From c52ed5146e7f4352d11c3bcaa2f9b92d5c96cbdc Mon Sep 17 00:00:00 2001
From: Paul Rosca <152853861+paulrosca-snyk@users.noreply.github.com>
Date: Thu, 2 May 2024 21:33:03 +0300
Subject: [PATCH] feat: get snyk api endpoint from env (#67)

---
 README.md | 12 +++++++-----
 lib/snyk/package.go | 3 +--
 lib/snyk/self.go | 10 +++++++++-
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 489b4d2..f47fbde 100644
--- a/README.md
+++ b/README.md
@@ -93,7 +93,7 @@ What about with SPDX? Let's take an SBOM containing a list of packages like so: "referenceLocator": "pkg:npm/concat-map@0.0.1" } ] -} +} ``` Running `parlay ecosystems enrich ` will add additional information:
@@ -114,7 +114,7 @@ Running `parlay ecosystems enrich ` will add additional informat "referenceType": "purl", "referenceLocator": "pkg:npm/concat-map@0.0.1" } - ] + ] ``` There are a few other utility commands for ecosyste.ms as well. The first returns raw JSON information about a specific package from ecosyste.ms:
@@ -138,6 +138,8 @@ It's important to note vulnerability data is moment-in-time information. By addi
 
 Note the Snyk commands require you to be a Snyk customer, and require passing a valid Snyk API token in the `SNYK_TOKEN` environment variable.
 
+The API base url can be set using the `SNYK_API` environment variable, and if missing it will default to `https://api.snyk.io/rest`.
+
 ```
 parlay snyk enrich testing/sbom.cyclonedx.json
 ```
@@ -248,9 +250,9 @@ There are lots of other sources of package data, and it would be great to add su ## Pipes! -`parlay` is a fan of stdin and stdout. You can pipe SBOMs from other tools into `parlay`, and pipe between the separate `enrich` commands too. +`parlay` is a fan of stdin and stdout. You can pipe SBOMs from other tools into `parlay`, and pipe between the separate `enrich` commands too. -Maybe you want to enrich an SBOM with both ecosyste.ms and Snyk data: +Maybe you want to enrich an SBOM with both ecosyste.ms and Snyk data: ``` cat testing/sbom.cyclonedx.json | ./parlay e enrich - | ./parlay s enrich - | jq
@@ -324,7 +326,7 @@ The various services used to enrich the SBOM data have data for a subset of purl * `npm` * `nuget` * `pypi` -* `rpm` +* `rpm` * `swift` ### OpenSSF Scorecard
diff --git a/lib/snyk/package.go b/lib/snyk/package.go
index 2f3403b..5037ddc 100644
--- a/lib/snyk/package.go
+++ b/lib/snyk/package.go
@@ -27,7 +27,6 @@ import (
 )
 
 const (
-	snykServer = "https://api.snyk.io/rest"
 	version = "2023-04-28"
 	snykAdvisorServer = "https://snyk.io/advisor"
 	snykVulnDBServer = "https://security.snyk.io/package"
@@ -86,7 +85,7 @@ func SnykVulnURL(purl *packageurl.PackageURL) string {
 }
 
 func GetPackageVulnerabilities(purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID) (*issues.FetchIssuesPerPurlResponse, error) {
-	client, err := issues.NewClientWithResponses(snykServer, issues.WithRequestEditorFn(auth.Intercept))
+	client, err := issues.NewClientWithResponses(APIBaseURL(), issues.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}
diff --git a/lib/snyk/self.go b/lib/snyk/self.go
index 2c9c47d..9a44432 100644
--- a/lib/snyk/self.go
+++ b/lib/snyk/self.go
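Review bot: The failure path right after the changed `NewClientWithResponses` call still returns the error bare, and now that the base URL can come from an operator-supplied `SNYK_API` value a typo there surfaces as an opaque client-construction error with no hint of which endpoint was tried. Hoisting the URL into a local (`base := APIBaseURL()`) and wrapping the error makes the misconfiguration diagnosable: `return nil, fmt.Errorf("creating snyk issues client for %q: %w", base, err)`. This presumably needs `fmt` in package.go's import block, which is outside the hunk, and the body of GetPackageVulnerabilities continues past the end of the hunk.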
@@ -39,7 +39,7 @@ type selfDocument struct {
 }
 
 func SnykOrgID(auth *securityprovider.SecurityProviderApiKey) (*uuid.UUID, error) {
-	experimental, err := users.NewClientWithResponses(snykServer, users.WithRequestEditorFn(auth.Intercept))
+	experimental, err := users.NewClientWithResponses(APIBaseURL(), users.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}
@@ -82,3 +82,11 @@ func AuthFromToken(token string) (*securityprovider.SecurityProviderApiKey, erro
 func APIToken() string {
 	return os.Getenv("SNYK_TOKEN")
 }
+
+func APIBaseURL() string {
+	snykApiEnv := os.Getenv("SNYK_API")
+	if snykApiEnv != "" {
+		return snykApiEnv
+	}
+	return "https://api.snyk.io/rest"
+}
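Review bot: The new `APIBaseURL` returns whatever `SNYK_API` holds without any validation, and the clients built on it (the SnykOrgID hunk above, and GetPackageVulnerabilities in package.go) attach `SNYK_TOKEN` to every request through `auth.Intercept`, so a plain `http://` or mistyped value quietly sends the API token in clear text or to an unintended host. Parsing the value with `net/url` and requiring an `https` scheme and a non-empty host closes that, at the cost of an error return that the two call sites touched by this patch would have to check; `fmt` and `net/url` would presumably need adding to self.go's import block, which is outside the hunk. The exported function also lacks a doc comment, and Go's initialism convention would spell the local `snykAPIEnv`. A shape like the following:
```go
// APIBaseURL returns the Snyk REST API base URL: the value of SNYK_API when
// set, otherwise the public production endpoint. Clients built on this URL
// send SNYK_TOKEN with every request, so only https bases are accepted.
func APIBaseURL() (string, error) {
	base := os.Getenv("SNYK_API")
	if base == "" {
		return "https://api.snyk.io/rest", nil
	}
	u, err := url.Parse(base)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("SNYK_API must be an https URL, got %q", base)
	}
	return base, nil
}
```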