osv-scanner for sca + examples

Author: northdpole

components/scanners/osv-scanner/README.md

@@ -0,0 +1,21 @@
+# osv-scanner
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that parses json reports output by [osv-scan](https://google.github.io/osv-scanner/) into [ocsf](https://github.com/ocsf) format.
+
+## Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable     | Type   | Required | Default    | Description                                             |
+|--------------------------|--------|----------|------------|---------------------------------------------------------|
+| RAW\_OUT\_FILE\_PATH  | string | yes      | -          | The path where to find the osv-scan report                 |
+| TARGET\_TYPE         | string | false    | repository | The type of target that was used to generate the report |
+
+## Test data
+
+The `results.json` file used in tests was generated with the following steps:

components/scanners/osv-scanner/cmd/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/new-components/scanners/osv-scanner/internal/transformer"
+	"github.com/smithy-security/smithy/sdk/component"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+// Main is the main entrypoint of this component
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("bandit"))
+
+	ocsfTransformer, err := transformer.New()
+	if err != nil {
+		return errors.Errorf("could not create transformer: %w", err)
+	}
+
+	if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+		return errors.Errorf("could not run scanner: %w", err)
+	}
+
+	return nil
+}

components/scanners/osv-scanner/component.yaml

@@ -0,0 +1,18 @@
+name: osv-scanner
+description: "Scans projects with google's osv-scanner, parses sarif findings into OCSF format"
+type: scanner
+steps:
+  - name: scanner
+    image: components/scanners/osv-scanner/scanner
+    executable: /bin/bash
+    env_vars: 
+      RAW_OUT_FILE: "{{ scratchWorkspace }}/output.json"
+    args:
+      - -c
+      - /entrypoint.sh scan source -r --format=sarif --call-analysis=true {{ sourceCodeWorkspace }}
+  - name: parser
+    image: components/scanners/osv-scanner
+    env_vars:
+      RAW_OUT_FILE: "{{ scratchWorkspace }}/output.json"
+      SCANNED_PROJECT_ROOT: "{{ sourceCodeWorkspace }}"
+    executable: /bin/app

