2022-02-23 09:30:19 +01:00
|
|
|
package whitesource
|
|
|
|
|
|
|
|
import (
|
2022-08-09 13:56:01 +02:00
|
|
|
"bytes"
|
2022-02-23 09:30:19 +01:00
|
|
|
"crypto/sha1"
|
2022-08-11 13:12:14 +02:00
|
|
|
"encoding/base64"
|
2022-02-23 09:30:19 +01:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"path/filepath"
|
2022-08-11 13:12:14 +02:00
|
|
|
"runtime"
|
2022-02-23 09:30:19 +01:00
|
|
|
"sort"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
2022-08-09 13:56:01 +02:00
|
|
|
cdx "github.com/CycloneDX/cyclonedx-go"
|
|
|
|
"github.com/package-url/packageurl-go"
|
|
|
|
|
2022-02-23 09:30:19 +01:00
|
|
|
"github.com/SAP/jenkins-library/pkg/format"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/log"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/piperutils"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/reporting"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
)
|
|
|
|
|
|
|
|
// CreateCustomVulnerabilityReport creates a vulnerability ScanReport to be used for uploading into various sinks
|
|
|
|
func CreateCustomVulnerabilityReport(productName string, scan *Scan, alerts *[]Alert, cvssSeverityLimit float64) reporting.ScanReport {
|
|
|
|
severe, _ := CountSecurityVulnerabilities(alerts, cvssSeverityLimit)
|
|
|
|
|
|
|
|
// sort according to vulnerability severity
|
|
|
|
sort.Slice(*alerts, func(i, j int) bool {
|
|
|
|
return vulnerabilityScore((*alerts)[i]) > vulnerabilityScore((*alerts)[j])
|
|
|
|
})
|
|
|
|
|
|
|
|
projectNames := scan.ScannedProjectNames()
|
|
|
|
|
|
|
|
scanReport := reporting.ScanReport{
|
2022-03-17 15:32:48 +01:00
|
|
|
ReportTitle: "WhiteSource Security Vulnerability Report",
|
2022-02-23 09:30:19 +01:00
|
|
|
Subheaders: []reporting.Subheader{
|
|
|
|
{Description: "WhiteSource product name", Details: productName},
|
|
|
|
{Description: "Filtered project names", Details: strings.Join(projectNames, ", ")},
|
|
|
|
},
|
|
|
|
Overview: []reporting.OverviewRow{
|
|
|
|
{Description: "Total number of vulnerabilities", Details: fmt.Sprint(len((*alerts)))},
|
|
|
|
{Description: "Total number of high/critical vulnerabilities with CVSS score >= 7.0", Details: fmt.Sprint(severe)},
|
|
|
|
},
|
|
|
|
SuccessfulScan: severe == 0,
|
|
|
|
ReportTime: time.Now(),
|
|
|
|
}
|
|
|
|
|
|
|
|
detailTable := reporting.ScanDetailTable{
|
|
|
|
NoRowsMessage: "No publicly known vulnerabilities detected",
|
|
|
|
Headers: []string{
|
|
|
|
"Date",
|
|
|
|
"CVE",
|
|
|
|
"CVSS Score",
|
|
|
|
"CVSS Version",
|
|
|
|
"Project",
|
|
|
|
"Library file name",
|
|
|
|
"Library group ID",
|
|
|
|
"Library artifact ID",
|
|
|
|
"Library version",
|
|
|
|
"Description",
|
|
|
|
"Top fix",
|
|
|
|
},
|
|
|
|
WithCounter: true,
|
|
|
|
CounterHeader: "Entry #",
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, alert := range *alerts {
|
|
|
|
var score float64
|
|
|
|
var scoreStyle reporting.ColumnStyle = reporting.Yellow
|
|
|
|
if isSevereVulnerability(alert, cvssSeverityLimit) {
|
|
|
|
scoreStyle = reporting.Red
|
|
|
|
}
|
|
|
|
var cveVersion string
