conviso-ast 3.0.0__py3-none-any.whl

convisoappsec/flow/api.py

@@ -0,0 +1,104 @@
+import copy
+import json
+from contextlib import suppress
+from os import SEEK_SET
+from urllib.parse import urljoin
+
+import jsonschema
+import requests
+
+PRODUCTION_API_URL = "https://api.convisoappsec.com"
+STAGING_API_URL = "https://api.staging.convisoappsec.com"
+DEVELOPMENT_API_URL = "http://localhost:3000"
+DEFAULT_API_URL = PRODUCTION_API_URL
+
+
+class RequestsSession(requests.Session):
+
+    def __init__(self, base_url):
+        super().__init__()
+        self.base_url = base_url
+
+    def request(self, method, url, *args, **kwargs):
+        url = urljoin(self.base_url, url)
+
+        return super().request(
+            method, url, *args, **kwargs
+        )
+
+
+class FlowAPIException(Exception):
+    pass
+
+
+class FlowAPIAccessDeniedException(FlowAPIException):
+    pass
+
+
+class DeployNotFoundException(FlowAPIException):
+    pass
+
+
+class DockerRegistry(object):
+    SAST_ENDPOINT = '/auth/public_auth'
+
+    def __init__(self, client):
+        self.client = client
+
+    def get_sast_token(self):
+        session = self.client.requests_session
+        response = session.get(self.SAST_ENDPOINT)
+        response.raise_for_status()
+        return response.text
+
+
+class RESTClient(object):
+
+    def __init__(
+        self,
+        url=STAGING_API_URL,
+        key=None,
+        insecure=False,
+        user_agent=None,
+        ci_provider_name=None
+    ):
+        self.url = url
+        self.insecure = insecure
+        self.key = key
+        self.user_agent = user_agent
+        self.ci_provider_name = ci_provider_name
+
+    @property
+    def requests_session(self):
+        session = RequestsSession(self.url)
+        session.verify = not self.insecure
+
+        session.headers.update({
+            'x-api-key': self.key,
+            'x-flowcli-ci-provider-name': self.ci_provider_name
+        })
+
+        if self.user_agent:
+            user_agent_header = {}
+            name = self.user_agent.get('name')
+            version = self.user_agent.get('version')
+
+            if name and version:
+                user_agent_header_fmt = "{name}/{version}"
+                user_agent_header_content = user_agent_header_fmt.format(
+                    name=name,
+                    version=version,
+                )
+
+                user_agent_header = {
+                    'User-Agent': user_agent_header_content
+                }
+
+            session.headers.update(user_agent_header)
+
+        return session
+
+
+    @property
+    def docker_registry(self):
+        return DockerRegistry(self)

