Merge pull request #15 from nearform/add-docker-support
Add docker support
Showing
64 changed files
with
7,612 additions
and
482 deletions.
@@ -3,3 +3,4 @@ gammaray | |
dist | ||
debug.test | ||
*.log | ||
*.orig |
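--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,113 @@
+package analyzer
+
+import (
+"fmt"
+"log"
+
+"github.com/nearform/gammaray/pathrunner"
+"github.com/nearform/gammaray/vulnfetcher"
+"github.com/nearform/gammaray/vulnfetcher/nodeswg"
+"github.com/nearform/gammaray/vulnfetcher/ossvulnfetcher"
+)
+
+// OSSIndexURL URL for OSSIndex. Is not a hardcoded value to facilitate testing.
+const OSSIndexURL = "https://ossindex.net/api/v3/component-report"
+const nodeswgURL = "https://github.com/nodejs/security-wg/archive/master.zip"
+
+// Analyze analyzes a path to an installed (npm install) node package
+func Analyze(path string) (vulnfetcher.VulnerabilityReport, error) {
+fmt.Println("Will scan folder <", path, ">")
+packageList, err := pathrunner.Walk(path)
+if err != nil {
+return nil, err
+}
+
+// keep only valid packages
+var packages []pathrunner.NodePackage
+for _, pkg := range packageList {
+if pkg.Name == "" {
+log.Print("Ignoring package with empty name")
+continue
+}
+if pkg.Version == "" {
+pkg.Version = "*"
+}
+packages = append(packages, pkg)
+}
+
+ossFetcher := ossvulnfetcher.New(OSSIndexURL)
+err = ossFetcher.Fetch()
+if err != nil {
+return nil, err
+}
+
+nodeswgFetcher := nodeswg.New(nodeswgURL)
+err = nodeswgFetcher.Fetch()
+if err != nil {
+return nil, err
+}
+
+vulnerabilitiesOSS, err := ossFetcher.TestAll(packages)
+if err != nil {
+return nil, err
+}
+
+if len(vulnerabilitiesOSS) > 0 {
+fmt.Println("🚨 Some vulnerabilities found by OSS Index")
+var pkg string
+var pkgversion string
+for _, vulnerability := range vulnerabilitiesOSS {
+if vulnerability.Package != pkg && vulnerability.PackageVersion != pkgversion {
+fmt.Printf("\t📦 Package: %s (%s)\n", vulnerability.Package, vulnerability.PackageVersion)
+}
+pkg = vulnerability.Package
+pkgversion = vulnerability.PackageVersion
+
+fmt.Printf("\t\t- Vulnerability (OSS Index):\n")
+fmt.Printf("\t\t\tCVE: %s\n\t\t\tCWE: %s\n\t\t\tTitle: %s\n\t\t\tDescription: %s\n\t\t\tMore Info: [%s]\n",
+vulnerability.CVE,
+vulnerability.CWE,
+vulnerability.Title,
+vulnerability.Description,
+vulnerability.References,
+)
+}
+} else {
+fmt.Println("✅ No Vulnerability found by OSS Index")
+}
+
+vulnerabilitiesNodeSWG, err := nodeswgFetcher.TestAll(packages)
+if err != nil {
+return nil, err
+}
+if len(vulnerabilitiesNodeSWG) > 0 {
+fmt.Println("🚨 Some vulnerabilities found by Node Security Working Group")
+var pkg string
+var pkgversion string
+for _, vulnerability := range vulnerabilitiesNodeSWG {
+if vulnerability.Package != pkg && vulnerability.PackageVersion != pkgversion {
+fmt.Printf("\t📦 Package: %s (%s)\n", vulnerability.Package, vulnerability.PackageVersion)
+}
+pkg = vulnerability.Package
+pkgversion = vulnerability.PackageVersion
+fmt.Printf("\t\t- Vulnerability (Node Security Working Group):\n")
+fmt.Printf("\t\t\tCVE: %s\n\t\t\tTitle: %s\n\t\t\tVersions: %s\n\t\t\tFixed: %s\n\t\t\tDescription: %s\n\t\t\tMore Info: [%s]\n",
+vulnerability.CVE,
+vulnerability.Title,
+vulnerability.Versions,
+vulnerability.Fixed,
+vulnerability.Description,
+vulnerability.References,
+)
+}
+} else {
+fmt.Println("✅ No Vulnerability found by Node Security Working Group")
+}
+
+report := vulnfetcher.VulnerabilityReport{
+"OSSIndex": vulnerabilitiesOSS,
+"NodeSWG": vulnerabilitiesNodeSWG,
+}
+
+return report, nil
+}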
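Review bot: The header de-duplication guard `if vulnerability.Package != pkg && vulnerability.PackageVersion != pkgversion {` in the OSS Index loop (and the identical one in the Node Security Working Group loop) uses `&&`, so the "📦 Package" header is suppressed whenever only one of the two fields changes — two different packages at the same version, or two versions of the same package, get listed under the previous header. The intent is to print it when either field differs: `if vulnerability.Package != pkg || vulnerability.PackageVersion != pkgversion {`. The two reporting loops are otherwise line-for-line duplicates and would stay in sync more easily as one helper taking the provider label and the field list to print. Separately, `nodeswgURL` points at a mutable `master` archive; whether `nodeswg.New`/`Fetch` check anything about the downloaded ZIP is not visible in this hunk, so a comment on the constant stating that the advisory database is trusted as served over HTTPS, with no pinning or integrity check, would make that assumption explicit for readers of a security scanner.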
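--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,40 @@
+package analyzer
+
+import (
+"log"
+"testing"
+
+"github.com/google/go-cmp/cmp"
+)
+
+func TestHelloWorld(t *testing.T) {
+vulns, err := Analyze("../test_data/hello-world")
+if err != nil {
+panic(err)
+}
+numVulns := 0
+for provider, vulnList := range vulns {
+numVulns += len(vulnList)
+log.Print(provider, "> ", len(vulnList), " vulnerabilities:\n", vulnList)
+}
+if diff := cmp.Diff(numVulns, 0); diff != "" {
+t.Errorf("TestHelloWorld: vulnerabilities : (-got +want)\n%s", diff)
+}
+}
+
+func TestInsecureProject(t *testing.T) {
+vulns, err := Analyze("../test_data/insecure-project")
+if err != nil {
+panic(err)
+}
+
+for provider, vulnList := range vulns {
+providerVulns := len(vulnList)
+log.Print(provider, "> ", providerVulns, " vulnerabilities:\n", vulnList)
+// both OSSIndex and NodeSWG report bassmaster-1.0.0 and its dep hoek-1.5.2
+if diff := cmp.Diff(providerVulns, 2); diff != "" {
+t.Errorf("TestInsecureProject: %s vulnerabilities : (-got +want)\n%s", provider, diff)
+}
+}
+
+}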
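Review bot: TestInsecureProject only asserts inside `for provider, vulnList := range vulns`, so an empty report passes with no assertion executed; a guard before the loop such as `if len(vulns) != 2 { t.Fatalf("expected 2 providers, got %d", len(vulns)) }` would pin the expected providers. Both tests `panic(err)` when Analyze fails, which aborts the whole test binary with a stack trace instead of failing just that test; `t.Fatal(err)` is the idiomatic form. Both tests also depend on Analyze reaching OSS Index and GitHub over the network, so they fail offline and drift as the live advisory data changes; the `OSSIndexURL` constant is documented as existing to facilitate testing, but nothing in this file substitutes a local server for it.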