devsecops-engine-tools 1.11.1__tar.gz → 1.11.3__tar.gz

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.11.1
+Version: 1.11.3
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team
@@ -144,10 +144,14 @@ devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_con
     <td>Free</td>
   </tr>
   <tr>
-    <td>ENGINE_DEPENDENCIES</td>
+    <td rowspan="2">ENGINE_DEPENDENCIES</td>
     <td><a href="https://jfrog.com/help/r/get-started-with-the-jfrog-platform/jfrog-xray">XRAY</a></td>
     <td>Paid</td>
   </tr>
+  <tr>
+    <td><a href="https://owasp.org/www-project-dependency-check/">DEPENDENCY CHECK</a></td>
+    <td>Free</td>
+  </tr>
   <tr>
     <td>ENGINE_CODE</td>
     <td><a href="https://docs.bearer.com/quickstart/">BEARER</a></td>

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py

@@ -144,7 +144,7 @@ def get_inputs_from_cli(args):
     parser.add_argument(
         "--token_external_checks",
         required=False,
-        help="Token for downloading external checks from engine_iac if is necessary. Ej: github:token, ssh:privatekey:pass",
+        help="Token for downloading external checks from engine_iac or engine_secret if is necessary. Ej: github:token, ssh:privatekey:pass",
     )
     parser.add_argument(
         "--xray_mode",

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_core/src/domain/usecases/handle_scan.py

@@ -136,7 +136,8 @@ class HandleScan:
             findings_list, input_core = runner_secret_scan(
                 dict_args,
                 config_tool["ENGINE_SECRET"]["TOOL"],
-                self.devops_platform_gateway
+                self.devops_platform_gateway,
+                secret_tool
             )
             if (
                 dict_args["use_vulnerability_management"] == "true"

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/aws/secrets_manager.py

@@ -36,5 +36,5 @@ class SecretsManager(SecretsManagerGateway):
             secret_dict = json.loads(secret)
             return secret_dict
         except NoCredentialsError as e:
-            logger.error("Error getting secret: {e}")
+            logger.error(f"Error getting secret: {e}")
             return None

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/defect_dojo/defect_dojo.py

@@ -65,7 +65,8 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
                 "TRIVY": "Trivy Scan",
                 "KUBESCAPE": "Kubescape Scanner",
                 "KICS": "KICS Scanner",
-                "BEARER": "Bearer CLI"
+                "BEARER": "Bearer CLI",
+                "DEPENDENCY_CHECK": "Dependency Check Scan"
             }
 
             if any(

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_tool.py

@@ -11,7 +11,7 @@ from devsecops_engine_tools.engine_sast.engine_iac.src.infrastructure.driven_ada
 )
 from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
 from devsecops_engine_tools.engine_utilities import settings
-from devsecops_engine_tools.engine_utilities.github.infrastructure.github_api import GithubApi
+from devsecops_engine_tools.engine_utilities.utils.utils import Utils
 
 logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
 
@@ -28,7 +28,7 @@ class KicsTool(ToolGateway):
             logger.error(f"An error ocurred downloading {file} {ex}")
 
     def install_tool(self, file, url, command_prefix):
-        github_api = GithubApi()
+        utils = Utils()
         kics = f"./{command_prefix}/kics"
         installed = subprocess.run(
             ["which", command_prefix],
@@ -38,7 +38,7 @@ class KicsTool(ToolGateway):
         if installed.returncode == 1:
             try:
                 self.download(file, url)
-                github_api.unzip_file(file, command_prefix)
+                utils.unzip_file(file, command_prefix)
                 subprocess.run(["chmod", "+x", kics])
                 return kics
             except Exception as e:
@@ -56,9 +56,9 @@ class KicsTool(ToolGateway):
             return command_prefix
         except:
             try:
-                github_api = GithubApi()
+                utils = Utils()
                 self.download(file, url)
-                github_api.unzip_file(file, command_prefix)
+                utils.unzip_file(file, command_prefix)
                 return f"./{command_prefix}/kics"
 
             except Exception as e:
@@ -81,34 +81,32 @@ class KicsTool(ToolGateway):
             logger.error(f"An error ocurred loading KICS results {ex}")
             return None
 
