update with latest files

alex-nightvision · alex-nightvision · commit afabf062c7af · 2024-06-21T10:19:55.000-04:00
diff --git a/.github/workflows/nightvision.yml b/.github/workflows/nightvision.yml
@@ -1,7 +1,20 @@
+## SETUP
+
+## Run before activating pipeline
+# nightvision app create -n javaspringvulny-api
+# nightvision target create -n javaspringvulny-api -u https://127.0.0.1:9000 --type api
+# nightvision auth playwright create -n javaspringvulny-api -u https://127.0.0.1:9000
+
+## Optional steps can be preformed locally or in the pipeline
+# nightvision swagger extract ./ -t javaspringvulny-api --lang spring
+# nightvision scan -t javaspringvulny-api -a javaspringvulny-api
+
 name: Test Case - Java Spring App
 
 on:
   push:
+    branches:
+      - main
   workflow_dispatch:
 
 env:
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,54 @@
+stages:
+  - test
+  - convert_sarif_to_gitlab
+
+variables:
+  NIGHTVISION_TARGET: javaspringvulny-api-gitlab
+  NIGHTVISION_APP: javaspringvulny-api-gitlab
+  NIGHTVISION_AUTH: javaspringvulny-api-gitlab
+  DOCKER_HOST: tcp://docker:2375/
+  DOCKER_DRIVER: overlay2
+  # activate container-to-container networking
+  FF_NETWORK_PER_BUILD: "true"
+
+services:
+  - docker:dind
+
+test:
+  stage: test
+  image: ubuntu:latest
+  services:
+    - docker:dind
+  before_script:
+    - apt-get update && apt-get install -y wget python3-venv python3-docker python3-pip python3 docker-compose curl gcc musl-dev libffi-dev
+    - python3 -m venv venv
+    - source venv/bin/activate
+    - pip3 install requests urllib3 semgrep
+    - wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz
+    - mv nightvision /usr/local/bin/
+  script:
+    # "Extract API documentation from code"
+    - nightvision swagger extract ./ --lang spring -t ${NIGHTVISION_APP} || true
+    - if [ ! -e openapi-spec.yml ]; then cp backup-openapi-spec.yml openapi-spec.yml; fi
+    # "Starting the app"
+    - docker-compose up -d
+    - sleep 60
+    # "Scanning the API"
+    - nightvision scan -t ${NIGHTVISION_TARGET} -a ${NIGHTVISION_APP} --auth ${NIGHTVISION_AUTH} > scan-results.txt
+    - nightvision export sarif -s "$(head -n 1 scan-results.txt)" --swagger-file openapi-spec.yml
+  artifacts:
+    paths:
+      - openapi-spec.yml
+      - results.sarif
+    expire_in: 30 days
+
+convert_sarif_to_gitlab:
+  stage: convert_sarif_to_gitlab
+  image: python:3.9 
+  script:
+    - python3 convert_sarif_to_gitlab.py
+  artifacts:
+    reports:
+      sast: gitlab_security_report.json
+  dependencies:
+    - test
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -0,0 +1,83 @@
+## SETUP
+
+## Run before activating pipeline
+# nightvision app create -n javaspringvulny-api
+# nightvision target create -n javaspringvulny-api -u https://127.0.0.1:9000 --type api
+# nightvision auth playwright create -n javaspringvulny-api -u https://127.0.0.1:9000
+
+## Optional steps can be preformed locally or in the pipeline
+# nightvision swagger extract ./ -t javaspringvulny-api --lang spring
+# nightvision scan -t javaspringvulny-api -a javaspringvulny-api
+
+trigger:
+- main
+
+pool:
+  vmImage: 'ubuntu-latest'
+
+stages:
+- stage: Test
+  jobs:
+  - job: BuildAndTest
+    steps:
+    - checkout: self
+      displayName: 'Clone Code'
+
+    - script: |
+        wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz
+        sudo mv nightvision /usr/local/bin/
+        python -m pip install semgrep --user
+      displayName: 'Install NightVision'
+
+    - script: |
+        nightvision swagger extract ./ -t $NIGHTVISION_TARGET --lang spring || true
+        if [ ! -e openapi-spec.yml ]; then
+          cp backup-openapi-spec.yml openapi-spec.yml
+        fi
+      displayName: 'Extract API Documentation from Code'
+      env:
+        NIGHTVISION_TOKEN: $(NIGHTVISION_TOKEN)
+        NIGHTVISION_TARGET: javaspringvulny-api
+
+    - script: |
+        docker-compose up -d
+        sleep 20
+        curl -k https://localhost:9000
+      displayName: 'Start the App'