convisoappsec/flow/cleaner.py

@@ -0,0 +1,118 @@
+import subprocess
+import shutil
+import os
+from pathlib import Path
+from typing import List, Optional
+
+
+class RunnerCleanup:
+    """Class to handle CI/CD runner cleanup operations"""
+
+    def __init__(self, temp_dirs: Optional[List[str]] = None):
+        """
+        Initialize cleanup class
+
+        Args:
+            temp_dirs: Optional list of temporary directories to clean
+        """
+        self.temp_dirs = temp_dirs or [
+            "/tmp",
+            "/var/tmp",
+            str(Path.home() / ".cache")
+        ]
+        self.is_runner = self._is_running_in_ci()
+        self._check_requirements()
+
+    def _is_running_in_ci(self) -> bool:
+        """Check if running in a CI/CD environment"""
+        ci_indicators = {
+            'CI': None,
+            'GITLAB_CI': None,
+            'GITHUB_ACTIONS': None,
+            'JENKINS_URL': None,
+            'TRAVIS': None,
+            'CIRCLECI': None,
+            'BUILD_ID': None,
+            'CI_JOB_ID': None,
+            'GITHUB_RUN_ID': None,
+        }
+
+        # Check if any CI-specific environment variable is set
+        for var in ci_indicators:
+            if os.environ.get(var):
+                print(f"Detected CI environment: {var}")
+                return True
+
+        # Additional check for runner-specific variables
+        if os.environ.get('RUNNER_TEMP') or os.environ.get('RUNNER_WORKSPACE'):
+            print("Detected GitHub Actions runner environment")
+            return True
+
+        print("No CI environment detected")
+        return False
+
+    def _run_command(self, command: str) -> Optional[str]:
+        """Execute shell command and return output"""
+
+        try:
+            result = subprocess.run(
+                command,
+                shell=True,
+                check=True,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                text=True
+            )
+            return result.stdout.strip()
+        except subprocess.CalledProcessError as e:
+            print(f"Error executing '{command}': {e.stderr}")
+            return None
+
+    def _check_requirements(self) -> None:
+        """Check system requirements"""
+        if not self._run_command("docker --version"):
+            raise RuntimeError("Docker is not installed or not accessible")
+
+    def get_disk_space(self) -> tuple[float, float, float]:
+        """Get disk space information in GB"""
+        stat = shutil.disk_usage("/")
+        total = stat.total / (1024 ** 3)
+        used = stat.used / (1024 ** 3)
+        free = stat.free / (1024 ** 3)
+        return total, used, free
+
+    def cleanup_docker(self) -> None:
+        """Clean up Docker resources"""
+        commands = [
+            "docker container prune -f",
+            "docker image prune -f",
+            "docker volume prune -f",
+            "docker network prune -f"
+        ]
+
+        for cmd in commands:
+            self._run_command(cmd)
+
+    def cleanup_temp(self) -> None:
+        """Clean up temporary directories"""
+
+        for dir_path in self.temp_dirs:
+            dir_path = Path(dir_path)
+            if not dir_path.exists():
+                continue
+
+            for item in dir_path.iterdir():
+                try:
+                    if item.is_file():
+                        item.unlink()
+                    elif item.is_dir():
+                        shutil.rmtree(item, ignore_errors=True)
+                except Exception as e:
+                    print(f"Failed to remove {item}: {e}")
+
+    def cleanup_all(self):
+        """Perform full cleanup and return before/after disk space stats"""
+        print("Cleaning up ...")
+
+        self.cleanup_docker()
+        self.cleanup_temp()

convisoappsec/flow/graphql_api/beta/client.py

@@ -0,0 +1,18 @@
+
+from convisoappsec.common.graphql.low_client import GraphQLClient
+from convisoappsec.flow.graphql_api.beta.resources_api import IssuesAPI
+
+
+class ConvisoGraphQLClientBeta():
+    DEFAULT_AUTHORIZATION_HEADER_NAME = 'x-api-key'
+
+    def __init__(self, api_url, api_key):
+        headers = {
+            self.DEFAULT_AUTHORIZATION_HEADER_NAME: api_key
+        }
+
+        self.__low_client = GraphQLClient(api_url, headers)
+
+    @property
+    def issues(self):
+        return IssuesAPI(self.__low_client)