-    def select_operative_system(self, os_platform, folders_to_scan, config_tool, path_kics):
+    def select_operative_system(self, os_platform, config_tool, path_kics):
         command_prefix = path_kics
         if os_platform == "Linux":
             kics_zip = "kics_linux.zip"
             url_kics = config_tool[self.TOOL_KICS]["KICS_LINUX"]
-            command_prefix = self.install_tool(kics_zip, url_kics, command_prefix)
+            return self.install_tool(kics_zip, url_kics, command_prefix)
         elif os_platform == "Windows":
             kics_zip = "kics_windows.zip"
             url_kics = config_tool[self.TOOL_KICS]["KICS_WINDOWS"]
-            command_prefix = self.install_tool_windows(kics_zip, url_kics, command_prefix)
+            return self.install_tool_windows(kics_zip, url_kics, command_prefix)
         elif os_platform == "Darwin":
             kics_zip = "kics_macos.zip"
             url_kics = config_tool[self.TOOL_KICS]["KICS_MAC"]
-            command_prefix = self.install_tool(kics_zip, url_kics, command_prefix)
+            return self.install_tool(kics_zip, url_kics, command_prefix)
         else:
             logger.warning(f"{os_platform} is not supported.")
             return [], None
 
-        self.execute_kics(folders_to_scan, command_prefix)
-
     def get_assets(self, kics_version):
         name_zip = "assets_compressed.zip"
         assets_url = f"https://github.com/Checkmarx/kics/releases/download/v{kics_version}/extracted-info.zip"
         self.download(name_zip, assets_url)
 
         directory_assets = "kics_assets"
-        github_api = GithubApi()
-        github_api.unzip_file(name_zip, directory_assets)
+        utils = Utils()
+        utils.unzip_file(name_zip, directory_assets)
 
     def run_tool(
             self, config_tool, folders_to_scan, **kwargs
@@ -120,7 +118,8 @@ class KicsTool(ToolGateway):
             self.get_assets(kics_version)
 
         os_platform = platform.system()
-        self.select_operative_system(os_platform, folders_to_scan, config_tool, path_kics)
+        command_prefix = self.select_operative_system(os_platform, config_tool, path_kics)
+        self.execute_kics(folders_to_scan, command_prefix)
 
         data = self.load_results()
         if data:

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kubescape/kubescape_deserealizator.py

@@ -46,7 +46,7 @@ class KubescapeDeserealizator:
                     resource = resources.get(resource_id)
 
                     if resource:
-                        relative_path = resource.get("source", {}).get("path", "").replace("\\", "/")
+                        relative_path = resource.get("source", {}).get("relativePath", "").replace("\\", "/")
                         severity_score = self.get_severity_score(frameworks, control_id)
 
                         result_extracted_data.append({

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kubescape/kubescape_tool.py

@@ -72,30 +72,28 @@ class KubescapeTool(ToolGateway):
             logger.error("The JSON result is empty.")
         return None
 
-    def select_operative_system(self, os_platform, folders_to_scan, base_url):
+    def select_operative_system(self, os_platform, base_url):
         if os_platform == "Linux":
             distro_name = distro.name()
             if distro_name == "Ubuntu":
                 file = "kubescape-ubuntu-latest"
                 self.install_tool(file, base_url + file)
-                command_prefix = f"./{file}"
+                return f"./{file}"
             else:
                 logger.warning(f"{distro_name} is not supported.")
                 return None
         elif os_platform == "Windows":
             file = "kubescape-windows-latest.exe"
             self.install_tool_windows(file, base_url + file)
-            command_prefix = f"./{file}"
+            return f"./{file}"
         elif os_platform == "Darwin":
             file = "kubescape-macos-latest"
             self.install_tool(file, base_url + file)
-            command_prefix = f"./{file}"
+            return f"./{file}"
         else:
             logger.warning(f"{os_platform} is not supported.")
             return [], None
 
-        self.execute_kubescape(folders_to_scan, command_prefix)
-
     def run_tool(self, config_tool, folders_to_scan, platform_to_scan, **kwargs):
 
         if folders_to_scan and "k8s" in platform_to_scan:
@@ -103,7 +101,8 @@ class KubescapeTool(ToolGateway):
             kubescape_version = config_tool["KUBESCAPE"]["VERSION"]
             os_platform = platform.system()
             base_url = f"https://github.com/kubescape/kubescape/releases/download/v{kubescape_version}/"
-            self.select_operative_system(os_platform, folders_to_scan, base_url)
+            command_prefix = self.select_operative_system(os_platform, base_url)
+            self.execute_kubescape(folders_to_scan, command_prefix)
 
             json_name = "results_kubescape.json"
             data = self.load_json(json_name)