|
|
|
|
if alert.Vulnerability.CVSS3Score > 0 {
|
|
|
|
score = alert.Vulnerability.CVSS3Score
|
|
|
|
cveVersion = "v3"
|
|
|
|
} else {
|
|
|
|
score = alert.Vulnerability.Score
|
|
|
|
cveVersion = "v2"
|
|
|
|
}
|
|
|
|
|
|
|
|
var topFix string
|
|
|
|
emptyFix := Fix{}
|
|
|
|
if alert.Vulnerability.TopFix != emptyFix {
|
|
|
|
topFix = fmt.Sprintf(`%v<br>%v<br><a href="%v">%v</a>}"`, alert.Vulnerability.TopFix.Message, alert.Vulnerability.TopFix.FixResolution, alert.Vulnerability.TopFix.URL, alert.Vulnerability.TopFix.URL)
|
|
|
|
}
|
|
|
|
|
|
|
|
row := reporting.ScanRow{}
|
|
|
|
row.AddColumn(alert.Vulnerability.PublishDate, 0)
|
|
|
|
row.AddColumn(fmt.Sprintf(`<a href="%v">%v</a>`, alert.Vulnerability.URL, alert.Vulnerability.Name), 0)
|
|
|
|
row.AddColumn(score, scoreStyle)
|
|
|
|
row.AddColumn(cveVersion, 0)
|
|
|
|
row.AddColumn(alert.Project, 0)
|
|
|
|
row.AddColumn(alert.Library.Filename, 0)
|
|
|
|
row.AddColumn(alert.Library.GroupID, 0)
|
|
|
|
row.AddColumn(alert.Library.ArtifactID, 0)
|
|
|
|
row.AddColumn(alert.Library.Version, 0)
|
|
|
|
row.AddColumn(alert.Vulnerability.Description, 0)
|
|
|
|
row.AddColumn(topFix, 0)
|
|
|
|
|
|
|
|
detailTable.Rows = append(detailTable.Rows, row)
|
|
|
|
}
|
|
|
|
scanReport.DetailTable = detailTable
|
|
|
|
|
|
|
|
return scanReport
|
|
|
|
}
|
|
|
|
|
|
|
|
// CountSecurityVulnerabilities counts the security vulnerabilities above severityLimit
|
|
|
|
func CountSecurityVulnerabilities(alerts *[]Alert, cvssSeverityLimit float64) (int, int) {
|
|
|
|
severeVulnerabilities := 0
|
|
|
|
for _, alert := range *alerts {
|
|
|
|
if isSevereVulnerability(alert, cvssSeverityLimit) {
|
|
|
|
severeVulnerabilities++
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
nonSevereVulnerabilities := len(*alerts) - severeVulnerabilities
|
|
|
|
return severeVulnerabilities, nonSevereVulnerabilities
|
|
|
|
}
|
|
|
|
|
|
|
|
func isSevereVulnerability(alert Alert, cvssSeverityLimit float64) bool {
|
|
|
|
|
|
|
|
if vulnerabilityScore(alert) >= cvssSeverityLimit && cvssSeverityLimit >= 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func vulnerabilityScore(alert Alert) float64 {
|
|
|
|
if alert.Vulnerability.CVSS3Score > 0 {
|
|
|
|
return alert.Vulnerability.CVSS3Score
|
|
|
|
}
|
|
|
|
return alert.Vulnerability.Score
|
|
|
|
}
|
|
|
|
|
|
|
|
// ReportSha creates a SHA unique to the WS product and scan to be used as part of the report filename
|
|
|
|
func ReportSha(productName string, scan *Scan) string {
|
|
|
|
reportShaData := []byte(productName + "," + strings.Join(scan.ScannedProjectNames(), ","))
|
|
|
|
return fmt.Sprintf("%x", sha1.Sum(reportShaData))
|
|
|
|
}
|
|
|
|
|
|
|
|
// WriteCustomVulnerabilityReports creates an HTML and a JSON format file based on the alerts brought up by the scan
|
|
|
|
func WriteCustomVulnerabilityReports(productName string, scan *Scan, scanReport reporting.ScanReport, utils piperutils.FileUtils) ([]piperutils.Path, error) {
|
|
|
|
reportPaths := []piperutils.Path{}
|
|
|
|
|
