Skip to content

Commit

Permalink
close #542 nancy rewritten to work with the new sdk
Browse files Browse the repository at this point in the history
  • Loading branch information
@northdpole
northdpole committed Jan 18, 2025
1 parent ae2b90b commit c801eaf
Show file tree
Hide file tree
Showing 1,785 changed files with 1,090,651 additions and 0 deletions.
7 changes: 7 additions & 0 deletions new-components/scanners/nancy/.env
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# This is for local setup only.
SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
SMITHY_LOG_LEVEL=debug
SMITHY_IS_LOCAL=false
NANCY_RAW_OUT_FILE_PATH=nancy.json
NANCY_TARGET_TYPE=TARGET_TYPE_REPOSITORY
NANCY_SCANNED_PROJECT_ROO=""
49 changes: 49 additions & 0 deletions new-components/scanners/nancy/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# nancy

This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
that parses json reports output by [nancy](https://github.com/securego/gosec) into [ocsf](https://github.com/ocsf) format.

## Environment variables

The component uses environment variables for configuration.

It requires the component
environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
as the following:

| Environment Variable | Type | Required | Default | Description |
|--------------------------|--------|----------|------------|---------------------------------------------------------|
| NANCY\_RAW\_OUT\_FILE\_PATH | string | yes | - | The path where to find the gosec report |
| NANCY\_TARGET\_TYPE | string | false | repository | The type of target that was used to generate the report |
| NANCY\_SCANNED\_PROJECT\_ROOT | string | false | | The root of the project being scanned, used to find go.mod files and point at lines where fixes are needed |

## How to run

Execute:

```shell
docker-compose up --build --force-recreate --remove-orphans
```

Then shutdown with:

```shell
docker-compose down --rmi all
```

## Test data

The `nancy.json` file used in tests was generated with the following steps:

* Cloning:

```shell
git clone https://github.com/smithy-security/e2e-monorepo
```

* Running nancy

```shell
cd $location-of-e2e-monorepo-or-any-vulnerable-go-application && go list -json -deps ./... | docker run -v `pwd`:/code -i docker.io/sonatypecommunity/nancy:v1.0.42-alpine nancy sleuth -o json > nancy.json

```
38 changes: 38 additions & 0 deletions new-components/scanners/nancy/cmd/main.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
package main

import (
"context"
"log"
"time"

"github.com/go-errors/errors"

"github.com/smithy-security/smithy/sdk/component"

"github.com/smithy-security/smithy/new-components/scanners/gosec/internal/transformer"
)

func main() {
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()

if err := Main(ctx); err != nil {
log.Fatalf("unexpected error: %v", err)
}
}

// Main is the main entrypoint of this component
func Main(ctx context.Context, opts ...component.RunnerOption) error {
opts = append(opts, component.RunnerWithComponentName("bandit"))

ocsfTransformer, err := transformer.New()
if err != nil {
return errors.Errorf("could not create transformer: %w", err)
}

if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
return errors.Errorf("could not run scanner: %w", err)
}

return nil
}
12 changes: 12 additions & 0 deletions new-components/scanners/nancy/docker-compose.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
services:
scanner:
build:
context: ../..
args:
- COMPONENT_PATH=scanners/bandit
- COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
platform: linux/amd64
volumes:
- ./internal/transformer/testdata:/workspace
env_file:
- .env
67 changes: 67 additions & 0 deletions new-components/scanners/nancy/go.mod
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
module github.com/smithy-security/smithy/new-components/scanner/nancy

go 1.23.3

require (
github.com/go-errors/errors v1.5.1
github.com/jonboulle/clockwork v0.5.0
github.com/smithy-security/pkg/env v0.0.1
github.com/smithy-security/smithy/new-components/scanners/gosec v0.0.0-20250114182125-ae2b90b14ae1
github.com/smithy-security/smithy/sdk v0.0.4-alpha
github.com/stretchr/testify v1.10.0
google.golang.org/protobuf v1.36.3
)

require (
ariga.io/atlas v0.29.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.1 // indirect
github.com/Masterminds/sprig/v3 v3.3.0 // indirect
github.com/abice/go-enum v0.6.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/bmatcuk/doublestar v1.3.4 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-openapi/inflect v0.19.0 // indirect
github.com/golang/mock v1.6.0 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/hcl/v2 v2.18.1 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
github.com/jackc/pgx/v5 v5.6.0 // indirect
github.com/labstack/gommon v0.4.2 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-sqlite3 v1.14.24 // indirect
github.com/mattn/goveralls v0.0.12 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/package-url/packageurl-go v0.1.0
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/smithy-security/pkg/sarif v0.0.1 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/sqlc-dev/sqlc v1.27.0 // indirect
github.com/urfave/cli/v2 v2.27.5 // indirect
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
github.com/zclconf/go-cty v1.14.4 // indirect
go.uber.org/mock v0.5.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/mod v0.22.0 // indirect
golang.org/x/net v0.32.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/tools v0.28.0 // indirect
golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
google.golang.org/grpc v1.65.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
Loading

0 comments on commit c801eaf

Please sign in to comment.