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/applications/runner_secret_scan.py

@@ -11,7 +11,7 @@ from devsecops_engine_tools.engine_utilities.git_cli.infrastructure.git_run impo
     GitRun
     )
 
-def runner_secret_scan(dict_args, tool, devops_platform_gateway):
+def runner_secret_scan(dict_args, tool, devops_platform_gateway, secret_tool):
     try:
         tool_deserealizator = None
         tool_gateway = None
@@ -25,7 +25,8 @@ def runner_secret_scan(dict_args, tool, devops_platform_gateway):
             dict_args = dict_args,
             tool=tool,
             tool_deserealizator = tool_deserealizator,
-            git_gateway = git_gateway
+            git_gateway = git_gateway,
+            secret_tool = secret_tool
         )
     except Exception as e:
         raise Exception(f"Error engine_secret : {str(e)}")

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/domain/model/DeserializeConfigTool.py

@@ -9,3 +9,6 @@ class DeserializeConfigTool:
         self.exclude_path = json_data[tool]["EXCLUDE_PATH"]
         self.number_threads = json_data[tool]["NUMBER_THREADS"]
         self.target_branches = json_data["TARGET_BRANCHES"]
+        self.enable_custom_rules = json_data[tool]["ENABLE_CUSTOM_RULES"]
+        self.external_dir_owner = json_data[tool]["EXTERNAL_DIR_OWNER"]
+        self.external_dir_repo = json_data[tool]["EXTERNAL_DIR_REPOSITORY"]

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/domain/model/gateway/tool_gateway.py

@@ -1,5 +1,5 @@
 from abc import ABCMeta, abstractmethod
-
+from devsecops_engine_tools.engine_sast.engine_secret.src.domain.model.DeserializeConfigTool import DeserializeConfigTool
 
 class ToolGateway(metaclass=ABCMeta):
     @abstractmethod
@@ -8,9 +8,10 @@ class ToolGateway(metaclass=ABCMeta):
     @abstractmethod
     def run_tool_secret_scan(self,
                             files_pullrequest: dict,
-                            exclude_path: dict,
                             agent_os: str,
                             agent_work_folder: str,
-                            num_threads: int,
-                            repository_name: str) -> str:
+                            repository_name: str,
+                            config_tool: DeserializeConfigTool,
+                            secret_tool,
+                            secret_external_checks) -> str:
         "run tool secret scan"

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/secret_scan.py

@@ -28,9 +28,10 @@ class SecretScan:
         self.tool_deserialize = tool_deserialize
         self.git_gateway = git_gateway
 
-    def process(self, skip_tool, config_tool):
+    def process(self, skip_tool, config_tool, secret_tool, dict_args):
         finding_list = []
         file_path_findings = ""
+        secret_external_checks=dict_args["token_external_checks"]
         if skip_tool == False:
             self.tool_gateway.install_tool(self.devops_platform_gateway.get_variable("os"), self.devops_platform_gateway.get_variable("temp_directory"))
             files_pullrequest = self.git_gateway.get_files_pull_request(
@@ -45,12 +46,12 @@ class SecretScan:
                 self.devops_platform_gateway.get_variable("repository_provider"))
             findings, file_path_findings = self.tool_gateway.run_tool_secret_scan(
                     files_pullrequest,
-                    config_tool.exclude_path,
                     self.devops_platform_gateway.get_variable("os"),
                     self.devops_platform_gateway.get_variable("path_directory"),
-                    config_tool.number_threads,
-                    self.devops_platform_gateway.get_variable("repository")
-                    )
+                    self.devops_platform_gateway.get_variable("repository"),
+                    config_tool,
+                    secret_tool,
+                    secret_external_checks)
             finding_list = self.tool_deserialize.get_list_vulnerability(
                 findings,
                 self.devops_platform_gateway.get_variable("os"),

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/infrastructure/driven_adapters/trufflehog/trufflehog_run.py

@@ -7,6 +7,13 @@ import concurrent.futures
 from devsecops_engine_tools.engine_sast.engine_secret.src.domain.model.gateway.tool_gateway import (
     ToolGateway,
 )
+from devsecops_engine_tools.engine_utilities.github.infrastructure.github_api import (
+    GithubApi,
+)
+from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
+from devsecops_engine_tools.engine_utilities import settings
+
+logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
 
 result = []
 
