guarddog 2.5.0__py3-none-any.whl → 2.7.0__py3-none-any.whl

guarddog/reporters/sarif.py

@@ -4,181 +4,187 @@ import json
 from guarddog.analyzer.sourcecode import get_sourcecode_rules
 from guarddog.analyzer.metadata import get_metadata_detectors
 from guarddog.ecosystems import ECOSYSTEM
+from guarddog.reporters import BaseReporter
+from guarddog.scanners.scanner import DependencyFile
+from typing import List
+from guarddog.reporters.human_readable import HumanReadableReporter
+
+
+class SarifReporter(BaseReporter):
+    """
+    Sarif is a class that formats and prints scan results in the SARIF format.
+    """
+
+    @staticmethod
+    def render_verify(
+        dependency_files: List[DependencyFile],
+        rule_names: list[str],
+        scan_results: list[dict],
+        ecosystem: ECOSYSTEM,
+    ) -> tuple[str, str]:
+        """
+        Report the scans results in the SARIF format.
+
+        Args:
+            scan_results (dict): The scan results to be reported.
+        """
+
+        def build_rules_help_list() -> dict:
+            """
+            Builds a dict with the names of all available rules and their documentation
+            @return: dict[name_of_rule, rule_description]
+            """
+            rules_documentation = {}
+            for ecosystem in ECOSYSTEM:
+                rules = get_metadata_detectors(ecosystem)
+                for name, instance in rules.items():
+                    detector_class = instance.__class__.__base__
+                    rules_documentation[name] = detector_class.__doc__
+                for sourcecode_rule in get_sourcecode_rules(ecosystem):
+                    rules_documentation[sourcecode_rule.id] = (
+                        sourcecode_rule.description
+                    )
+            return rules_documentation
+
+        def get_sarif_log(runs):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#sariflog-object
+            """
+            return {
+                "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+                "version": "2.1.0",
+                "runs": runs,
+            }
 
+        def get_run(results, driver):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#run-object
+            """
+            return {"tool": {"driver": driver}, "results": results}
+
+        def get_driver(rules, ecosystem: str):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#toolcomponent-object
+            """
+            return {
+                "name": f"GuardDog-{ecosystem}",
+                "informationUri": "https://github.com/DataDog/guarddog",
+                "rules": rules,
+            }
 
-def build_rules_help_list() -> dict:
-    """
-    Builds a dict with the names of all available rules and their documentation
-    @return: dict[name_of_rule, rule_description]
-    """
-    rules_documentation = {}
-    for ecosystem in ECOSYSTEM:
-        rules = get_metadata_detectors(ecosystem)
-        for name, instance in rules.items():
-            detector_class = instance.__class__.__base__
-            rules_documentation[name] = detector_class.__doc__
-        for sourcecode_rule in get_sourcecode_rules(ecosystem):
-            rules_documentation[sourcecode_rule.id] = sourcecode_rule.description
-    return rules_documentation
-
-
-def get_sarif_log(runs):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#sariflog-object
-    """
-    return {
-        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
-        "version": "2.1.0",
-        "runs": runs
-    }
-
-
-def get_run(results, driver):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#run-object
-    """
-    return {
-        "tool": {
-            "driver": driver
-        },
-        "results": results
-    }
-
-
-def get_driver(rules, ecosystem: str):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#toolcomponent-object
-    """
-    return {
-        "name": f"GuardDog-{ecosystem}",
-        "rules": rules
-    }
-
-
-def get_rule(rule_name: str, rules_documentation) -> dict:
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
-    """
-    message = rules_documentation[rule_name] if rules_documentation[rule_name] is not None else ""
-    return {
-        "id": rule_name,
-        "defaultConfiguration": {
-            "level": "warning"
-        },
-        "shortDescription": {
-            "text": f"GuardDog rule: {rule_name}"
-        },
-        "fullDescription": {
-            "text": message
-        },
-        "help": {
-            "text": message,
-            "markdown": message
-        },
-        "properties": {
-            "precision": "medium"
-        }
-    }
-
-
-def get_result(rule_name, locations, text, partial_fingerprints):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#result-object
-    """
-    return {
-        "ruleId": rule_name,
-        "message": {
-            "text": text
-        },
-        "locations": locations,
-        "partialFingerprints": partial_fingerprints
-    }
-
-
-def get_location(physical_location):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#location-object
-    """
-    return {
-        "physicalLocation": physical_location
-    }
+        def get_rule(rule_name: str, rules_documentation) -> dict:
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
+            """
+            message = (
+                rules_documentation[rule_name]
+                if rules_documentation[rule_name] is not None
+                else ""
+            )
+            return {
+                "id": rule_name,
+                "defaultConfiguration": {"level": "warning"},
+                "shortDescription": {"text": f"GuardDog rule: {rule_name}"},
+                "fullDescription": {"text": message},
+                "help": {"text": message, "markdown": message},
+                "properties": {"precision": "medium"},
+            }
 
