add -skips3 flag and instructions for local testing

components/consumers/pdf/README.md

@@ -0,0 +1,24 @@
+# PDF consumer
+
+This consumer prints the pipeline results into a Go template, prints them into a PDF and uploads them into an S3 bucket.
+
+# How it works
+The HTML template is in `/components/consumers/pdf/default.html` .  
+The styles for it are inline.  
+The PDF uses the Print styles, so it's slightly different from what you see in the browser.
+Then the component uses Playwright to render the template and print it into a PDF.
+The PDF is then uploaded into an S3 bucket.
+
+# How to test locally
+
+1. Install the requirements for the component. Check the Docker file (`/components/consumers/pdf/Dockerfile`) for the latest versions:
+```
+$ go install github.com/playwright-community/playwright-go/cmd/[email protected]
+$ playwright install chromium --with-deps
+```
+2. Copy `/components/consumers/pdf/default.html` into the root of your `smithy` oss repo
+3. Generate the PDF by running this in the `smithy` oss repo root. We don't want to upload to s3, so we add the `skips3` flag:
+```
+go run components/consumers/pdf/main.go -in components/consumers/pdf/example_data/gosec.enriched.aggregated.pb -skips3
+```
+This generates the PDF and the report.html in the root of your repo, without uploading it to an S3 bucket. Don't forget to delete it later.

