socketsecurity 0.0.99__tar.gz → 1.0.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {socketsecurity-0.0.99/socketsecurity.egg-info → socketsecurity-1.0.1}/PKG-INFO +1 -1
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/__init__.py +1 -1
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/__init__.py +5 -16
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/classes.py +12 -1
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/github.py +12 -2
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/messages.py +26 -8
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/socketcli.py +17 -4
- {socketsecurity-0.0.99 → socketsecurity-1.0.1/socketsecurity.egg-info}/PKG-INFO +1 -1
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/LICENSE +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/README.md +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/pyproject.toml +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/setup.cfg +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/exceptions.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/git_interface.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/gitlab.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/issues.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/licenses.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity/core/scm_comments.py +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity.egg-info/SOURCES.txt +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity.egg-info/dependency_links.txt +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity.egg-info/entry_points.txt +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity.egg-info/requires.txt +0 -0
- {socketsecurity-0.0.99 → socketsecurity-1.0.1}/socketsecurity.egg-info/top_level.txt +0 -0
|
@@ -1,2 +1,2 @@
|
|
|
1
1
|
__author__ = 'socket.dev'
|
|
2
|
-
__version__ = '
|
|
2
|
+
__version__ = '1.0.1'
|
|
@@ -637,30 +637,16 @@ class Core:
|
|
|
637
637
|
if alert_key not in head_scan_alerts:
|
|
638
638
|
new_alerts = new_scan_alerts[alert_key]
|
|
639
639
|
for alert in new_alerts:
|
|
640
|
-
if
|
|
640
|
+
if alert.error or alert.warn:
|
|
641
641
|
alerts.append(alert)
|
|
642
642
|
else:
|
|
643
643
|
new_alerts = new_scan_alerts[alert_key]
|
|
644
644
|
head_alerts = head_scan_alerts[alert_key]
|
|
645
645
|
for alert in new_alerts:
|
|
646
|
-
if alert not in head_alerts and
|
|
646
|
+
if alert not in head_alerts and (alert.error or alert.warn):
|
|
647
647
|
alerts.append(alert)
|
|
648
648
|
return alerts
|
|
649
649
|
|
|
650
|
-
@staticmethod
|
|
651
|
-
def is_error(alert: Alert):
|
|
652
|
-
"""
|
|
653
|
-
Compare the current alert against the Security Policy to determine if it should be included. Can be overridden
|
|
654
|
-
with all_new_alerts Global setting if desired to return all alerts and not just the error category from the
|
|
655
|
-
security policy.
|
|
656
|
-
:param alert:
|
|
657
|
-
:return:
|
|
658
|
-
"""
|
|
659
|
-
if all_new_alerts or (alert.type in security_policy and security_policy[alert.type]['action'] == "error"):
|
|
660
|
-
return True
|
|
661
|
-
else:
|
|
662
|
-
return False
|
|
663
|
-
|
|
664
650
|
@staticmethod
|
|
665
651
|
def create_issue_alerts(package: Package, alerts: dict, packages: dict) -> dict:
|
|
666
652
|
"""
|
|
@@ -704,6 +690,9 @@ class Core:
|
|
|
704
690
|
purl=package.purl,
|
|
705
691
|
url=package.url
|
|
706
692
|
)
|
|
693
|
+
if alert.type in security_policy:
|
|
694
|
+
action = security_policy[alert.type]['action']
|
|
695
|
+
setattr(issue_alert, action, True)
|
|
707
696
|
if issue_alert.key not in alerts:
|
|
708
697
|
alerts[issue_alert.key] = [issue_alert]
|
|
709
698
|
else:
|
|
@@ -140,7 +140,10 @@ class Issue:
|
|
|
140
140
|
pkg_id: str
|
|
141
141
|
props: dict
