Merge pull request #206 from AOrps/aorps/graphql-add

Push top-level summary at endpoint
ossf · Aug 15, 2023 · f360f5c · f360f5c
2 parents 07f7302 + 2ba0a4a
commit f360f5c
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 6 deletions.
diff --git a/Mentorship/Software Requirements - Analyzer.md b/Mentorship/Software Requirements - Analyzer.md
@@ -43,17 +43,17 @@ stateDiagram-v2
 ## Requirements
 - Use Case #1 & #2 should be designed and implemented
 ### Use Case 1
-- [ ] Push 'summary-results.sarif' to the triage-portal
-- [ ] Triage Portal credentials should be supported as environment variable (be sure to change the .env template)
-- [ ] Triage Portal Credentials should be passed as parameters when running the ./runtools.sh command
+- [x] Push 'summary-results.sarif' to the triage-portal
+- [x] Triage Portal credentials should be supported as environment variable (be sure to change the .env template)
+- [x] Triage Portal Credentials should be passed as parameters when running the ./runtools.sh command
 - Exception Handling on the following:
   - [ ] Triage Portal isn't available
 	- [ ] Perform 3 Retry Attempts, then default to stdout
   - [ ] Triage Portal does not support or issue with the formatting
   - [ ] User hasn't supplied enough information to connect to triage portal
 - [ ] Error should be returned to the user via stdout with a standard log message and HTTP error code, if necessary. 
   - If error occurs on the triage portal, then user should get the HTTP code plus error message
-- [ ] Should be able to scan all packages (with a Focus on being more or less compatible with JavaScript [npm], Java [maven] and Python [PyPi]) 
+- [x] Should be able to scan all packages (with a Focus on being more or less compatible with JavaScript [npm], Java [maven] and Python [PyPi]) 
 