@@ -40,20 +47,34 @@ class TrufflehogRun(ToolGateway):
     def run_tool_secret_scan(
         self,
         files_commits,
-        exclude_paths,
         agent_os,
         agent_work_folder,
-        num_threads,
         repository_name,
+        config_tool,
+        secret_tool,
+        secret_external_checks
     ):
         trufflehog_command = "trufflehog"
         if "Windows" in agent_os:
             trufflehog_command = "C:/Trufflehog/bin/trufflehog.exe"
         with open(f"{agent_work_folder}/excludedPath.txt", "w") as file:
-            file.write("\n".join(exclude_paths))
+            file.write("\n".join(config_tool.exclude_path))
         exclude_path = f"{agent_work_folder}/excludedPath.txt"
         include_paths = self.config_include_path(files_commits, agent_work_folder)
-        with concurrent.futures.ThreadPoolExecutor(max_workers=num_threads) as executor:
+        enable_custom_rules = config_tool.enable_custom_rules.lower()
+        secret = None
+        
+        if secret_tool is not None:
+            secret = secret_tool["github_token"] if "github" in secret_tool else None
+        elif secret_external_checks is not None:
+            secret = secret_external_checks.split("github:")[1] if "github" in secret_external_checks else None            
+
+        if enable_custom_rules == "true" and secret is not None:
+            self.configurate_external_checks(config_tool, secret)
+        else: #In case that remote config from tool is enable but in the args dont send any type of secrets. So dont modified command
+            enable_custom_rules == "false"
+
+        with concurrent.futures.ThreadPoolExecutor(max_workers=config_tool.number_threads) as executor:
             results = executor.map(
                 self.run_trufflehog,
                 [trufflehog_command] * len(include_paths),
@@ -61,6 +82,7 @@ class TrufflehogRun(ToolGateway):
                 [exclude_path] * len(include_paths),
                 include_paths,
                 [repository_name] * len(include_paths),
+                [enable_custom_rules],
             )
         findings, file_findings = self.create_file(self.decode_output(results), agent_work_folder)
         return  findings, file_findings
@@ -90,8 +112,13 @@ class TrufflehogRun(ToolGateway):
         exclude_path,
         include_path,
         repository_name,
+        enable_custom_rules
     ):
         command = f"{trufflehog_command} filesystem {agent_work_folder + '/' + repository_name} --include-paths {include_path} --exclude-paths {exclude_path} --no-verification --json"
+
+        if enable_custom_rules == "true":
+            command = command.replace("--no-verification --json", "--config /tmp/rules/trufflehog/custom-rules.yaml --no-verification --json")
+
         result = subprocess.run(command, capture_output=True, shell=True, text=True)
         return result.stdout.strip()
 
@@ -115,4 +142,15 @@ class TrufflehogRun(ToolGateway):
                 find["SourceMetadata"]["Data"]["Filesystem"]["file"] = where_text
                 json_str = json.dumps(find)
                 file.write(json_str + '\n')
-        return findings, file_findings
+        return findings, file_findings
+    
+    def configurate_external_checks(self, config_tool, secret):
+        try:
+            github_api = GithubApi(secret)
+            github_api.download_latest_release_assets(
+                config_tool.external_dir_owner,
+                config_tool.external_dir_repo,
+                "/tmp",
+            )
+        except Exception as ex:
+            logger.error(f"An error ocurred download external checks {ex}")

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sast/engine_secret/src/infrastructure/entry_points/entry_point_tool.py

@@ -4,13 +4,13 @@ from devsecops_engine_tools.engine_sast.engine_secret.src.domain.usecases.set_in
     SetInputCore,
 )
 
-def engine_secret_scan(devops_platform_gateway, tool_gateway, dict_args, tool, tool_deserealizator, git_gateway):
+def engine_secret_scan(devops_platform_gateway, tool_gateway, dict_args, tool, tool_deserealizator, git_gateway, secret_tool):
     exclusions = devops_platform_gateway.get_remote_config(
         dict_args["remote_config_repo"], "engine_sast/engine_secret/Exclusions.json"
     )
     secret_scan = SecretScan(tool_gateway, devops_platform_gateway, tool_deserealizator, git_gateway)
     config_tool = secret_scan.complete_config_tool(dict_args, tool)
     skip_tool = secret_scan.skip_from_exclusion(exclusions)
-    finding_list, file_path_findings = secret_scan.process(skip_tool, config_tool)
+    finding_list, file_path_findings = secret_scan.process(skip_tool, config_tool, secret_tool, dict_args)
     input_core = SetInputCore(devops_platform_gateway, dict_args, tool, config_tool)
     return finding_list, input_core.set_input_core(file_path_findings)