|
|
|
// ignore templating errors since template is in our hands and issues will be detected with the automated tests
|
|
|
|
htmlReport, _ := scanReport.ToHTML()
|
|
|
|
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
|
|
|
|
return reportPaths, errors.Wrapf(err, "failed to create report directory")
|
|
|
|
}
|
|
|
|
htmlReportPath := filepath.Join(ReportsDirectory, "piper_whitesource_vulnerability_report.html")
|
|
|
|
if err := utils.FileWrite(htmlReportPath, htmlReport, 0666); err != nil {
|
|
|
|
log.SetErrorCategory(log.ErrorConfiguration)
|
|
|
|
return reportPaths, errors.Wrapf(err, "failed to write html report")
|
|
|
|
}
|
|
|
|
reportPaths = append(reportPaths, piperutils.Path{Name: "WhiteSource Vulnerability Report", Target: htmlReportPath})
|
|
|
|
|
|
|
|
// JSON reports are used by step pipelineCreateSummary in order to e.g. prepare an issue creation in GitHub
|
|
|
|
// ignore JSON errors since structure is in our hands
|
|
|
|
jsonReport, _ := scanReport.ToJSON()
|
|
|
|
if exists, _ := utils.DirExists(reporting.StepReportDirectory); !exists {
|
|
|
|
err := utils.MkdirAll(reporting.StepReportDirectory, 0777)
|
|
|
|
if err != nil {
|
|
|
|
return reportPaths, errors.Wrap(err, "failed to create step reporting directory")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if err := utils.FileWrite(filepath.Join(reporting.StepReportDirectory, fmt.Sprintf("whitesourceExecuteScan_oss_%v.json", ReportSha(productName, scan))), jsonReport, 0666); err != nil {
|
|
|
|
return reportPaths, errors.Wrapf(err, "failed to write json report")
|
|
|
|
}
|
|
|
|
// we do not add the json report to the overall list of reports for now,
|
|
|
|
// since it is just an intermediary report used as input for later
|
|
|
|
// and there does not seem to be real benefit in archiving it.
|
|
|
|
|
|
|
|
return reportPaths, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Creates a SARIF result from the Alerts that were brought up by the scan
|
|
|
|
func CreateSarifResultFile(scan *Scan, alerts *[]Alert) *format.SARIF {
|
|
|
|
//Now, we handle the sarif
|
|
|
|
log.Entry().Debug("Creating SARIF file for data transfer")
|
|
|
|
var sarif format.SARIF
|
2022-03-22 14:47:19 +01:00
|
|
|
sarif.Schema = "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"
|
2022-02-23 09:30:19 +01:00
|
|
|
sarif.Version = "2.1.0"
|
|
|
|
var wsRun format.Runs
|
|
|
|
sarif.Runs = append(sarif.Runs, wsRun)
|
|
|
|
|
|
|
|
//handle the tool object
|
|
|
|
tool := *new(format.Tool)
|
|
|
|
tool.Driver = *new(format.Driver)
|
|
|
|
tool.Driver.Name = scan.AgentName
|
|
|
|
tool.Driver.Version = scan.AgentVersion
|
2022-08-11 13:12:14 +02:00
|
|
|
tool.Driver.InformationUri = "https://mend.io"
|
2022-02-23 09:30:19 +01:00
|
|
|
|
|
|
|
// Handle results/vulnerabilities
|
2022-08-11 13:12:14 +02:00
|
|
|
collectedRules := []string{}
|
|
|
|
for _, alert := range *alerts {
|
2022-02-23 09:30:19 +01:00
|
|
|
result := *new(format.Results)
|
2022-08-11 13:12:14 +02:00
|
|
|
ruleId := alert.Vulnerability.Name
|
|