components/scanners/osv-scanner/internal/transformer/transformer.go

@@ -0,0 +1,160 @@
+package transformer
+
+import (
+	"context"
+	"log/slog"
+	"os"
+
+	"github.com/go-errors/errors"
+	"github.com/jonboulle/clockwork"
+	"github.com/smithy-security/pkg/env"
+	"github.com/smithy-security/pkg/sarif"
+	sarifschemav210 "github.com/smithy-security/pkg/sarif/spec/gen/sarif-schema/v2-1-0"
+
+	"github.com/smithy-security/smithy/sdk/component"
+	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
+	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+)
+
+type (
+
+	// OSVScannerTransformerOption allows customising the transformer.
+	OSVScannerTransformerOption func(b *OSVScannerTransformer) error
+
+	// OSVScannerTransformer represents the osv-scanner output parser
+	OSVScannerTransformer struct {
+		targetType   ocsffindinginfo.DataSource_TargetType
+		clock        clockwork.Clock
+		rawOutFile   string
+		fileContents []byte
+		projectRoot  string
+	}
+)
+
+var (
+
+	// Generic errors
+
+	// ErrNilClock is thrown when the option setclock is called with empty clock
+	ErrNilClock = errors.Errorf("invalid nil clock")
+	// ErrEmptyTarget is thrown when the option set target is called with empty target
+	ErrEmptyTarget = errors.Errorf("invalid empty target")
+	// ErrEmptyRawOutfilePath is thrown when the option raw outfile path is called with empty path
+	ErrEmptyRawOutfilePath = errors.Errorf("invalid raw out file path")
+	// ErrEmptyRawOutfileContents is thrown when the option raw outfile contents is called with empty contents
+	ErrEmptyRawOutfileContents = errors.Errorf("empty raw out file contents")
+	// ErrBadTargetType is thrown when the option set target type is called with an unspecified or empty target type
+	ErrBadTargetType = errors.New("invalid empty target type")
+
+	// OSVScanner Parser Specific Errors
+	// ErrEmptyPath is thrown when called with an empty project root
+	ErrEmptyPath = errors.Errorf("called with an empty project root")
+	// ErrNoLineRange is thrown when osv-scanner produces a finding without a line range
+	ErrNoLineRange = errors.Errorf("osv-scanner result does not contain a line range")
+	// ErrBadDataSource is thrown when osv-scanner produces a finding that cannot have a datasource (e.g. no filename)
+	ErrBadDataSource = errors.Errorf("failed to marshal data source to JSON")
+	// ErrCouldNotFindPackage is thrown when nancy cannot find the dependency in any go.mod files
+	ErrCouldNotFindPackage = errors.Errorf("could not find package")
+)
+
+// OSVScanneryTransformerWithClock allows customising the underlying clock.
+func OSVScannerTransformerWithClock(clock clockwork.Clock) OSVScannerTransformerOption {
+	return func(g *OSVScannerTransformer) error {
+		if clock == nil {
+			return ErrNilClock
+		}
+		g.clock = clock
+		return nil
+	}
+}
+
+// OSVScannerRawOutFileGlob allows customising the underlying raw out file path.
+func OSVScannerRawOutFileGlob(path string) OSVScannerTransformerOption {
+	return func(g *OSVScannerTransformer) error {
+		if path == "" {
+			return ErrEmptyRawOutfilePath
+		}
+		g.rawOutFile = path
+		return nil
+	}
+}
+
+// OSVScannerRawOutFileContents allows customising the underlying raw out file contents.
+func OSVScannerRawOutFileContents(contents []byte) OSVScannerTransformerOption {
+	return func(g *OSVScannerTransformer) error {
+		if contents == nil {
+			return ErrEmptyRawOutfileContents
+		}
+		g.fileContents = contents
+		return nil
+	}
+}
+
+// OSVScannerTransformerWithProjectRoot allows customising the path of the target project root
+func OSVScannerTransformerWithProjectRoot(path string) OSVScannerTransformerOption {
+	return func(g *OSVScannerTransformer) error {
+		if path == "" {
+			return ErrEmptyPath
+		}
+		g.projectRoot = path
+		return nil
+	}
+}
+
+// New returns a new osv-scanner transformer.
+func New(opts ...OSVScannerTransformerOption) (*OSVScannerTransformer, error) {
+	rawOutFile, err := env.GetOrDefault(
+		"RAW_OUT_FILE",
+		"",
+		env.WithDefaultOnError(false),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	t := OSVScannerTransformer{
+		clock:      clockwork.NewRealClock(),
+		targetType: ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY,
+		rawOutFile: rawOutFile,
+	}
+
+	for _, opt := range opts {
+		if err := opt(&t); err != nil {
+			return nil, errors.Errorf("failed to apply option: %w", err)
+		}
+	}
+	return &t, nil
+}
+
+// Transform transforms raw sarif findings into ocsf vulnerability findings.
+func (b *OSVScannerTransformer) Transform(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error) {
+	logger := component.LoggerFromContext(ctx)
+
+	logger.Debug("preparing to parse raw osv-scanner output...")
+	fileContents, err := os.ReadFile(b.rawOutFile)
+	if err != nil {
+		return nil, errors.Errorf("could not read file %s", b.rawOutFile)
+	}
+	var report sarifschemav210.SchemaJson
+	if err := report.UnmarshalJSON(fileContents); err != nil {
+		return nil, errors.Errorf("failed to parse raw semgrep output: %w", err)
+	}
+
+	transformer, err := sarif.NewTransformer(&report,
+		"",
+		sarif.TargetTypeRepository,
+		b.clock, sarif.RealUUIDProvider{})
+	if err != nil {
+		return nil, err
+	}
+	vulns, err := transformer.ToOCSF(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	logger.Debug(
+		"successfully parsed raw osv-scanner findings to ocsf vulnerability findings!",
+		slog.Int("num_parsed_findings", len(vulns)),
+	)
+	return vulns, nil
+}