diff --git a/go.mod b/go.mod index ca9edd7..9d69184 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/edoardottt/depsdev v0.0.3 github.com/google/uuid v1.3.0 github.com/jarcoal/httpmock v1.3.0 - github.com/package-url/packageurl-go v0.1.2-0.20230717211154-3587d8c2829e + github.com/package-url/packageurl-go v0.1.2 github.com/remeh/sizedwaitgroup v1.0.0 github.com/rs/zerolog v1.29.1 github.com/spdx/tools-golang v0.5.2 diff --git a/go.sum b/go.sum index 2c7bfc7..73aac61 100644 --- a/go.sum +++ b/go.sum @@ -168,8 +168,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/package-url/packageurl-go v0.1.2-0.20230717211154-3587d8c2829e h1:h/TWC+mVfoco4qhPEsaxkdwymlTaDe/BGnzljU8SIPw= -github.com/package-url/packageurl-go v0.1.2-0.20230717211154-3587d8c2829e/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= +github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4= +github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU= github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= diff --git a/lib/snyk/enrich_cyclonedx.go b/lib/snyk/enrich_cyclonedx.go index 99ac218..b5f8559 100644 --- a/lib/snyk/enrich_cyclonedx.go +++ b/lib/snyk/enrich_cyclonedx.go @@ -31,6 +31,47 @@ import ( "github.com/snyk/parlay/snyk/issues" ) +type cdxEnricher = func(cdx.Component, packageurl.PackageURL) cdx.Component + +var cdxEnrichers = []cdxEnricher{ + enrichCDXSnykAdvisorData, + enrichCDXSnykVulnerabilityDBData, +} + +func enrichCDXSnykVulnerabilityDBData(component cdx.Component, purl packageurl.PackageURL) cdx.Component { + pkgPath := purlToSnykVulnDB(purl) + if pkgPath != "" { + ext := cdx.ExternalReference{ + URL: SnykVulnURL(pkgPath, purl), + Comment: "Snyk Vulnerability DB", + Type: "Other", + } + if component.ExternalReferences == nil { + component.ExternalReferences = &[]cdx.ExternalReference{ext} + } else { + *component.ExternalReferences = append(*component.ExternalReferences, ext) + } + } + return component +} + +func enrichCDXSnykAdvisorData(component cdx.Component, purl packageurl.PackageURL) cdx.Component { + pkgPath := purlToSnykAdvisor(purl) + if pkgPath != "" { + ext := cdx.ExternalReference{ + URL: SnykAdvisorURL(pkgPath, purl), + Comment: "Snyk Advisor", + Type: "Other", + } + if component.ExternalReferences == nil { + component.ExternalReferences = &[]cdx.ExternalReference{ext} + } else { + *component.ExternalReferences = append(*component.ExternalReferences, ext) + } + } + return component +} + func enrichCycloneDX(bom *cdx.BOM, logger zerolog.Logger) *cdx.BOM { auth, err := AuthFromToken(APIToken()) if err != nil { @@ -60,7 +101,9 @@ func enrichCycloneDX(bom *cdx.BOM, logger zerolog.Logger) *cdx.BOM { Msg("Could not identify package.") return } - + for _, enrichFunc := range cdxEnrichers { + *component = enrichFunc(*component, purl) + } resp, err := GetPackageVulnerabilities(&purl, auth, orgID) if err != nil { logger.Err(err). diff --git a/lib/snyk/enrich_spdx.go b/lib/snyk/enrich_spdx.go index 5593d1d..34e2dc8 100644 --- a/lib/snyk/enrich_spdx.go +++ b/lib/snyk/enrich_spdx.go @@ -22,6 +22,7 @@ import ( "net/url" "sync" + "github.com/package-url/packageurl-go" "github.com/remeh/sizedwaitgroup" "github.com/rs/zerolog" "github.com/spdx/tools-golang/spdx" @@ -35,6 +36,49 @@ const ( snykVulnerabilityDB_URI = "https://security.snyk.io" ) +type spdxEnricher = func(spdx_2_3.Package, packageurl.PackageURL) spdx_2_3.Package + +var spdxEnrichers = []spdxEnricher{ + enrichSPDXSnykAdvisorData, + enrichSPDXSnykVulnerabilityDBData, +} + +func enrichSPDXSnykAdvisorData(component spdx_2_3.Package, purl packageurl.PackageURL) spdx_2_3.Package { + pkgPath := purlToSnykAdvisor(purl) + if pkgPath != "" { + ext := &spdx_2_3.PackageExternalReference{ + Locator: SnykAdvisorURL(pkgPath, purl), + RefType: "advisory", + Category: "Other", + ExternalRefComment: "Snyk Advisor", + } + if component.PackageExternalReferences == nil { + component.PackageExternalReferences = []*spdx_2_3.PackageExternalReference{ext} + } else { + component.PackageExternalReferences = append(component.PackageExternalReferences, ext) + } + } + return component +} + +func enrichSPDXSnykVulnerabilityDBData(component spdx_2_3.Package, purl packageurl.PackageURL) spdx_2_3.Package { + pkgPath := purlToSnykVulnDB(purl) + if pkgPath != "" { + ext := &spdx_2_3.PackageExternalReference{ + Locator: SnykVulnURL(pkgPath, purl), + RefType: "url", + Category: "Other", + ExternalRefComment: "Snyk Vulnerability DB", + } + if component.PackageExternalReferences == nil { + component.PackageExternalReferences = []*spdx_2_3.PackageExternalReference{ext} + } else { + component.PackageExternalReferences = append(component.PackageExternalReferences, ext) + } + } + return component +} + func enrichSPDX(bom *spdx.Document, logger zerolog.Logger) *spdx.Document { auth, err := AuthFromToken(APIToken()) if err != nil { @@ -65,7 +109,9 @@ func enrichSPDX(bom *spdx.Document, logger zerolog.Logger) *spdx.Document { Msg("Could not identify package.") return } - + for _, enrichFn := range spdxEnrichers { + *pkg = enrichFn(*pkg, *purl) + } resp, err := GetPackageVulnerabilities(purl, auth, orgID) if err != nil { logger.Err(err). diff --git a/lib/snyk/enrich_test.go b/lib/snyk/enrich_test.go index 0ce70ed..52230f7 100644 --- a/lib/snyk/enrich_test.go +++ b/lib/snyk/enrich_test.go @@ -39,6 +39,74 @@ func TestEnrichSBOM_CycloneDXWithVulnerabilities(t *testing.T) { assert.Equal(t, "SNYK-PYTHON-NUMPY-73513", vuln.ID) } +func TestEnrichSBOM_CycloneDXExternalRefs(t *testing.T) { + teardown := setupTestEnv(t) + defer teardown() + + bom := &cdx.BOM{ + Components: &[]cdx.Component{ + { + BOMRef: "pkg:pypi/numpy@1.16.0", + Name: "numpy", + Version: "1.16.0", + PackageURL: "pkg:pypi/numpy@1.16.0", + }, + }, + } + doc := &sbom.SBOMDocument{BOM: bom} + logger := zerolog.Nop() + + EnrichSBOM(doc, logger) + + assert.NotNil(t, bom.Components) + refs := (*bom.Components)[0].ExternalReferences + assert.Len(t, *refs, 2) + + ref1 := (*refs)[0] + assert.Equal(t, "https://snyk.io/advisor/python/numpy", ref1.URL) + assert.Equal(t, "Snyk Advisor", ref1.Comment) + assert.Equal(t, cdx.ExternalReferenceType("Other"), ref1.Type) + + ref2 := (*refs)[1] + assert.Equal(t, "https://security.snyk.io/package/pip/numpy", ref2.URL) + assert.Equal(t, "Snyk Vulnerability DB", ref2.Comment) + assert.Equal(t, cdx.ExternalReferenceType("Other"), ref2.Type) +} + +func TestEnrichSBOM_CycloneDXExternalRefs_WithNamespace(t *testing.T) { + teardown := setupTestEnv(t) + defer teardown() + + bom := &cdx.BOM{ + Components: &[]cdx.Component{ + { + BOMRef: "@emotion/react@11.11.3", + Name: "react", + Version: "11.11.3", + PackageURL: "pkg:npm/%40emotion/react@11.11.3", + }, + }, + } + doc := &sbom.SBOMDocument{BOM: bom} + logger := zerolog.Nop() + + EnrichSBOM(doc, logger) + + assert.NotNil(t, bom.Components) + refs := (*bom.Components)[0].ExternalReferences + assert.Len(t, *refs, 2) + + ref1 := (*refs)[0] + assert.Equal(t, "https://snyk.io/advisor/npm-package/@emotion/react", ref1.URL) + assert.Equal(t, "Snyk Advisor", ref1.Comment) + assert.Equal(t, cdx.ExternalReferenceType("Other"), ref1.Type) + + ref2 := (*refs)[1] + assert.Equal(t, "https://security.snyk.io/package/npm/@emotion%2Freact", ref2.URL) + assert.Equal(t, "Snyk Vulnerability DB", ref2.Comment) + assert.Equal(t, cdx.ExternalReferenceType("Other"), ref2.Type) +} + func TestEnrichSBOM_CycloneDXWithVulnerabilities_NestedComponents(t *testing.T) { teardown := setupTestEnv(t) defer teardown() @@ -117,13 +185,56 @@ func TestEnrichSBOM_SPDXWithVulnerabilities(t *testing.T) { EnrichSBOM(doc, logger) - vulnRef := bom.Packages[0].PackageExternalReferences[1] + vulnRef := bom.Packages[0].PackageExternalReferences[3] assert.Equal(t, "SECURITY", vulnRef.Category) assert.Equal(t, "advisory", vulnRef.RefType) assert.Equal(t, "https://security.snyk.io/vuln/SNYK-PYTHON-NUMPY-73513", vulnRef.Locator) assert.Equal(t, "Arbitrary Code Execution", vulnRef.ExternalRefComment) } +func TestEnrichSBOM_SPDXExternalRefs(t *testing.T) { + teardown := setupTestEnv(t) + defer teardown() + + bom := &spdx_2_3.Document{ + Packages: []*spdx_2_3.Package{ + { + PackageSPDXIdentifier: "pkg:pypi/numpy@1.16.0", + PackageName: "numpy", + PackageVersion: "1.16.0", + PackageExternalReferences: []*spdx_2_3.PackageExternalReference{ + { + Category: spdx.CategoryPackageManager, + RefType: "purl", + Locator: "pkg:pypi/numpy@1.16.0", + }, + }, + }, + }, + } + + doc := &sbom.SBOMDocument{BOM: bom} + logger := zerolog.Nop() + + EnrichSBOM(doc, logger) + + assert.NotNil(t, bom.Packages) + refs := (*bom.Packages[0]).PackageExternalReferences + assert.Len(t, refs, 4) + + ref1 := refs[1] + assert.Equal(t, "https://snyk.io/advisor/python/numpy", ref1.Locator) + assert.Equal(t, "Snyk Advisor", ref1.ExternalRefComment) + assert.Equal(t, "advisory", ref1.RefType) + assert.Equal(t, "Other", ref1.Category) + + ref2 := refs[2] + assert.Equal(t, "https://security.snyk.io/package/pip/numpy", ref2.Locator) + assert.Equal(t, "Snyk Vulnerability DB", ref2.ExternalRefComment) + assert.Equal(t, "url", ref2.RefType) + assert.Equal(t, "Other", ref2.Category) +} + func setupTestEnv(t *testing.T) func() { t.Helper() diff --git a/lib/snyk/package.go b/lib/snyk/package.go index ea10e0f..25e1802 100644 --- a/lib/snyk/package.go +++ b/lib/snyk/package.go @@ -18,6 +18,7 @@ package snyk import ( "context" + "strings" "github.com/deepmap/oapi-codegen/pkg/securityprovider" "github.com/google/uuid" @@ -29,6 +30,51 @@ import ( const snykServer = "https://api.snyk.io/rest" const version = "2023-04-28" +func purlToSnykURL(basePath string, purl packageurl.PackageURL, nsDelimiter string) string { + sb := strings.Builder{} + sb.WriteString(basePath) + if purl.Namespace != "" { + sb.WriteString(purl.Namespace) + sb.WriteString(nsDelimiter) + } + sb.WriteString(purl.Name) + return sb.String() +} + +func purlToSnykAdvisor(purl packageurl.PackageURL) string { + return map[string]string{ + packageurl.TypeNPM: "npm-package", + packageurl.TypePyPi: "python", + packageurl.TypeGolang: "golang", + packageurl.TypeDocker: "docker", + }[purl.Type] +} + +func SnykAdvisorURL(pkgPath string, purl packageurl.PackageURL) string { + return purlToSnykURL("https://snyk.io/advisor/"+pkgPath+"/", purl, "/") +} + +func purlToSnykVulnDB(purl packageurl.PackageURL) string { + return map[string]string{ + packageurl.TypeCargo: "cargo", + packageurl.TypeCocoapods: "cocoapods", + packageurl.TypeComposer: "composer", + packageurl.TypeGolang: "golang", + packageurl.TypeHex: "hex", + packageurl.TypeMaven: "maven", + packageurl.TypeNPM: "npm", + packageurl.TypeNuget: "nuget", + packageurl.TypePyPi: "pip", + packageurl.TypePub: "pub", + packageurl.TypeGem: "rubygems", + packageurl.TypeSwift: "swift", + }[purl.Type] +} + +func SnykVulnURL(pkgPath string, purl packageurl.PackageURL) string { + return purlToSnykURL("https://security.snyk.io/package/"+pkgPath+"/", purl, "%2F") +} + func GetPackageVulnerabilities(purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID) (*issues.FetchIssuesPerPurlResponse, error) { client, err := issues.NewClientWithResponses(snykServer, issues.WithRequestEditorFn(auth.Intercept)) if err != nil {