conviso-cli 2.2.12.dev0__tar.gz → 2.2.13rc0__tar.gz

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: conviso-cli
-Version: 2.2.12.dev0
+Version: 2.2.13rc0
 Summary: UNKNOWN
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/conviso_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: conviso-cli
-Version: 2.2.12.dev0
+Version: 2.2.13rc0
 Summary: UNKNOWN
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/conviso_cli.egg-info/SOURCES.txt

@@ -75,6 +75,9 @@ convisoappsec/flowcli/ast/__init__.py
 convisoappsec/flowcli/ast/entrypoint.py
 convisoappsec/flowcli/companies/__init__.py
 convisoappsec/flowcli/companies/ls.py
+convisoappsec/flowcli/container/__init__.py
+convisoappsec/flowcli/container/entrypoint.py
+convisoappsec/flowcli/container/run.py
 convisoappsec/flowcli/deploy/__init__.py
 convisoappsec/flowcli/deploy/entrypoint.py
 convisoappsec/flowcli/deploy/ls.py

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flow/graphql_api/beta/models/issues/sast.py

@@ -14,6 +14,7 @@ class CreateSastFindingInput:
         commit_ref,
         deploy_id,
         reference,
+        category,
         original_issue_id_from_tool,
     ):
         self.asset_id = asset_id
@@ -25,6 +26,7 @@ class CreateSastFindingInput:
         self.vulnerable_line = int(vulnerable_line)
         self.first_line = int(first_line)
         self.reference = reference
+        self.category = category
         self.original_issue_id_from_tool = original_issue_id_from_tool
 
         self.commit_ref = commit_ref
@@ -47,5 +49,6 @@ class CreateSastFindingInput:
             "reference": self.reference,
             "commitRef": self.commit_ref,
             "deployId": str(self.deploy_id),
+            "category": str(self.category),
             "originalIssueIdFromTool": str(self.original_issue_id_from_tool)
         }

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flow/graphql_api/beta/models/issues/sca.py

@@ -15,6 +15,7 @@ class CreateScaFindingInput:
             package,
             cve,
             patched_version,
+            category,
             original_issue_id_from_tool
     ):
         self.asset_id = asset_id
@@ -28,13 +29,8 @@ class CreateScaFindingInput:
         self.package = package
         self.patched_version = patched_version
         self.original_issue_id_from_tool = original_issue_id_from_tool
-
-        if type(cve) is list:
-            self.cve = ' , '.join(cve)
-        elif type(cve) is str:
-            self.cve = cve
-        else:
-            self.cve = ""
+        self.category = self.process_field(category)
+        self.cve = self.process_field(cve)
 
     def to_graphql_dict(self):
         """
@@ -53,5 +49,27 @@ class CreateScaFindingInput:
             "package": self.package,
             "cve": self.cve,
             "patchedVersion": self.patched_version,
+            "category": self.category,
             "originalIssueIdFromTool": self.original_issue_id_from_tool
         }
+
+    @staticmethod
+    def process_field(value):
+        """
+        Processes a field to ensure it is converted into a string.
+
+        - If the value is a list, it joins the items into a comma-separated string.
+        - If the value is a string, it returns the string as is.
+        - If the value is neither a list nor a string, it returns an empty string.
+
+        Args:
+            value (list | str | Any): The value to process.
+
+        Returns:
+            str: The processed string representation of the value.
+        """
+        if isinstance(value, list):
+            return ' , '.join(value)
+        elif isinstance(value, str):
+            return value
+        return ''

conviso-cli-2.2.13rc0/convisoappsec/flowcli/container/__init__.py

@@ -0,0 +1,3 @@
+from .entrypoint import container
+
+__all__ = ['container']

conviso-cli-2.2.13rc0/convisoappsec/flowcli/container/entrypoint.py

@@ -0,0 +1,17 @@
+import click
+
+from convisoappsec.flowcli import help_option
+from .run import run
+
+
+@click.group()
+@help_option
+def container():
+    pass
+
+
+container.add_command(run)
+
+container.epilog = '''
+  Run conviso container COMMAND --help for more information on a command.
+'''