{devsecops_engine_tools-1.11.1 → devsecops_engine_tools-1.11.3}/devsecops_engine_tools/engine_sca/engine_dependencies/src/applications/runner_dependencies_scan.py

@@ -4,6 +4,12 @@ from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.dr
 from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.driven_adapters.xray_tool.xray_deserialize_output import (
     XrayDeserializator,
 )
+from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.driven_adapters.dependency_check.dependency_check_tool import (
+    DependencyCheckTool,
+)
+from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.driven_adapters.dependency_check.dependency_check_deserialize import (
+    DependencyCheckDeserialize,
+)
 from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.entry_points.entry_point_tool import (
     init_engine_dependencies,
 )
@@ -11,9 +17,21 @@ from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.en
 
 def runner_engine_dependencies(dict_args, config_tool, secret_tool, devops_platform_gateway):
     try:
-        if config_tool["ENGINE_DEPENDENCIES"]["TOOL"] == "XRAY":
-            tool_run = XrayScan()
-            tool_deserializator = XrayDeserializator()
+        tools_mapping = {
+            "XRAY": {
+                "tool_run": XrayScan,
+                "tool_deserializator": XrayDeserializator
+            },
+            "DEPENDENCY_CHECK": {
+                "tool_run": DependencyCheckTool,
+                "tool_deserializator": DependencyCheckDeserialize
+            }
+        }
+
+        selected_tool = config_tool["ENGINE_DEPENDENCIES"]["TOOL"]
+        tool_run = tools_mapping[selected_tool]["tool_run"]()
+        tool_deserializator = tools_mapping[selected_tool]["tool_deserializator"]()
+
 
         return init_engine_dependencies(
             tool_run,

devsecops_engine_tools-1.11.3/devsecops_engine_tools/engine_sca/engine_dependencies/src/infrastructure/driven_adapters/dependency_check/dependency_check_deserialize.py

@@ -0,0 +1,62 @@
+from devsecops_engine_tools.engine_sca.engine_dependencies.src.domain.model.gateways.deserializator_gateway import (
+    DeserializatorGateway,
+)
+from devsecops_engine_tools.engine_core.src.domain.model.finding import (
+    Finding,
+    Category,
+)
+from dataclasses import dataclass
+from datetime import datetime
+import json
+import os
+from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
+from devsecops_engine_tools.engine_utilities import settings
+
+logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
+
+@dataclass
+class DependencyCheckDeserialize(DeserializatorGateway):
+
+    def get_list_findings(self, dependencies_scanned_file) -> "list[Finding]":
+        filename, extension = os.path.splitext(dependencies_scanned_file)
+        if extension.lower() != ".json":
+            dependencies_scanned_file = f"{filename}.json"
+
+        data_result = self.load_results(dependencies_scanned_file)
+
+        list_open_vulnerabilities = []
+        for dependency in data_result.get("dependencies", []):
+            for vulnerability in dependency.get("vulnerabilities", []):
+                vulnerable_software = vulnerability.get("vulnerableSoftware", [])
+                fix = (
+                    vulnerable_software[0]
+                    .get("software", {})
+                    .get("versionEndExcluding", None)
+                    if vulnerable_software
+                    else None
+                )
+                finding_open = Finding(
+                    id=vulnerability["name"][:20],
+                    cvss=str(vulnerability.get("cvssv3", {})),
+                    where=dependency.get("fileName").split(':')[-1].strip(),
+                    description=vulnerability["description"][:170].replace("\n\n", " "),
+                    severity=vulnerability["severity"].lower(),
+                    identification_date=datetime.now().strftime("%d%m%Y"),
+                    published_date_cve=None,
+                    module="engine_dependencies",
+                    category=Category.VULNERABILITY,
+                    requirements=fix,
+                    tool="DEPENDENCY_CHECK"
+                )
+                list_open_vulnerabilities.append(finding_open)
+
+        return list_open_vulnerabilities
+    
+    def load_results(self, dependencies_scanned_file):
+        try:
+            with open(dependencies_scanned_file) as f:
+                data = json.load(f)
+            return data
+        except Exception as ex:
+            logger.error(f"An error ocurred loading dependency-check results {ex}")
+            return None

devsecops_engine_tools-1.11.3/devsecops_engine_tools/engine_sca/engine_dependencies/src/infrastructure/driven_adapters/dependency_check/dependency_check_tool.py