|
|
log.Entry().Debugf("Transforming alert %v into SARIF format", ruleId)
|
|
|
|
result.RuleID = ruleId
|
2022-03-22 14:47:19 +01:00
|
|
|
result.Message = new(format.Message)
|
|
|
|
result.Message.Text = alert.Vulnerability.Description
|
2022-03-17 13:09:15 +01:00
|
|
|
artLoc := new(format.ArtifactLocation)
|
|
|
|
artLoc.Index = 0
|
|
|
|
artLoc.URI = alert.Library.Filename
|
|
|
|
result.AnalysisTarget = artLoc
|
2022-03-22 14:47:19 +01:00
|
|
|
location := format.Location{PhysicalLocation: format.PhysicalLocation{ArtifactLocation: format.ArtifactLocation{URI: alert.Library.Filename}}}
|
2022-02-23 09:30:19 +01:00
|
|
|
result.Locations = append(result.Locations, location)
|
2022-08-11 13:12:14 +02:00
|
|
|
partialFingerprints := new(format.PartialFingerprints)
|
|
|
|
partialFingerprints.PackageURLPlusCVEHash = base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", alert.Library.ToPackageUrl().ToString(), alert.Vulnerability.Name)))
|
|
|
|
result.PartialFingerprints = *partialFingerprints
|
|
|
|
//append the result
|
2022-02-23 09:30:19 +01:00
|
|
|
sarif.Runs[0].Results = append(sarif.Runs[0].Results, result)
|
2022-08-11 13:12:14 +02:00
|
|
|
|
|
|
|
// only create rule on new CVE
|
|
|
|
if !piperutils.ContainsString(collectedRules, ruleId) {
|
|
|
|
collectedRules = append(collectedRules, ruleId)
|
|
|
|
|
|
|
|
sarifRule := *new(format.SarifRule)
|
|
|
|
sarifRule.ID = ruleId
|
|
|
|
sarifRule.Name = alert.Vulnerability.Name
|
|
|
|
sd := new(format.Message)
|
|
|
|
sd.Text = fmt.Sprintf("%v Package %v", alert.Vulnerability.Name, alert.Library.ArtifactID)
|
|
|
|
sarifRule.ShortDescription = sd
|
|
|
|
fd := new(format.Message)
|
|
|
|
fd.Text = alert.Vulnerability.Description
|
|
|
|
sarifRule.FullDescription = fd
|
|
|
|
defaultConfig := new(format.DefaultConfiguration)
|
|
|
|
defaultConfig.Level = transformToLevel(alert.Vulnerability.Severity, alert.Vulnerability.CVSS3Severity)
|
|
|
|
sarifRule.DefaultConfiguration = defaultConfig
|
|
|
|
sarifRule.HelpURI = alert.Vulnerability.URL
|
|
|
|
markdown, _ := alert.ToMarkdown()
|
|
|
|
sarifRule.Help = new(format.Help)
|
|
|
|
sarifRule.Help.Text = alert.ToTxt()
|
|
|
|
sarifRule.Help.Markdown = string(markdown)
|
|
|
|
|
|
|
|
ruleProp := *new(format.SarifRuleProperties)
|
|
|
|
ruleProp.Tags = append(ruleProp.Tags, alert.Type)
|
|
|
|
ruleProp.Tags = append(ruleProp.Tags, alert.Library.ToPackageUrl().ToString())
|
|
|
|
ruleProp.Tags = append(ruleProp.Tags, alert.Vulnerability.URL)
|
|
|
|
ruleProp.SecuritySeverity = fmt.Sprint(consolidateScores(alert.Vulnerability.Score, alert.Vulnerability.CVSS3Score))
|
|
|
|
ruleProp.Precision = "very-high"
|
|
|
|
|
|
|
|
sarifRule.Properties = &ruleProp
|
|
|
|
|
|
|
|
// append the rule
|
|
|
|
tool.Driver.Rules = append(tool.Driver.Rules, sarifRule)
|
|
|
|
}
|
2022-02-23 09:30:19 +01:00
|
|
|
}
|
|
|
|
//Finalize: tool
|
|
|
|
sarif.Runs[0].Tool = tool
|
|
|
|
|
2022-08-11 13:12:14 +02:00
|
|
|
// Threadflowlocations is no loger useful: voiding it will make for smaller reports