conviso-cli-2.2.13rc0/convisoappsec/flowcli/container/run.py

@@ -0,0 +1,179 @@
+import traceback
+
+import click
+import json
+import subprocess
+from convisoappsec.flowcli import help_option
+from convisoappsec.flowcli.context import pass_flow_context
+from convisoappsec.flowcli.common import asset_id_option
+from convisoappsec.flow.graphql_api.beta.models.issues.sca import CreateScaFindingInput
+from convisoappsec.common.graphql.errors import ResponseError
+from convisoappsec.common.retry_handler import RetryHandler
+from convisoappsec.logger import LOGGER, log_and_notify_ast_event
+from convisoappsec.flowcli.requirements_verifier import RequirementsVerifier
+from copy import deepcopy as clone
+from convisoappsec.flowcli.common import (
+    asset_id_option,
+    on_http_error,
+    project_code_option,
+)
+
+
+@click.command()
+@project_code_option(
+    help="Not required when --no-send-to-flow option is set",
+    required=False
+)
+@asset_id_option(required=False)
+@click.option(
+    '-r',
+    '--repository-dir',
+    default=".",
+    show_default=True,
+    type=click.Path(
+        exists=True,
+        resolve_path=True,
+    ),
+    required=False,
+    help="The source code repository directory.",
+)
+@click.option(
+    "--send-to-flow/--no-send-to-flow",
+    default=True,
+    show_default=True,
+    required=False,
+    hidden=True,
+    help="""Enable or disable the ability of send analysis result
+    reports to flow. When --send-to-flow option is set the --project-code
+    option is required""",
+)
+@click.option(
+    "--company-id",
+    required=False,
+    envvar=("CONVISO_COMPANY_ID", "FLOW_COMPANY_ID"),
+    help="Company ID on Conviso Platform",
+)
+@click.option(
+    '--asset-name',
+    required=False,
+    envvar=("CONVISO_ASSET_NAME", "FLOW_ASSET_NAME"),
+    help="Provides a asset name.",
+)
+@click.option(
+    '--vulnerability-auto-close',
+    default=False,
+    is_flag=True,
+    hidden=True,
+    help="Enable auto fixing vulnerabilities on cp.",
+)
+@click.argument('image_name')
+@help_option
+@pass_flow_context
+@click.pass_context
+def run(
+        context, flow_context, project_code, asset_id, company_id, repository_dir, send_to_flow, asset_name, vulnerability_auto_close, image_name,
+
+):
+    """ Run command for container vulnerability scan focused on OS vulnerabilities """
+    context.params['company_id'] = company_id if company_id is not None else None
+    prepared_context = RequirementsVerifier.prepare_context(clone(context))
+
+    params_to_copy = [
+        'asset_id', 'send_to_flow', 'asset_name', 'vulnerability_auto_close', 'project_code', 'repository_dir'
+    ]
+
+    for param_name in params_to_copy:
+        context.params[param_name] = (
+                locals()[param_name] or prepared_context.params[param_name]
+        )
+
+    log_func("💬 Preparing to initiate container scanning...")
+
+    scan_command = f"trivy image --pkg-types os --format json --output result.json {image_name}"
+
+    asset_id = context.params['asset_id']
+    company_id = context.params['company_id']
+
+    try:
+        log_func(f"🔧 Scanning image {image_name} ...")
+        run_command(scan_command)
+        log_func("✅ Scan completed successfully.")
+        conviso_api = flow_context.create_conviso_api_client_beta()
+        process_result(conviso_api, flow_context, asset_id, company_id)
+    except Exception as error:
+        log_func(f"❌ Scan failed: {error}")
+
+
+def run_command(command):
+    """
+    Runs a shell command and logs its execution.
+    """
+    result = subprocess.run(command, shell=True, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+    return result
+
+def process_result(conviso_api, flow_context, asset_id, company_id):
+    """
+    Process and send result to conviso platform.
+    """
+    log_func("🔧 Processing results ...")
+    result_file = "result.json"
+
+    try:
+        with open(result_file, 'r') as file:
+            scan_results = json.load(file)
+
+        log_func("✅ Results parsed successfully.")
+
+        results = scan_results.get("Results", [])
+        if results and isinstance(results, list) and len(results) > 0:
+            vulnerabilities = results[0].get("Vulnerabilities", [])
+        else:
+            vulnerabilities = []
+
+        if vulnerabilities:
+            log_func(f"🔍 Found {len(vulnerabilities)} vulnerabilities.")
+
+            for vulnerability in vulnerabilities:
+                issue_model = CreateScaFindingInput(
+                    asset_id=asset_id,
+                    title=vulnerability.get("Title", ""),
+                    description=vulnerability.get("Description", ""),
+                    severity=vulnerability.get("Severity", ""),
+                    solution="Use latest image version",
+                    reference=parse_conviso_references(vulnerability.get("References", [])),
+                    file_name=vulnerability.get("SeveritySource", ""),
+                    affected_version=vulnerability.get("InstalledVersion", ""),
+                    package=vulnerability.get("PkgName", ""),
+                    cve=vulnerability.get("VulnerabilityID", ""),
+                    patched_version=None,
+                    original_issue_id_from_tool=vulnerability.get("PkgIdentifier", "").get("UID", "")
+                )
+
+                try:
+                    conviso_api.issues.create_sca(issue_model)
+                except ResponseError as error:
+                    if error.code == 'RECORD_NOT_UNIQUE':
+                        continue
+
+                continue
+        else:
+            log_func("✅ No vulnerabilities found.")
+
+    except FileNotFoundError:
+        log_func(f"❌ {result_file} not found. Ensure the scan was successful.")
+    except json.JSONDecodeError:
+        log_func(f"❌ Failed to parse {result_file}. Ensure it is valid JSON.")
+    except Exception as error:
+        full_trace = traceback.format_exc()
+        log_func(f"❌ An error occurred while processing results: {full_trace}")
+
+
+def parse_conviso_references(references):
+    DIVIDER = "\n"
+
+    return DIVIDER.join(references)
+
+
+def log_func(msg, new_line=True):
+    click.echo(click.style(msg), nl=new_line, err=True)