+        def get_result(rule_name, locations, text, partial_fingerprints):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#result-object
+            """
+            return {
+                "ruleId": rule_name,
+                "message": {"text": text},
+                "locations": locations,
+                "partialFingerprints": partial_fingerprints,
+            }
 
-def get_physical_location(uri, region):
-    """
-    https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#physicallocation-object
-    """
-    return {
-        "artifactLocation": {
-            "uri": uri
-        },
-        "region": region
-    }
-
-
-def get_region(package_raw: str, package: str) -> dict:
-    start_line = 0
-    start_column = 0
-    end_column = 0
-    for idx, val in enumerate(package_raw.split("\n")):
-        if package in val:
-            start_line = idx + 1
-            start_column = val.index(package) + 1
-            end_column = start_column + len(package)
-
-    return {
-        "startLine": start_line,
-        "endLine": start_line,
-        "startColumn": start_column,
-        "endColumn": end_column,
-    }
-
-
-def report_verify_sarif(
-    package_path: str,
-    rule_names: list[str],
-    scan_results: list[dict],
-    ecosystem: ECOSYSTEM,
-) -> str:
-    rules_documentation = build_rules_help_list()
-    rules = list(map(
-        lambda s: get_rule(s, rules_documentation),
-        rule_names
-    ))
-    driver = get_driver(rules, ecosystem.value)
-    results = []
-
-    with open(package_path, "r") as file:
-        package_raw = file.read()
-
-    for entry in scan_results:
-        if entry["result"]["issues"] == 0:
-            continue
-
-        region = get_region(package_raw, entry["dependency"])
-        uri = package_path[2:] if package_path.startswith('./') else package_path
-        physical_location = get_physical_location(uri, region)
-        location = get_location(physical_location)
-        scan_result_details = entry["result"]["results"]
-        package = entry["dependency"]
-        version = entry["version"]
-        for rule_name in scan_result_details.keys():
-            if scan_result_details[rule_name] is None or len(scan_result_details[rule_name]) == 0:
+        def get_location(physical_location):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#location-object
+            """
+            return {"physicalLocation": physical_location}
+
+        def get_physical_location(uri, region):
+            """
+            https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#physicallocation-object
+            """
+            return {"artifactLocation": {"uri": uri}, "region": region}
+
+        def get_region(
+            dependency_files: List[DependencyFile], package: str
+        ) -> tuple[DependencyFile, dict]:
+            for dependency_file in dependency_files:
+                for d in dependency_file.dependencies:
+                    if d.name == package:
+                        return dependency_file, {
+                            "startLine": list(d.versions)[0].location,
+                            "endLine": list(d.versions)[0].location,
+                            "startColumn": 1,
+                            "endColumn": len(package),
+                        }
+            raise ValueError(
+                f"Could not find the package {package} in the dependency files"
+            )
+
+        rules_documentation = build_rules_help_list()
+        rules = list(map(lambda s: get_rule(s, rules_documentation), rule_names))
+        driver = get_driver(rules, ecosystem.value)
+        results = []
+
+        for entry in scan_results:
+            if entry["result"]["issues"] == 0:
                 continue
-            text = f"On package: {package} version: {version}\n" + "\n".join(map(
-                lambda x: x["message"],
-                scan_result_details[rule_name]
-            )) if isinstance(scan_result_details[rule_name], list) else scan_result_details[rule_name]
-            key = f"{rule_name}-{text}"
-            partial_fingerprints = {
-                f"guarddog/v1/{rule_name}": hashlib.sha256(key.encode('utf-8')).hexdigest()
-            }
-            result = get_result(rule_name,
-                                [location],
-                                text,
-                                partial_fingerprints)
-            results.append(result)
-
-    runs = get_run(results, driver)
-    log = get_sarif_log([runs])
-    return json.dumps(log, indent=2)
+
+            dep_file, region = get_region(
+                dependency_files=dependency_files, package=entry["dependency"]
+            )
+            package_path = dep_file.file_path
+            uri = package_path[2:] if package_path.startswith("./") else package_path
+            physical_location = get_physical_location(uri, region)
+            location = get_location(physical_location)
+            scan_result_details = entry["result"]["results"]
+            package = entry["dependency"]
+            version = entry["version"]
+            for rule_name in scan_result_details.keys():
+                if (
+                    scan_result_details[rule_name] is None
+                    or len(scan_result_details[rule_name]) == 0
+                ):
+                    continue
+
+                text = (
+                    f"On package: {package} version: {version}\n"
+                    + "\n".join(
+                        map(
+                            lambda x: f"{x['message']} in file {x['location']}",
+                            scan_result_details[rule_name],
+                        )
+                    )
+                    if isinstance(scan_result_details[rule_name], list)
+                    else scan_result_details[rule_name]
+                )
+                key = f"{rule_name}-{text}"
+                partial_fingerprints = {
+                    f"guarddog/v1/{rule_name}": hashlib.sha256(
+                        key.encode("utf-8")
+                    ).hexdigest()
+                }
+                result = get_result(rule_name, [location], text, partial_fingerprints)
+                results.append(result)
+
+        runs = get_run(results, driver)
+        log = get_sarif_log([runs])
+
+        errors = "\n".join(
+            [
+                HumanReadableReporter.print_errors(
+                    identifier=r["dependency"], results=r["result"]
+                )
+                for r in scan_results
+            ]
+        )
+
+        return (json.dumps(log, indent=2), errors)