|
|
|
|
sarif.Runs[0].ThreadFlowLocations = []format.Locations{}
|
|
|
|
|
|
|
|
// Add a conversion object to highlight this isn't native SARIF
|
|
|
|
conversion := new(format.Conversion)
|
|
|
|
conversion.Tool.Driver.Name = "Piper FPR to SARIF converter"
|
|
|
|
conversion.Tool.Driver.InformationUri = "https://github.com/SAP/jenkins-library"
|
|
|
|
conversion.Invocation.ExecutionSuccessful = true
|
|
|
|
convInvocProp := new(format.InvocationProperties)
|
|
|
|
convInvocProp.Platform = runtime.GOOS
|
|
|
|
conversion.Invocation.Properties = convInvocProp
|
|
|
|
sarif.Runs[0].Conversion = conversion
|
|
|
|
|
2022-02-23 09:30:19 +01:00
|
|
|
return &sarif
|
|
|
|
}
|
|
|
|
|
2022-03-22 14:47:19 +01:00
|
|
|
func transformToLevel(cvss2severity, cvss3severity string) string {
|
2022-08-11 13:12:14 +02:00
|
|
|
cvssseverity := consolidateSeverities(cvss2severity, cvss3severity)
|
|
|
|
switch cvssseverity {
|
2022-03-22 14:47:19 +01:00
|
|
|
case "low":
|
|
|
|
return "warning"
|
|
|
|
case "medium":
|
|
|
|
return "warning"
|
|
|
|
case "high":
|
|
|
|
return "error"
|
2022-08-11 13:12:14 +02:00
|
|
|
case "critical":
|
2022-03-22 14:47:19 +01:00
|
|
|
return "error"
|
|
|
|
}
|
|
|
|
return "none"
|
|
|
|
}
|
|
|
|
|
2022-08-11 13:12:14 +02:00
|
|
|
func consolidateSeverities(cvss2severity, cvss3severity string) string {
|
|
|
|
if len(cvss3severity) > 0 {
|
|
|
|
return cvss3severity
|
|
|
|
}
|
|
|
|
return cvss2severity
|
|
|
|
}
|
|
|
|
|
2022-03-17 15:32:48 +01:00
|
|
|
// WriteSarifFile write a JSON sarif format file for upload into e.g. GCP
|
2022-02-23 09:30:19 +01:00
|
|
|
func WriteSarifFile(sarif *format.SARIF, utils piperutils.FileUtils) ([]piperutils.Path, error) {
|
|
|
|
reportPaths := []piperutils.Path{}
|
|
|
|
|
|
|
|
// ignore templating errors since template is in our hands and issues will be detected with the automated tests
|
|
|
|
sarifReport, errorMarshall := json.Marshal(sarif)
|
|
|
|
if errorMarshall != nil {
|
|
|
|
return reportPaths, errors.Wrapf(errorMarshall, "failed to marshall SARIF json file")
|
|
|
|
}
|
|
|
|
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
|
|
|
|
return reportPaths, errors.Wrapf(err, "failed to create report directory")
|
|
|
|
}
|
|
|
|
sarifReportPath := filepath.Join(ReportsDirectory, "piper_whitesource_vulnerability.sarif")
|
|
|
|
if err := utils.FileWrite(sarifReportPath, sarifReport, 0666); err != nil {
|
|
|
|
log.SetErrorCategory(log.ErrorConfiguration)
|
|
|
|
return reportPaths, errors.Wrapf(err, "failed to write SARIF file")
|
|
|
|
}
|
|
|
|
reportPaths = append(reportPaths, piperutils.Path{Name: "WhiteSource Vulnerability SARIF file", Target: sarifReportPath})
|
|
|
|
|
|
|
|
return reportPaths, nil
|
|
|
|
}
|
2022-08-09 13:56:01 +02:00
|
|
|
|
|
|
|
func transformToCdxSeverity(severity string) cdx.Severity {
|
|
|
|
switch severity {
|
|
|
|
case "info":
|
|
|
|
return cdx.SeverityInfo
|
|
|
|
case "low":
|
|
|
|
return cdx.SeverityLow
|
|
|
|
case "medium":
|
|
|
|
return cdx.SeverityMedium
|
|
|
