conviso-cli 2.2.1__tar.gz → 2.2.2__tar.gz

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: conviso-cli
-Version: 2.2.1
+Version: 2.2.2
 Summary: UNKNOWN
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/conviso_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: conviso-cli
-Version: 2.2.1
+Version: 2.2.2
 Summary: UNKNOWN
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/conviso_cli.egg-info/requires.txt

@@ -11,4 +11,3 @@ jsonschema<3,>=2.5.1
 giturlparse<=0.12.0
 jmespath<1.0.1,>=0.9.0
 setuptools==69.2.0
-importlib_metadata==7.2.1

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/convisoappsec/flow/graphql_api/v1/client.py

@@ -1,5 +1,5 @@
 from convisoappsec.common.graphql.low_client import GraphQLClient
-from convisoappsec.flow.graphql_api.v1.resources_api import AssetsAPI, ProjectsApi, CompaniesApi, IssuesApi, DeploysApi
+from convisoappsec.flow.graphql_api.v1.resources_api import AssetsAPI, ProjectsApi, CompaniesApi, IssuesApi, DeploysApi, SbomApi
 
 
 class ConvisoGraphQLClient():
@@ -31,3 +31,7 @@ class ConvisoGraphQLClient():
     @property
     def deploys(self):
         return DeploysApi(self.__low_client)
+
+    @property
+    def sbom(self):
+        return SbomApi(self.__low_client)

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/convisoappsec/flow/graphql_api/v1/resources_api.py

@@ -1,10 +1,11 @@
-from urllib.parse import urlparse
-
 import jmespath
-
+import json
+import requests
 from convisoappsec.flow.graphql_api.v1.models.asset import AssetInput
 from convisoappsec.flow.graphql_api.v1.models.project import CreateProjectInput, UpdateProjectInput
 from convisoappsec.flow.graphql_api.v1.schemas import mutations, resolvers
+from urllib.parse import urlparse
+from convisoappsec.version import __version__
 
 
 class AssetsAPI(object):
@@ -266,3 +267,59 @@ class DeploysApi(object):
         )
 
         return deploys
+
+
+class SbomApi(object):
+    """ Class for sbom file resources """
+
+    def __init__(self, conviso_graphql_client):
+        self._conviso_graphql_client = conviso_graphql_client
+
+    def send_sbom_file(self, company_id, asset_id, file_path, api_key):
+        """ Send SBOM file to Conviso platform """
+
+        url = self._conviso_graphql_client.url
+
+        operations = {
+            "query": mutations.IMPORT_SBOM,
+            "variables": {
+                "companyId": company_id,
+                "assetId": asset_id,
+                "file": None
+            }
+        }
+
+        file_map = {
+            "0": ["variables.file"]
+        }
+
+        with open(file_path, 'rb') as sbom_file:
+            files = {
+                'operations': (None, json.dumps(operations), 'application/json'),
+                'map': (None, json.dumps(file_map), 'application/json'),
+                '0': (file_path, sbom_file, 'application/octet-stream')
+            }
+
+            headers = {
+                'x-api-key': f'{api_key}',
+                "User-Agent": "AST:{version}".format(version=__version__)
+            }
+
+            response = requests.post(url, files=files, headers=headers)
+
+            response.raise_for_status()
+            json_response = response.json()
+
+            self._handle_graphql_errors(json_response)
+
+            return json_response.get('data')
+
+    @staticmethod
+    def _handle_graphql_errors(json_response):
+        """ Handle GraphQL errors """
+        if 'errors' in json_response:
+            errors = json_response['errors']
+            for error in errors:
+                print(f"GraphQL Error: {error.get('message')}")
+            raise Exception("GraphQL request failed with errors.")
+

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/convisoappsec/flow/graphql_api/v1/schemas/mutations/__init__.py

@@ -93,3 +93,21 @@ mutation (
   }
 }
 """
+
+IMPORT_SBOM = """
+mutation (
+  $file: Upload!,
+  $assetId: ID!,
+  $companyId: ID!
+) {
+  importSbom(
+    input: {
+      file: $file,
+      assetId: $assetId,
+      companyId: $companyId
+    }
+  ) {
+    success
+  }
+}
+"""

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/convisoappsec/flowcli/sbom/generate.py

@@ -1,35 +1,24 @@
 import click
 import subprocess
-import json
 import tempfile
 import os
 from convisoappsec.flowcli.context import pass_flow_context
 from datetime import datetime
 from convisoappsec.flowcli.requirements_verifier import RequirementsVerifier
 from convisoappsec.flowcli import help_option
-from convisoappsec.flowcli.common import (asset_id_option, project_code_option, on_http_error)
-from convisoappsec.sast.sastbox import SASTBox
+from convisoappsec.flowcli.common import (asset_id_option, project_code_option)
 
