
Add new sarif formatter

Open zendern opened this issue 4 years ago • 3 comments

Working through adding what is needed to do #239.

This pull request makes the following changes:

  • Adds a new formatter... that's it, nothing too crazy

It relates to the following issue #s:

  • Fixes #239

cc @bhamail / @DarthHater


How I'm testing this?

Currently using the https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project project, and running my local build against nancy with the -o sarif output option, then dumping to a file and doing some magic incantations necessary for GitHub to be happy (the action will take care of this later).

go list -json -m all | ../nancy/nancy sleuth -o sarif > analysis-data.sarif
gzip -c analysis-data.sarif | base64 |tr -d '\n' | pbcopy

And then this curl command to send the results to my forked repo above

curl --location --request POST 'https://api.github.com/repos/zendern/intentionally-vulnerable-golang-project/code-scanning/sarifs' \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Authorization: token <your github token>' \
--header 'Content-Type: application/json' \
--data-raw '{
"tool_name": "Sonatype Nancy",
"commit_sha": "d027c0472f6ef91aa9ce50674536c2787ca9863b",
"ref": "refs/heads/master",
"sarif": "<paste in big chunk of sarif here>"
}'

If you want to stitch the above together to check it out on your own repo you should be able to by changing the url in the curl above.


So what's it look like?

So you can poke around here.

https://github.com/zendern/intentionally-vulnerable-golang-project/security/code-scanning?query=tool%3Anancy

List screen

GitHub alert levels can only be one of four types: none, note, warning and error. I have implemented it as follows:

  • CVSS score > 7 == error (Critical and High)
  • Anything less than that == warning (Medium and Low)

Following the lead here

https://github.com/sonatype-nexus-community/nancy/blob/30fb76a3ebf93a41d391d4cacff9d8154ca3fd5d/internal/audit/auditlogtextformatter.go#L124-L135

Outstanding question on this: should Low == Note as far as GitHub code scanning goes, or does Warning still make sense to use?

[screenshot: code scanning alert list for zendern/intentionally-vulnerable-golang-project, 2021-06-06]

Vulnerability details page

[screenshot: code scanning alert #22 details page for zendern/intentionally-vulnerable-golang-project, 2021-06-06]

Looks-wise we can probably do better. Markdown support is available in some fields, but it has the caveat that once you throw a newline in there GitHub collapses it and makes you expand before you get those sweet sweet details.

Also something to note: since we do not have full information (is it a transitive dep / is it actually in the go.mod/Gopkg.lock file), I am just pinning the line number of the issue to the first line of the corresponding go.mod/Gopkg.lock file to indicate it's a dependency issue. Does this seem reasonable?

What's left outstanding?

  • [ ] Implement the stubbed out tests
  • [ ] Determine if levels are set up appropriately for CVSS score -> GitHub severity
  • [ ] Probably some formatting
  • [ ] Test it out using github action

zendern avatar Jun 07 '21 03:06 zendern
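To make the mapping above concrete, here is an added example (my own code, not nancy's and not from this PR) of a minimal SARIF 2.1.0 writer for dependency findings: the CVSS threshold from the description (above 7 is error, everything else warning), every result pinned to line 1 of the manifest because the scanner cannot know which line pulled the module in, and the gzip-plus-base64 encoding that the code-scanning/sarifs endpoint expects in its "sarif" field (what the gzip | base64 | tr pipeline does by hand). The Vuln type, the sample finding and the "Sonatype Nancy" tool name are assumptions for the example; nancy's own result types are different.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Vuln is a constructed stand-in for one finding (nancy's own types differ).
type Vuln struct {
	ID, Title, Coordinates string  // advisory id, summary, purl of the module
	CvssScore              float64 // CVSS base score, 0.0 to 10.0
}

// The subset of SARIF 2.1.0 that GitHub code scanning needs to render an alert.
type sarifLog struct {
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct{ Driver sarifDriver `json:"driver"` }
type sarifDriver struct {
	Name  string      `json:"name"`
	Rules []sarifRule `json:"rules"`
}
type sarifRule struct {
	ID               string    `json:"id"`
	ShortDescription sarifText `json:"shortDescription"`
}
type sarifText struct{ Text string `json:"text"` }
type sarifResult struct {
	RuleID    string          `json:"ruleId"`
	Level     string          `json:"level"` // none | note | warning | error
	Message   sarifText       `json:"message"`
	Locations []sarifLocation `json:"locations"`
}
type sarifLocation struct{ PhysicalLocation sarifPhysical `json:"physicalLocation"` }
type sarifPhysical struct {
	ArtifactLocation sarifArtifact `json:"artifactLocation"`
	Region           sarifRegion   `json:"region"`
}
type sarifArtifact struct{ URI string `json:"uri"` }
type sarifRegion struct{ StartLine int `json:"startLine"` }

// SarifLevel uses the PR's threshold: above 7 is "error", else "warning" (CVSS 7.0 is itself rated High, so a strict "High == error" mapping would compare with >= 7.0).
func SarifLevel(score float64) string {
	if score > 7 {
		return "error"
	}
	return "warning"
}

// BuildSarif emits one result per finding. The scanner cannot tell which line
// pulled the module in, so each result is pinned to line 1 of manifest (go.mod).
func BuildSarif(toolName, manifest string, vulns []Vuln) sarifLog {
	run := sarifRun{Tool: sarifTool{Driver: sarifDriver{Name: toolName}}}
	seen := map[string]bool{} // each rule is listed once even if hit repeatedly
	for _, v := range vulns {
		if !seen[v.ID] {
			seen[v.ID] = true
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules,
				sarifRule{ID: v.ID, ShortDescription: sarifText{Text: v.Title}})
		}
		run.Results = append(run.Results, sarifResult{
			RuleID:  v.ID,
			Level:   SarifLevel(v.CvssScore),
			Message: sarifText{Text: fmt.Sprintf("%s (CVSS %.1f) in %s: %s", v.ID, v.CvssScore, v.Coordinates, v.Title)},
			Locations: []sarifLocation{{PhysicalLocation: sarifPhysical{
				ArtifactLocation: sarifArtifact{URI: manifest}, Region: sarifRegion{StartLine: 1}}}},
		})
	}
	return sarifLog{Version: "2.1.0", Runs: []sarifRun{run}}
}

// EncodeForUpload gzips and base64-encodes the document, the form the
// code-scanning/sarifs endpoint expects in "sarif" (what gzip | base64 | tr did).
func EncodeForUpload(sarifJSON []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(sarifJSON); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

func main() { // constructed sample finding, not real nancy output
	doc := BuildSarif("Sonatype Nancy", "go.mod", []Vuln{{ID: "CVE-2020-0001", Title: "constructed issue", Coordinates: "pkg:golang/example.com/liba@v1.0.0", CvssScore: 9.8}})
	out, _ := json.MarshalIndent(doc, "", "  ")
	enc, _ := EncodeForUpload(out)
	fmt.Printf("%s\nsarif field: %d base64 chars\n", out, len(enc))
}
```

The value of `EncodeForUpload` is what goes into the "sarif" field of the JSON body in the curl above; since the page's open question is whether Low should map to note, the only place that decision lives is `SarifLevel`, so changing the policy does not touch the document structure.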

This PR is amazing! It works fine; I have already written a draft GitHub Action. Please merge it :rocket: (thanks for this PR :pray:)

name: Sonatype Nancy alpha

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code into the Go module directory
      uses: actions/checkout@v2

    - name: Set up Go 1.x in order to write go.list file
      uses: actions/setup-go@v2
      with:
        go-version: ^1.15

    - name: Configure git for private modules
      env:
        ACTOR: ${{ github.actor }}
        TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      run: git config --global url."https://${ACTOR}:${TOKEN}@github.com".insteadOf "https://github.com"

    # Build nancy from the PR branch and generate results.sarif.
    # The binary lands in /tmp/nancy/nancy, which is not on PATH, so it is
    # invoked by full path. The commands are not wrapped in echo $(...), so a
    # failed clone or build fails the job; continue-on-error keeps the job
    # going when sleuth exits non-zero on findings, so the upload still runs.
    - name: Nancy by Zendern
      continue-on-error: true
      run: |
        git clone --branch sarif-output https://github.com/zendern/nancy.git /tmp/nancy
        (cd /tmp/nancy && go build -o nancy .)
        go list -json -m all | /tmp/nancy/nancy sleuth -o sarif > results.sarif

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif

luigigubello avatar Jun 15 '21 19:06 luigigubello

Thanks for the contribution! Unfortunately we can't verify if the committer(s), Tobi Fuhrimann [email protected], signed the CLA because they have not associated their commits with their GitHub user. Please follow these instructions to associate your commits with your GitHub user. Then sign the Sonatype Contributor License Agreement and this Pull Request will be revalidated.

sonatypecla[bot] avatar Mar 07 '22 02:03 sonatypecla[bot]

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (grade A)
  • Vulnerabilities: 0 (grade A)
  • Security Hotspots: 0 (grade A)
  • Code Smells: 3 (grade A)

No coverage information. No duplication information.

sonarqubecloud[bot] avatar Aug 03 '23 18:08 sonarqubecloud[bot]