diff --git a/new-components/scanners/nancy/.env b/new-components/scanners/nancy/.env
new file mode 100644
index 000000000..98c6b5dc0
--- /dev/null
+++ b/new-components/scanners/nancy/.env
@@ -0,0 +1,7 @@
+# This is for local setup only.
+SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
+SMITHY_LOG_LEVEL=debug
+SMITHY_IS_LOCAL=false
+NANCY_RAW_OUT_FILE_PATH=nancy.json
+NANCY_TARGET_TYPE=TARGET_TYPE_REPOSITORY
+NANCY_SCANNED_PROJECT_ROOT=""
diff --git a/new-components/scanners/nancy/README.md b/new-components/scanners/nancy/README.md
new file mode 100644
index 000000000..1a3fb4f5d
--- /dev/null
+++ b/new-components/scanners/nancy/README.md
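Review bot: `SMITHY_IS_LOCAL=false` sits directly under the comment `# This is for local setup only.`, so either the comment or the value is wrong; if this file is meant to drive the docker-compose run in the same directory, `SMITHY_IS_LOCAL=true` is presumably what was intended — confirm against the SDK's definition of the flag. `NANCY_TARGET_TYPE=TARGET_TYPE_REPOSITORY` also disagrees with the README added in this commit, which documents the default as `repository`; one of the two spellings should be corrected so the sample configuration and the documentation agree.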
@@ -0,0 +1,49 @@
+# nancy
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that parses json reports output by [nancy](https://github.com/securego/gosec) into [ocsf](https://github.com/ocsf) format.
+
+## Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable | Type | Required | Default | Description |
+|--------------------------|--------|----------|------------|---------------------------------------------------------|
+| NANCY\_RAW\_OUT\_FILE\_PATH | string | yes | - | The path where to find the gosec report |
+| NANCY\_TARGET\_TYPE | string | false | repository | The type of target that was used to generate the report |
+| NANCY\_SCANNED\_PROJECT\_ROOT | string | false | | The root of the project being scanned, used to find go.mod files and point at lines where fixes are needed |
+
+## How to run
+
+Execute:
+
+```shell
+docker-compose up --build --force-recreate --remove-orphans
+```
+
+Then shutdown with:
+
+```shell
+docker-compose down --rmi all
+```
+
+## Test data
+
+The `nancy.json` file used in tests was generated with the following steps:
+
+* Cloning:
+
+```shell
+git clone https://github.com/smithy-security/e2e-monorepo
+```
+
+* Running nancy
+
+```shell
+cd $location-of-e2e-monorepo-or-any-vulnerable-go-application && go list -json -deps ./... | docker run -v `pwd`:/code -i docker.io/sonatypecommunity/nancy:v1.0.42-alpine nancy sleuth -o json > nancy.json
+
+```
diff --git a/new-components/scanners/nancy/cmd/main.go b/new-components/scanners/nancy/cmd/main.go
new file mode 100644
index 000000000..8073a847f
--- /dev/null
+++ b/new-components/scanners/nancy/cmd/main.go
@@ -0,0 +1,37 @@
+package main
+
+import (
+ "context"
+ "log"
+ "time"
+
+ "github.com/go-errors/errors"
+
+ "github.com/smithy-security/smithy/new-components/scanner/nancy/internal/transformer"
+ "github.com/smithy-security/smithy/sdk/component"
+)
+
+func main() {
+ ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+ defer cancel()
+
+ if err := Main(ctx); err != nil {
+ log.Fatalf("unexpected error: %v", err)
+ }
+}
+
+// Main is the main entrypoint of this component
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+ opts = append(opts, component.RunnerWithComponentName("bandit"))
+
+ ocsfTransformer, err := transformer.New()
+ if err != nil {
+ return errors.Errorf("could not create transformer: %w", err)
+ }
+
+ if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+ return errors.Errorf("could not run scanner: %w", err)
+ }
+
+ return nil
+}
diff --git a/new-components/scanners/nancy/docker-compose.yaml b/new-components/scanners/nancy/docker-compose.yaml
new file mode 100644
index 000000000..e7cafe783
--- /dev/null
+++ b/new-components/scanners/nancy/docker-compose.yaml
@@ -0,0 +1,12 @@
+services:
+ scanner:
+ build:
+ context: ../..
+ args:
+ - COMPONENT_PATH=scanners/bandit
+ - COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
+ platform: linux/amd64
+ volumes:
+ - ./internal/transformer/testdata:/workspace
+ env_file:
+ - .env
diff --git a/new-components/scanners/nancy/go.mod b/new-components/scanners/nancy/go.mod
new file mode 100644
index 000000000..6ba7550d4
--- /dev/null
+++ b/new-components/scanners/nancy/go.mod
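Review bot: `component.RunnerWithComponentName("bandit")` in Main registers this scanner under another component's name, so its findings and log lines will be attributed to bandit rather than nancy; change it to `opts = append(opts, component.RunnerWithComponentName("nancy"))`. The same copy-paste leftover is in docker-compose.yaml, where the build arg `- COMPONENT_PATH=scanners/bandit` builds the bandit component instead of this one and should read `- COMPONENT_PATH=scanners/nancy`. Main's doc comment could also state what it wires together, e.g. `// Main wires the nancy report transformer into the SDK scanner runner; opts are appended after the component name.`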
@@ -0,0 +1,67 @@
+module github.com/smithy-security/smithy/new-components/scanner/nancy
+
+go 1.23.3
+
+require (
+ github.com/go-errors/errors v1.5.1
+ github.com/jonboulle/clockwork v0.5.0
+ github.com/smithy-security/pkg/env v0.0.1
+ github.com/smithy-security/smithy/new-components/scanners/gosec v0.0.0-20250114182125-ae2b90b14ae1
+ github.com/smithy-security/smithy/sdk v0.0.4-alpha
+ github.com/stretchr/testify v1.10.0
+ google.golang.org/protobuf v1.36.3
+)
+
+require (
+ ariga.io/atlas v0.29.0 // indirect
+ dario.cat/mergo v1.0.1 // indirect
+ github.com/Masterminds/goutils v1.1.1 // indirect
+ github.com/Masterminds/semver/v3 v3.3.1 // indirect
+ github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+ github.com/abice/go-enum v0.6.0 // indirect
+ github.com/agext/levenshtein v1.2.3 // indirect
+ github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+ github.com/bmatcuk/doublestar v1.3.4 // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/go-openapi/inflect v0.19.0 // indirect
+ github.com/golang/mock v1.6.0 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/hashicorp/hcl/v2 v2.18.1 // indirect
+ github.com/huandu/xstrings v1.5.0 // indirect
+ github.com/jackc/pgpassfile v1.0.0 // indirect
+ github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+ github.com/jackc/pgx/v5 v5.6.0 // indirect
+ github.com/labstack/gommon v0.4.2 // indirect
+ github.com/mattn/go-colorable v0.1.13 // indirect
+ github.com/mattn/go-isatty v0.0.20 // indirect
+ github.com/mattn/go-sqlite3 v1.14.24 // indirect
+ github.com/mattn/goveralls v0.0.12 // indirect
+ github.com/mitchellh/copystructure v1.2.0 // indirect
+ github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/mitchellh/reflectwalk v1.0.2 // indirect
+ github.com/package-url/packageurl-go v0.1.0
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/russross/blackfriday/v2 v2.1.0 // indirect
+ github.com/shopspring/decimal v1.4.0 // indirect
+ github.com/smithy-security/pkg/sarif v0.0.1 // indirect
+ github.com/spf13/cast v1.7.0 // indirect
+ github.com/sqlc-dev/sqlc v1.27.0 // indirect
+ github.com/urfave/cli/v2 v2.27.5 // indirect
+ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+ github.com/zclconf/go-cty v1.14.4 // indirect
+ go.uber.org/mock v0.5.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
+ golang.org/x/mod v0.22.0 // indirect
+ golang.org/x/net v0.32.0 // indirect
+ golang.org/x/sync v0.10.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
+ golang.org/x/tools v0.28.0 // indirect
+ golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+ google.golang.org/grpc v1.65.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/new-components/scanners/nancy/go.sum b/new-components/scanners/nancy/go.sum
new file mode 100644
index 000000000..77f697a76
--- /dev/null
+++ b/new-components/scanners/nancy/go.sum
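Review bot: The `module` line declares `.../new-components/scanner/nancy` while the file lives under `new-components/scanners/nancy` (compare the sibling `new-components/scanners/gosec` required a few lines below), so other modules in the repository cannot reference this one by its on-disk path; change it to `module github.com/smithy-security/smithy/new-components/scanners/nancy` and update the `internal/transformer` import in cmd/main.go to match. Requiring the gosec scanner module as a direct dependency also drags that component's transitive graph into a component that only parses nancy output — sqlc, pgx, atlas and hcl appear as indirects here, presumably via that module — which widens what must be audited and kept patched for this scanner; if only a shared helper is needed it likely belongs in the sdk or `pkg` modules, so confirm what is actually imported from gosec. `github.com/package-url/packageurl-go v0.1.0` sits in the indirect block without a `// indirect` marker, which suggests `go mod tidy` was not run after the last edit.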
@@ -0,0 +1,241 @@ +ariga.io/atlas v0.29.0 h1:sXlI6ktGjo0vpBDvStjtgEKwLvjFfveK0vmRRTxyu1E= +ariga.io/atlas v0.29.0/go.mod h1:LOOp18LCL9r+VifvVlJqgYJwYl271rrXD9/wIyzJ8sw= +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= +github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= +github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4= +github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= +github.com/abice/go-enum v0.6.0 h1:J6xiV+nyu/D5c5+/rQfgkMi9zJ1Hkap8clxCZf8KNsk= +github.com/abice/go-enum v0.6.0/go.mod h1:istq/zbgIh0kwEdbwHb+t8OS5dsB7w4w4VygV6HcpLg= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod 
h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0= +github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE= +github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= +github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= +github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= +github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY= +github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= +github.com/docker/go-connections v0.5.0/go.mod 
h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= +github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-openapi/inflect v0.19.0 h1:9jCH9scKIbHeV9m12SmPilScz6krDxKRasNNSNPXu/4= +github.com/go-openapi/inflect v0.19.0/go.mod h1:lHpZVlpIQqLyKwJ4N+YSc9hchQy/i12fJykb83CRBH4= +github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= +github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/hcl/v2 v2.18.1 h1:6nxnOJFku1EuSawSD81fuviYUV8DxFr3fp2dUi3ZYSo= +github.com/hashicorp/hcl/v2 v2.18.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= 
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk= +github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY= +github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw= +github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk= +github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I= +github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0= +github.com/labstack/gommon v0.4.2/go.mod h1:QlUFxVM+SNXhDL/Z7YhocGIBYOiwB0mXm1+1bAPHPyU= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.16/go.mod 
h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM= +github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +github.com/mattn/goveralls v0.0.12 h1:PEEeF0k1SsTjOBQ8FOmrOAoCu4ytuMaWCnWe94zxbCg= +github.com/mattn/goveralls v0.0.12/go.mod h1:44ImGEUfmqH8bBtaMrYKsM65LXfNLWmwaxFGjZwgMSQ= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec 
v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs= +github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA= +github.com/ory/dockertest/v3 v3.11.0 h1:OiHcxKAvSDUwsEVh2BjxQQc/5EHz9n0va9awCtNGuyA= +github.com/ory/dockertest/v3 v3.11.0/go.mod h1:VIPxS1gwT9NpPOrfD3rACs8Y9Z7yhzO4SB194iUDnUI= +github.com/package-url/packageurl-go v0.1.0 h1:efWBc98O/dBZRg1pw2xiDzovnlMjCa9NPnfaiBduh8I= +github.com/package-url/packageurl-go v0.1.0/go.mod h1:C/ApiuWpmbpni4DIOECf6WCjFUZV7O1Fx7VAzrZHgBw= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/smithy-security/pkg/env v0.0.1 h1:uwLTMLdNN/dv3x4zat75JahEBQDpdBeldjEE8El4OiM= +github.com/smithy-security/pkg/env v0.0.1/go.mod 
h1:VIJfDqeAbQQcmohaXcZI6grjeJC9Y8CmqR4ITpdngZE= +github.com/smithy-security/pkg/sarif v0.0.1 h1:iZDtYBzUKbQlDCli0x8ZSaTt3+2WYoryFVrhS6/1v3c= +github.com/smithy-security/pkg/sarif v0.0.1/go.mod h1:+zGyJKSH8xfpcHvJEsDp47lWCtfmePuKF51cshOydZo= +github.com/smithy-security/smithy/new-components/scanners/gosec v0.0.0-20250114182125-ae2b90b14ae1 h1:VX92D6qnwzj6xfIwPw1uLeMgrdQHq+xzJP3PiBEJOAc= +github.com/smithy-security/smithy/new-components/scanners/gosec v0.0.0-20250114182125-ae2b90b14ae1/go.mod h1:EQo+NUKL9mBRwNLducpjKtC/7CX9d0uOakGUIn0uaCg= +github.com/smithy-security/smithy/sdk v0.0.4-alpha h1:2SRgY1TBp68utOHSu4O4RdzBsxWqUeGI9Hx9tK55R7o= +github.com/smithy-security/smithy/sdk v0.0.4-alpha/go.mod h1:76LY9UVqLYfc7+a1++rOHkCvvMXAU4zfWw5/TtHbeOI= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/sqlc-dev/sqlc v1.27.0 h1:wWc+401GLh0whLa30WmDkkl11lMBZuqvDvgu5OsaDiQ= +github.com/sqlc-dev/sqlc v1.27.0/go.mod h1:wXAlx++Ed1eUhMeEKyXfeCO+ogPIN1adG5DdPavR4k0= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w= +github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference 
v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.14.4 h1:uXXczd9QDGsgu0i/QFR/hzI5NYCHLf6NQw/atrbnhq8= +github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= +go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU= +go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.22.0 
h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= +golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools 
v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8= +golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw= +golang.org/x/tools/cmd/cover v0.1.0-deprecated h1:Rwy+mWYz6loAF+LnG1jHG/JWMHRMMC2/1XX3Ejkx9lA= +golang.org/x/tools/cmd/cover v0.1.0-deprecated/go.mod h1:hMDiIvlpN1NoVgmjLjUJE9tMHyxHjFX7RuQ+rW12mSA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU= +google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod 
h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/new-components/scanners/nancy/internal/transformer/testdata/nancy-incorrect-packages.json b/new-components/scanners/nancy/internal/transformer/testdata/nancy-incorrect-packages.json new file mode 100644 index 000000000..d8ba43c48 --- /dev/null +++ b/new-components/scanners/nancy/internal/transformer/testdata/nancy-incorrect-packages.json 
@@ -0,0 +1,327 @@ +{ + "audited": [ + { + "Coordinates": "pkg:golang/github.com/gorilla/mux@v1.7.4", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/gorilla/mux@v1.7.4?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/pkg/errors@v0.9.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/pkg/errors@v0.9.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/golang-lru@v0.5.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/golang-lru@v0.5.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/go-immutable-radix@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/go-immutable-radix@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/kentik/patricia@v0.0.0-20200128193914-c35d94c5e02f", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/kentik/patricia@v0.0.0-20200128193914-c35d94c5e02f?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": 
"pkg:golang/github.com/sqreen/go-agent@v1.0.5", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-agent@v1.0.5?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/sqreen/go-sdk/signal@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-sdk/signal@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/sys@v0.0.0-20201116194326-cc9327a14d48", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/sys@v0.0.0-20201116194326-cc9327a14d48?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/fsnotify/fsnotify@v1.4.9", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/fsnotify/fsnotify@v1.4.9?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/hcl@v1.0.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/hcl@v1.0.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/magiconair/properties@v1.8.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/magiconair/properties@v1.8.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/mitchellh/mapstructure@v1.3.1", + "Reference": 
"https://ossindex.sonatype.org/component/pkg:golang/github.com/mitchellh/mapstructure@v1.3.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/pelletier/go-toml@v1.8.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/pelletier/go-toml@v1.8.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/afero@v1.2.2", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/afero@v1.2.2?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/text@v0.3.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. 
If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/cast@v1.3.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/cast@v1.3.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/jwalterweatherman@v1.1.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/jwalterweatherman@v1.1.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/pflag@v1.0.5?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + 
"Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/subosito/gotenv@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/subosito/gotenv@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-ini/ini@v1.56.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-ini/ini@v1.56.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-yaml/yaml@v2.3.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-yaml/yaml@v2.3.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/viper@v1.7.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/viper@v1.7.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/dlclark/regexp2@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/dlclark/regexp2@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/dop251/goja@v0.0.0-20200526165454-f1752421c432", + "Reference": 
"https://ossindex.sonatype.org/component/pkg:golang/github.com/dop251/goja@v0.0.0-20200526165454-f1752421c432?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-sourcemap/sourcemap@v2.1.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-sourcemap/sourcemap@v2.1.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/google/uuid@v1.1.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/google/uuid@v1.1.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/sqreen/go-libsqreen@v0.7.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-libsqreen@v0.7.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/mattn/go-sqlite3@v2.0.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/mattn/go-sqlite3@v2.0.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + } + ], + "excluded": null, + "exclusions": [], + "invalid": [], + "num_audited": 30, + "num_exclusions": 0, + "num_vulnerable": 1, + "version": "1.0.42", + "vulnerable": [ + { + "Coordinates": "pkg:golang/ariga.io/atlas@v0.29.0", + "Comment for tests":"not actually vulnerable, copied from go.mod, valid finding", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": 
"CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/dario.cat/cat.dario@v1.0.1", + "Comment for tests":"correct version wrong package, this should not appear", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. 
Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/dario.cat/mergo@v1.0.2", + "Comment for tests":"correct package wrong version, this should not appear", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. 
If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/dario.cat/mergo@v1.0.1", + "Comment for tests":"not actually vulnerable, copied from go.mod", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. 
If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + } + ] +} + diff --git a/new-components/scanners/nancy/internal/transformer/testdata/nancy.json b/new-components/scanners/nancy/internal/transformer/testdata/nancy.json new file mode 100644 index 000000000..0e27b130e --- /dev/null +++ b/new-components/scanners/nancy/internal/transformer/testdata/nancy.json 
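Review bot: The fixture's summary counters disagree with its own payload: `num_vulnerable` is 1 while the `vulnerable` array holds four entries here (and two in the nancy.json hunk that follows), so any assertion or code path that reads the count would be checked against the wrong expectation. If the count is meant to be consumed, set it to the real array length; if it is deliberately ignored, a `"Comment for tests": "counters are not consumed by the transformer"` entry next to it, in the style the `vulnerable` entries already use, would make that intent explicit. Note too that the snake_case keys `num_audited`/`num_vulnerable` do not match the untagged `NumAudited`/`NumVulnerable` fields of `NancyOut` in the transformer.go hunk, so those fields will presumably stay zero after decoding unless tags are added there — worth confirming. Finally, the `Reference` of every `vulnerable` entry still points at golang.org/x/text rather than the package named in `Coordinates`; harmless if the transformer never reads it, but misleading in a fixture whose purpose is to test package/version matching.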
@@ -0,0 +1,270 @@ +{ + "audited": [ + { + "Coordinates": "pkg:golang/github.com/gorilla/mux@v1.7.4", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/gorilla/mux@v1.7.4?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/pkg/errors@v0.9.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/pkg/errors@v0.9.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/golang-lru@v0.5.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/golang-lru@v0.5.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/go-immutable-radix@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/go-immutable-radix@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/kentik/patricia@v0.0.0-20200128193914-c35d94c5e02f", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/kentik/patricia@v0.0.0-20200128193914-c35d94c5e02f?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": 
"pkg:golang/github.com/sqreen/go-agent@v1.0.5", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-agent@v1.0.5?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/sqreen/go-sdk/signal@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-sdk/signal@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/sys@v0.0.0-20201116194326-cc9327a14d48", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/sys@v0.0.0-20201116194326-cc9327a14d48?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/fsnotify/fsnotify@v1.4.9", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/fsnotify/fsnotify@v1.4.9?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/hashicorp/hcl@v1.0.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/hashicorp/hcl@v1.0.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/magiconair/properties@v1.8.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/magiconair/properties@v1.8.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/mitchellh/mapstructure@v1.3.1", + "Reference": 
"https://ossindex.sonatype.org/component/pkg:golang/github.com/mitchellh/mapstructure@v1.3.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/pelletier/go-toml@v1.8.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/pelletier/go-toml@v1.8.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/afero@v1.2.2", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/afero@v1.2.2?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/text@v0.3.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. 
If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/cast@v1.3.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/cast@v1.3.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/jwalterweatherman@v1.1.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/jwalterweatherman@v1.1.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/pflag@v1.0.5", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/pflag@v1.0.5?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + 
"Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/subosito/gotenv@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/subosito/gotenv@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-ini/ini@v1.56.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-ini/ini@v1.56.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-yaml/yaml@v2.3.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-yaml/yaml@v2.3.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/spf13/viper@v1.7.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/spf13/viper@v1.7.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/dlclark/regexp2@v1.2.0", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/dlclark/regexp2@v1.2.0?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/dop251/goja@v0.0.0-20200526165454-f1752421c432", + "Reference": 
"https://ossindex.sonatype.org/component/pkg:golang/github.com/dop251/goja@v0.0.0-20200526165454-f1752421c432?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/go-sourcemap/sourcemap@v2.1.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/go-sourcemap/sourcemap@v2.1.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/google/uuid@v1.1.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/google/uuid@v1.1.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/sqreen/go-libsqreen@v0.7.1", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/sqreen/go-libsqreen@v0.7.1?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/github.com/mattn/go-sqlite3@v2.0.3", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/mattn/go-sqlite3@v2.0.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [], + "InvalidSemVer": false + } + ], + "excluded": null, + "exclusions": [], + "invalid": [], + "num_audited": 30, + "num_exclusions": 0, + "num_vulnerable": 1, + "version": "1.0.42", + "vulnerable": [ + { + "Coordinates": "pkg:golang/ariga.io/atlas@v0.29.0", + "Comment for tests":"not actually vulnerable, copied from go.mod, valid finding", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": 
"CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + }, + { + "Coordinates": "pkg:golang/dario.cat/mergo@v1.0.1", + "Comment for tests":"not actually vulnerable, copied from go.mod", + "Reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@v0.3.3?utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Vulnerabilities": [ + { + "ID": "CVE-2021-38561", + "Title": "[CVE-2021-38561] CWE-125: Out-of-bounds Read", + "Description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. 
If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2021-38561", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2021-38561?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + }, + { + "ID": "CVE-2022-32149", + "Title": "[CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime", + "Description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "CvssScore": "7.5", + "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "Cve": "CVE-2022-32149", + "Reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang\u0026component-name=golang.org%2Fx%2Ftext\u0026utm_source=nancy-client\u0026utm_medium=integration\u0026utm_content=1.0.42", + "Excluded": false + } + ], + "InvalidSemVer": false + } + ] +} diff --git a/new-components/scanners/nancy/internal/transformer/transformer.go b/new-components/scanners/nancy/internal/transformer/transformer.go new file mode 100644 index 000000000..e4329316f --- /dev/null +++ b/new-components/scanners/nancy/internal/transformer/transformer.go 
@@ -0,0 +1,455 @@ +package transformer + +import ( + "bufio" + "context" + "encoding/json" + "fmt" + "log/slog" + "os" + "path/filepath" + "regexp" + "strconv" + "strings" + + "github.com/go-errors/errors" + "github.com/jonboulle/clockwork" + "github.com/package-url/packageurl-go" + "github.com/smithy-security/pkg/env" + "google.golang.org/protobuf/encoding/protojson" + + "github.com/smithy-security/smithy/sdk/component" + ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1" + ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1" +) + +type ( + + // NancyTransformerOption allows customising the transformer. + NancyTransformerOption func(b *NancyTransformer) error + + // NancyOut represents the output of a nancy run that we care about. + NancyOut struct { + Vulnerable []NancyAdvisory `json:"vulnerable"` + Audited any // unused + Exclusions any // unused + Invalid any // unused + NumAudited int + NumVulnerable int + Version string + } + + // NancyAdvisories represents a nancy advisory section that we care about. + NancyAdvisory struct { + Coordinates string `json:"Coordinates"` + Reference string `json:"Reference"` + Vulnerabilities []*NancyVulnerability `json:"Vulnerabilities"` + } + + // NancyVulnerability represents a nancy vulnerability. 
+ NancyVulnerability struct { + ID string `json:"Id"` + Title string `json:"Title"` + Description string `json:"Description"` + CvssScore string `json:"CvssScore"` + CvssVector string `json:"CvssVector"` + Cve string `json:"Cve"` + Cwe string `json:"Cwe"` + Reference string `json:"Reference"` + } + + // NancyTransformer represents the nancy output parser + NancyTransformer struct { + targetType ocsffindinginfo.DataSource_TargetType + clock clockwork.Clock + rawOutFilePath string + fileContents []byte + projectRoot string + goModPaths []string + } +) + +var ( + // Generic errors + + // ErrNilClock is thrown when the option setclock is called with empty clock + ErrNilClock = errors.Errorf("invalid nil clock") + // ErrEmptyTarget is thrown when the option set target is called with empty target + ErrEmptyTarget = errors.Errorf("invalid empty target") + // ErrEmptyRawOutfilePath is thrown when the option raw outfile path is called with empty path + ErrEmptyRawOutfilePath = errors.Errorf("invalid raw out file path") + // ErrEmptyRawOutfileContents is thrown when the option raw outfile contents is called with empty contents + ErrEmptyRawOutfileContents = errors.Errorf("empty raw out file contents") + // ErrBadTargetType is thrown when the option set target type is called with an unspecified or empty target type + ErrBadTargetType = errors.New("invalid empty target type") + + // Nancy Parser Specific Errors + + // ErrNoLineRange is thrown when nancy produces a finding without a line range + ErrNoLineRange = errors.Errorf("nancy result does not contain a line range") + // ErrBadDataSource is thrown when nancy produces a finding that cannot have a datasource (e.g. 
no filename) + ErrBadDataSource = errors.Errorf("failed to marshal data source to JSON") + // ErrEmptyPath is thrown when called with an empty project root + ErrEmptyPath = errors.Errorf("called with an empty project root") + // ErrCouldNotFindPackage is thrown when nancy cannot find the dependency in any go.mod files + ErrCouldNotFindPackage = errors.Errorf("could not find package") +) + +// NancyTransformerWithClock allows customising the underlying clock. +func NancyTransformerWithClock(clock clockwork.Clock) NancyTransformerOption { + return func(g *NancyTransformer) error { + if clock == nil { + return ErrNilClock + } + g.clock = clock + return nil + } +} + +// NancyTransformerWithProjectRoot allows customising the path of the target project root +func NancyTransformerWithProjectRoot(path string) NancyTransformerOption { + return func(g *NancyTransformer) error { + if path == "" { + return ErrEmptyPath + } + g.projectRoot = path + return nil + } +} + +// NancyTransformerWithTarget allows customising the underlying target type. +func NancyTransformerWithTarget(target ocsffindinginfo.DataSource_TargetType) NancyTransformerOption { + return func(g *NancyTransformer) error { + if target == ocsffindinginfo.DataSource_TARGET_TYPE_UNSPECIFIED { + return ErrEmptyTarget + } + g.targetType = target + return nil + } +} + +// NancyRawOutFilePath allows customising the underlying raw out file path. +func NancyRawOutFilePath(path string) NancyTransformerOption { + return func(g *NancyTransformer) error { + if path == "" { + return ErrEmptyRawOutfilePath + } + g.rawOutFilePath = path + return nil + } +} + +// NancyRawOutFileContents allows customising the underlying raw out file contents. +func NancyRawOutFileContents(contents []byte) NancyTransformerOption { + return func(g *NancyTransformer) error { + if contents == nil { + return ErrEmptyRawOutfileContents + } + g.fileContents = contents + return nil + } +} + +// New returns a new nancy transformer. 
+func New(opts ...NancyTransformerOption) (*NancyTransformer, error) { + rawOutFilePath, err := env.GetOrDefault( + "NANCY_RAW_OUT_FILE_PATH", + "nancy.json", + env.WithDefaultOnError(true), + ) + if err != nil { + return nil, err + } + + tt, err := env.GetOrDefault( + "NANCY_TARGET_TYPE", + ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY.String(), + env.WithDefaultOnError(true), + ) + if err != nil { + return nil, err + } + + projectRoot, err := env.GetOrDefault( + "NANCY_SCANNED_PROJECT_ROOT", + "", + env.WithDefaultOnError(true), + ) + if err != nil { + return nil, err + } + + t := NancyTransformer{ + rawOutFilePath: rawOutFilePath, + targetType: ocsffindinginfo.DataSource_TargetType(ocsffindinginfo.DataSource_TargetType_value[tt]), + clock: clockwork.NewRealClock(), + projectRoot: projectRoot, + } + + for _, opt := range opts { + if err := opt(&t); err != nil { + return nil, errors.Errorf("failed to apply option: %w", err) + } + } + + goModFiles, err := findFiles(t.projectRoot, "go.mod", "/vendor/") + if err != nil { + return nil, err + } + t.goModPaths = goModFiles + + switch { + case t.rawOutFilePath == "": + return nil, errors.New("invalid empty raw output file") + case t.targetType == ocsffindinginfo.DataSource_TARGET_TYPE_UNSPECIFIED: + return nil, ErrBadTargetType + case t.projectRoot == "": + return nil, errors.New("invalid project root, cannot be empty") + } + + return &t, nil +} + +// Transform transforms raw sarif findings into ocsf vulnerability findings. 
+func (b *NancyTransformer) Transform(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error) { + logger := component.LoggerFromContext(ctx) + + logger.Debug("preparing to parse raw nancy output...") + if b.fileContents == nil { + inFile, err := os.ReadFile(b.rawOutFilePath) + if err != nil { + if os.IsNotExist(err) { + return nil, errors.Errorf("raw output file '%s' not found", b.rawOutFilePath) + } + return nil, errors.Errorf("failed to read raw output file '%s': %w", b.rawOutFilePath, err) + } + b.fileContents = inFile + } + var results NancyOut + if err := json.Unmarshal(b.fileContents, &results); err != nil { + return nil, errors.Errorf("could not unmarshal nancy output, err: %w", err) + } + vulns := make([]*ocsf.VulnerabilityFinding, 0) + + for _, res := range results.Vulnerable { + v, err := b.parseResult(res) + if err != nil { + return nil, errors.Errorf("could not parse nancy result, err: %w", err) + } + vulns = append(vulns, v...) + } + + logger.Debug( + "successfully parsed raw nancy findings to ocsf vulnerability findings!", + slog.Int("num_parsed_bandit_findings", len(vulns)), + ) + return vulns, nil +} + +func (b *NancyTransformer) cvssToSeverity(score float64) ocsf.VulnerabilityFinding_SeverityId { + switch { + case 0.1 <= score && score <= 3.9: + return ocsf.VulnerabilityFinding_SEVERITY_ID_LOW + case 4.0 <= score && score <= 6.9: + return ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM + case 7.0 <= score && score <= 8.9: + return ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH + case 9.0 <= score && score <= 10.0: + return ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL + default: + return ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL + } +} + +func (b *NancyTransformer) parseResult(advisory NancyAdvisory) ([]*ocsf.VulnerabilityFinding, error) { + now := b.clock.Now().Unix() + confidenceID := ocsf.VulnerabilityFinding_CONFIDENCE_ID_HIGH + confidence := ocsf.VulnerabilityFinding_ConfidenceId_name[int32(confidenceID)] + results := 
[]*ocsf.VulnerabilityFinding{} + affectedCode, err := b.mapCode(advisory) + if err != nil { + return nil, err + } + for _, vulnerability := range advisory.Vulnerabilities { + dataSource, err := b.mapDataSource(advisory) + if err != nil { + return nil, err + } + cvss, err := strconv.ParseFloat(vulnerability.CvssScore, 64) + if err != nil { + return nil, err + } + purl, err := packageurl.FromString(advisory.Coordinates) + if err != nil { + return nil, errors.Errorf("could not parse advisory coordinates to purl, coordinates: %s, err: %w", advisory.Coordinates, err) + } + finding := &ocsf.VulnerabilityFinding{ + + ActivityName: Ptr(ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.String()), + ActivityId: ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE, + CategoryUid: ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS, + ClassUid: ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING, + ClassName: Ptr(ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.String()), + Confidence: &confidence, + + ConfidenceId: Ptr(ocsf.VulnerabilityFinding_ConfidenceId(confidenceID)), + Count: Ptr(int32(1)), + FindingInfo: &ocsf.FindingInfo{ + Uid: "Vulnerable-Go-Dependency", // TODO: make this a constant and share across SCA + CreatedTime: &now, + DataSources: []string{ + dataSource, + }, + Desc: &vulnerability.Description, + FirstSeenTime: &now, + LastSeenTime: &now, + ModifiedTime: &now, + ProductUid: Ptr("nancy"), + Title: vulnerability.Title, + }, + Message: &vulnerability.Description, + Severity: Ptr(ocsf.VulnerabilityFinding_SeverityId_name[int32(b.cvssToSeverity(cvss))]), + SeverityId: ocsf.VulnerabilityFinding_SeverityId(b.cvssToSeverity(cvss)), + StartTime: &now, + Status: Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW.String()), + StatusId: Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW), + Time: now, + TypeUid: int64( + ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.Number()* + 100 + + ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.Number(), + ), + Vulnerabilities: 
[]*ocsf.Vulnerability{ + { + AffectedCode: affectedCode, + AffectedPackages: []*ocsf.AffectedPackage{ + { + PackageManager: &purl.Namespace, + Name: purl.Name, + Purl: Ptr(purl.String()), + Version: purl.Version, + Path: &purl.Subpath, + }, + }, + Cwe: b.optionallyMapCWE(vulnerability), + Desc: Ptr(vulnerability.Description), + FirstSeenTime: &now, + Cve: &ocsf.Cve{ + Cvss: []*ocsf.Cvss{ + { + VectorString: &vulnerability.CvssVector, + OverallScore: &cvss, + }, + }, + }, + LastSeenTime: &now, + Severity: Ptr(ocsf.VulnerabilityFinding_SeverityId_name[int32(b.cvssToSeverity(cvss))]), + Title: Ptr(vulnerability.Title), + VendorName: Ptr("nancy"), + }, + }, + } + results = append(results, finding) + } + return results, nil +} + +func (n *NancyTransformer) mapCode(r NancyAdvisory) ([]*ocsf.AffectedCode, error) { + pp, err := packageurl.FromString(r.Coordinates) + if err != nil { + return nil, fmt.Errorf("failed to parse purl: %w", err) + } + + substring := fmt.Sprintf("%s/%s", pp.Namespace, pp.Name) + version := pp.Version + result := []*ocsf.AffectedCode{} + found := false + for _, gomod := range n.goModPaths { + file, err := os.Open(gomod) + if err != nil { + return nil, errors.Errorf("Error opening file: %w", err) + } + defer file.Close() + + scanner := bufio.NewScanner(file) + lineNumber := 0 + + for scanner.Scan() { + lineNumber++ + line := scanner.Text() + if strings.Contains(line, substring) && strings.Contains(line, version) { + found = true + result = append(result, &ocsf.AffectedCode{ + File: &ocsf.File{ + Path: &gomod, + Name: "go.mod", + }, + StartLine: Ptr(int32(lineNumber)), + EndLine: Ptr(int32(lineNumber)), + }) + } + if err := scanner.Err(); err != nil { + return nil, err + } + } + } + if !found { + return nil, errors.Errorf("%w: '%s' in any go.mod in this project, list of go.mod files: '%v', tried to match substring '%s' and version: '%s'", ErrCouldNotFindPackage, r.Coordinates, n.goModPaths, substring, version) + } + return result, nil +} + +func 
findFiles(root, targetName, excludeFromPath string) ([]string, error) { + var matches []string + + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + // Check if it's a file (not a directory) and matches the target name + if !info.IsDir() && info.Name() == targetName && !strings.Contains(path, excludeFromPath) { + matches = append(matches, path) + } + return nil + }) + + if err != nil { + return nil, errors.Errorf("error walking directory tree with root at: %s, err: %w", root, err) + } + return matches, nil +} + +func (*NancyTransformer) optionallyMapCWE(r *NancyVulnerability) *ocsf.Cwe { + re := regexp.MustCompile(`CWE-(\d+)`) + match := re.FindStringSubmatch(r.Title) + if len(match) > 1 { + return &ocsf.Cwe{ + Uid: match[1], + } + } else { + return nil + } +} + +func (b *NancyTransformer) mapDataSource(r NancyAdvisory) (string, error) { + dataSource := ocsffindinginfo.DataSource{ + TargetType: b.targetType, + Uri: &ocsffindinginfo.DataSource_URI{ + UriSchema: ocsffindinginfo.DataSource_URI_SCHEMA_PURL, + Path: r.Coordinates, + }, + LocationData: &ocsffindinginfo.DataSource_PurlFindingLocationData_{PurlFindingLocationData: &ocsffindinginfo.DataSource_PurlFindingLocationData{}}, // TODO : figure out what location data we would need here that is different that code + } + + toBytes, err := protojson.Marshal(&dataSource) + if err != nil { + return "", errors.Errorf("%w err:%w", ErrBadDataSource, err) + } + return string(toBytes), nil +} + +// Ptr returns the pointer to the passed value. +func Ptr[T any](v T) *T { + return &v +} diff --git a/new-components/scanners/nancy/internal/transformer/transformer_test.go b/new-components/scanners/nancy/internal/transformer/transformer_test.go new file mode 100644 index 000000000..aff7cdfd3 --- /dev/null +++ b/new-components/scanners/nancy/internal/transformer/transformer_test.go 
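Review bot: In `New`, `findFiles(t.projectRoot, "go.mod", "/vendor/")` runs before the `switch` that rejects an empty `projectRoot`, so with the documented default of `""` the caller gets a `filepath.Walk` lstat error on an empty path instead of the intended `invalid project root, cannot be empty`; move the three validation cases above the `findFiles` call so configuration errors surface with the message written for them. In `mapCode`, `defer file.Close()` sits inside the `for _, gomod := range n.goModPaths` loop, so every go.mod stays open until the method returns (once per advisory), and the `scanner.Err()` check is inside the `Scan` loop rather than after it; extracting the per-file scan into a helper that owns the open/close fixes both, as sketched below. `optionallyMapCWE` calls `regexp.MustCompile(`CWE-(\d+)`)` on every invocation; hoist it to a package-level `var cweRe = regexp.MustCompile(`CWE-(\d+)`)`. The `Transform` doc comment says "raw sarif findings" and the debug log uses the key `num_parsed_bandit_findings`, both apparently carried over from another scanner; nancy's JSON is neither, so `// Transform parses raw nancy JSON output into ocsf vulnerability findings.` and `num_parsed_nancy_findings` would match what the code does.
```go
func (n *NancyTransformer) mapCode(r NancyAdvisory) ([]*ocsf.AffectedCode, error) {
	// … unchanged: purl parsing, substring/version setup …
	result := []*ocsf.AffectedCode{}
	for _, gomod := range n.goModPaths {
		matches, err := scanGoMod(gomod, substring, version)
		if err != nil {
			return nil, err
		}
		result = append(result, matches...)
	}
	if len(result) == 0 {
		// … unchanged: ErrCouldNotFindPackage error …
	}
	return result, nil
}

// scanGoMod returns one AffectedCode entry per line of gomod that contains
// both substring and version; the file is closed before returning.
func scanGoMod(gomod, substring, version string) ([]*ocsf.AffectedCode, error) {
	file, err := os.Open(gomod)
	if err != nil {
		return nil, errors.Errorf("opening go.mod %q: %w", gomod, err)
	}
	defer file.Close()

	var found []*ocsf.AffectedCode
	scanner := bufio.NewScanner(file)
	for lineNumber := 1; scanner.Scan(); lineNumber++ {
		line := scanner.Text()
		if strings.Contains(line, substring) && strings.Contains(line, version) {
			found = append(found, &ocsf.AffectedCode{
				File:      &ocsf.File{Path: &gomod, Name: "go.mod"},
				StartLine: Ptr(int32(lineNumber)),
				EndLine:   Ptr(int32(lineNumber)),
			})
		}
	}
	// Check for a read error once, after the whole file has been consumed.
	if err := scanner.Err(); err != nil {
		return nil, err
	}
	return found, nil
}
```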
@@ -0,0 +1,246 @@ +package transformer + +import ( + _ "embed" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" + + "context" + "time" + + "github.com/jonboulle/clockwork" + "github.com/stretchr/testify/assert" + "google.golang.org/protobuf/encoding/protojson" + + ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1" + ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1" +) + +func fakeClock() *clockwork.FakeClock { + return clockwork.NewFakeClockAt(time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC)) +} + +func TestNancyTransformer_Transform(t *testing.T) { + var ( + clock = fakeClock() + ) + + t.Run("it should transform correctly the finding to ocsf format", func(t *testing.T) { + path, err := os.Getwd() + require.NoError(t, err) + ocsfTransformer, err := New( + NancyRawOutFilePath("./testdata/nancy.json"), + NancyTransformerWithTarget(ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY), + NancyTransformerWithClock(clock), + NancyTransformerWithProjectRoot(filepath.Join(path, "../../")), + ) + require.NoError(t, err) + transformMethodTest(t, ocsfTransformer.Transform, nil, 4) + }) + + t.Run("it should error when it cannotfind the packages in go.mod files", func(t *testing.T) { + path, err := os.Getwd() + require.NoError(t, err) + ocsfTransformer, err := New( + NancyRawOutFilePath("./testdata/nancy-incorrect-packages.json"), + NancyTransformerWithTarget(ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY), + NancyTransformerWithClock(clock), + NancyTransformerWithProjectRoot(filepath.Join(path, "../../")), + ) + require.NoError(t, err) + transformMethodTest(t, ocsfTransformer.Transform, ErrCouldNotFindPackage, 0) + }) +} + +func assertValid(t *testing.T, finding *ocsf.VulnerabilityFinding, idx int, nowUnix, typeUID int64) { + assert.Equalf( + t, + ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.String(), + *finding.ActivityName, + "Unexpected activity name for finding %d", idx, + ) + assert.Equalf( + t, + 
ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE, + finding.ActivityId, + "Unexpected activity id for finding %d", idx, + ) + assert.Equalf( + t, + ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS, + finding.CategoryUid, + "Unexpected category uid for finding %d", idx, + ) + assert.Equalf( + t, + ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING, + finding.ClassUid, + "Unexpected category class uid for finding %d", idx, + ) + assert.Equalf( + t, + ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.String(), + *finding.ClassName, + "Unexpected category class name for finding %d", idx, + ) + assert.Containsf( + t, + []string{ + ocsf.VulnerabilityFinding_CONFIDENCE_ID_HIGH.String(), + ocsf.VulnerabilityFinding_CONFIDENCE_ID_MEDIUM.String(), + ocsf.VulnerabilityFinding_CONFIDENCE_ID_LOW.String(), + }, + *finding.Confidence, + "Unexpected confidence name for finding %d", idx, + ) + assert.Containsf( + t, + []ocsf.VulnerabilityFinding_ConfidenceId{ + ocsf.VulnerabilityFinding_CONFIDENCE_ID_HIGH, + ocsf.VulnerabilityFinding_CONFIDENCE_ID_MEDIUM, + ocsf.VulnerabilityFinding_CONFIDENCE_ID_LOW, + }, + *finding.ConfidenceId, + "Unexpected confidence id for finding %d", idx, + ) + assert.NotNilf(t, finding.Count, "Unexpected count for finding %d", idx) + assert.NotEmptyf(t, finding.Message, "Unexpected empty message for finding %d", idx) + assert.Containsf( + t, + []ocsf.VulnerabilityFinding_SeverityId{ + ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH, + ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM, + ocsf.VulnerabilityFinding_SEVERITY_ID_LOW, + ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL, + }, + finding.SeverityId, + "Unexpected severity id %s for finding %d", finding.SeverityId, idx, + ) + assert.Containsf( + t, + []string{ + ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_LOW.String(), + }, + 
*finding.Severity, + "Unexpected severity for finding %d", idx, + ) + assert.Equalf(t, nowUnix, *finding.StartTime, "Unexpected start time for finding %d", idx) + assert.Equalf( + t, + ocsf.VulnerabilityFinding_STATUS_ID_NEW.String(), + *finding.Status, + "Unexpected status for finding %d", + idx, + ) + assert.Equalf( + t, + ocsf.VulnerabilityFinding_STATUS_ID_NEW, + *finding.StatusId, + "Unexpected status id for finding %d", + idx, + ) + assert.Equalf(t, nowUnix, finding.Time, "Unexpected time for finding %d", idx) + assert.Equalf(t, typeUID, finding.TypeUid, "Unexpected type uid for finding %d", idx) + require.NotNilf(t, finding.FindingInfo, "Unexpected nil finding info for finding %d", idx) + findingInfo := finding.FindingInfo + assert.Equalf(t, nowUnix, *findingInfo.CreatedTime, "Unexpected finding info created time for finding %d", idx) + assert.Equalf(t, nowUnix, *findingInfo.FirstSeenTime, "Unexpected finding info first time seen for finding %d", idx) + assert.Equalf(t, nowUnix, *findingInfo.LastSeenTime, "Unexpected finding info last time seen for finding %d", idx) + assert.Equalf(t, nowUnix, *findingInfo.ModifiedTime, "Unexpected finding info modified time seen for finding %d", idx) + assert.NotEmptyf(t, *findingInfo.Desc, "Unexpected empty desc for finding %d", idx) + assert.NotEmptyf(t, findingInfo.Title, "Unexpected empty title for finding %d", idx) + assert.NotEmptyf(t, findingInfo.Uid, "Unexpected empty uid for finding %d", idx) + + var dataSource ocsffindinginfo.DataSource + require.Lenf( + t, + findingInfo.DataSources, + 1, "Unexpected number of data sources for finding %d. 
Expected 1", + idx, + ) + require.NoErrorf( + t, + protojson.Unmarshal([]byte(findingInfo.DataSources[0]), &dataSource), + "Unexpected error unmarshaling data source for finding %d", + idx, + ) + assert.Equalf( + t, + ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY, + dataSource.TargetType, + "Unexpected data source target type for finding %d", + idx, + ) + require.NotNilf(t, dataSource.Uri, "Unexpected nil data source uri for finding %d", idx) + assert.Equalf( + t, + ocsffindinginfo.DataSource_URI_SCHEMA_PURL, + dataSource.Uri.UriSchema, + "Unexpected data source uri schema for finding %d", + idx, + ) + assert.NotEmptyf(t, dataSource.Uri.Path, "Unexpected empty data source path for finding %d", idx) + require.NotNilf(t, dataSource.LocationData, "Unexpected nil data source location data for finding %d", idx) + + require.Lenf(t, finding.Vulnerabilities, 1, "Unexpected number of vulnerabilities for finding %d. Expected 1", idx) + vulnerability := finding.Vulnerabilities[0] + assert.Equalf(t, nowUnix, *vulnerability.FirstSeenTime, "Unexpected vulnerability firsy time seen time for finding %d", idx) + assert.Equalf(t, nowUnix, *vulnerability.LastSeenTime, "Unexpected vulnerability firsy time seen time for finding %d", idx) + assert.Containsf( + t, + []string{ + ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_LOW.String(), + ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL.String(), + }, + *vulnerability.Severity, + "Unexpected severity for vulnerability for finding %d", idx, + ) + assert.NotEmptyf(t, vulnerability.Title, "Unexpected empty title for vulnerability for finding %d", idx) + assert.NotEmptyf(t, vulnerability.Desc, "Unexpected empty desc for vulnerability for finding %d", idx) + require.Lenf(t, vulnerability.AffectedCode, 1, "Unexpected lenght for affected code for vulnerability for finding %d. 
Expected 1", idx) + + var affectedCode = vulnerability.AffectedCode[0] + require.NotNilf(t, affectedCode.File, "Unexpected nil file for vulnerability for finding %d", idx) + assert.NotEmptyf(t, affectedCode.File.Path, "Unexpected empty file path for vulnerability for finding %d", idx) + assert.NotEmptyf(t, affectedCode.File.Name, "Unexpected empty file name for vulnerability for finding %d", idx) + assert.NotNilf(t, affectedCode.StartLine, "Unexpected nil start line for vulnerability for finding %d", idx) + assert.NotNilf(t, affectedCode.EndLine, "Unexpected nil end line for vulnerability for finding %d", idx) + + require.NotNilf(t, vulnerability.Cwe, "Unexpected nil cwe for vulnerability for finding %d", idx) + assert.NotEmptyf(t, vulnerability.Cwe.Uid, "Unexpected empty value for uid in vulnerability for finding %d", idx) +} + +func transformMethodTest(t *testing.T, transformCallback func(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error), expectedError error, expectedNumFindings int) { + t.Helper() + var ( + ctx, cancel = context.WithTimeout(context.Background(), time.Minute) + clock = clockwork.NewFakeClockAt(time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC)) + nowUnix = clock.Now().Unix() + typeUID = int64( + ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.Number()* + 100 + + ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.Number(), + ) + ) + + defer cancel() + findings, err := transformCallback(ctx) + if expectedError != nil { + require.ErrorIsf(t, err, expectedError, "did not receive the expected error, got %w, wanted %w", err, expectedError) + return + } + require.NoError(t, err) + require.NotEmpty(t, findings) + require.Equal(t, expectedNumFindings, len(findings)) + for idx, finding := range findings { + assertValid(t, finding, idx, nowUnix, typeUID) + } +} diff --git a/new-components/scanners/nancy/vendor/ariga.io/atlas/LICENSE b/new-components/scanners/nancy/vendor/ariga.io/atlas/LICENSE new file mode 100644 index 000000000..7a4a3ea24 
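Review bot: `transformMethodTest` uses `%w` in a non-`Errorf` format, `require.ErrorIsf(t, err, expectedError, "did not receive the expected error, got %w, wanted %w", err, expectedError)`; that verb is only meaningful to `fmt.Errorf`, so the message renders as `%!w(...)` and `go vet` flags it — use `%v` for both. Both subtests set `NancyTransformerWithProjectRoot(filepath.Join(path, "../../"))`, i.e. the component's own `go.mod`, so the expected count of 4 findings depends on that module still requiring the exact versions listed in `testdata/nancy.json` (the fixture itself notes the mergo entry was "copied from go.mod"); a routine dependency bump would silently break this test, so a dedicated `testdata/` directory holding a fixed `go.mod` would make the root independent of the module under test. `fakeClock()` is also duplicated inline in `transformMethodTest` with the same date; passing `nowUnix` in from the caller (which already owns `clock`) would keep a single source of truth.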
--- /dev/null +++ b/new-components/scanners/nancy/vendor/ariga.io/atlas/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/new-components/scanners/nancy/vendor/ariga.io/atlas/schemahcl/context.go b/new-components/scanners/nancy/vendor/ariga.io/atlas/schemahcl/context.go new file mode 100644 index 000000000..5790ea9f8 --- /dev/null +++ b/new-components/scanners/nancy/vendor/ariga.io/atlas/schemahcl/context.go 
@@ -0,0 +1,504 @@
+// Copyright 2021-present The Atlas Authors. All rights reserved.
+// This source code is licensed under the Apache 2.0 license found
+// in the LICENSE file in the root directory of this source tree.
+
+package schemahcl
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
+	"github.com/hashicorp/hcl/v2/hclsyntax"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/convert"
+)
+
+// blockVar is an HCL resource that defines an input variable to the Atlas DDL document.
+type blockVar struct {
+	Name string `hcl:",label"`
+	Type cty.Value `hcl:"type"`
+	Default cty.Value `hcl:"default,optional"`
+	Description string `hcl:"description,optional"`
+}
+
+// setInputVals sets the input values into the evaluation context. HCL documents can define
+// input variables in the document body by defining "variable" blocks:
+//
+//	variable "name" {
+//	type = string // also supported: number, bool
+//	default = "rotemtam"
+//	}
+func (s *State) setInputVals(ctx *hcl.EvalContext, body hcl.Body, input map[string]cty.Value) error {
+	var doc struct {
+		Vars []*blockVar `hcl:"variable,block"`
+		Remain hcl.Body `hcl:",remain"`
+	}
+	if diag := gohcl.DecodeBody(body, ctx, &doc); diag.HasErrors() {
+		return diag
+	}
+	ctxVars := make(map[string]cty.Value)
+	for _, v := range doc.Vars {
+		var vv cty.Value
+		switch iv, ok := input[v.Name]; {
+		case !v.Type.Type().IsCapsuleType():
+			return fmt.Errorf(
+				"invalid type %q for variable %q. Valid types are: string, number, bool, list, map, or set",
+				v.Type.AsString(), v.Name,
+			)
+		case ok:
+			vv = iv
+		case v.Default != cty.NilVal:
+			vv = v.Default
+		default:
+			return fmt.Errorf("missing value for required variable %q", v.Name)
+		}
+		vt := v.Type.EncapsulatedValue().(*cty.Type)
+		// In case the input value is a primitive type and the expected type is a list,
+		// wrap it as a list because the variable type may not be known to the caller.
+		if vt.IsListType() && vv.Type().Equals(vt.ElementType()) {
+			vv = cty.ListVal([]cty.Value{vv})
+		}
+		cv, err := convert.Convert(vv, *vt)
+		if err != nil {
+			return fmt.Errorf("variable %q: %w", v.Name, err)
+		}
+		ctxVars[v.Name] = cv
+	}
+	mergeCtxVar(ctx, ctxVars)
+	return nil
+}
+
+// evalReferences evaluates local and data blocks.
+func (s *State) evalReferences(ctx *hcl.EvalContext, body *hclsyntax.Body) error {
+	type node struct {
+		addr [3]string
+		edges func() []hcl.Traversal
+		value func() (cty.Value, error)
+	}
+	var (
+		initblk []*node
+		goctx = s.config.ctx
+		typeblk = make(map[string]bool)
+		nodes = make(map[[3]string]*node)
+		blocks = make(hclsyntax.Blocks, 0, len(body.Blocks))
+	)
+	if goctx == nil {
+		goctx = context.Background()
+	}
+	for _, b := range body.Blocks {
+		switch b := b; {
+		case b.Type == BlockData:
+			if len(b.Labels) < 2 {
+				return fmt.Errorf("data block %q must have exactly 2 labels", b.Type)
+			}
+			h, ok := s.config.datasrc[b.Labels[0]]
+			if !ok {
+				return fmt.Errorf("missing data source handler for %q", b.Labels[0])
+			}
+			// Data references are combined from
+			// "data", "source" and "name" labels.
+			addr := [3]string{RefData, b.Labels[0], b.Labels[1]}
+			nodes[addr] = &node{
+				addr: addr,
+				value: func() (cty.Value, error) { return h(goctx, ctx, b) },
+				edges: func() []hcl.Traversal { return bodyVars(b.Body) },
+			}
+		case b.Type == BlockLocals:
+			for k, v := range b.Body.Attributes {
+				k, v := k, v
+				// Local references are combined from
+				// "local" and "name" labels.
+				addr := [3]string{RefLocal, k, ""}
+				nodes[addr] = &node{
+					addr: addr,
+					edges: func() []hcl.Traversal { return hclsyntax.Variables(v.Expr) },
+					value: func() (cty.Value, error) {
+						v, diags := v.Expr.Value(ctx)
+						if diags.HasErrors() {
+							return cty.NilVal, diags
+						}
+						return v, nil
+					},
+				}
+			}
+		case s.config.initblk[b.Type] != nil:
+			if len(b.Labels) != 0 {
+				return fmt.Errorf("init block %q cannot have labels", b.Type)
+			}
+			addr := [3]string{b.Type, "", ""}
+			if nodes[addr] != nil {
+				return fmt.Errorf("duplicate init block %q", b.Type)
+			}
+			h := s.config.initblk[b.Type]
+			n := &node{
+				addr: addr,
+				value: func() (cty.Value, error) { return h(goctx, ctx, b) },
+				edges: func() []hcl.Traversal { return bodyVars(b.Body) },
+			}
+			nodes[addr] = n
+			initblk = append(initblk, n)
+		case s.config.typedblk[b.Type] != nil:
+			typeblk[b.Type] = true
+			if len(b.Labels) < 2 {
+				return fmt.Errorf("%s block must have exactly 2 labels", b.Type)
+			}
+			k, ok := s.config.typedblk[b.Type]
+			if !ok || k[b.Labels[0]] == nil {
+				return fmt.Errorf("missing %s block handler for %q", b.Type, b.Labels[0])
+			}
+			h := k[b.Labels[0]]
+			// Typed block references are combined from
+			// "", "