 
 @click.command()
 @project_code_option(required=False)
 @asset_id_option(required=False)
-@click.option(
-    "-s",
-    "--start-commit",
-    required=False,
-    help="If no value is set so the empty tree hash commit is used.",
-)
-@click.option(
-    "-e",
-    "--end-commit",
-    required=False,
-    help="""If no value is set so the HEAD commit
-    from the current branch is used""",
+@project_code_option(
+    help="Not required when --no-send-to-flow option is set",
+    required=False
 )
 @click.option(
-    "-r",
-    "--repository-dir",
+    '-r',
+    '--repository-dir',
     default=".",
     show_default=True,
     type=click.Path(
@@ -39,65 +28,46 @@ from convisoappsec.sast.sastbox import SASTBox
     required=False,
     help="The source code repository directory.",
 )
-@click.option(
-    "--fail-on-severity-threshold",
-    required=False,
-    help="If the threshold of the informed severity and higher has reach, then the command will fail after send the results to AppSec Flow.\n \
-    The severity levels are: UNDEFINED, INFO, LOW, MEDIUM, HIGH, CRITICAL.",
-    type=click.Tuple([str, int]),
-    default=(None, None),
-)
-@click.option(
-    "--fail-on-threshold",
-    required=False,
-    help="If the threshold has reach then the command will fail after send the result to AppSec Flow",
-    type=int,
-    default=False,
-)
 @click.option(
     "--send-to-flow/--no-send-to-flow",
     default=True,
     show_default=True,
     required=False,
-    hidden=True,
     help="""Enable or disable the ability of send analysis result
     reports to flow. When --send-to-flow option is set the --project-code
     option is required""",
+    hidden=True
 )
 @click.option(
-    "--deploy-id",
-    default=None,
-    required=False,
+    "--custom-sca-tags",
     hidden=True,
-    envvar=("CONVISO_DEPLOY_ID", "FLOW_DEPLOY_ID")
-)
-@click.option(
-    "--sastbox-registry",
-    default="",
     required=False,
-    hidden=True,
-    envvar=("CONVISO_SASTBOX_REGISTRY", "FLOW_SASTBOX_REGISTRY"),
+    multiple=True,
+    type=(str, str),
+    help="""It should be passed as <repository_name> <image_tag>. It accepts multiple values"""
 )
 @click.option(
-    "--sastbox-repository-name",
-    default="",
-    required=False,
+    "--scanner-timeout",
     hidden=True,
-    envvar=("CONVISO_SASTBOX_REPOSITORY_NAME", "FLOW_SASTBOX_REPOSITORY_NAME"),
+    required=False,
+    default=7200,
+    type=int,
+    help="Set timeout for each scanner"
 )
 @click.option(
-    "--sastbox-tag",
-    default=SASTBox.DEFAULT_TAG,
-    required=False,
+    "--parallel-workers",
     hidden=True,
-    envvar=("CONVISO_SASTBOX_TAG", "FLOW_SASTBOX_TAG"),
+    required=False,
+    default=2,
+    type=int,
+    help="Set max parallel workers"
 )
 @click.option(
-    "--sastbox-skip-login/--sastbox-no-skip-login",
-    default=False,
+    "--deploy-id",
+    default=None,
     required=False,
     hidden=True,
-    envvar=("CONVISO_SASTBOX_SKIP_LOGIN", "FLOW_SASTBOX_SKIP_LOGIN"),
+    envvar=("CONVISO_DEPLOY_ID", "FLOW_DEPLOY_ID")
 )
 @click.option(
     '--experimental',
@@ -135,10 +105,9 @@ from convisoappsec.sast.sastbox import SASTBox
 @help_option
 @pass_flow_context
 @click.pass_context
-def generate(context, flow_context, project_code, asset_id, company_id, end_commit, start_commit, repository_dir,
-             send_to_flow, deploy_id, sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login,
-             fail_on_threshold, fail_on_severity_threshold, experimental, asset_name, vulnerability_auto_close,
-             from_ast):
+def generate(context, flow_context, project_code, asset_id, company_id, repository_dir, send_to_flow, custom_sca_tags,
+             scanner_timeout, parallel_workers, deploy_id, experimental, asset_name, vulnerability_auto_close, from_ast):
+
     context.params['company_id'] = context.params.get('company_id') or company_id
 
     if not context.params['company_id']:
@@ -149,10 +118,9 @@ def generate(context, flow_context, project_code, asset_id, company_id, end_comm
         prepared_context = RequirementsVerifier.prepare_context(context)
 
         params_to_copy = [
-            'project_code', 'asset_id', 'start_commit', 'end_commit',
-            'repository_dir', 'send_to_flow', 'deploy_id', 'sastbox_registry',
-            'sastbox_repository_name', 'sastbox_tag', 'sastbox_skip_login',
-            'experimental', 'asset_name', 'vulnerability_auto_close', 'company_id'
+            'project_code', 'asset_id', 'repository_dir', 'send_to_flow',
+            'deploy_id', 'custom_sca_tags', 'scanner_timeout', 'parallel_workers',
+            'experimental', 'asset_name', 'vulnerability_auto_close'
         ]
 