guarddog/scanners/__init__.py

@@ -8,6 +8,7 @@ from .pypi_project_scanner import PypiRequirementsScanner
 from .go_package_scanner import GoModuleScanner
 from .go_project_scanner import GoDependenciesScanner
 from .github_action_scanner import GithubActionScanner
+from .extension_scanner import ExtensionScanner
 from .scanner import PackageScanner, ProjectScanner
 from ..ecosystems import ECOSYSTEM
 
@@ -33,6 +34,8 @@ def get_package_scanner(ecosystem: ECOSYSTEM) -> Optional[PackageScanner]:
             return GoModuleScanner()
         case ECOSYSTEM.GITHUB_ACTION:
             return GithubActionScanner()
+        case ECOSYSTEM.EXTENSION:
+            return ExtensionScanner()
     return None
 
 
@@ -57,4 +60,6 @@ def get_project_scanner(ecosystem: ECOSYSTEM) -> Optional[ProjectScanner]:
             return GoDependenciesScanner()
         case ECOSYSTEM.GITHUB_ACTION:
             return GitHubActionDependencyScanner()
+        case ECOSYSTEM.EXTENSION:
+            return None  # we're not including dependency scanning for this PR
     return None

guarddog/scanners/extension_scanner.py

@@ -0,0 +1,152 @@
+import logging
+import os
+import typing
+
+import requests
+
+from guarddog.analyzer.analyzer import Analyzer
+from guarddog.ecosystems import ECOSYSTEM
+from guarddog.scanners.scanner import PackageScanner, noop
+
+log = logging.getLogger("guarddog")
+
+MARKETPLACE_URL = (
+    "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery"
+)
+MARKETPLACE_HEADERS = {
+    "Content-Type": "application/json",
+    "Accept": "application/json;api-version=3.0-preview.1",
+}
+MARKETPLACE_DOWNLOAD_LINK_ASSET_TYPE = "Microsoft.VisualStudio.Services.VSIXPackage"
+VSIX_FILE_EXTENSION = ".vsix"
+
+# VSCode Marketplace API filter types
+# FilterType 7 = publisherName.extensionName (search by exact extension identifier)
+MARKETPLACE_FILTER_TYPE_EXTENSION_NAME = 7
+
+# VSCode Marketplace API flags (bitwise combination)
+# 446 = IncludeVersions | IncludeFiles | IncludeMetadata
+MARKETPLACE_FLAGS_FULL_METADATA = 446
+
+
+class ExtensionScanner(PackageScanner):
+    def __init__(self) -> None:
+        super().__init__(Analyzer(ECOSYSTEM.EXTENSION))
+
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
+        """
+        Downloads a VSCode extension from the marketplace and extracts it
+
+        Args:
+            directory: Directory to download to
+            package_name: Extension identifier (publisher.extension format)
+            version: Specific version or default to latest
+
+        Returns:
+            Tuple of (marketplace API response, extracted_path)
+        """
+        marketplace_data, vsix_url = self._get_marketplace_info_and_url(
+            package_name, version
+        )
+
+        vsix_path = os.path.join(
+            directory, package_name.replace("/", "-") + VSIX_FILE_EXTENSION
+        )
+        extracted_path = vsix_path.removesuffix(VSIX_FILE_EXTENSION)
+
+        log.debug(f"Downloading VSCode extension from {vsix_url}")
+
+        self.download_compressed(vsix_url, vsix_path, extracted_path)
+
+        return marketplace_data, extracted_path
+