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flowcli/entrypoint.py

@@ -19,6 +19,7 @@ from .sca import sca
 from .vulnerability import vulnerability
 from .assets import assets
 from .sbom import sbom
+from .container import container
 
 click_log.basic_config(LOGGER)
 
@@ -107,6 +108,7 @@ cli.add_command(ast)
 cli.add_command(iac)
 cli.add_command(assets)
 cli.add_command(sbom)
+cli.add_command(container)
 
 cli.epilog = '''
   Run conviso COMMAND --help for more information on a command.

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flowcli/iac/run.py

@@ -189,6 +189,7 @@ def deploy_results_to_conviso_beta(
                         reference=parse_conviso_references(issue.get("reference", "")),
                         first_line=parse_first_line_number(issue.get("code_snippet")),
                         commit_ref=commit_ref,
+                        category=issue.get("cwe"),
                         original_issue_id_from_tool=hash_issue,
                     )
 
@@ -340,6 +341,10 @@ def parse_sarif_data(sarif_result):
             snippet = region_info.get('snippet', {}).get('text', '')
             context_region = physical_location.get('contextRegion', {})
             context_snippet = context_region.get('snippet', {}).get('text', '')
+            cwe = result.get('properties', {}).get('cweId', '')
+
+            if cwe != '':
+                cwe = f'CWE-{cwe}'
 
             # Map severity levels
             severity_map = {
@@ -362,6 +367,7 @@ def parse_sarif_data(sarif_result):
                 'hash_issue_v1': result.get('partialFingerprints', {}).get('hashIssueV1', ''),
                 'hash_issue_v2': result.get('partialFingerprints', {}).get('hashIssueV2', ''),
                 'context_snippet': context_snippet,
+                'cwe': cwe,
             }
 
             parsed_issues.append(issue)

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flowcli/sast/run.py

@@ -226,6 +226,10 @@ def deploy_results_to_conviso_beta(
 
             for issue in issues:
                 total_issues += 1
+                issue_cwe = issue.get('cwe_id', '')
+
+                if issue_cwe != '':
+                    issue_cwe = f'CWE-{issue_cwe}'
 
                 issue_model = CreateSastFindingInput(
                     asset_id=asset_id,
@@ -239,6 +243,7 @@ def deploy_results_to_conviso_beta(
                     code_snippet=parse_code_snippet(issue.get("evidence")),
                     reference=parse_conviso_references(issue.get("references")),
                     first_line=parse_first_line_number(issue.get("evidence")),
+                    category=issue_cwe,
                     original_issue_id_from_tool=issue.get("hash_issue") or issue.get("hash_issue_v2"),
                 )
 

{conviso-cli-2.2.12.dev0 → conviso-cli-2.2.13rc0}/convisoappsec/flowcli/sca/run.py

@@ -238,6 +238,7 @@ def deploy_results_to_conviso_beta(flow_context, conviso_api, results_filepaths,
                         package=issue.get("component", "Unknown"),
                         cve=cves,
                         patched_version=patched_version,
+                        category=issue.get('cwe', ''),
                         original_issue_id_from_tool=hash_issue
                     )
 

conviso-cli-2.2.13rc0/convisoappsec/version.py

@@ -0,0 +1 @@
+__version__ = '2.2.13-rc.0'

conviso-cli-2.2.12.dev0/convisoappsec/version.py

@@ -1 +0,0 @@
-__version__ = '2.2.12-dev.0'