         for param_name in params_to_copy:
@@ -164,25 +132,36 @@ def generate(context, flow_context, project_code, asset_id, company_id, end_comm
     asset_name = context.params['asset_name']
     temp_dir = tempfile.gettempdir()
     timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
+    sanitized_asset_name = asset_name.replace(" ", "_").replace("(", "").replace(")", "")
     file_name = os.path.join(temp_dir, "sbom_{asset_name}_{timestamp}.json".format(
-        asset_name=asset_name, timestamp=timestamp
+        asset_name=sanitized_asset_name, timestamp=timestamp
     ))
 
     command = [
-        f"syft packages {repository_dir} -o syft-json={file_name}"
+        f"syft scan {repository_dir} -o cyclonedx-json={file_name}"
     ]
 
     try:
         subprocess.run(command, shell=True, check=True, capture_output=True)
-        log_func(f"SBOM file generated successfully!")
+        log_func("SBOM file generated successfully!")
     except subprocess.CalledProcessError as error:
-        log_func("We have a problem when try to generate the sbom file ...{error}".format(error=error), color='red')
+        log_func(f"Error generating SBOM file: {error}")
         return
 
-    with open(file_name, 'r') as sbom_file:
-        sbom_data = json.load(sbom_file)
-        # TODO: here we already have the file, so we need to send to cp
+    asset_id = asset_id or context.params.get('asset_id')
+
+    send_sbom_file_to_csc(company_id=company_id, asset_id=asset_id, file=file_name)
+
+
+@pass_flow_context
+def send_sbom_file_to_csc(flow_context, company_id, asset_id, file):
+    conviso_api = flow_context.create_conviso_graphql_client()
+    api_key = flow_context.key
+
+    log_func(f"Sending sbom to conviso platform ...")
+
+    return conviso_api.sbom.send_sbom_file(company_id=company_id, asset_id=asset_id, file_path=file, api_key=api_key)
 
 
-def log_func(msg, new_line=True, color='blue'):
-    click.echo(click.style(msg, bold=True, fg=color), nl=new_line, err=True)
+def log_func(msg, new_line=True):
+    click.echo(click.style(msg), nl=new_line, err=True)

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/convisoappsec/flowcli/sca/run.py

@@ -1,7 +1,6 @@
 import json
 import click
 import click_log
-import os
 from convisoappsec.common.box import ContainerWrapper
 from convisoappsec.common import strings
 from convisoappsec.flow.graphql_api.beta.models.issues.sca import CreateScaFindingInput
@@ -16,6 +15,7 @@ from convisoappsec.logger import LOGGER
 from convisoappsec.common.graphql.errors import ReponseError
 from convisoappsec.flowcli.requirements_verifier import RequirementsVerifier
 from copy import deepcopy as clone
+from convisoappsec.flowcli.sbom import sbom
 
 click_log.basic_config(LOGGER)
 
@@ -155,6 +155,7 @@ def run(
 
     perform_command(
         flow_context,
+        context,
         context.params['project_code'],
         context.params['asset_id'],
         context.params['repository_dir'],
@@ -276,7 +277,7 @@ def get_relative_path(path):
 
 
 def perform_command(
-        flow_context, project_code, asset_id, repository_dir, send_to_flow, custom_sca_tags, scanner_timeout,
+        flow_context, context, project_code, asset_id, repository_dir, send_to_flow, custom_sca_tags, scanner_timeout,
         deploy_id, experimental
 ):
     if send_to_flow and not experimental and not project_code:
@@ -361,6 +362,11 @@ def perform_command(
         # TODO add CI Decision block code
         LOGGER.info('\U00002705 SCA Scan Finished')
 
+        # Generate SBOM when execute a sca only scan.
+        sbom_generate = sbom.commands.get('generate')
+        specific_param = { "from_ast": True }
+        context.params.update(specific_param)
+        sbom_generate.invoke(context)
     except Exception as e:
         on_http_error(e)
         raise click.ClickException(str(e)) from e

conviso-cli-2.2.2/convisoappsec/version.py

@@ -0,0 +1 @@
+__version__ = '2.2.2'

{conviso-cli-2.2.1 → conviso-cli-2.2.2}/setup.py

@@ -45,8 +45,7 @@ setup(
         "jsonschema>=2.5.1,<3",
         "giturlparse<=0.12.0",
         "jmespath>=0.9.0,<1.0.1",
-        "setuptools==69.2.0",
-        "importlib_metadata==7.2.1"
+        "setuptools==69.2.0"
     ],
     entry_points={
         'console_scripts': [

conviso-cli-2.2.1/convisoappsec/version.py

@@ -1 +0,0 @@
-__version__ = '2.2.1'