convisoappsec/flow/graphql_api/beta/models/issues/container.py

@@ -0,0 +1,72 @@
+from convisoappsec.flow.graphql_api.beta.models.issues.normalize import Normalize
+
+
+class CreateOrUpdateContainerFindingInput:
+    def __init__(
+            self,
+            asset_id,
+            title,
+            description,
+            severity,
+            solution,
+            reference,
+            affected_version,
+            package,
+            cve,
+            patched_version,
+            category,
+            original_issue_id_from_tool
+    ):
+        self.asset_id = asset_id
+        self.title = title
+        self.description = description
+        self.severity = Normalize.normalize_severity(severity)
+        self.solution = solution
+        self.reference = reference
+        self.affected_version = affected_version
+        self.package = package
+        self.patched_version = patched_version
+        self.original_issue_id_from_tool = original_issue_id_from_tool
+        self.category = self.process_field(category)
+        self.cve = self.process_field(cve)
+
+    def to_graphql_dict(self):
+        """
+        This function returns a dictionary containing various attributes of an
+        asset in a GraphQL format.
+        """
+        return {
+            "assetId": int(self.asset_id),
+            "title": self.title,
+            "description": self.description,
+            "severity": self.severity,
+            "solution": self.solution,
+            "reference": self.reference,
+            "affectedVersion": self.affected_version,
+            "package": self.package,
+            "cve": self.cve,
+            "patchedVersion": self.patched_version,
+            "category": self.category,
+            "originalIssueIdFromTool": self.original_issue_id_from_tool
+        }
+
+    @staticmethod
+    def process_field(value):
+        """
+        Processes a field to ensure it is converted into a string.
+
+        - If the value is a list, it joins the items into a comma-separated string.
+        - If the value is a string, it returns the string as is.
+        - If the value is neither a list nor a string, it returns an empty string.
+
+        Args:
+            value (list | str | Any): The value to process.
+
+        Returns:
+            str: The processed string representation of the value.
+        """
+        if isinstance(value, list):
+            return ' , '.join(value)
+        elif isinstance(value, str):
+            return value
+        return ''

convisoappsec/flow/graphql_api/beta/models/issues/iac.py

@@ -0,0 +1,6 @@
+from convisoappsec.flow.graphql_api.beta.models.issues.sast import CreateSastFindingInput
+
+class CreateIacFindingInput(CreateSastFindingInput):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)

convisoappsec/flow/graphql_api/beta/models/issues/normalize.py

@@ -0,0 +1,13 @@
+class Normalize:
+
+    @staticmethod
+    def normalize_severity(severity):
+        """
+        The function normalizes severity by validating and returning a standardized severity level.
+        """
+
+        validate_severity = ["LOW", "MEDIUM", "HIGH", "CRITICAL", "NOTIFICATION"]
+        if severity.upper() in validate_severity:
+            return severity.upper()
+        else:
+            return validate_severity[0]

convisoappsec/flow/graphql_api/beta/models/issues/sast.py

@@ -0,0 +1,53 @@
+from convisoappsec.flow.graphql_api.beta.models.issues.normalize import Normalize
+
+class CreateSastFindingInput:
+    def __init__(
+        self,
+        asset_id,
+        code_snippet,
+        file_name,
+        vulnerable_line,
+        first_line,
+        title,
+        description,
+        severity,
+        reference,
+        category,
+        original_issue_id_from_tool,
+        solution,
+        control_sync_status_id
+    ):
+        self.asset_id = asset_id
+        self.severity = Normalize.normalize_severity(severity)
+        self.title = title
+        self.description = description
+        self.code_snippet = code_snippet
+        self.file_name = file_name
+        self.vulnerable_line = int(vulnerable_line)
+        self.first_line = int(first_line)
+        self.reference = reference
+        self.category = category
+        self.original_issue_id_from_tool = original_issue_id_from_tool
+        self.solution = solution
+        self.control_sync_status_id = control_sync_status_id
+
+    def to_graphql_dict(self):
+        """
+        This function returns a dictionary containing various attributes of an
+        asset in a GraphQL format.
+        """
+        return {
+            "assetId": int(self.asset_id),
+            "severity": self.severity,
+            "title": self.title,
+            "description": self.description,
+            "codeSnippet": self.code_snippet,
+            "fileName": self.file_name,
+            "vulnerableLine": int(self.vulnerable_line),
+            "firstLine": int(self.first_line),
+            "reference": self.reference,
+            "category": str(self.category),
+            "originalIssueIdFromTool": str(self.original_issue_id_from_tool),
+            "solution": str(self.solution),
+            "controlSyncStatusId": str(self.control_sync_status_id)
+        }