+
+    - script: |
+        nightvision scan -t $NIGHTVISION_TARGET -a $NIGHTVISION_APP --auth $NIGHTVISION_AUTH > scan-results.txt
+        nightvision export sarif -s "$(head -n 1 scan-results.txt)" --swagger-file openapi-spec.yml
+      displayName: 'Scan the API'
+      env:
+        NIGHTVISION_TOKEN: $(NIGHTVISION_TOKEN)
+        NIGHTVISION_TARGET: javaspringvulny-api
+        NIGHTVISION_APP: javaspringvulny-api
+        NIGHTVISION_AUTH: javaspringvulny-api
+
+    # Convert SARIF to Azure DevOps logging commands
+    - script: |
+        wget -O sarif_to_azure_devops.py https://gist.githubusercontent.com/alex-nightvision/d2b0813e051d98f623ec8ad3d20df2e8/raw/b6b4d69188c9aa94f0c3993296ba25de553e986d/sarif_to_azure_devops.py
+        python sarif_to_azure_devops.py
+      displayName: 'Convert SARIF to Azure DevOps Logging Commands'
+      env:
+        PYTHONUNBUFFERED: 1
+
+    # Download and prepare nightvision_azure_importer script
+    - script: |
+        wget -O nightvision_azure_importer.py https://raw.githubusercontent.com/jxbt/nightvision_azure_importer/main/nightvision_azure_importer.py
+        wget -O nightvision_azure_importer_requirements.txt https://raw.githubusercontent.com/jxbt/nightvision_azure_importer/main/requirements.txt
+        sudo apt-get update
+        sudo apt-get install -y python3-pip
+        python3 -m pip install -r nightvision_azure_importer_requirements.txt
+      displayName: 'Prepare Python Script and Dependencies'
+
+    # Execute the Python script to import SARIF into Azure DevOps work items
+    - script: |
+        python3 nightvision_azure_importer.py --organization $organization --project $project --patoken $pa_token --sarif results.sarif
+      displayName: 'Import SARIF to Azure DevOps'
+      env:
+        organization: "nightvision1"
+        project: "java-test"
+        pa_token: $(PERSONAL_ACCESS_TOKEN)
+
diff --git a/convert_sarif_to_gitlab.py b/convert_sarif_to_gitlab.py
@@ -0,0 +1,81 @@
+import json
+from datetime import datetime
+
+
+def sarif_to_gitlab(sarif_file, output_file):
+    # Load SARIF data
+    with open(sarif_file, 'r') as file:
+        sarif_data = json.load(file)
+
+    # Initialize GitLab report structure
+    gitlab_report = {
+        "version": "15.0.0",
+        "vulnerabilities": [],
+        "remediations": [],
+        "scan": {
+            "scanner": {
+                "id": "custom_sarif_import",
+                "name": "Custom SARIF Importer",
+                "version": "1.0",
+                "vendor": {
+                    "name": "Custom Vendor"  # Updated to be an object
+                }
+            },
+            "analyzer": {
+                "name": "Custom Analyzer",
+                "version": "1.0",
+                "id": "custom_analyzer",  # Example ID, adjust as needed
+                "vendor": {
+                    "name": "Custom Analyzer Vendor"  # Example vendor, adjust as needed
+                }
+            },
+            "start_time": datetime.now().strftime("%Y-%m-%dT%H:%M:%S"),
+            "end_time": datetime.now().strftime("%Y-%m-%dT%H:%M:%S"),
+            "status": "success",
+            "type": "sast"
+        }
+    }
+
+    # Map SARIF data to GitLab format
+    for run in sarif_data.get("runs", []):
+        for result in run.get("results", []):
+            vulnerability = {
+                "id": result.get("ruleId"),
+                "category": "sast",
+                "name": result.get("message", {}).get("text"),
+                "message": result.get("message", {}).get("text"),
+                "description": result.get("message", {}).get("text"),
+                "severity": map_severity(result.get("properties", {}).get("nightvision-risk")),  # Mapping function to ensure correct severity
+                "confidence": result.get("properties", {}).get("nightvision-confidence"),
+                "solution": "Please refer to the rule documentation.",
+                "scanner": gitlab_report["scan"]["scanner"],
