Initial release for 1.0

Jemurai · Aug 19, 2021 · de5a1c1 · de5a1c1
commit de5a1c1
Show file tree

Hide file tree

Showing 7 changed files with 172 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,21 @@
+# NPM License Checker to OFF Converter
+
+Convert NPM License Checker output (JSON) to OFF format. (see [github.com/owasp/off](https://github.com/owasp/off))
+
+## Running
+
+1. Get an npm license checker report in json (eg. `license-checker --exclude 'MIT, BSD, BSD-2-Clause, Apache-2.0, CC0-1.0, ISC' --json > npm-licenses.json`)
+1. `go get github.com/jemurai/npmlc2off`
+1. `npmlc2off npm-licenses.json`
+
+## Releasing
+
+Npmlc2off works to follow golang best practices.  Therefore, when updating, we need to do the following:
+
+- `go get -u` 
+- `go mod tidy`
+- `git commit -m "change with version"`
+- `git tag v1.0.6`
+- `git push origin v1.0.6`
+
+Run the build.sh and get the different types of artifacts and include them in the release.
diff --git a/build.sh b/build.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+package=$1
+if [[ -z "$package" ]]; then
+  echo "usage: $0 <package-name>"
+  exit 1
+fi
+package_split=(${package//\// })
+
+package_name=${package_split[2]}
+
+platforms=("linux/amd64" "darwin/amd64" "windows/amd64" "windows/386")
+
+for platform in "${platforms[@]}"
+do
+    platform_split=(${platform//\// })
+    GOOS=${platform_split[0]}
+    GOARCH=${platform_split[1]}
+    output_name=$package_name'-'$GOOS'-'$GOARCH
+    if [ $GOOS = "windows" ]; then
+        output_name+='.exe'
+    fi  
+
+    env GOOS=$GOOS GOARCH=$GOARCH go build -o $output_name $package
+    if [ $? -ne 0 ]; then
+        echo 'An error has occurred! Aborting the script execution...'
+        exit 1
+    fi
+done
diff --git a/cmd/command.go b/cmd/command.go
@@ -0,0 +1,10 @@
+package cmd
+
+import (
+	utils "github.com/jemurai/npmlc2off/utils"
+)
+
+func Convert(file string) {
+	findings := utils.BuildFindingsFromNPMLCFile(file)
+	utils.PrintFindings(findings)
+}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,9 @@
+module github.com/jemurai/npmlc2off
+
+go 1.16
+
+require (
+	github.com/jemurai/fkit v1.0.6
+	github.com/sirupsen/logrus v1.8.1
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+)
diff --git a/npmlc2off.go b/npmlc2off.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"os"
+
+	cmd "github.com/jemurai/npmlc2off/cmd"
+)
+
+func main() {
+	var npmlcjson string = os.Args[1]
+	cmd.Convert(npmlcjson)
+}
diff --git a/utils/npmlc.go b/utils/npmlc.go
@@ -0,0 +1,12 @@
+package utils
+
+// LicenseDetail captures a license.
+type LicenseDetail struct {
+	URL         string `json:"url"`
+	Path        string `json:"path"`
+	Licenses    string `json:"licenses"`
+	Publisher   string `json:"publisher"`
+	Repository  string `json:"repository"`
+	Email       string `json:"email"`
+	LicenseFile string `json:"licenseFile"`
+}
diff --git a/utils/utils.go b/utils/utils.go
@@ -0,0 +1,79 @@
+package utils
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"time"
+
+	"github.com/jemurai/fkit/finding"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func PrintFindings(findings []finding.Finding) {
+	fjson, _ := json.MarshalIndent(findings, "", " ")
+	fmt.Printf("%s", fjson)
+}
+
+// BuildFindingsFromNPMLCFile read a json file of Findings and build an array
+// of findings that can be used for further processing.
+func BuildFindingsFromNPMLCFile(file string) []finding.Finding {
+	var findings []finding.Finding
+	var npmlcreportmap map[string]LicenseDetail
+
+	rfile, err := os.Open(file)
+	if err != nil {
+		log.Error(err)
+	}
+	bytes, err := ioutil.ReadAll(rfile)
+	if err != nil {
+		log.Error(err)
+	}
+
+	err = json.Unmarshal(bytes, &npmlcreportmap)
+	if err != nil {
+		log.Error(err)
+	}
+	log.Debugf("Unmarshalled NPM License Check JSON")
+	num := 0
+	for key, license := range npmlcreportmap {
+		var refs []string
+		var tags []string
+		var cwes []string
+		tags = append(tags, "npm license-checker")
+
+		var source string = "LicenceChecker: " + license.Path
+		var description string = license.Repository + " with license: " + license.Licenses
+		var detail string = license.Licenses + " at " + license.Path + " from: " + license.URL + " by: " + license.Publisher + " with license at: " + license.LicenseFile
+		name := key + " : " + license.Licenses
+		hasher := sha256.New()
+		hasher.Write([]byte(license.Path + name))
+		fingerprint := base64.URLEncoding.EncodeToString(hasher.Sum(nil))
+
+		finding := finding.Finding{
+			Name:        name,
+			Description: description,
+			Detail:      detail,
+			//Severity:    vuln.Severity,
+			//Confidence:  vuln.Confidence,
+			Fingerprint: fingerprint,
+			Timestamp:   time.Now(),
+			Source:      source,
+			Location:    license.Path,
+			Cvss:        0,
+			References:  refs,
+			Cwes:        cwes,
+			Tags:        tags,
+		}
+		if name != "" {
+			num++
+			findings = append(findings, finding)
+		}
+	}
+	log.Debugf("NPM License Check To Off Processed %v vulns", num)
+	return findings
+}