From a5f05f91b5fbaaeb42f5046fb690834fae833428 Mon Sep 17 00:00:00 2001
From: Simon
Date: Tue, 11 Apr 2023 18:07:02 +0200
Subject: [PATCH] :alien: Added support for the new JSON Format (#34)

* :see_no_evil: Added raw report to ignore
* :memo: Moved warning to latest usage location
* :alien: Adjusted coding to work with new JSON Stream format
* :technologist: Added Github Actions Extension
* :white_check_mark: Running Integration Tests for PRs
* :wrench: Updated the default version to latest
* :recycle: Refactored local execution
Instead of a separate class now an function is leveraged.
* :bento: Replaced static data with new format
* :green_heart: Using path.join for access of static data
* :bug: Fixed Path issue for Local vs Testing
---
 .devcontainer/devcontainer.json | 13 +-
 .github/workflows/integration.yml | 4 +
 .gitignore | 3 +-
 README.md | 4 +-
 action.yml | 4 +-
 hack/found.json | 811 -----------------------------
 hack/found.stream | 824 ++++++++++++++++++++++++++++++
 main.go | 10 +-
 pkg/sarif/reporter_test.go | 4 +-
 pkg/types/finding.go | 9 +-
 pkg/vulncheck/runner.go | 115 +++--
 pkg/vulncheck/static_runner.go | 32 --
 12 files changed, 937 insertions(+), 896 deletions(-)
 delete mode 100644 hack/found.json
 create mode 100644 hack/found.stream
 delete mode 100644 pkg/vulncheck/static_runner.go

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 493d83d..6374f66 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -48,12 +48,13 @@
 }
 },
 "extensions": [
-"golang.Go",
-"streetsidesoftware.code-spell-checker",
-"premparihar.gotestexplorer",
-"wayou.vscode-todo-highlight",
-"bierner.github-markdown-preview"
-]
+"golang.Go",
+"streetsidesoftware.code-spell-checker",
+"premparihar.gotestexplorer",
+"wayou.vscode-todo-highlight",
+"bierner.github-markdown-preview",
+"GitHub.vscode-github-actions"
+]
 }
 },
 // Set *default* container specific settings.json values on container create.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index c7accfb..72661a7 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -1,5 +1,9 @@
 name: Integration Test
 on:
+pull_request:
+branches-ignore:
+- dependabot/github_actions/*
+- dependabot/docker/*
 push:
 branches:
 - main
diff --git a/.gitignore b/.gitignore
index 6076df8..010da47 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,5 @@
 # Used for testing locally
 .env
-hack/output.json
\ No newline at end of file
+
+raw-report.json
\ No newline at end of file
diff --git a/README.md b/README.md
index 93596de..69bcce6 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,8 @@ Please be aware there will be no direct output to the console, all found vulnera
 This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found.
+> :warning: Choosing `vulncheck-version: latest` can include breaking changes to the JSON format, which will break this action.
+
 ```yaml
 name: My Workflow
 on: [push, pull_request]
@@ -166,6 +168,4 @@ jobs:
 > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).
-> :warning: New versions of govulncheck might introduce new report formats, breaking this action. Hence the default version is always the last known working version.
-
 > :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 68390fb..e06d95e 100644
--- a/action.yml
+++ b/action.yml
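Review bot: The `branches-ignore` list under the new `pull_request` trigger will not keep Dependabot out, because for `pull_request` events that filter is matched against the PR's base branch (as documented for `on.pull_request.branches`), and Dependabot PRs target `main`, not `dependabot/*`. If the motivation is that Dependabot PRs only get a read-only `GITHUB_TOKEN` while the README in this patch says the SARIF upload needs `security_events: write`, gate the job instead: `if: github.actor != 'dependabot[bot]'` at job level, or a condition on `github.head_ref`. Pull requests from forks receive the same read-only token, so the upload step will fail for external contributors too unless the job tolerates that. The job definition itself lies outside this hunk.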
@@ -11,9 +11,9 @@ inputs:
 required: false
 default: "1.19"
 vulncheck-version:
-description: "Version of govulncheck that should be used, by default v0.0.0-20230320232729-bfc1eaef17a4"
+description: "Version of govulncheck that should be used, by default v0.0.0-20230331150530-a42f9910daf3"
 required: false
-default: "v0.0.0-20230320232729-bfc1eaef17a4"
+default: "v0.0.0-20230331150530-a42f9910daf3"
 github-token:
 description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
 default: ${{ github.token }}
diff --git a/hack/found.json b/hack/found.json
deleted file mode 100644
index 4a7b6ae..0000000
--- a/hack/found.json
+++ /dev/null
@@ -1,811 +0,0 @@ -[ - { - "OSV": { - "id": "GO-2022-1059", - "published": "2022-10-11T18:16:24Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2022-32149", - "GHSA-69ch-w2m2-3vjp" - ], - "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-1059" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "ParseAcceptLanguage" - ] - } - ] - } - } - ], - "references": [ - { - "type": "REPORT", - "url": "https://go.dev/issue/56152" - }, - { - "type": "FIX", - "url": "https://go.dev/cl/442235" - }, - { - "type": "WEB", - "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" - } - ], - "credits": [ - { - "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "golang.org/x/text", - "FoundVersion": "v0.3.6", - "FixedVersion": "v0.3.8", - "Packages": [ - { - "Path": "golang.org/x/text/language", - "CallStacks": null - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2022-0957", - "published": "2022-08-25T06:28:20Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2020-36066", - "GHSA-wjm3-fq3r-5x46" - ], - "details": "A maliciously crafted JSON input can cause a denial of service attack.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.5" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0957" - }, - "ecosystem_specific": { - 
"imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - "GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/195" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.6.5", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": [ - { - "Symbol": "Get", - "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "PkgPath": "github.com/tidwall/gjson", - "FuncName": "Get", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2022-0956", - "published": "2022-08-29T22:15:46Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2022-3064", - "GHSA-6q6q-88xp-6f2r" - ], - "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.4" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2022-0956" - }, - "ecosystem_specific": { - "imports": [ - { - "path": 
"gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal", - "yaml_parser_increase_flow_level", - "yaml_parser_roll_indent" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" - }, - { - "type": "WEB", - "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.4", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0265", - "published": "2022-08-15T18:06:07Z", - "modified": "2022-11-21T19:50:45Z", - "aliases": [ - "CVE-2021-42248", - "CVE-2021-42836", - "GHSA-c9gm-7rfj-8w5h", - "GHSA-ppj4-34rq-v8j9" - ], - "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.9.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0265" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Get", - 
"GetBytes", - "GetMany", - "GetManyBytes", - "Result.Get", - "parseObject", - "queryMatches" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/237" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/236" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.9.3", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": [ - { - "Symbol": "Get", - "Summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 257, - "Line": 15, - "Column": 18 - } - }, - { - "PkgPath": "github.com/tidwall/gjson", - "FuncName": "Get", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0113", - "published": "2021-10-06T17:51:21Z", - "modified": "2023-02-02T17:52:29Z", - "aliases": [ - "CVE-2021-38561", - "GHSA-ppp9-7jff-5vj2" - ], - "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. 
If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", - "affected": [ - { - "package": { - "name": "golang.org/x/text", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.3.7" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0113" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "golang.org/x/text/language", - "symbols": [ - "MatchStrings", - "MustParse", - "Parse", - "ParseAcceptLanguage" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://go.dev/cl/340830" - }, - { - "type": "FIX", - "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" - } - ], - "credits": [ - { - "name": "Guido Vranken" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "golang.org/x/text", - "FoundVersion": "v0.3.6", - "FixedVersion": "v0.3.7", - "Packages": [ - { - "Path": "golang.org/x/text/language", - "CallStacks": [ - { - "Symbol": "MustParse", - "Summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/seconds", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/seconds/mixer.go", - "Offset": 204, - "Line": 12, - "Column": 29 - } - }, - { - "PkgPath": "golang.org/x/text/language", - "FuncName": "MustParse", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0061", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-08T18:46:18Z", - "aliases": [ - "CVE-2021-4235", - "GHSA-r88r-gmrh-7j83" - ], - "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant 
system resources. If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.3" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0061" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "decoder.unmarshal" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/375" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" - } - ], - "credits": [ - { - "name": "@simonferquel" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.3", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2021-0054", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-02-07T21:49:49Z", - "aliases": [ - "CVE-2020-36067", - "GHSA-p64j-r5f4-pwwx" - ], - "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. 
If parsing user input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "github.com/tidwall/gjson", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.6.6" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2021-0054" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "github.com/tidwall/gjson", - "symbols": [ - "Result.ForEach", - "unwrap" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" - }, - { - "type": "WEB", - "url": "https://github.com/tidwall/gjson/issues/196" - } - ], - "credits": [ - { - "name": "@toptotu" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "github.com/tidwall/gjson", - "FoundVersion": "v1.6.4", - "FixedVersion": "v1.6.6", - "Packages": [ - { - "Path": "github.com/tidwall/gjson", - "CallStacks": null - } - ] - } - ] - }, - { - "OSV": { - "id": "GO-2020-0036", - "published": "2021-04-14T20:04:52Z", - "modified": "2023-01-14T00:31:02Z", - "aliases": [ - "CVE-2019-11254", - "GHSA-wxc4-f4m6-wwqv" - ], - "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. 
If parsing user supplied input, this may be used as a denial of service vector.", - "affected": [ - { - "package": { - "name": "gopkg.in/yaml.v2", - "ecosystem": "Go" - }, - "ranges": [ - { - "type": "SEMVER", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "2.2.8" - } - ] - } - ], - "database_specific": { - "url": "https://pkg.go.dev/vuln/GO-2020-0036" - }, - "ecosystem_specific": { - "imports": [ - { - "path": "gopkg.in/yaml.v2", - "symbols": [ - "Decoder.Decode", - "Unmarshal", - "UnmarshalStrict", - "yaml_parser_decrease_flow_level", - "yaml_parser_fetch_more_tokens", - "yaml_parser_fetch_stream_start", - "yaml_parser_fetch_value", - "yaml_parser_remove_simple_key", - "yaml_parser_save_simple_key" - ] - } - ] - } - } - ], - "references": [ - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/pull/555" - }, - { - "type": "FIX", - "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" - }, - { - "type": "WEB", - "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" - } - ], - "schema_version": "1.3.1" - }, - "Modules": [ - { - "Path": "gopkg.in/yaml.v2", - "FoundVersion": "v2.2.0", - "FixedVersion": "v2.2.8", - "Packages": [ - { - "Path": "gopkg.in/yaml.v2", - "CallStacks": [ - { - "Symbol": "Unmarshal", - "Summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", - "Frames": [ - { - "PkgPath": "github.com/Templum/playground/pkg/yaml", - "FuncName": "Testcase", - "RecvType": "", - "Position": { - "Filename": "/workspaces/playground/pkg/yaml/testcase.go", - "Offset": 348, - "Line": 28, - "Column": 20 - } - }, - { - "PkgPath": "gopkg.in/yaml.v2", - "FuncName": "Unmarshal", - "RecvType": "", - "Position": { - "Filename": "", - "Offset": 0, - "Line": 0, - "Column": 0 - } - } - ] - } - ] - } - ] - } - ] - } -] \ No newline at end of file diff --git a/hack/found.stream b/hack/found.stream new file mode 100644 index 0000000..5425763 
--- /dev/null
+++ b/hack/found.stream
@@ -0,0 +1,824 @@ +{ + "preamble": { + "go_version": "go1.19.6", + "tool_version": "govulncheck@v0.0.0", + "db": "https://vuln.go.dev", + "db_last_modified": "2023-03-31T20:58:11Z", + "query_kind": "Source", + "callstack_mode": "Compact" + } +} +{ + "progress": "Scanning your code and 58 packages across 6 dependent modules for known vulnerabilities..." +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-1059", + "published": "2022-10-11T18:16:24Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2022-32149", + "GHSA-69ch-w2m2-3vjp" + ], + "details": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-1059" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/56152" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/442235" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" + } + ], + "credits": [ + { + "name": "Adam Korczynski (ADA Logics) and OSS-Fuzz" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "golang.org/x/text", + "found_version": "v0.3.6", + "fixed_version": "v0.3.8", + "packages": [ + { + "path": "golang.org/x/text/language" + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-0957", + "published": "2022-08-25T06:28:20Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2020-36066", + "GHSA-wjm3-fq3r-5x46" + ], + "details": "A maliciously crafted JSON input can cause a 
denial of service attack.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.5" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0957" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/195" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.6.5", + "packages": [ + { + "path": "github.com/tidwall/gjson", + "callstacks": [ + { + "symbol": "Get", + "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "package": "github.com/tidwall/gjson", + "function": "Get", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2022-0956", + "published": "2022-08-29T22:15:46Z", + "modified": "2023-02-08T18:46:18Z", + "aliases": [ + "CVE-2022-3064", + "GHSA-6q6q-88xp-6f2r" + ], + "details": "Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.", + 
"affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.4" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2022-0956" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal", + "yaml_parser_increase_flow_level", + "yaml_parser_roll_indent" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" + }, + { + "type": "WEB", + "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.4", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0265", + "published": "2022-08-15T18:06:07Z", + "modified": "2022-11-21T19:50:45Z", + "aliases": [ + "CVE-2021-42248", + "CVE-2021-42836", + "GHSA-c9gm-7rfj-8w5h", + "GHSA-ppj4-34rq-v8j9" + ], + "details": "A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + 
"ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0265" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Get", + "GetBytes", + "GetMany", + "GetManyBytes", + "Result.Get", + "parseObject", + "queryMatches" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/237" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/236" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.9.3", + "packages": [ + { + "path": "github.com/tidwall/gjson", + "callstacks": [ + { + "symbol": "Get", + "summary": "pkg/seconds/mixer.go:15:18: github.com/Templum/playground/pkg/seconds.Testcase calls github.com/tidwall/gjson.Get", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 257, + "Line": 15, + "Column": 18 + } + }, + { + "package": "github.com/tidwall/gjson", + "function": "Get", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0113", + "published": "2021-10-06T17:51:21Z", + "modified": "2023-02-02T17:52:29Z", + "aliases": [ + "CVE-2021-38561", + "GHSA-ppp9-7jff-5vj2" + ], + "details": "Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds 
read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.", + "affected": [ + { + "package": { + "name": "golang.org/x/text", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.3.7" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0113" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "golang.org/x/text/language", + "symbols": [ + "MatchStrings", + "MustParse", + "Parse", + "ParseAcceptLanguage" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://go.dev/cl/340830" + }, + { + "type": "FIX", + "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" + } + ], + "credits": [ + { + "name": "Guido Vranken" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "golang.org/x/text", + "found_version": "v0.3.6", + "fixed_version": "v0.3.7", + "packages": [ + { + "path": "golang.org/x/text/language", + "callstacks": [ + { + "symbol": "MustParse", + "summary": "pkg/seconds/mixer.go:12:29: github.com/Templum/playground/pkg/seconds.Testcase calls golang.org/x/text/language.MustParse", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/seconds", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/seconds/mixer.go", + "Offset": 204, + "Line": 12, + "Column": 29 + } + }, + { + "package": "golang.org/x/text/language", + "function": "MustParse", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0061", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-02-08T18:46:18Z", + "aliases": [ + "CVE-2021-4235", + "GHSA-r88r-gmrh-7j83" + ], + "details": "Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system 
resources. If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.3" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0061" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "decoder.unmarshal" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/375" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241" + } + ], + "credits": [ + { + "name": "@simonferquel" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.3", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2021-0054", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-02-07T21:49:49Z", + "aliases": [ + "CVE-2020-36067", + "GHSA-p64j-r5f4-pwwx" + ], + "details": "Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. 
If parsing user input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "github.com/tidwall/gjson", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.6.6" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2021-0054" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "github.com/tidwall/gjson", + "symbols": [ + "Result.ForEach", + "unwrap" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b" + }, + { + "type": "WEB", + "url": "https://github.com/tidwall/gjson/issues/196" + } + ], + "credits": [ + { + "name": "@toptotu" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "github.com/tidwall/gjson", + "found_version": "v1.6.4", + "fixed_version": "v1.6.6", + "packages": [ + { + "path": "github.com/tidwall/gjson" + } + ] + } + ] + } +} +{ + "vulnerability": { + "osv": { + "id": "GO-2020-0036", + "published": "2021-04-14T20:04:52Z", + "modified": "2023-01-14T00:31:02Z", + "aliases": [ + "CVE-2019-11254", + "GHSA-wxc4-f4m6-wwqv" + ], + "details": "Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. 
If parsing user supplied input, this may be used as a denial of service vector.", + "affected": [ + { + "package": { + "name": "gopkg.in/yaml.v2", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.8" + } + ] + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2020-0036" + }, + "ecosystem_specific": { + "imports": [ + { + "path": "gopkg.in/yaml.v2", + "symbols": [ + "Decoder.Decode", + "Unmarshal", + "UnmarshalStrict", + "yaml_parser_decrease_flow_level", + "yaml_parser_fetch_more_tokens", + "yaml_parser_fetch_stream_start", + "yaml_parser_fetch_value", + "yaml_parser_remove_simple_key", + "yaml_parser_save_simple_key" + ] + } + ] + } + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/pull/555" + }, + { + "type": "FIX", + "url": "https://github.com/go-yaml/yaml/commit/53403b58ad1b561927d19068c655246f2db79d48" + }, + { + "type": "WEB", + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18496" + } + ], + "schema_version": "1.3.1" + }, + "modules": [ + { + "path": "gopkg.in/yaml.v2", + "found_version": "v2.2.0", + "fixed_version": "v2.2.8", + "packages": [ + { + "path": "gopkg.in/yaml.v2", + "callstacks": [ + { + "symbol": "Unmarshal", + "summary": "pkg/yaml/testcase.go:28:20: github.com/Templum/playground/pkg/yaml.Testcase calls gopkg.in/yaml.v2.Unmarshal", + "frames": [ + { + "package": "github.com/Templum/playground/pkg/yaml", + "function": "Testcase", + "position": { + "Filename": "/workspaces/playground/pkg/yaml/testcase.go", + "Offset": 348, + "Line": 28, + "Column": 20 + } + }, + { + "package": "gopkg.in/yaml.v2", + "function": "Unmarshal", + "position": { + "Filename": "", + "Offset": 0, + "Line": 0, + "Column": 0 + } + } + ] + } + ] + } + ] + } + ] + } +} diff --git a/main.go b/main.go index f283e05..ce802e4 100644 --- a/main.go +++ b/main.go 
@@ -18,21 +18,17 @@ func main() { Logger() // Main Logger workDir, _ := os.Getwd() + inLocalMode := os.Getenv("LOCAL") == "true" github := github.NewSarifUploader(logger) reporter := sarif.NewSarifReporter(logger, workDir) - scanner := vulncheck.NewScanner(logger, workDir) + scanner := vulncheck.NewScanner(logger, workDir, inLocalMode) if os.Getenv("DEBUG") == "true" { zerolog.SetGlobalLevel(zerolog.DebugLevel) logger.Debug().Msg("Enabled Debug Level logs") } - if os.Getenv("LOCAL") == "true" { - scanner = vulncheck.NewLocalScanner(logger, "/workspaces/govulncheck-action/hack/found.json") - logger.Debug().Msg("Enabled Local Development mode, scanner will return static result based on found.json") - } - info := action.ReadRuntimeInfoFromEnv() logger.Info(). @@ -53,8 +49,6 @@ func main() { logger.Error().Err(err).Msg("Scanning yielded error") os.Exit(2) } - - err = reporter.Convert(findings) if err != nil { diff --git a/pkg/sarif/reporter_test.go b/pkg/sarif/reporter_test.go index c5843ee..4d82302 100644 --- a/pkg/sarif/reporter_test.go +++ b/pkg/sarif/reporter_test.go @@ -4,6 +4,7 @@ import ( "bytes" "encoding/json" "io" + "os" "path" "testing" @@ -15,7 +16,8 @@ import ( ) func TestSarifReporter_Convert(t *testing.T) { - scanner := helper.NewLocalScanner(zerolog.Nop(), path.Join("..", "..", "hack", "found.json")) + wd, _ := os.Getwd() + scanner := helper.NewScanner(zerolog.Nop(), path.Join(wd, "..", ".."), true) result, _ := scanner.Scan() t.Run("Should convert a preprocessed report into sarif format", func(t *testing.T) { diff --git a/pkg/types/finding.go b/pkg/types/finding.go index 6697c8e..dedcf8d 100644 --- a/pkg/types/finding.go +++ b/pkg/types/finding.go 
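Review bot: The debug message that announced local mode has been removed and `NewScanner` does not log the mode either, so a run with `LOCAL=true` in the environment now reports the contents of `hack/found.stream` as though they were a real govulncheck result, with nothing in the output to tell the two apart. Because the flag is read straight from the action's environment, an inherited or mistyped `LOCAL=true` in a workflow would silently turn the security scan into a fixture replay that the SARIF upload then presents as genuine; log it loudly right after the new line, e.g. `if inLocalMode { logger.Warn().Msg("LOCAL mode: scanner returns the static fixture hack/found.stream, not a real govulncheck scan") }`. Whether local mode can additionally be refused when GitHub Actions runtime variables are present depends on `action.ReadRuntimeInfoFromEnv`, which is outside this hunk, as is the rest of main's body.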
@@ -6,7 +6,14 @@ import ( "golang.org/x/vuln/osv" ) -// Finding links to: https://github.com/golang/vuln/blob/55c64d8e26b914d8703299302be4997b6de580d0/internal/govulncheck/result.go#L38 +// StreamMessage links to: https://github.com/golang/vuln/blob/master/internal/govulncheck/result.go#L32-L38 +type StreamMessage struct { + Preamble *struct{} `json:"preamble,omitempty"` + Progress string `json:"progress,omitempty"` + Vulnerability *Finding `json:"vulnerability,omitempty"` +} + +// Finding links to: https://github.com/golang/vuln/blob/master/internal/govulncheck/result.go#L56-L68 type Finding struct { // OSV contains all data from the OSV entry for this vulnerability. Osv *osv.Entry diff --git a/pkg/vulncheck/runner.go b/pkg/vulncheck/runner.go index 13a75d1..4ea9457 100644 --- a/pkg/vulncheck/runner.go +++ b/pkg/vulncheck/runner.go @@ -2,9 +2,10 @@ package vulncheck import ( "encoding/json" - "errors" "os" "os/exec" + "path" + "strings" "github.com/Templum/govulncheck-action/pkg/types" "github.com/rs/zerolog" 
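Review bot: Both new doc links point at `master` with line anchors (`result.go#L32-L38`, `#L56-L68`), which will drift as soon as upstream edits that file, whereas the removed comment pinned commit `55c64d8e…`; pin the commit the stream format was verified against, e.g. `// StreamMessage mirrors https://github.com/golang/vuln/blob/<commit>/internal/govulncheck/result.go#L32-L38`. `Preamble *struct{}` discards every field of the preamble, so whatever it carries (presumably scanner and database version details — TODO confirm against upstream) is unavailable for logging; a one-line comment stating that this is intentional would stop the next maintainer from treating it as an oversight. The README warns that the JSON format may change, yet nothing in the struct or its callers checks a schema version; documenting that unknown fields are silently ignored by `json.Unmarshal` here would make that limitation explicit.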
@@ -20,63 +21,113 @@ type Scanner interface { Scan() ([]types.Finding, error) } -type CmdScanner struct { - log zerolog.Logger - workDir string +type CLIScanner struct { + log zerolog.Logger + invokeCli CLIInvoker + workDir string } -func NewScanner(logger zerolog.Logger, workDir string) Scanner { - return &CmdScanner{log: logger, workDir: workDir} +type CLIInvoker func(workDir string, command string, flag string, pkg string) ([]byte, error) + +func NewScanner(logger zerolog.Logger, workDir string, inLocalMode bool) Scanner { + scanner := CLIScanner{log: logger, workDir: workDir} + + if inLocalMode { + scanner.invokeCli = staticLocalCli + } else { + scanner.invokeCli = vulncheckCli + } + + return &scanner } -func (r *CmdScanner) Scan() ([]types.Finding, error) { +func (r *CLIScanner) Scan() ([]types.Finding, error) { pkg := os.Getenv(envPackage) r.log.Info().Msgf("Running govulncheck for package %s in dir %s", pkg, r.workDir) - cmd := exec.Command(command, flag, pkg) - cmd.Dir = r.workDir + out, cmdErr := r.invokeCli(r.workDir, command, flag, pkg) - out, cmdErr := cmd.Output() + if os.Getenv("DEBUG") == "true" { + r.dumpRawReport(string(out)) + } + + // govulncheck exits with none zero exit code if any vulnerability are found if err, ok := cmdErr.(*exec.ExitError); ok { + // Only if stderr is present the CLI failed if len(err.Stderr) > 0 { r.log.Error(). Err(err). Str("Stderr", string(err.Stderr)). 
Msg("govulncheck exited with none 0 code") } - - } else if cmdErr != nil { - return nil, cmdErr } - var result []types.Finding - err := json.Unmarshal(out, &result) - if err != nil { - r.log.Debug().Str("Stdout", string(out)).Msg("govulncheck had following raw output") - r.log.Error().Err(err).Msg("parsing govulncheck output yielded error") - return nil, errors.New("scan failed to produce proper report") - } + report := r.findFindingsInStream(out) r.log.Info().Msg("Successfully scanned project") + return report, nil +} - if os.Getenv("DEBUG") == "true" { - fileName := "raw-report.json" - reportFile, err := os.Create(fileName) +// findFindingsInStream is going over the raw output of govulncheck which at the moment contains multiple json objects and tries to locate the report +func (r *CLIScanner) findFindingsInStream(stream []byte) []types.Finding { + var findings []types.Finding + MESSAGE_SEPARATOR := "\n{\n" - r.log.Debug().Str("fileName", fileName).Msg("Making a copy of the raw vulncheck json report which can be exposed for debugging") + messages := strings.SplitN(string(stream), MESSAGE_SEPARATOR, -1) - if err != nil { - r.log.Debug().Err(err).Msg("Failed to create copy will proceed with normal flow") - return result, nil + for _, rawMsg := range messages { + // Fixing broken JSON where needed + if !strings.HasPrefix(rawMsg, "{") { + rawMsg = "{\n" + rawMsg } - defer reportFile.Close() - - _, err = reportFile.Write(out) + var msg types.StreamMessage + err := json.Unmarshal([]byte(rawMsg), &msg) if err != nil { - r.log.Debug().Err(err).Msg("Failed to write copy to disk will proceed with normal flow") + r.log.Warn().Str("Message", rawMsg).Msg("Found message in stream that could not be parsed") + continue + } + + if msg.Vulnerability != nil { + findings = append(findings, *msg.Vulnerability) } } - return result, nil + return findings +} + +// dumpRawReport takes the raw report and writes it to raw-report.json if something fails it will proceed with the regular flow 
+func (r *CLIScanner) dumpRawReport(rawReport string) { + fileName := "raw-report.json" + reportFile, err := os.Create(fileName) + + r.log.Debug().Str("fileName", fileName).Msg("Making a copy of the raw vulncheck json report which can be exposed for debugging") + + if err != nil { + r.log.Debug().Err(err).Msg("Failed to create copy will proceed with normal flow") + return + } + + defer reportFile.Close() + + _, err = reportFile.Write([]byte(rawReport)) + if err != nil { + r.log.Debug().Err(err).Msg("Failed to write copy to disk will proceed with normal flow") + } +} + +// vulncheckCli +func vulncheckCli(workDir string, command string, flag string, pkg string) ([]byte, error) { + cmd := exec.Command(command, flag, pkg) + cmd.Dir = workDir + + out, err := cmd.Output() + return out, err +} + +func staticLocalCli(workDir string, command string, flag string, pkg string) ([]byte, error) { + path := path.Join(workDir, "hack", "found.stream") + out, _ := os.ReadFile(path) + + return out, nil } diff --git a/pkg/vulncheck/static_runner.go b/pkg/vulncheck/static_runner.go deleted file mode 100644 index 9072ff6..0000000 --- a/pkg/vulncheck/static_runner.go +++ /dev/null @@ -1,32 +0,0 @@ -package vulncheck - -import ( - "encoding/json" - "errors" - "os" - - "github.com/Templum/govulncheck-action/pkg/types" - "github.com/rs/zerolog" -) - -type StaticScanner struct { - log zerolog.Logger - path string -} - -func NewLocalScanner(logger zerolog.Logger, pathToFile string) Scanner { - return &StaticScanner{log: logger, path: pathToFile} -} - -func (r *StaticScanner) Scan() ([]types.Finding, error) { - out, _ := os.ReadFile(r.path) - - var result []types.Finding - err := json.Unmarshal(out, &result) - if err != nil { - return nil, errors.New("scan failed to produce proper report") - } - - r.log.Debug().Msgf("Successfully parsed report located at %s", r.path) - return result, nil -}
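Review bot: `Scan` now turns a govulncheck that failed to run into a clean result: the old `else if cmdErr != nil { return nil, cmdErr }` branch is gone, so a missing binary or any non-`*exec.ExitError` failure leaves `out` empty, `findFindingsInStream` yields no findings and the action logs "Successfully scanned project" with a nil error — a false negative that passes the workflow; the same happens when govulncheck exits non-zero with stderr output, which is logged as an error but then treated as a successful scan. Restore the generic error return and fail when stderr is non-empty, as sketched below (if govulncheck is known to write informational text to stderr on success, gate on the exit code instead — I cannot confirm its stderr conventions from this hunk). `staticLocalCli` likewise drops the `os.ReadFile` error (`out, _ :=`) and shadows the imported `path` package with a local named `path`; `return os.ReadFile(filepath.Join(workDir, "hack", "found.stream"))` (with `path/filepath` imported) fixes both and is OS-correct. `findFindingsInStream` splits on the literal `"\n{\n"` and re-prefixes chunks; a `json.NewDecoder(bytes.NewReader(stream))` loop calling `Decode` until `io.EOF` parses concatenated objects without that repair step and would also let you return an error, rather than a warning, when not a single message parses — which is exactly the format-change case the README warns about.
```go
out, cmdErr := r.invokeCli(r.workDir, command, flag, pkg)

// … unchanged: DEBUG dump of the raw report …

// govulncheck exits non-zero when it found vulnerabilities; only a
// failure to start, or output on stderr, means the scan itself failed.
if exitErr, ok := cmdErr.(*exec.ExitError); ok {
	if len(exitErr.Stderr) > 0 {
		r.log.Error().
			Err(exitErr).
			Str("Stderr", string(exitErr.Stderr)).
			Msg("govulncheck exited with none 0 code")
		return nil, exitErr
	}
} else if cmdErr != nil {
	// e.g. binary not found: never report this as a clean scan
	r.log.Error().Err(cmdErr).Msg("govulncheck could not be executed")
	return nil, cmdErr
}

// … unchanged: findFindingsInStream and the success log …
```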