|
case "high":
|
|
|
|
return cdx.SeverityHigh
|
|
|
|
case "critical":
|
|
|
|
return cdx.SeverityCritical
|
|
|
|
case "":
|
|
|
|
return cdx.SeverityNone
|
|
|
|
}
|
|
|
|
return cdx.SeverityUnknown
|
|
|
|
}
|
|
|
|
|
|
|
|
func transformBuildToPurlType(buildType string) string {
|
|
|
|
switch buildType {
|
|
|
|
case "maven":
|
|
|
|
return packageurl.TypeMaven
|
|
|
|
case "npm":
|
|
|
|
return packageurl.TypeNPM
|
|
|
|
case "docker":
|
|
|
|
return packageurl.TypeDocker
|
|
|
|
case "kaniko":
|
|
|
|
return packageurl.TypeDocker
|
|
|
|
case "golang":
|
|
|
|
return packageurl.TypeGolang
|
|
|
|
case "mta":
|
|
|
|
return packageurl.TypeComposer
|
|
|
|
}
|
|
|
|
return packageurl.TypeGeneric
|
|
|
|
}
|
|
|
|
|
|
|
|
func CreateCycloneSBOM(scan *Scan, libraries *[]Library, alerts *[]Alert) ([]byte, error) {
|
|
|
|
ppurl := packageurl.NewPackageURL(transformBuildToPurlType(scan.BuildTool), scan.Coordinates.GroupID, scan.Coordinates.ArtifactID, scan.Coordinates.Version, nil, "")
|
|
|
|
metadata := cdx.Metadata{
|
|
|
|
// Define metadata about the main component
|
|
|
|
// (the component which the BOM will describe)
|
|
|
|
|
|
|
|
// TODO check whether we can identify library vs. application
|
|
|
|
Component: &cdx.Component{
|
2022-08-11 13:12:14 +02:00
|
|
|
BOMRef: ppurl.ToString(),
|
|
|
|
Type: cdx.ComponentTypeLibrary,
|
|
|
|
Name: scan.Coordinates.ArtifactID,
|
|
|
|
Group: scan.Coordinates.GroupID,
|
|
|
|
Version: scan.Coordinates.Version,
|
|
|
|
PackageURL: ppurl.ToString(),
|
2022-08-09 13:56:01 +02:00
|
|
|
},
|
|
|
|
// Use properties to include an internal identifier for this BOM
|
|
|
|
// https://cyclonedx.org/use-cases/#properties--name-value-store
|
|
|
|
Properties: &[]cdx.Property{
|
|
|
|
{
|
2022-08-11 13:12:14 +02:00
|
|
|
Name: "internal:ws-product-identifier",
|
|
|
|
Value: scan.ProductToken,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "internal:ws-project-identifier",
|
|
|
|
Value: strings.Join(scan.ScannedProjectTokens(), ", "),
|
2022-08-09 13:56:01 +02:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
components := []cdx.Component{}
|
|
|
|
flatUniqueLibrariesMap := map[string]Library{}
|
2022-08-12 11:59:47 +02:00
|
|
|
transformToUniqueFlatList(libraries, &flatUniqueLibrariesMap, 1)
|
2022-08-09 13:56:01 +02:00
|
|
|
flatUniqueLibraries := piperutils.Values(flatUniqueLibrariesMap)
|
2022-08-12 11:59:47 +02:00
|
|
|
log.Entry().Debugf("Got %v unique libraries in condensed flat list", len(flatUniqueLibraries))
|
2022-08-09 13:56:01 +02:00
|
|
|
sort.Slice(flatUniqueLibraries, func(i, j int) bool {
|
|
|
|
return flatUniqueLibraries[i].ToPackageUrl().ToString() < flatUniqueLibraries[j].ToPackageUrl().ToString()
|
|
|
|
})
|
|
|
|
for _, lib := range flatUniqueLibraries {
|
|
|
|
purl := lib.ToPackageUrl()
|
|
|
|
// Define the components that the product ships with
|
|
|
|
// https://cyclonedx.org/use-cases/#inventory
|
|
|
|
component := cdx.Component{
|
|
|
|
BOMRef: purl.ToString(),
|
|
|
|
Type: cdx.ComponentTypeLibrary,
|
|
|