+                "identifiers": [{"type": "cve", "name": result.get("ruleId"), "value": result.get("ruleId")}],
+                "location": {
+                    "file": result.get("locations", [{}])[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri"),
+                }
+            }
+            # Conditionally add start and end lines if they are numbers
+            if isinstance(result.get("locations", [{}])[0].get("physicalLocation", {}).get("region", {}).get("startLine"), int):
+                vulnerability["location"]["start_line"] = result.get("locations", [{}])[0].get("physicalLocation", {}).get("region", {}).get("startLine")
+            if isinstance(result.get("locations", [{}])[0].get("physicalLocation", {}).get("region", {}).get("endLine"), int):
+                vulnerability["location"]["end_line"] = result.get("locations", [{}])[0].get("physicalLocation", {}).get("region", {}).get("endLine")
+
+            gitlab_report["vulnerabilities"].append(vulnerability)
+
+    # Write GitLab report to file
+    with open(output_file, 'w') as file:
+        json.dump(gitlab_report, file, indent=4)
+
+def map_severity(sarif_severity):
+    """Map SARIF severity to GitLab severity levels."""
+    severity_mapping = {
+        "CRITICAL": "Critical",
+        "HIGH": "High",
+        "MEDIUM": "Medium",
+        "LOW": "Low",
+        "INFO": "Info",
+    }
+    return severity_mapping.get(sarif_severity, "Unknown")
+
+# Example usage
+sarif_to_gitlab('results.sarif', 'gitlab_security_report.json')
diff --git a/sarif_to_azure_devops.py b/sarif_to_azure_devops.py
@@ -0,0 +1,48 @@
+import json, os
+
+def parse_sarif(sarif_file):
+    """Parse the SARIF file and return findings."""
+    with open(sarif_file, 'r') as file:
+        sarif_data = json.load(file)
+    
+    findings = []
+    for run in sarif_data.get('runs', []):
+        for result in run.get('results', []):
+            finding = {
+                'rule_id': result.get('ruleId'),
+                'message': result.get('message', {}).get('text'),
+                'severity': result.get('level'),
+                'location': result.get('locations', [{}])[0].get('physicalLocation', {}).get('artifactLocation', {}).get('uri'),
+                'line': result.get('locations', [{}])[0].get('physicalLocation', {}).get('region', {}).get('startLine', 0),
+            }
+            findings.append(finding)
+    return findings
+
+def convert_findings_to_azure_devops_commands(findings, repo_url):
+    """Convert findings to Azure DevOps logging commands with clickable links."""
+    for finding in findings:
+        # Customize the logging command based on your needs. This example logs a warning.
+        severity = 'warning' if finding['severity'] == 'warning' else 'error'
+        
+        # Construct the URL to the file and line in your repository
+        # This example URL format is for GitHub. Adjust it according to your repo's hosting service.
+        file_path = finding['location'].replace('\\', '/')
+        line_number = finding['line']
+        # Ensure your repo_url does not end with a slash
+        file_url = f"{repo_url}?path=/{file_path}&version=GBmain&line={line_number+1}&lineEnd={line_number+2}&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents"
+        
+        # Embed the URL in the message
+        message = f"{finding['rule_id']}: {finding['message']} at {finding['location']}:{finding['line']}  |  {file_url}"
+        
+        print(f"##vso[task.logissue type={severity}]{message}")
+
+
+if __name__ == "__main__":
+    sarif_file_path = 'results.sarif'  # Update this to your SARIF file path
+    findings = parse_sarif(sarif_file_path)
+    # Retrieve the repository URL from the Azure DevOps environment variable
+    repo_url = os.getenv('BUILD_REPOSITORY_URI', 'https://dev.azure.com/nightvision1/_git/java-test')
+    if "@" in repo_url:
+        repo_url = "https://" + repo_url.split("@")[1]
+
+    convert_findings_to_azure_devops_commands(findings, repo_url)