convisoappsec/flow/graphql_api/beta/models/issues/sca.py

@@ -0,0 +1,78 @@
+from convisoappsec.flow.graphql_api.beta.models.issues.normalize import Normalize
+
+
+class CreateScaFindingInput:
+    def __init__(
+            self,
+            asset_id,
+            title,
+            description,
+            severity,
+            solution,
+            reference,
+            file_name,
+            affected_version,
+            package,
+            cve,
+            patched_version,
+            category,
+            original_issue_id_from_tool,
+            control_sync_status_id
+    ):
+        self.asset_id = asset_id
+        self.title = title
+        self.description = description
+        self.severity = Normalize.normalize_severity(severity)
+        self.solution = solution
+        self.reference = reference
+        self.file_name = file_name
+        self.affected_version = affected_version
+        self.package = package
+        self.patched_version = patched_version
+        self.original_issue_id_from_tool = original_issue_id_from_tool
+        self.category = self.process_field(category)
+        self.cve = self.process_field(cve)
+        self.control_sync_status_id = control_sync_status_id
+
+    def to_graphql_dict(self):
+        """
+        This function returns a dictionary containing various attributes of an
+        asset in a GraphQL format.
+        """
+        return {
+            "assetId": int(self.asset_id),
+            "title": self.title,
+            "description": self.description,
+            "severity": self.severity,
+            "solution": self.solution,
+            "reference": self.reference,
+            "fileName": self.file_name,
+            "affectedVersion": self.affected_version,
+            "package": self.package,
+            "cve": self.cve,
+            "patchedVersion": self.patched_version,
+            "category": self.category,
+            "originalIssueIdFromTool": self.original_issue_id_from_tool,
+            "controlSyncStatusId": self.control_sync_status_id
+        }
+
+    @staticmethod
+    def process_field(value):
+        """
+        Processes a field to ensure it is converted into a string.
+
+        - If the value is a list, it joins the items into a comma-separated string.
+        - If the value is a string, it returns the string as is.
+        - If the value is neither a list nor a string, it returns an empty string.
+
+        Args:
+            value (list | str | Any): The value to process.
+
+        Returns:
+            str: The processed string representation of the value.
+        """
+        if isinstance(value, list):
+            return ' , '.join(value)
+        elif isinstance(value, str):
+            return value
+        return ''