|
Author: lib.GroupID,
|
|
|
|
Name: lib.ArtifactID,
|
|
|
|
Version: lib.Version,
|
|
|
|
PackageURL: purl.ToString(),
|
2022-08-12 11:59:47 +02:00
|
|
|
Hashes: &[]cdx.Hash{{Algorithm: cdx.HashAlgoSHA1, Value: lib.Sha1}},
|
2022-08-09 13:56:01 +02:00
|
|
|
}
|
|
|
|
components = append(components, component)
|
|
|
|
}
|
|
|
|
|
|
|
|
dependencies := []cdx.Dependency{}
|
|
|
|
declareDependency(ppurl, libraries, &dependencies)
|
|
|
|
|
|
|
|
vulnerabilities := []cdx.Vulnerability{}
|
|
|
|
for _, alert := range *alerts {
|
|
|
|
// Define the vulnerabilities in VEX
|
|
|
|
// https://cyclonedx.org/use-cases/#vulnerability-exploitability
|
|
|
|
purl := alert.Library.ToPackageUrl()
|
2022-08-11 13:12:14 +02:00
|
|
|
advisories := []cdx.Advisory{}
|
|
|
|
for _, fix := range alert.Vulnerability.AllFixes {
|
|
|
|
advisory := cdx.Advisory{
|
|
|
|
Title: fix.Message,
|
|
|
|
URL: alert.Vulnerability.TopFix.URL,
|
|
|
|
}
|
|
|
|
advisories = append(advisories, advisory)
|
|
|
|
}
|
|
|
|
cvss3Score := alert.Vulnerability.CVSS3Score
|
|
|
|
cvssScore := alert.Vulnerability.Score
|
2022-08-09 13:56:01 +02:00
|
|
|
vuln := cdx.Vulnerability{
|
|
|
|
BOMRef: purl.ToString(),
|
|
|
|
ID: alert.Vulnerability.Name,
|
|
|
|
Source: &cdx.Source{URL: alert.Vulnerability.URL},
|
|
|
|
Tools: &[]cdx.Tool{
|
|
|
|
{
|
|
|
|
Name: scan.AgentName,
|
|
|
|
Version: scan.AgentVersion,
|
|
|
|
Vendor: "Mend",
|
|
|
|
ExternalReferences: &[]cdx.ExternalReference{
|
|
|
|
{
|
|
|
|
URL: "https://www.mend.io/",
|
|
|
|
Type: cdx.ERTypeBuildMeta,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Recommendation: alert.Vulnerability.FixResolutionText,
|
2022-08-11 13:12:14 +02:00
|
|
|
Detail: alert.Vulnerability.URL,
|
2022-08-09 13:56:01 +02:00
|
|
|
Ratings: &[]cdx.VulnerabilityRating{
|
|
|
|
{
|
2022-08-11 13:12:14 +02:00
|
|
|
Score: &cvss3Score,
|
|
|
|
Severity: transformToCdxSeverity(alert.Vulnerability.CVSS3Severity),
|
2022-08-09 13:56:01 +02:00
|
|
|
Method: cdx.ScoringMethodCVSSv3,
|
|
|
|
},
|
|
|
|
{
|
2022-08-11 13:12:14 +02:00
|
|
|
Score: &cvssScore,
|
2022-08-09 13:56:01 +02:00
|
|
|
Severity: transformToCdxSeverity(alert.Vulnerability.Severity),
|
|
|
|
Method: cdx.ScoringMethodCVSSv2,
|
|
|
|
},
|
|
|
|
},
|
2022-08-11 13:12:14 +02:00
|
|
|
Advisories: &advisories,
|
|
|
|
Description: alert.Vulnerability.Description,
|
2022-08-09 13:56:01 +02:00
|
|
|
Created: alert.CreationDate,
|
|
|
|
Published: alert.Vulnerability.PublishDate,
|
|
|
|
Updated: alert.ModifiedDate,
|
|
|
|
Affects: &[]cdx.Affects{
|
|
|
|
{
|
|
|
|
Ref: purl.ToString(),
|
|
|
|
Range: &[]cdx.AffectedVersions{
|
|
|
|
{
|
|
|
|
Version: alert.Library.Version,
|
|
|
|
Status: cdx.VulnerabilityStatus(alert.Status),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
references := []cdx.VulnerabilityReference{}
|
|
|
|
for _, ref := range alert.Vulnerability.References {
|
|
|
|
reference := cdx.VulnerabilityReference{
|
|
|
|
Source: &cdx.Source{Name: ref.Homepage, URL: ref.URL},
|
|
|
|
ID: ref.GenericPackageIndex,
|