|
|
142
142
|
key: str
|
|
143
|
-
|
|
143
|
+
error: bool
|
|
144
|
+
warn: bool
|
|
145
|
+
ignore: bool
|
|
146
|
+
monitor: bool
|
|
144
147
|
description: str
|
|
145
148
|
title: str
|
|
146
149
|
emoji: str
|
|
@@ -162,6 +165,14 @@ class Issue:
|
|
|
162
165
|
self.introduced_by = []
|
|
163
166
|
if not hasattr(self, "manifests"):
|
|
164
167
|
self.manifests = ""
|
|
168
|
+
if not hasattr(self, "error"):
|
|
169
|
+
self.error = False
|
|
170
|
+
if not hasattr(self, "warn"):
|
|
171
|
+
self.warn = False
|
|
172
|
+
if not hasattr(self, "monitor"):
|
|
173
|
+
self.monitor = False
|
|
174
|
+
if not hasattr(self, "ignore"):
|
|
175
|
+
self.ignore = False
|
|
165
176
|
|
|
166
177
|
def __str__(self):
|
|
167
178
|
return json.dumps(self.__dict__)
|
|
@@ -24,6 +24,7 @@ global commit_message
|
|
|
24
24
|
global committer
|
|
25
25
|
global gh_api_token
|
|
26
26
|
global github_repository_owner
|
|
27
|
+
global event_action
|
|
27
28
|
|
|
28
29
|
github_variables = [
|
|
29
30
|
"GITHUB_SHA",
|
|
@@ -40,7 +41,8 @@ github_variables = [
|
|
|
40
41
|
"GITHUB_ACTOR",
|
|
41
42
|
"GITHUB_ENV",
|
|
42
43
|
"GH_API_TOKEN",
|
|
43
|
-
"GITHUB_REPOSITORY_OWNER"
|
|
44
|
+
"GITHUB_REPOSITORY_OWNER",
|
|
45
|
+
"EVENT_ACTION"
|
|
44
46
|
]
|
|
45
47
|
|
|
46
48
|
for env in github_variables:
|
|
@@ -80,6 +82,7 @@ class Github:
|
|
|
80
82
|
github_env: str
|
|
81
83
|
api_token: str
|
|
82
84
|
project_id: int
|
|
85
|
+
event_action: str
|
|
83
86
|
|
|
84
87
|
def __init__(self):
|
|
85
88
|
self.commit_sha = github_sha
|
|
@@ -100,6 +103,7 @@ class Github:
|
|
|
100
103
|
self.github_env = github_env
|
|
101
104
|
self.api_token = gh_api_token
|
|
102
105
|
self.project_id = 0
|
|
106
|
+
self.event_action = event_action
|
|
103
107
|
if self.api_token is None:
|
|
104
108
|
print("Unable to get Github API Token from GH_API_TOKEN")
|
|
105
109
|
sys.exit(2)
|
|
@@ -111,12 +115,18 @@ class Github:
|
|
|
111
115
|
event_type = "main"
|
|
112
116
|
else:
|
|
113
117
|
event_type = "diff"
|
|
118
|
+
elif github_event_name.lower() == "pull_request":
|
|
119
|
+
if event_action is not None and event_action != "" and event_action.lower() == "opened":
|
|
120
|
+
event_type = "diff"
|
|
121
|
+
else:
|
|
122
|
+
log.info(f"Pull Request Action {event_action} is not a supported type")
|
|
123
|
+
sys.exit(0)
|
|
114
124
|
elif github_event_name.lower() == "issue_comment":
|
|
115
125
|
event_type = "comment"
|
|
116
126
|
else:
|
|
117
127
|
event_type = None
|
|
118
128
|
log.error(f"Unknown event type {github_event_name}")
|
|
119
|
-
sys.exit(
|
|
129
|
+
sys.exit(0)
|
|
120
130
|
return event_type
|
|
121
131
|
|
|
122
132
|
@staticmethod
|
|
@@ -9,10 +9,13 @@ class Messages:
|
|
|
9
9
|
|
|
10
10
|
@staticmethod
|
|
11
11
|
def create_security_comment_json(diff: Diff) -> dict:
|
|
12
|
+
scan_failed = False
|
|
12
13
|
if len(diff.new_alerts) == 0:
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
14
|
+
for alert in diff.new_alerts:
|
|
15
|
+
alert: Issue
|
|
16
|
+
if alert.error:
|
|
17
|
+
scan_failed = True
|
|
18
|
+
break
|
|
16
19
|
output = {
|
|
17
20
|
"scan_failed": scan_failed,
|
|
18
21
|
"new_alerts": []
|
|
@@ -22,7 +25,6 @@ class Messages:
|
|
|
22
25
|
output["new_alerts"].append(json.loads(str(alert)))
|
|
23
26
|
return output
|
|
24
27
|
|
|
25
|
-
|
|
26
28
|
@staticmethod
|
|
27
29
|
def security_comment_template(diff: Diff) -> str:
|
|
28
30
|
"""
|
|
@@ -130,7 +132,8 @@ class Messages:
|
|
|
130
132
|
"Alert",
|
|
131
133
|
"Package",
|
|
132
134
|
"Introduced by",
|
|
133
|
-
"Manifest File"
|
|
135
|
+
"Manifest File",
|
|
136
|
+
"CI"
|
|
134
137
|
]
|
|
135
138
|
num_of_alert_columns = len(alert_table)
|
|
136
139
|
next_steps = {}
|
|
@@ -147,11 +150,16 @@ class Messages:
|
|