+    def _get_marketplace_info_and_url(
+        self, package_name: str, version: typing.Optional[str] = None
+    ) -> typing.Tuple[dict, str]:
+        """Get marketplace metadata and VSIX download URL"""
+        payload = {
+            "filters": [
+                {
+                    "criteria": [
+                        {
+                            "filterType": MARKETPLACE_FILTER_TYPE_EXTENSION_NAME,
+                            "value": package_name,
+                        }
+                    ]
+                }
+            ],
+            "flags": MARKETPLACE_FLAGS_FULL_METADATA,
+        }
+
+        response = requests.post(
+            MARKETPLACE_URL, headers=MARKETPLACE_HEADERS, json=payload
+        )
+
+        response.raise_for_status()
+
+        data = response.json()
+
+        if not data.get("results") or not data["results"][0].get("extensions"):
+            raise ValueError(f"Extension {package_name} not found in marketplace")
+
+        extension_info = data["results"][0]["extensions"][0]
+        versions = extension_info.get("versions", [])
+
+        if not versions:
+            raise ValueError(
+                f"No versions available for this extension: {package_name}"
+            )
+
+        target_version = None
+        if version is None:
+            # if not version is provided, default to latest
+            target_version = versions[0]
+        else:
+            for v in versions:
+                if v.get("version") == version:
+                    target_version = v
+                    break
+            if target_version is None:
+                raise ValueError(
+                    f"Version {version} not found for extension: {package_name}"
+                )
+
+        # Extract download URL
+        files = target_version.get("files", [])
+        vsix_url = None
+        for file_info in files:
+            if file_info.get("assetType") == MARKETPLACE_DOWNLOAD_LINK_ASSET_TYPE:
+                vsix_url = file_info.get("source")
+                break
+
+        if not vsix_url:
+            raise ValueError(
+                f"No VSIX download link available for this extension: {package_name}"
+            )
+
+        return data, vsix_url
+
+    def scan_local(
+        self, path: str, rules=None, callback: typing.Callable[[dict], None] = noop
+    ) -> dict:
+        """
+        Scan a local VSCode extension directory
+
+        Args:
+            path: Path to extension directory containing package.json
+            rules: Set of rules to use
+            callback: Callback to apply to analyzer output
+
+        Returns:
+            Scan results
+        """
+        if rules is not None:
+            rules = set(rules)
+
+        # Use only sourcecode analysis for local scans, consistent with other ecosystems
+        results = self.analyzer.analyze_sourcecode(path, rules=rules)
+        callback(results)
+
+        return results

guarddog/scanners/github_action_project_scanner.py

@@ -1,4 +1,5 @@
 import logging
+import os
 from typing import List, Dict, TypedDict
 from typing_extensions import NotRequired
 