@@ -0,0 +1,120 @@
+from devsecops_engine_tools.engine_sca.engine_dependencies.src.domain.model.gateways.tool_gateway import (
+    ToolGateway,
+)
+
+import requests
+import subprocess
+import os
+import platform
+import shutil
+
+from devsecops_engine_tools.engine_utilities.utils.utils import Utils
+from devsecops_engine_tools.engine_sca.engine_dependencies.src.infrastructure.helpers.get_artifacts import GetArtifacts
+from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
+from devsecops_engine_tools.engine_utilities import settings
+
+logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
+
+
+class DependencyCheckTool(ToolGateway):
+    def download_tool(self, cli_version):
+        try:
+            url = f"https://github.com/jeremylong/DependencyCheck/releases/download/v{cli_version}/dependency-check-{cli_version}-release.zip"
+            response = requests.get(url, allow_redirects=True)
+            home_directory = os.path.expanduser("~")
+            zip_name = os.path.join(home_directory, f"dependency_check_{cli_version}.zip")
+            with open(zip_name, "wb") as f:
+                f.write(response.content)
+
+            utils = Utils()
+            utils.unzip_file(zip_name, home_directory)
+        except Exception as ex:
+            logger.error(f"An error ocurred downloading dependency-check {ex}")
+
+    def install_tool(self, cli_version, is_windows=False):
+        command_prefix = "dependency-check.bat" if is_windows else "dependency-check.sh"
+
+        installed = shutil.which(command_prefix)
+        if installed:
+            return command_prefix
+
+        home_directory = os.path.expanduser("~")
+        bin_route = os.path.join(home_directory, f"dependency-check/bin/{command_prefix}")
+
+        if shutil.which(bin_route):
+            return bin_route
+
+        self.download_tool(cli_version)
+
+        try:
+            if os.path.exists(bin_route):
+                if not is_windows:
+                    subprocess.run(["chmod", "+x", bin_route], check=True)
+                return bin_route 
+        except Exception as e:
+            logger.error(f"Error installing OWASP dependency check: {e}")
+            return None
+
+    def scan_dependencies(self, command_prefix, file_to_scan, token):
+        try:
+            command = [command_prefix, "--format", "JSON", "--format", "XML", "--nvdApiKey", token, "--scan", file_to_scan,]
+
+            if not token:
+                print("¡¡Remember!!, it is recommended to use the API key for faster vulnerability database downloads.")
+                command = [command_prefix, "--format", "JSON", "--format", "XML", "--scan", file_to_scan,]
+
+            subprocess.run(command, capture_output=True, check=True)
+        except subprocess.CalledProcessError as error:
+            logger.error(f"Error executing OWASP dependency check scan: {error}")
+
+    def select_operative_system(self, cli_version):
+        os_platform = platform.system()
+
+        if os_platform in ["Linux", "Darwin"]:
+            return self.install_tool(cli_version, is_windows=False)
+        elif os_platform == "Windows":
+            return self.install_tool(cli_version, is_windows=True)
+        else:
+            logger.warning(f"{os_platform} is not supported.")
+            return None
+
+    def search_result(self):
+        try:
+            file_result = os.path.join(os.getcwd(), "dependency-check-report.xml")
+            return file_result
+        except Exception as ex:
+            logger.error(f"An error ocurred search dependency-check results {ex}")
+            return None
+        
+    def is_java_installed(self):
+        return shutil.which("java") is not None
+
+    def run_tool_dependencies_sca(
+        self,
+        remote_config,
+        dict_args,
+        exclusion,
+        pipeline_name,
+        to_scan,
+        token,
+        token_engine_dependencies
+    ):
+        if not self.is_java_installed():
+            logger.error("Java is not installed, please install it to run dependency check")
+            return None
+
+        cli_version = remote_config["DEPENDENCY_CHECK"]["CLI_VERSION"]
+
+        get_artifacts = GetArtifacts()
+
+        pattern = get_artifacts.excluded_files(remote_config, pipeline_name, exclusion, "DEPENDENCY_CHECK")
+        to_scan = get_artifacts.find_artifacts(
+            to_scan, pattern, remote_config["DEPENDENCY_CHECK"]["PACKAGES_TO_SCAN"]
+        )
+
+        if not to_scan:
+            return None
+
+        command_prefix = self.select_operative_system(cli_version)
+        self.scan_dependencies(command_prefix, to_scan, token_engine_dependencies)
+        return self.search_result()