 
 ### Use Case 2

diff --git a/omega/analyzer/README.md b/omega/analyzer/README.md
@@ -97,6 +97,23 @@ docker run --rm --entrypoint /bin/bash --env-file .env openssf/omega-toolshed:la
 ```
 -->
 
+### Local Usage
+There are currently 2 ways of getting the tar file to run the analyzer locally, through libraries.io or github. Here is a working example of one might have to wget to get it on the container. Then you can use the `?local=true` from [./worker/tools/runtools.sh](./worker/tools/runtools.sh) to check for packages. Naturally, as virtue of running it locally, you lose the ability to use `@latest` as the `<version_number>`in the package format (`pkg:npm/left-pad@<version_number>`) and need to explicitly write the verison number
+
+Here's an wget example using `chalk` from `npm` (as of Aug 2023):
+| Source       | (wget) Pattern
+| :----------- | :-------
+| libraries.io | https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz 
+| Github       | https://github.com/chalk/chalk/archive/refs/tags/v5.3.0.tar.gz
+
+
+
+### Usage with the Omega Triage Portal
+- If you are running it locally:
+```bash
+docker run --env-file <.env file> --net="host" --rm -it openssf/omega-toolsheed -u <username> -p <password> -t <triage portal endpoint> "pkg:<pkg_name>"
+```
+- Need the extra `--net="host"` so that docker can speak to the portal running on the host machine
 
 ## License
 

diff --git a/omega/analyzer/worker/tools/runtools.sh b/omega/analyzer/worker/tools/runtools.sh
@@ -52,6 +52,19 @@ OPTIONS (OPTS):
 	-a : Run scan with assertion
 	   Show the results of the scan with the assertion
 
+	-u : Username (Triage Portal)
+	   User for the Triage Portal 
+
+        -p : Password (Triage Portal)
+	   Password for the Triage Portal
+
+	-t : Triage Portal Endpoint
+	   Endpoint
+
+	-T : Triage Portal (Auto)
+	   Runs query again using, -u and -p and -t but from environment varaibles
+	
+
 	-... more       
 
 OUTPUT:
@@ -93,11 +106,17 @@ function get_previous_version()
 }
 
 OPTS_INSERT_ASSERTION=
+OPTS_TRIAGE_USERNAME=
+OPTS_TRIAGE_PASSWORD=
+OPTS_TRIAGE_ENDPOINT=
 
-while getopts 'ha' opt; do
+while getopts 'hau:p:t:' opt; do
     case "$opt" in
 	h) usage;;
 	a) OPTS_INSERT_ASSERTION=1;;
+	u) OPTS_TRIAGE_USERNAME="$OPTARG";;
+	p) OPTS_TRIAGE_PASSWORD="$OPTARG";;
+	t) OPTS_TRIAGE_ENDPOINT="$OPTARG";;
     esac
 done
 
@@ -149,7 +168,7 @@ PACKAGE_DIR=$(echo "${PACKAGE_PURL_PARSED}" | grep "PACKAGE_DIR:" | cut -d: -f2-
 PACKAGE_DIR_NOVERSION=$(echo "${PACKAGE_PURL_PARSED}" | grep "PACKAGE_DIR_NOVERSION:" | cut -d: -f2-)
 PACKAGE_PURL_LOCAL_SOURCE=$(echo "${PACKAGE_PURL_PARSED}" | grep -qi "PACKAGE_QUALIFIER_LOCAL_SOURCE:true" && echo true || echo false)
 
-PACKAGE_OVERRIDE_PREVIOUS_VERSION="$2"
+#PACKAGE_OVERRIDE_PREVIOUS_VERSION="$2" # TODO: add this as an argument
 
 ANALYZER_VERSION="0.8.6"
 ANALYSIS_DATE=$(date)
@@ -178,10 +197,12 @@ printf " ${DARKGRAY}/ ${YELLOW}"
 printf "%s" "${PACKAGE_PURL_VERSION}"
 printf "${BLUE}...${NC}\n"
 
+
 # attempts to dynamically resolve the version of the pkg
 if [ "${PACKAGE_PURL_VERSION,,}" == "latest" ]; then
     OPTION_DYNAMIC_VERSION_RESOLUTION=1
     PACKAGE_PURL_VERSION=$(get_previous_version)
+    # #get_previous_version
     PURL=$(echo $PURL | sed "s/latest/${PACKAGE_PURL_VERSION}/g")
     PACKAGE_VERSION_ENCODED=$(echo $PACKAGE_VERSION_ENCODED | sed "s/latest/${PACKAGE_PURL_VERSION}/g")
     PACKAGE_PURL=$(echo $PACKAGE_PURL | sed "s/latest/${PACKAGE_PURL_VERSION}/g")
@@ -749,6 +770,45 @@ if [ -f /opt/result/summary-console.txt ]; then
 fi
 printf "${NC}\n\n"
 
+event start uploadFile
+function uploadFile() {
+    user="$1"
+    pass="$2"
+    endpoint="$3"
+    file="$4"
+    pkg_format="$5"
+    f_checksum=$(openssl md5 $file | awk '{print $2}')
+
+    csrf=$(curl -i --location "$endpoint" \
+		--header 'Content-Type: application/json' \
+		--header 'Cookie: csrftoken=' 2>/dev/null | grep -o 'csrftoken=[A-Za-z0-9]*;' | \
+	       rev | cut -c 1 --complement | rev | awk -F'=' '{print $2}')
+
+    data='{"query":"mutation ($password: String = \"'$pass'\", $username: String = \"'$user'\") { tokenAuth(password: $password, username: $username) {   token }}","variables":{}}'
+
+    token=$(curl --location "$endpoint" \
+		 --header "X-CSRFToken: $csrf" \
+		 --header 'Content-Type: application/json' \
+		 --header "Cookie: csrftoken=$csrf" \
+		 --data "$data" 2>/dev/null | jq '.data.tokenAuth.token' | sed 's/"//g')
+
+
+    operations='{"query": "mutation ($file: Upload!, $checksum: String!, $packageUrl: String!) { uploadFile(file: $file, checksum: $checksum, packageUrl: $packageUrl) { success, errors } }", "variables": { "file": null, "checksum": "'$f_checksum'", "packageUrl": "'$pkg_format'" } }'
+
+    curl --location "$endpoint" \
+	 --header "X-CSRFToken: $csrf" \
+	 --header "Authorization: JWT $token" \
+	 --header "Cookie: csrftoken=$csrf" \
+	 --form operations="$operations"  \
+	 --form 'map="{ \"0\": [\"variables.file\"]}"' \
+	 --form "0=@\"$file\""
+}
+
+SUMMARY_UPLOAD_FILE="$(find $EXPORT_DIR -name 'summary-results.sarif' )"
+
+uploadFile $OPTS_TRIAGE_USERNAME $OPTS_TRIAGE_PASSWORD $OPTS_TRIAGE_ENDPOINT "${SUMMARY_UPLOAD_FILE}" "${PACKAGE_PURL}"
+event stop uploadFile
+
 event stop runtools
 
 cp /tmp/events.txt "$EXPORT_DIR/summary-telemetry-events.txt"