Merge branch 'smithy-security:main' into main
albrodfer1 authored Dec 16, 2024
2 parents 10978ae + 601fccc commit 4cbcfdc
Showing 3,137 changed files with 2,401,658 additions and 497 deletions.
8 changes: 2 additions & 6 deletions examples/pipelines/golang-project/main.go
Expand Up @@ -11,7 +11,7 @@ import (
)

const (
repoPath = "govwa"
repoPath = "damn-vulnerable-golang"
)

func main() {
Expand All @@ -24,10 +24,6 @@ func main() {
}

func Main(ctx context.Context) error {
if err := migrate(); err != nil {
log.Fatalf("failed to migrate: %v", err)
}

defer func() {
if err := os.RemoveAll("smithy.db"); err != nil {
log.Printf("failed to remove sqlite db: %v\n", err)
Expand All @@ -44,7 +40,7 @@ func Main(ctx context.Context) error {
}
}()

gitClone, err := NewGitCloneTarget("https://github.com/0c34/govwa.git", repoPath)
gitClone, err := NewGitCloneTarget("git@github.com:TheHackerDev/damn-vulnerable-golang.git", repoPath)
if err != nil {
return fmt.Errorf("failed to create git clone target: %w", err)
}
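Review bot: The new clone target in the last hunk is an SSH URL (`git@github.com:TheHackerDev/damn-vulnerable-golang.git`), which go-git can only clone with an SSH credential and a host-key check; nothing in this hunk supplies either, whereas the previous HTTPS URL cloned anonymously, so the example will most likely fail at clone time when run outside a developer's shell with an agent. The repository is public, so `gitClone, err := NewGitCloneTarget("https://github.com/TheHackerDev/damn-vulnerable-golang.git", repoPath)` keeps the example self-contained. If SSH is intentional, the key source and the known_hosts handling deserve a comment on this line. Main's body continues outside the hunk, and NewGitCloneTarget is defined in target.go.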
32 changes: 0 additions & 32 deletions examples/pipelines/golang-project/migrate.go

This file was deleted.

18 changes: 7 additions & 11 deletions examples/pipelines/golang-project/scanner.go
Expand Up @@ -22,7 +22,7 @@ import (
ocsf "github.com/smithy-security/smithy/sdk/gen/com/github/ocsf/ocsf_schema/v1"
)

const goSecOutPath = "gosec_out.json"
const goSecOutPath = "gosec.sarif"

var (
confidences = map[string]*ocsf.VulnerabilityFinding_ConfidenceId{
Expand Down Expand Up @@ -104,15 +104,15 @@ func (g *goSecScanner) Transform(ctx context.Context) ([]*ocsf.VulnerabilityFind
func (g *goSecScanner) parseVulns(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error) {
f, err := os.Open(goSecOutPath)
if err != nil {
return nil, fmt.Errorf("could not open gosec_out.json: %w", err)
return nil, fmt.Errorf("could not open gosec.sarif: %w", err)
}

defer func() {
if err := f.Close(); err != nil {
component.
LoggerFromContext(ctx).
Error(
"could not close gosec_out.json",
"could not close gosec.sarif",
slog.String("err", err.Error()),
)
}
Expand All @@ -121,20 +121,20 @@ func (g *goSecScanner) parseVulns(ctx context.Context) ([]*ocsf.VulnerabilityFin
component.
LoggerFromContext(ctx).
Error(
"could not remove gosec_out.json",
"could not remove gosec.sarif",
slog.String("err", err.Error()),
)
}
}()

b, err := io.ReadAll(f)
if err != nil {
return nil, fmt.Errorf("could not read gosec_out.json: %w", err)
return nil, fmt.Errorf("could not read gosec.sarif: %w", err)
}

var out GoSecOut
if err := json.Unmarshal(b, &out); err != nil {
return nil, fmt.Errorf("could not decode gosec_out.json: %w", err)
return nil, fmt.Errorf("could not decode gosec.sarif: %w", err)
}

var (
Expand Down Expand Up @@ -224,12 +224,8 @@ func (g *goSecScanner) runGoSec(ctx context.Context) error {
Tag: "2.15.0",
WorkingDir: "/workspace",
Cmd: []string{
"-r",
"-sort",
"-nosec",
"-fmt=json",
"-fmt=sarif",
fmt.Sprintf("-out=%s", goSecOutPath),
"-no-fail",
fmt.Sprintf("./%s", g.repoPath),
},
}, func(config *docker.HostConfig) {
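Review bot: runGoSec now asks gosec for `-fmt=sarif` (last hunk), but parseVulns still decodes the file into `GoSecOut` via `json.Unmarshal`; a SARIF document has a different top-level shape (runs/results) from gosec's native JSON report, and encoding/json ignores unknown fields, so unless GoSecOut was changed outside this diff the decode will succeed with an empty struct and the scanner will silently emit zero findings. The root go.mod already requires `github.com/owenrumney/go-sarif/v2`, so the parser can decode into its report type and walk the results, or the format can stay `-fmt=json` with only the filename changed; either way, failing when the decoded document has no runs would catch this class of mismatch early. Dropping `-nosec` means, if I read gosec's flag right, that `#nosec` comments inside the scanned repository now suppress findings, which is a coverage loss for a scanner pointed at third-party code and deserves a comment if intended. The line counts for the last hunk also suggest `-no-fail` was removed; without it gosec exits non-zero whenever it finds issues, which a vulnerable test target always will, so the container run may be reported as a failure. As a style point, the six messages that hard-code `gosec.sarif` sit next to the `goSecOutPath` constant; `fmt.Errorf("could not open %s: %w", goSecOutPath, err)` keeps them from drifting again.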
5 changes: 4 additions & 1 deletion examples/pipelines/golang-project/target.go
Expand Up @@ -34,8 +34,11 @@ func (g *gitCloneTarget) Prepare(ctx context.Context) error {
logger.Debug("preparing to clone repo")

if _, err := git.PlainClone(g.clonePath, false, &git.CloneOptions{
Depth: 1,
ReferenceName: "main",
ShallowSubmodules: true,
SingleBranch: true,
URL: g.repositoryURL,
RecurseSubmodules: git.DefaultSubmoduleRecursionDepth,
}); err != nil {
return fmt.Errorf("could not clone repository: %w", err)
}
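Review bot: `ReferenceName: "main"` hard-codes the branch, so any target whose default branch is not `main` (many older repositories still use `master`) will fail the clone with a reference-not-found error, where leaving ReferenceName unset would have followed the remote HEAD. Since the struct already carries repositoryURL, a branch field with `main` as the fallback, `ReferenceName: plumbing.NewBranchReferenceName(g.branch)`, keeps the new behaviour while staying configurable. The line counts for this section also suggest `Depth: 1` was removed; without it the target's full history is fetched, which a source scanner does not need, so if that was required for the branch or submodule options a one-line comment would stop the next reader from re-adding it. Prepare's body begins and ends outside the hunk.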
5 changes: 3 additions & 2 deletions go.mod
@@ -1,6 +1,6 @@
module github.com/smithy-security/smithy

go 1.23
go 1.23.2

require (
cloud.google.com/go/bigquery v1.57.1
Expand All @@ -24,7 +24,7 @@ require (
github.com/owenrumney/go-sarif/v2 v2.1.2
github.com/package-url/packageurl-go v0.1.0
github.com/playwright-community/playwright-go v0.4702.0
github.com/smithy-security/smithy/sdk v0.0.0-20241105123058-5f86d13d1f37
github.com/smithy-security/smithy/sdk v0.0.2-alpha
github.com/spf13/cobra v1.8.0
github.com/spf13/viper v1.11.0
github.com/stretchr/testify v1.9.0
Expand Down Expand Up @@ -162,6 +162,7 @@ require (
github.com/shopspring/decimal v1.3.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/smithy-security/pkg/env v0.0.1 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
github.com/urfave/cli/v2 v2.26.0 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
6 changes: 4 additions & 2 deletions go.sum
Expand Up @@ -1176,8 +1176,10 @@ github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2
github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/smithy-security/smithy/sdk v0.0.0-20241105123058-5f86d13d1f37 h1:zeSHFLK45R5oeKSPDQeaIjh8IBJvIlq6xz/31ZkI+JY=
github.com/smithy-security/smithy/sdk v0.0.0-20241105123058-5f86d13d1f37/go.mod h1:cqtrJluiVmgIe3LRSuw5nLZlOS5g+bHImjlWUrBvAT8=
github.com/smithy-security/pkg/env v0.0.1 h1:uwLTMLdNN/dv3x4zat75JahEBQDpdBeldjEE8El4OiM=
github.com/smithy-security/pkg/env v0.0.1/go.mod h1:VIJfDqeAbQQcmohaXcZI6grjeJC9Y8CmqR4ITpdngZE=
github.com/smithy-security/smithy/sdk v0.0.2-alpha h1:Ce0cgAl2a8+whD3TJgWNIOGnN+AvNE8HlouJ2hZxMOI=
github.com/smithy-security/smithy/sdk v0.0.2-alpha/go.mod h1:YsIuprp7Sh0shBPsifHOAflo6R4m0hpXuMVzFJDbbsk=
github.com/snowflakedb/gosnowflake v1.6.3/go.mod h1:6hLajn6yxuJ4xUHZegMekpq9rnQbGJ7TMwXjgTmA6lg=
github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
42 changes: 42 additions & 0 deletions new-components/Dockerfile
@@ -0,0 +1,42 @@
# Used only to build Go binaries.
FROM golang:1.23.3 AS builder

ARG COMPONENT_PATH
ARG COMPONENT_BINARY_SOURCE_PATH

WORKDIR /wrk

# Copy only go related files.
COPY ${COMPONENT_PATH} ./

# Security hardening and building flags for minimal binaries.
#
# These CGO_CPPFLAGS help preventing overflows.
# Add a small overhead at compile time.
RUN CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all" \
# Makes memory exploitation harder.
# Add a small overhead at compile time.
GOFLAGS="-buildmode=pie" \
# CGO_ENABLED=0 \
GOOS="linux" \
GOARCH="amd64" \
go build -ldflags "-s -w" -trimpath -o app ${COMPONENT_BINARY_SOURCE_PATH}

# Create a workspace to clone repos to.
RUN mkdir -p /workspace

# Used to actually run the binary in minimal image.
FROM gcr.io/distroless/base-debian12:nonroot

COPY --from=builder --chown=65534:65534 /wrk/app /bin/app
COPY --from=builder --chown=65534:65534 /workspace /workspace

# Run as UID for 'nobody' since k8s pod securityContext runAsNonRoot can't resolve the user ID:
# https://github.com/kubernetes/kubernetes/issues/40958
USER 65534

# Setting the workdir where we'll clone repositories.
WORKDIR /workspace

# Set the binary as the entry point
ENTRYPOINT ["/bin/app"]
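Review bot: Both base images are pinned by tag only (`golang:1.23.3` and `gcr.io/distroless/base-debian12:nonroot`), so the build is not reproducible and an upstream retag silently changes what ships; pin by digest as well, e.g. `FROM golang:1.23.3@sha256:<builder-image-digest> AS builder`, and let tooling refresh the digest. The commented-out `# CGO_ENABLED=0` leaves cgo on, which is what gives the `CGO_CPPFLAGS` hardening any effect but also means the binary links against the builder's glibc and must run on a glibc base; a comment stating that the pairing with `base-debian12` is deliberate, and that these flags do not harden pure-Go code, would stop someone from "fixing" either side. The `:nonroot` base already provides a dedicated non-root account; if `USER 65534` is chosen so that it matches the `--chown` of the copied files, say so in the comment alongside the kubernetes issue.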
6 changes: 6 additions & 0 deletions new-components/enrichers/custom-annotation/.env
@@ -0,0 +1,6 @@
# This is for local setup only.
SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
SMITHY_LOG_LEVEL=debug
SMITHY_BACKEND_STORE_TYPE=local
CUSTOM_ANNOTATION_NAME=reachability
CUSTOM_ANNOTATION_VALUES={"foo":"bar"}
30 changes: 30 additions & 0 deletions new-components/enrichers/custom-annotation/README.md
@@ -0,0 +1,30 @@
# custom-annotation

This component implements an [enricher](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
that adds a custom json annotation to the fetched vulnerability findings associated with the workflow.

## Environment variables

The component uses environment variables for configuration.

It requires the component
environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well as the following:

| Environment Variable | Type | Required | Default | Description |
|----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
| CUSTOM\_ANNOTATION\_NAME | string | yes | - | The name of the annotation to be added. |
| CUSTOM\_ANNOTATION\_VALUES | string | no | {} | Json annotations to be added as annotation. For example '{"foo":"bar"}' |

## How to run

Execute:

```shell
docker-compose up --build --force-recreate --remove-orphans
```

Then shutdown with:

```shell
docker-compose down --rmi all
```
42 changes: 42 additions & 0 deletions new-components/enrichers/custom-annotation/cmd/main.go
@@ -0,0 +1,42 @@
package main

import (
"context"
"log"
"time"

"github.com/go-errors/errors"

"github.com/smithy-security/smithy/sdk/component"

"github.com/smithy-security/smithy/new-components/enrichers/custom-annotation/internal/annotation"
)

func main() {
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()

if err := Main(ctx); err != nil {
log.Fatalf("unexpected error: %v", err)
}
}

func Main(ctx context.Context, opts ...component.RunnerOption) error {
opts = append(opts, component.RunnerWithComponentName("custom-annotation"))

cfg, err := annotation.NewConf()
if err != nil {
return errors.Errorf("error reading annotation config: %w", err)
}

annotator, err := annotation.NewCustomAnnotator(cfg)
if err != nil {
return errors.Errorf("error creating custom annotation annotator: %w", err)
}

if err := component.RunEnricher(ctx, annotator, opts...); err != nil {
return errors.Errorf("error enriching custom annotation: %w", err)
}

return nil
}
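Review bot: The exported `Main` has no doc comment, and the one-minute deadline in `main` is an unexplained constant, so a reader cannot tell whether an enrichment run is expected to finish that quickly or whether the value is a placeholder. Suggest `// Main configures and runs the custom-annotation enricher; it is exported so callers (presumably tests) can supply their own context and runner options.` above `Main`, and a named constant such as `const runTimeout = 1 * time.Minute // upper bound for a single enrichment run` used in `main`. The `component.RunnerWithComponentName` option is appended after the caller's opts, so if options apply in order it will override any name a caller passes in; worth a comment if that precedence is intended.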
10 changes: 10 additions & 0 deletions new-components/enrichers/custom-annotation/docker-compose.yaml
@@ -0,0 +1,10 @@
services:
enricher:
build:
context: ../..
args:
- COMPONENT_PATH=enrichers/custom-annotation
- COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
platform: linux/amd64
env_file:
- .env
47 changes: 47 additions & 0 deletions new-components/enrichers/custom-annotation/go.mod
@@ -0,0 +1,47 @@
module github.com/smithy-security/smithy/new-components/enrichers/custom-annotation

go 1.23.2

require (
github.com/go-errors/errors v1.5.1
github.com/smithy-security/pkg/env v0.0.1
github.com/smithy-security/smithy/sdk v0.0.2-alpha
github.com/stretchr/testify v1.9.0
google.golang.org/protobuf v1.35.1
)

require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/Masterminds/sprig/v3 v3.2.3 // indirect
github.com/abice/go-enum v0.6.0 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/golang/mock v1.6.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/huandu/xstrings v1.3.3 // indirect
github.com/imdario/mergo v0.3.13 // indirect
github.com/jonboulle/clockwork v0.4.0 // indirect
github.com/labstack/gommon v0.4.1 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-sqlite3 v1.14.24 // indirect
github.com/mattn/goveralls v0.0.12 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/spf13/cast v1.3.1 // indirect
github.com/urfave/cli/v2 v2.26.0 // indirect
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
go.uber.org/mock v0.5.0 // indirect
golang.org/x/crypto v0.3.0 // indirect
golang.org/x/mod v0.18.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/tools v0.22.0 // indirect
golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)