|
147
150
|
ignore_commands.append(ignore)
|
|
148
151
|
manifest_str, sources = Messages.create_sources(alert, "console")
|
|
149
152
|
purl_url = f"[{alert.purl}]({alert.url})"
|
|
153
|
+
if alert.error:
|
|
154
|
+
emoji = ':no_entry_sign:'
|
|
155
|
+
else:
|
|
156
|
+
emoji = ':warning:'
|
|
150
157
|
row = [
|
|
151
158
|
alert.title,
|
|
152
159
|
purl_url,
|
|
153
160
|
", ".join(sources),
|
|
154
|
-
manifest_str
|
|
161
|
+
manifest_str,
|
|
162
|
+
emoji
|
|
155
163
|
]
|
|
156
164
|
if row not in alert_table:
|
|
157
165
|
alert_table.extend(row)
|
|
@@ -262,17 +270,27 @@ class Messages:
|
|
|
262
270
|
"Alert",
|
|
263
271
|
"Package",
|
|
264
272
|
"Introduced by",
|
|
265
|
-
"Manifest File"
|
|
273
|
+
"Manifest File",
|
|
274
|
+
"CI Status"
|
|
266
275
|
]
|
|
267
276
|
)
|
|
268
277
|
for alert in diff.new_alerts:
|
|
269
278
|
alert: Issue
|
|
270
279
|
manifest_str, sources = Messages.create_sources(alert, "console")
|
|
280
|
+
if alert.error:
|
|
281
|
+
state = "block"
|
|
282
|
+
elif alert.warn:
|
|
283
|
+
state = "warn"
|
|
284
|
+
elif alert.monitor:
|
|
285
|
+
state = "monitor"
|
|
286
|
+
else:
|
|
287
|
+
state = "ignore"
|
|
271
288
|
row = [
|
|
272
289
|
alert.title,
|
|
273
290
|
alert.url,
|
|
274
291
|
", ".join(sources),
|
|
275
|
-
manifest_str
|
|
292
|
+
manifest_str,
|
|
293
|
+
state
|
|
276
294
|
]
|
|
277
295
|
alert_table.add_row(row)
|
|
278
296
|
return alert_table
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import argparse
|
|
2
2
|
import json
|
|
3
3
|
from socketsecurity.core import Core, __version__
|
|
4
|
-
from socketsecurity.core.classes import FullScanParams, Diff, Package
|
|
4
|
+
from socketsecurity.core.classes import FullScanParams, Diff, Package, Alert
|
|
5
5
|
from socketsecurity.core.messages import Messages
|
|
6
6
|
from socketsecurity.core.scm_comments import Comments
|
|
7
7
|
from socketsecurity.core.git_interface import Git
|
|
@@ -146,9 +146,10 @@ parser.add_argument(
|
|
|
146
146
|
def output_console_comments(diff_report: Diff, sbom_file_name: str = None) -> None:
|
|
147
147
|
console_security_comment = Messages.create_console_security_alert_table(diff_report)
|
|
148
148
|
save_sbom_file(diff_report, sbom_file_name)
|
|
149
|
-
if
|
|
149
|
+
if not report_pass(diff_report):
|
|
150
150
|
log.info("Security issues detected by Socket Security")
|
|
151
|
-
|
|
151
|
+
msg = f"\n{console_security_comment}"
|
|
152
|
+
log.info(msg)
|
|
152
153
|
sys.exit(1)
|
|
153
154
|
else:
|
|
154
155
|
log.info("No New Security issues detected by Socket Security")
|
|
@@ -158,14 +159,26 @@ def output_console_json(diff_report: Diff, sbom_file_name: str = None) -> None:
|
|
|
158
159
|
console_security_comment = Messages.create_security_comment_json(diff_report)
|
|
159
160
|
save_sbom_file(diff_report, sbom_file_name)
|
|
160
161
|
print(json.dumps(console_security_comment))
|
|
161
|
-
if
|
|
162
|
+
if not report_pass(diff_report):
|
|
162
163
|
sys.exit(1)
|
|
163
164
|
|
|
164
165
|
|
|
166
|
+
def report_pass(diff_report: Diff) -> bool:
|
|
167
|
+
report_passed = True
|
|
168
|
+
if len(diff_report.new_alerts) > 0:
|
|
169
|
+
for alert in diff_report.new_alerts:
|
|
170
|
+
alert: Alert
|
|
171
|
+
if report_passed and alert.error:
|
|
172
|
+
report_passed = False
|
|
173
|
+
break
|
|
174
|
+
return report_passed
|
|
175
|
+
|
|
176
|
+
|
|
165
177
|
def save_sbom_file(diff_report: Diff, sbom_file_name: str = None):
|
|
166
178
|
if diff_report is not None and sbom_file_name is not None:
|
|
167
179
|
Core.save_file(sbom_file_name, json.dumps(Core.create_sbom_output(diff_report)))
|
|
168
180
|
|
|
181
|
+
|
|
169
182
|
def cli():
|
|
170
183
|
try:
|
|
171
184
|
main_code()
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|