+        if result.stdout:
+            logger.debug(f"Trivy output:\n{result.stdout}")
+        if result.stderr:
+            logger.debug(f"Trivy stderr:\n{result.stderr}")
+
+        # Check if the scan completed successfully
+        if result.returncode != 0:
+            logger.error(f"Trivy scan failed with exit code {result.returncode}")
+            if result.stderr:
+                logger.error(f"Error: {result.stderr.strip()}")
+            return False
+
+        logger.info(
+            f"Trivy scan completed successfully. Report saved to: {report_path}"
+        )
+        return True
+
+    except subprocess.TimeoutExpired:
+        logger.error(f"Trivy scan timed out after {timeout} seconds")
+        return False
+    except Exception as e:
+        logger.error(f"Error running Trivy scan: {str(e)}", exc_info=True)
+        return False