components/consumers/pdf/example_data/gosec.enriched.aggregated.pb

@@ -0,0 +1,216 @@
+
+�
+�����gosec�
+0file:///tmp/wspc/go-dvwa/vulnerable/sql.go:52-52G404VUse of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) 0:?51: 			"sneaker",
+52: 			rand.Intn(500))
+53: 		if err != nil {
+BunknownR%:d01e22b2-88b0-4873-a13b-9e3d1279af09b�			fmt.Sprintf("secret password %d", i))
+		if err != nil {
+			return nil, err
+		}
+
+		_, err = db.Exec(
+			"INSERT INTO product (name, category, price) VALUES (?, ?, ?)",
+			fmt.Sprintf("Product %d", i),
+			"sneaker",
+			rand.Intn(500))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return db, nil
+}
+
+type Product struct {
+	Id       intj��
+-file:///tmp/wspc/go-dvwa/server/main.go:27-27G114GUse of net/http serve function that has no support for setting timeouts 0:�
26: 	log.Println("Serving application on", addr)
+27: 	err = http.ListenAndServe(addr, sqhttp.Middleware(router))
+28: 	if err != nil {
+BunknownR%:34ca912e-8df6-47f2-9bd9-7a1bd3771e81b�	if err != nil {
+		log.Panic("could not get the executable filename:", err)
+	}
+	templateDir := filepath.Join(filepath.Dir(bin), "template")
+
+	router := NewRouter(templateDir)
+
+	addr := ":8080"
+	log.Println("Serving application on", addr)
+	err = http.ListenAndServe(addr, sqhttp.Middleware(router))
+	if err != nil {
+		log.Fatalln(err)
+	}
+}j��
+0file:///tmp/wspc/go-dvwa/vulnerable/sql.go:69-69G202SQL string concatenation 0:�
68: func GetProducts(ctx context.Context, db *sql.DB, category string) ([]Product, error) {
+69: 	rows, err := db.QueryContext(ctx, "SELECT * FROM product WHERE category='"+category+"'")
+70: 	if err != nil {
+BunknownR%:ff3580cd-5ce4-4f88-b125-e66a23dbc41ab�
+type Product struct {
+	Id       int
+	Name     string
+	Category string
+	Price    string
+}
+
+func GetProducts(ctx context.Context, db *sql.DB, category string) ([]Product, error) {
+	rows, err := db.QueryContext(ctx, "SELECT * FROM product WHERE category='"+category+"'")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var products []Product
+	for rows.Next() {
+		var product Product
+		if err := rows.Scan(&product.Id, &product.Name, &product.Category, &product.Price); err != nil {
+			return nil, err
+		}j
Y�
+1file:///tmp/wspc/go-dvwa/vulnerable/open.go:13-13G304%Potential file inclusion via variable 0:812: 	// restricted.
+13: 	return os.Open(filepath)
+14: }
+BunknownR%:9e858968-7fa7-44b4-9da6-960907c3db38b�
+package vulnerable
+
+import "os"
+
+func Open(filepath string) (*os.File, error) {
+	// Nothing special is needed to make Open vulnerable to local file inclusion
+	// (LFi). LFi is actually possible when the filepath is not properly
+	// restricted.
+	return os.Open(filepath)
+}j
�
+/file:///tmp/wspc/go-dvwa/server/router.go:55-59G104Errors unhandled. 0:�
54: 		enc := json.NewEncoder(w)
+55: 		enc.Encode(struct {
+56: 			Output string
+57: 		}{
+58: 			Output: string(output),
+59: 		})
+60: 	})
+BunknownR%:7f02a510-9b80-4bb6-a4ba-38fc53c6fe53b�		extra := r.FormValue("extra")
+		output, err := vulnerable.System(r.Context(), "ping -c1 sqreen.com"+extra)
+		if err != nil {
+			log.Println(err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		enc := json.NewEncoder(w)
+		enc.Encode(struct {
+			Output string
+		}{
+			Output: string(output),
+		})
+	})
+
+	r.PathPrefix("/").Handler(http.FileServer(http.Dir(templateDir)))
+
+	return r
+}j��
+�
+0file:///tmp/wspc/go-dvwa/vulnerable/sql.go:52-52G404VUse of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) 0:?51: 			"sneaker",
+52: 			rand.Intn(500))
+53: 		if err != nil {
+BunknownR%:d01e22b2-88b0-4873-a13b-9e3d1279af09b�			fmt.Sprintf("secret password %d", i))
+		if err != nil {
+			return nil, err
+		}
+
+		_, err = db.Exec(
+			"INSERT INTO product (name, category, price) VALUES (?, ?, ?)",
+			fmt.Sprintf("Product %d", i),
+			"sneaker",
+			rand.Intn(500))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return db, nil
+}
+
+type Product struct {
+	Id       intj��
+�
+-file:///tmp/wspc/go-dvwa/server/main.go:27-27G114GUse of net/http serve function that has no support for setting timeouts 0:�
26: 	log.Println("Serving application on", addr)
+27: 	err = http.ListenAndServe(addr, sqhttp.Middleware(router))
+28: 	if err != nil {
+BunknownR%:34ca912e-8df6-47f2-9bd9-7a1bd3771e81b�	if err != nil {
+		log.Panic("could not get the executable filename:", err)
+	}
+	templateDir := filepath.Join(filepath.Dir(bin), "template")
+
+	router := NewRouter(templateDir)
+
+	addr := ":8080"
+	log.Println("Serving application on", addr)
+	err = http.ListenAndServe(addr, sqhttp.Middleware(router))
+	if err != nil {
+		log.Fatalln(err)
+	}
+}j��
+�
+0file:///tmp/wspc/go-dvwa/vulnerable/sql.go:69-69G202SQL string concatenation 0:�
68: func GetProducts(ctx context.Context, db *sql.DB, category string) ([]Product, error) {
+69: 	rows, err := db.QueryContext(ctx, "SELECT * FROM product WHERE category='"+category+"'")
+70: 	if err != nil {
+BunknownR%:ff3580cd-5ce4-4f88-b125-e66a23dbc41ab�
+type Product struct {
+	Id       int
+	Name     string
+	Category string
+	Price    string
+}
+
+func GetProducts(ctx context.Context, db *sql.DB, category string) ([]Product, error) {
+	rows, err := db.QueryContext(ctx, "SELECT * FROM product WHERE category='"+category+"'")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var products []Product
+	for rows.Next() {
+		var product Product
+		if err := rows.Scan(&product.Id, &product.Name, &product.Category, &product.Price); err != nil {
+			return nil, err
+		}j
Y�
+�
+1file:///tmp/wspc/go-dvwa/vulnerable/open.go:13-13G304%Potential file inclusion via variable 0:812: 	// restricted.
+13: 	return os.Open(filepath)
+14: }
+BunknownR%:9e858968-7fa7-44b4-9da6-960907c3db38b�
+package vulnerable
+
+import "os"
+
+func Open(filepath string) (*os.File, error) {
+	// Nothing special is needed to make Open vulnerable to local file inclusion
+	// (LFi). LFi is actually possible when the filepath is not properly
+	// restricted.
+	return os.Open(filepath)
+}j
�
+�
+/file:///tmp/wspc/go-dvwa/server/router.go:55-59G104Errors unhandled. 0:�
54: 		enc := json.NewEncoder(w)
+55: 		enc.Encode(struct {
+56: 			Output string
+57: 		}{
+58: 			Output: string(output),
+59: 		})
+60: 	})
+BunknownR%:7f02a510-9b80-4bb6-a4ba-38fc53c6fe53b�		extra := r.FormValue("extra")
+		output, err := vulnerable.System(r.Context(), "ping -c1 sqreen.com"+extra)
+		if err != nil {
+			log.Println(err)
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		enc := json.NewEncoder(w)
+		enc.Encode(struct {
+			Output string
+		}{
+			Output: string(output),
+		})
+	})
+
+	r.PathPrefix("/").Handler(http.FileServer(http.Dir(templateDir)))
+
+	return r
+}j�

