Merge 3a05ae4 into 18de335

nearform · Jul 27, 2018 · 21f265f · 21f265f
2 parents 18de335 + 3a05ae4
commit 21f265f
Show file tree

Hide file tree

Showing 12 changed files with 1,272 additions and 839 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 vendor
 gammaray
 dist
+debug.test
+*.log
diff --git a/Makefile b/Makefile
@@ -1,8 +1,13 @@
-all: install build
+all: clean install build
 
 formatter:
 	pigeon -o versionformatter/versionformatter.go versionformatter/versionformatter.peg
 
+.PHONY: clean
+clean:
+	@rm -rf vendor || true
+	@rm gammaray || true
+
 build: formatter
 	go build -v -race
 

diff --git a/main.go b/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"log"
 	"os"
 
 	"github.com/nearform/gammaray/pathrunner"
@@ -10,7 +11,7 @@ import (
 )
 
 // OSSIndexURL URL for OSSIndex. Is not a hardcoded value to facilitate testing.
-const OSSIndexURL = "https://ossindex.net/v2.0/package"
+const OSSIndexURL = "https://ossindex.net/api/v3/component-report"
 const nodeswgURL = "https://github.com/nodejs/security-wg/archive/master.zip"
 
 func main() {
@@ -19,12 +20,33 @@ func main() {
 		os.Exit(1)
 	}
 
-	packages, err := pathrunner.Walk(os.Args[1])
+	f, err := os.OpenFile(".gammaray.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
+	if err != nil {
+		log.Fatalf("Error opening file: %v", err)
+	}
+	defer f.Close()
+
+	log.SetOutput(f)
+
+	packageList, err := pathrunner.Walk(os.Args[1])
 	if err != nil {
 		fmt.Println(err.Error())
 		os.Exit(1)
 	}
 
+	// keep only valid packages
+	var packages []pathrunner.NodePackage
+	for _, pkg := range packageList {
+		if pkg.Name == "" {
+			log.Print("Ignoring package with empty name")
+			continue
+		}
+		if pkg.Version == "" {
+			pkg.Version = "*"
+		}
+		packages = append(packages, pkg)
+	}
+
 	ossFetcher := ossvulnfetcher.New(OSSIndexURL)
 	err = ossFetcher.Fetch()
 	if err != nil {
@@ -39,41 +61,58 @@ func main() {
 		os.Exit(1)
 	}
 
-	for _, singlePackage := range packages {
-		vulnerabilitiesOSS, err := ossFetcher.Test(singlePackage.Name, singlePackage.Version)
-		if err != nil {
-			fmt.Println(err.Error())
-			os.Exit(1)
-		}
+	vulnerabilitiesOSS, err := ossFetcher.TestAll(packages)
+	if err != nil {
+		fmt.Println(err.Error())
+		os.Exit(1)
+	}
 
-		if len(vulnerabilitiesOSS) > 0 {
-			fmt.Printf("\tPackage: %s (%s)\n", singlePackage.Name, singlePackage.Version)
-			for _, vulnerability := range vulnerabilitiesOSS {
-				fmt.Printf("\t\t- Vulnerability (OSS Index):\n")
-				fmt.Printf("\t\t\t- CVE: %s\n\t\tTitle: %s\n\t\tVersions: %s\n\t\tFixed: %s\n\t\tMore Info: [%s]\n",
-					vulnerability.CVE,
-					vulnerability.Title,
-					vulnerability.Versions,
-					vulnerability.Fixed,
-					vulnerability.References,
-				)
+	if len(vulnerabilitiesOSS) > 0 {
+		fmt.Println("🚨 Some vulnerabilities found by OSS Index")
+		var pkg string
+		var pkgversion string
+		for _, vulnerability := range vulnerabilitiesOSS {
+			if vulnerability.Package != pkg && vulnerability.PackageVersion != pkgversion {
+				fmt.Printf("\t📦 Package: %s (%s)\n", vulnerability.Package, vulnerability.PackageVersion)
 			}
+			pkg = vulnerability.Package
+			pkgversion = vulnerability.PackageVersion
+
+			fmt.Printf("\t\t- Vulnerability (OSS Index):\n")
+			fmt.Printf("\t\t\tCVE: %s\n\t\t\tTitle: %s\n\t\t\tDescription: %s\n\t\t\tMore Info: [%s]\n",
+				vulnerability.CVE,
+				vulnerability.Title,
+				vulnerability.Description,
+				vulnerability.References,
+			)
 		}
+	} else {
+		fmt.Println("✅ No Vulnerability found by OSS Index")
+	}
 
-		vulnerabilitiesNodeSWG, err := nodeswgFetcher.Test(singlePackage.Name, singlePackage.Version)
-		if len(vulnerabilitiesNodeSWG) > 0 {
-			fmt.Printf("\tPackage: %s\n", singlePackage.Name)
-			for _, vulnerability := range vulnerabilitiesNodeSWG {
-				fmt.Printf("\t\t- Vulnerability (Node Security Working Group):\n")
-				fmt.Printf("\t\t\t- CVE: %s\n\t\tTitle: %s\n\t\tVersions: %s\n\t\tFixed: %s\n\t\tMore Info: [%s]\n",
-					vulnerability.CVE,
-					vulnerability.Title,
-					vulnerability.Versions,
-					vulnerability.Fixed,
-					vulnerability.References,
-				)
+	vulnerabilitiesNodeSWG, err := nodeswgFetcher.TestAll(packages)
+	if len(vulnerabilitiesNodeSWG) > 0 {
+		fmt.Println("🚨 Some vulnerabilities found by Node Security Working Group")
+		var pkg string
+		var pkgversion string
+		for _, vulnerability := range vulnerabilitiesNodeSWG {
+			if vulnerability.Package != pkg && vulnerability.PackageVersion != pkgversion {
+				fmt.Printf("\t📦 Package: %s (%s)\n", vulnerability.Package, vulnerability.PackageVersion)
 			}
+			pkg = vulnerability.Package
+			pkgversion = vulnerability.PackageVersion
+			fmt.Printf("\t\t- Vulnerability (Node Security Working Group):\n")
+			fmt.Printf("\t\t\tCVE: %s\n\t\t\tTitle: %s\n\t\t\tVersions: %s\n\t\t\tFixed: %s\n\t\t\tDescription: %s\n\t\t\tMore Info: [%s]\n",
+				vulnerability.CVE,
+				vulnerability.Title,
+				vulnerability.Versions,
+				vulnerability.Fixed,
+				vulnerability.Description,
+				vulnerability.References,
+			)
 		}
+	} else {
+		fmt.Println("✅ No Vulnerability found by Node Security Working Group")
 	}
 
 }