|
|
|
}
|
|
|
|
references = append(references, reference)
|
|
|
|
}
|
|
|
|
vuln.References = &references
|
|
|
|
vulnerabilities = append(vulnerabilities, vuln)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Assemble the BOM
|
|
|
|
bom := cdx.NewBOM()
|
|
|
|
bom.Vulnerabilities = &vulnerabilities
|
|
|
|
bom.Metadata = &metadata
|
|
|
|
bom.Components = &components
|
|
|
|
bom.Dependencies = &dependencies
|
|
|
|
|
|
|
|
// Encode the BOM
|
|
|
|
var outputBytes []byte
|
|
|
|
buffer := bytes.NewBuffer(outputBytes)
|
|
|
|
encoder := cdx.NewBOMEncoder(buffer, cdx.BOMFileFormatXML)
|
|
|
|
encoder.SetPretty(true)
|
|
|
|
if err := encoder.Encode(bom); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return buffer.Bytes(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func WriteCycloneSBOM(sbom []byte, utils piperutils.FileUtils) ([]piperutils.Path, error) {
|
|
|
|
paths := []piperutils.Path{}
|
|
|
|
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
|
|
|
|
return paths, errors.Wrapf(err, "failed to create report directory")
|
|
|
|
}
|
|
|
|
|
|
|
|
sbomPath := filepath.Join(ReportsDirectory, "piper_whitesource_sbom.xml")
|
|
|
|
|
|
|
|
// Write file
|
|
|
|
if err := utils.FileWrite(sbomPath, sbom, 0666); err != nil {
|
|
|
|
log.SetErrorCategory(log.ErrorConfiguration)
|
|
|
|
return paths, errors.Wrapf(err, "failed to write SARIF file")
|
|
|
|
}
|
|
|
|
paths = append(paths, piperutils.Path{Name: "WhiteSource SBOM file", Target: sbomPath})
|
|
|
|
|
|
|
|
return paths, nil
|
|
|
|
}
|
|
|
|
|
2022-08-12 11:59:47 +02:00
|
|
|
func transformToUniqueFlatList(libraries *[]Library, flatMapRef *map[string]Library, level int) {
|
|
|
|
log.Entry().Debugf("Got %v libraries reported on level %v", len(*libraries), level)
|
2022-08-09 13:56:01 +02:00
|
|
|
for _, lib := range *libraries {
|
|
|
|
key := lib.ToPackageUrl().ToString()
|
|
|
|
flatMap := *flatMapRef
|
|
|
|
lookup := flatMap[key]
|
|
|
|
if lookup.KeyID != lib.KeyID {
|
|
|
|
flatMap[key] = lib
|
|
|
|
if len(lib.Dependencies) > 0 {
|
2022-08-12 11:59:47 +02:00
|
|
|
transformToUniqueFlatList(&lib.Dependencies, flatMapRef, level+1)
|
2022-08-09 13:56:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func declareDependency(parentPurl *packageurl.PackageURL, dependents *[]Library, collection *[]cdx.Dependency) {
|
|
|
|
localDependencies := []cdx.Dependency{}
|
|
|
|
for _, lib := range *dependents {
|
|
|
|
purl := lib.ToPackageUrl()
|
|
|
|
// Define the dependency graph
|
|
|
|
// https://cyclonedx.org/use-cases/#dependency-graph
|
|
|
|
localDependency := cdx.Dependency{Ref: purl.ToString()}
|
|
|
|
localDependencies = append(localDependencies, localDependency)
|
|
|
|
|
|
|
|
if len(lib.Dependencies) > 0 {
|
|
|
|
declareDependency(purl, &lib.Dependencies, collection)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
dependency := cdx.Dependency{
|
|
|
|
Ref: parentPurl.ToString(),
|
|
|
|
Dependencies: &localDependencies,
|
|
|
|
}
|
|
|
|
*collection = append(*collection, dependency)
|
|
|
|
}
|