components/consumers/pdf/main.go

@@ -25,23 +25,25 @@ var (
 	bucket         string
 	region         string
 	reportTemplate string
+	skipS3Upload   bool
 )
 
 func main() {
 
 	flag.StringVar(&bucket, "bucket", "", "s3 bucket name")
 	flag.StringVar(&region, "region", "", "s3 bucket region")
 	flag.StringVar(&reportTemplate, "template", "", "report html template location")
+	flag.BoolVar(&skipS3Upload, "skips3", false, "skip s3 upload")
 
 	if err := consumers.ParseFlags(); err != nil {
 		log.Fatal(err)
 	}
 
-	if bucket == "" {
+	if bucket == "" && !skipS3Upload {
 		log.Fatal("bucket is empty, you need to provide a bucket value")
 	}
 
-	if region == "" {
+	if region == "" && !skipS3Upload {
 		log.Fatal("region is empty, you need to provide a region value")
 	}
 
@@ -92,9 +94,13 @@ func run(responses any, s3FilenamePostfix string, pw playwright.Wrapper, s3Wrapp
 	if err != nil {
 		return err
 	}
+	slog.Info("result filename", slog.String("filename", resultFilename))
 
-	slog.Info("uploading pdf to s3", slog.String("filename", resultFilename), slog.String("bucket", bucket), slog.String("region", region))
-	return s3Wrapper.UpsertFile(resultFilename, bucket, s3FilenamePostfix, pdfBytes)
+	if !skipS3Upload {
+		slog.Info("uploading pdf to s3", slog.String("filename", resultFilename), slog.String("bucket", bucket), slog.String("region", region))
+		return s3Wrapper.UpsertFile(resultFilename, bucket, s3FilenamePostfix, pdfBytes)
+	}
+	return nil
 }
 
 func buildPdf(data any, pw playwright.Wrapper) (string, []byte, error) {
@@ -118,11 +124,12 @@ func buildPdf(data any, pw playwright.Wrapper) (string, []byte, error) {
 		return "", nil, fmt.Errorf("could not apply data to template: %w", err)
 	}
 
+	reportPDFPath := filepath.Join(currentPath, "report.pdf")
 	reportPage := fmt.Sprintf("file:///%s", reportHTMLPath)
-	pdfBytes, err := pw.GetPDFOfPage(reportPage, reportHTMLPath)
+	pdfBytes, err := pw.GetPDFOfPage(reportPage, reportPDFPath)
 	if err != nil {
 		return "", nil, fmt.Errorf("could not generate pdf from page %s, err: %w", reportPage, err)
 
 	}
-	return reportHTMLPath, pdfBytes, err
+	return reportPDFPath, pdfBytes, err
 }