Dependency check producer (#28)

* depcheck init * added owasp depcheck * cleanup
thought-machine · May 28, 2020 · 47589a7 · 47589a7
1 parent 11d51b7
commit 47589a7
Show file tree

Hide file tree

Showing 4 changed files with 177 additions and 0 deletions.
diff --git a/producers/dependency_check/BUILD b/producers/dependency_check/BUILD
@@ -0,0 +1,34 @@
+subinclude("@pleasings//docker")
+
+go_binary(
+    name = "dependency_check",
+    srcs = [
+        "main.go",
+    ],
+    deps = [
+        "//api/proto:v1",
+        "//producers",
+    ],
+)
+
+go_test(
+    name = "dependency_check_test",
+    srcs = [
+        "main.go",
+        "main_test.go",
+    ],
+    deps = [
+        "//api/proto:v1",
+        "//producers",
+        "//third_party/go:stretchr_testify",
+    ],
+)
+
+docker_image(
+    name = "dracon-producer-dependency-check",
+    srcs = [
+        ":dependency_check",
+    ],
+    base_image = "//build/docker:dracon-base-go",
+    image = "dracon-producer-dependency-check",
+)
diff --git a/producers/dependency_check/Dockerfile b/producers/dependency_check/Dockerfile
@@ -0,0 +1,5 @@
+FROM //build/docker:dracon-base-go
+
+COPY dependency_check /parse
+
+ENTRYPOINT ["/parse"]
diff --git a/producers/dependency_check/main.go b/producers/dependency_check/main.go
@@ -0,0 +1,103 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+
+	v1 "api/proto/v1"
+
+	"github.com/thought-machine/dracon/producers"
+)
+
+type DependencyVulnerability struct {
+	target      string
+	cvss3       float64
+	cwes        []interface{}
+	notes       string
+	name        string
+	severity    string
+	cvss2       float64
+	description string
+}
+
+func UnmarshalJSON(jsonBytes []byte) []DependencyVulnerability {
+	var result []DependencyVulnerability
+	var v map[string]interface{}
+	if !json.Valid(jsonBytes) {
+		log.Fatal("Inputfile not valid JSON")
+	}
+	if err := json.Unmarshal(jsonBytes, &v); err != nil {
+		log.Fatal(err)
+	}
+	dependencies := v["dependencies"].([]interface{})
+	for _, dependency := range dependencies {
+		depmap := dependency.(map[string]interface{})
+		if vulns, ok := depmap["vulnerabilities"]; ok {
+			target := depmap["filePath"].(string)
+			for _, vuln := range vulns.([]interface{}) {
+				vv := vuln.(map[string]interface{})
+				cvss3 := 0.0
+				cvss2 := 0.0
+				if vv["cvssv3"] != nil {
+					v3 := vv["cvssv3"].(map[string]interface{})
+					cvss3 = v3["baseScore"].(float64)
+				}
+				if vv["cvssv2"] != nil {
+					v2 := vv["cvssv2"].(map[string]interface{})
+					cvss2 = v2["score"].(float64)
+				}
+				result = append(result, DependencyVulnerability{
+					target:      target,
+					cvss3:       cvss3,
+					cwes:        vv["cwes"].([]interface{}),
+					notes:       vv["notes"].(string),
+					name:        vv["name"].(string),
+					severity:    vv["severity"].(string),
+					cvss2:       cvss2,
+					description: vv["description"].(string),
+				})
+			}
+		}
+	}
+	return result
+}
+
+func parseIssues(out []DependencyVulnerability) []*v1.Issue {
+	issues := []*v1.Issue{}
+	for _, r := range out {
+		cvss := r.cvss2
+		if r.cvss3 != 0.0 {
+			cvss = r.cvss3
+		}
+		issues = append(issues, &v1.Issue{
+			Target:      r.target,
+			Type:        "Vulnerable Dependency",
+			Title:       fmt.Sprintf("%s", r.target),
+			Severity:    v1.Severity(v1.Severity_value[fmt.Sprintf("SEVERITY_%s", r.severity)]),
+			Cvss:        cvss,
+			Confidence:  v1.Confidence_CONFIDENCE_MEDIUM,
+			Description: r.description,
+		})
+	}
+	return issues
+}
+
+func main() {
+	if err := producers.ParseFlags(); err != nil {
+		log.Fatal(err)
+	}
+	jsonBytes, err := ioutil.ReadFile(producers.InResults)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	issues := UnmarshalJSON(jsonBytes)
+	if err := producers.WriteDraconOut(
+		"dependencyCheck",
+		parseIssues(issues),
+	); err != nil {
+		log.Fatal(err)
+	}
+}