convisoappsec/flow/graphql_api/beta/resources_api.py

@@ -0,0 +1,142 @@
+import jmespath
+from convisoappsec.flow.graphql_api.beta.models.issues.iac import CreateIacFindingInput
+from convisoappsec.flow.graphql_api.beta.models.issues.sast import CreateSastFindingInput
+from convisoappsec.flow.graphql_api.beta.models.issues.sca import CreateScaFindingInput
+from convisoappsec.flow.graphql_api.beta.models.issues.container import CreateOrUpdateContainerFindingInput
+from convisoappsec.flow.graphql_api.beta.schemas import mutations
+from convisoappsec.flow.graphql_api.v1.schemas import resolvers
+
+
+class IssuesAPI(object):
+    """ To operations on Issues's (aka, findings and vulnerabilities)) in Conviso Platform. """
+
+    def __init__(self, conviso_graphql_client):
+        self.__conviso_graphql_client = conviso_graphql_client
+
+    def create_sast(self, sast_issue_model: CreateSastFindingInput):
+        graphql_variables = {
+            "input": sast_issue_model.to_graphql_dict()
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            mutations.CREATE_SAST_FINDING_INPUT,
+            graphql_variables
+        )
+
+        expected_path = 'createSastFinding.issue'
+
+        issue = jmespath.search(
+            expected_path,
+            graphql_body_response,
+        )
+
+        return issue
+
+    def create_sca(self, sca_issue_model: CreateScaFindingInput):
+        graphql_variables = {
+            "input": sca_issue_model.to_graphql_dict()
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            mutations.CREATE_SCA_FINDING_INPUT,
+            graphql_variables
+        )
+
+        expected_path = 'createScaFinding.issue'
+
+        issue = jmespath.search(
+            expected_path,
+            graphql_body_response,
+        )
+
+        return issue
+
+    def create_iac(self, issue_model: CreateIacFindingInput):
+        graphql_variables = {
+            "input": issue_model.to_graphql_dict()
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            mutations.CREATE_SAST_FINDING_INPUT,
+            graphql_variables
+        )
+
+        expected_path = 'createSastFinding.issue'
+
+        issue = jmespath.search(
+            expected_path,
+            graphql_body_response,
+        )
+
+        return issue
+
+    def create_container(self, container_issue_model: CreateOrUpdateContainerFindingInput):
+        graphql_variables = {
+            "input": container_issue_model.to_graphql_dict()
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            mutations.CREATE_CONTAINER_FINDING_INPUT,
+            graphql_variables
+        )
+
+        expected_path = 'createOrUpdateContainerFinding.issue'
+
+        issue = jmespath.search(
+            expected_path,
+            graphql_body_response,
+        )
+
+        return issue
+
+    def auto_close_vulnerabilities(self, company_id, asset_id, statuses, page=1, vulnerability_type=None):
+        """ entry point for auto closing vulnerabilities on conviso platform """
+        if vulnerability_type is None:
+            vulnerability_type = ['SAST_FINDING', 'SCA_FINDING']
+
+        graphql_variables = {
+            'company_id': company_id,
+            'asset_id': asset_id,
+            'page': page,
+            'per_page': 100,
+            'statuses': statuses,
+            'failure_types': vulnerability_type
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            resolvers.GET_ISSUES_FINGERPRINT,
+            graphql_variables
+        )
+
+        expected_path = 'issues'
+
+        issues = jmespath.search(
+            expected_path,
+            graphql_body_response
+        )
+
+        return issues
+
+    def update_issue_status(self, issue_id, status, reason, control_sync_status_id):
+        """ Update issue status on conviso platform """
+
+        graphql_variables = {
+            'issueId': issue_id,
+            'status': status,
+            'reason': reason,
+            'controlSyncStatusId': control_sync_status_id
+        }
+
+        graphql_body_response = self.__conviso_graphql_client.execute(
+            mutations.UPDATE_ISSUE_STATUS,
+            graphql_variables
+        )
+
+        expected_path = 'changeIssueStatus.issue'
+
+        issue = jmespath.search(
+            expected_path,
+            graphql_body_response,
+        )
+
+        return issue

convisoappsec/flow/graphql_api/beta/schemas/mutations/__init__.py

@@ -0,0 +1,61 @@
+CREATE_SAST_FINDING_INPUT = """
+mutation createSastFinding($input: CreateSastFindingInput!) {
+  createSastFinding(input: $input) {
+    issue {
+      id
+    }
+  }
+}
+"""
+
+CREATE_SCA_FINDING_INPUT = """
+mutation createScaFinding($input: CreateScaFindingInput!) {
+    createScaFinding(input: $input) {
+        issue {
+            id
+        }
+    }
+}
+"""
+
+CREATE_IAC_FINDING_INPUT = """
+mutation createOrUpdateIacFinding($input: CreateOrUpdateSastFindingInput!) {
+    createOrUpdateIacFinding(input: $input) {
+        issue {
+            id
+        }
+    }
+}
+"""
+
+CREATE_CONTAINER_FINDING_INPUT = """
+mutation createOrUpdateContainerFinding($input: CreateOrUpdateContainerFindingInput!) {
+    createOrUpdateContainerFinding(input: $input) {
+        issue {
+            id
+        }
+    }
+}
+"""
+
+UPDATE_ISSUE_STATUS = """
+mutation (
+  $issueId: ID!,
+  $status: IssueStatusLabel!,
+  $reason: String
+  $controlSyncStatusId: ID
+) {
+  changeIssueStatus (
+    input: {
+      id: $issueId
+      status: $status
+      reason: $reason
+      controlSyncStatusId: $controlSyncStatusId
+    }
+  ) {
+    issue {
+      id
+    }
+  }
+}
+"""