close #542 nancy rewritten to work with the new sdk

new-components/scanners/nancy/.env

@@ -0,0 +1,7 @@
+# This is for local setup only.
+SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
+SMITHY_LOG_LEVEL=debug
+SMITHY_IS_LOCAL=false
+NANCY_RAW_OUT_FILE_PATH=nancy.json
+NANCY_TARGET_TYPE=TARGET_TYPE_REPOSITORY
+NANCY_SCANNED_PROJECT_ROOT=""

new-components/scanners/nancy/README.md

@@ -0,0 +1,49 @@
+# nancy
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that parses json reports output by [nancy](https://github.com/securego/gosec) into [ocsf](https://github.com/ocsf) format.
+
+## Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable     | Type   | Required | Default    | Description                                             |
+|--------------------------|--------|----------|------------|---------------------------------------------------------|
+| NANCY\_RAW\_OUT\_FILE\_PATH  | string | yes      | -          | The path where to find the gosec report                 |
+| NANCY\_TARGET\_TYPE         | string | false    | repository | The type of target that was used to generate the report |
+| NANCY\_SCANNED\_PROJECT\_ROOT         | string | false    |  | The root of the project being scanned, used to find go.mod files and point at lines where fixes are needed |
+
+## How to run
+
+Execute:
+
+```shell
+docker-compose up --build --force-recreate --remove-orphans
+```
+
+Then shutdown with:
+
+```shell
+docker-compose down --rmi all
+```
+
+## Test data
+
+The `nancy.json` file used in tests was generated with the following steps:
+
+* Cloning:
+
+```shell
+git clone https://github.com/smithy-security/e2e-monorepo
+```
+
+* Running nancy
+
+```shell
+cd $location-of-e2e-monorepo-or-any-vulnerable-go-application && go list -json -deps ./... | docker run -v `pwd`:/code -i docker.io/sonatypecommunity/nancy:v1.0.42-alpine  nancy sleuth -o json  > nancy.json
+
+```

new-components/scanners/nancy/cmd/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/new-components/scanner/nancy/internal/transformer"
+	"github.com/smithy-security/smithy/sdk/component"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+// Main is the main entrypoint of this component
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("bandit"))
+
+	ocsfTransformer, err := transformer.New()
+	if err != nil {
+		return errors.Errorf("could not create transformer: %w", err)
+	}
+
+	if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+		return errors.Errorf("could not run scanner: %w", err)
+	}
+
+	return nil
+}

new-components/scanners/nancy/docker-compose.yaml

@@ -0,0 +1,12 @@
+services:
+  scanner:
+    build:
+      context: ../..
+      args:
+        - COMPONENT_PATH=scanners/bandit
+        - COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
+    platform: linux/amd64
+    volumes:
+      - ./internal/transformer/testdata:/workspace
+    env_file:
+      - .env

new-components/scanners/nancy/go.mod

@@ -0,0 +1,67 @@
+module github.com/smithy-security/smithy/new-components/scanner/nancy
+
+go 1.23.3
+
+require (
+	github.com/go-errors/errors v1.5.1
+	github.com/jonboulle/clockwork v0.5.0
+	github.com/smithy-security/pkg/env v0.0.1
+	github.com/smithy-security/smithy/new-components/scanners/gosec v0.0.0-20250114182125-ae2b90b14ae1
+	github.com/smithy-security/smithy/sdk v0.0.4-alpha
+	github.com/stretchr/testify v1.10.0
+	google.golang.org/protobuf v1.36.3
+)
+
+require (
+	ariga.io/atlas v0.29.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/abice/go-enum v0.6.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-openapi/inflect v0.19.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.18.1 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.6.0 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/package-url/packageurl-go v0.1.0
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/smithy-security/pkg/sarif v0.0.1 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/sqlc-dev/sqlc v1.27.0 // indirect
+	github.com/urfave/cli/v2 v2.27.5 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)