@@ -7,6 +8,7 @@ import re
 
 from guarddog.scanners.github_action_scanner import GithubActionScanner
 from guarddog.scanners.scanner import ProjectScanner
+from guarddog.scanners.scanner import Dependency, DependencyVersion
 
 log = logging.getLogger("guarddog")
 
@@ -66,17 +68,40 @@ class GitHubActionDependencyScanner(ProjectScanner):
     def __init__(self) -> None:
         super().__init__(GithubActionScanner())
 
-    def parse_requirements(self, raw_requirements: str) -> dict[str, set[str]]:
+    def parse_requirements(self, raw_requirements: str) -> List[Dependency]:
         actions = self.parse_workflow_3rd_party_actions(raw_requirements)
+        dependencies: List[Dependency] = []
 
-        requirements: dict[str, set[str]] = {}
         for action in actions:
-            repo, version = action["name"], action["ref"]
-            if repo in requirements:
-                requirements[repo].add(version)
-            else:
-                requirements[repo] = {version}
-        return requirements
+            name = action["name"]
+            version = action["ref"]
+            idx = next(
+                iter(
+                    [
+                        ix
+                        for ix, line in enumerate(raw_requirements.splitlines())
+                        if name in line
+                    ]
+                ),
+                0,
+            )
+            # find the dep with the same name or create a new one
+            dep_versions = [DependencyVersion(version=version, location=idx + 1)]
+
+            dep = next(
+                filter(
+                    lambda d: d.name == name,
+                    dependencies,
+                ),
+                None,
+            )
+            if not dep:
+                dep = Dependency(name=name, versions=set())
+                dependencies.append(dep)
+
+            dep.versions.update(dep_versions)
+
+        return dependencies
 
     def parse_workflow_3rd_party_actions(
         self, workflow_file: str
@@ -99,3 +124,17 @@ class GitHubActionDependencyScanner(ProjectScanner):
                 if action:
                     actions.append(action)
         return actions
+
+    def find_requirements(self, directory: str) -> list[str]:
+        requirement_files = []
+
+        if not os.path.isdir(os.path.join(directory, ".git")):
+            raise Exception(
+                "unable to find github workflows, not called from git directory"
+            )
+        workflow_folder = os.path.join(directory, ".github/workflows")
+        if os.path.isdir(workflow_folder):
+            for name in os.listdir(workflow_folder):
+                if re.match(r"^(.+)\.y(a)?ml$", name, flags=re.IGNORECASE):
+                    requirement_files.append(os.path.join(workflow_folder, name))
+        return requirement_files

guarddog/scanners/github_action_scanner.py

@@ -15,7 +15,9 @@ class GithubActionScanner(PackageScanner):
     def __init__(self) -> None:
         super().__init__(Analyzer(ECOSYSTEM.GITHUB_ACTION))
 
-    def download_and_get_package_info(self, directory: str, package_name: str, version=None) -> typing.Tuple[dict, str]:
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
         repo = self._get_repo(package_name)
         tarball_url = self._get_git_tarball_url(repo, version)
 
@@ -25,7 +27,9 @@ class GithubActionScanner(PackageScanner):
         if file_extension == "":
             file_extension = ".zip"
 
-        zippath = os.path.join(directory, package_name.replace("/", "-") + file_extension)
+        zippath = os.path.join(
+            directory, package_name.replace("/", "-") + file_extension
+        )
         unzippedpath = zippath.removesuffix(file_extension)
         self.download_compressed(tarball_url, zippath, unzippedpath)