Implementing gosec scanner.

new-components/scanners/gosec/.env

@@ -0,0 +1,4 @@
+SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
+SMITHY_LOG_LEVEL=debug
+SMITHY_BACKEND_STORE_TYPE=local
+GOSEC_RAW_OUT_FILE_PATH=gosec_out.json

new-components/scanners/gosec/README.md

@@ -0,0 +1,55 @@
+# gosec
+
+This is component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that parses [sarif](https://sarifweb.azurewebsites.net/) reports output
+by [gosec](https://github.com/securego/gosec) into [ocsf](https://github.com/ocsf) format.
+
+## Environment variables
+
+The component used environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable     | Type   | Required | Default | Description                             |
+|--------------------------|--------|----------|---------|-----------------------------------------|
+| GOSEC\_RAW\_OUT\_FILE\_PATH  | string | yes      | -       | The path where to find the gosec report |
+| GOSEC\_OUT\_FORMAT         | string | no       | json    | Format of the gosec report              |
+
+## How to run
+
+Execute:
+
+```shell
+docker-compose up --build --force-recreate --remove-orphans
+```
+
+Then shutdown with:
+
+```shell
+docker-compose down --rmi all
+```
+
+## Test data
+
+The `gosec.sarif` file used in tests was generated with the following steps:
+
+* Cloning:
+
+```shell
+git clone https://github.com/TheHackerDev/damn-vulnerable-golang
+```
+
+* Running gosec
+
+```shell
+docker run \
+  --platform linux/amd64 \
+  -v ./damn-vulnerable-golang:/go/damn-vulnerable-golang \
+  -it securego/gosec:2.15.0 \
+    -fmt=sarif \
+    -no-fail \
+    -out=./damn-vulnerable-golang/gosec.sarif \
+      damn-vulnerable-golang
+```

new-components/scanners/gosec/cmd/main.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/new-components/scanners/gosec/internal/transformer"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("gosec"))
+
+	ocsfTransformer, err := transformer.NewTransformerFromEnv()
+	if err != nil {
+		return fmt.Errorf("could not create transformer: %w", err)
+	}
+
+	if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+		return fmt.Errorf("could not run scanner: %w", err)
+	}
+
+	return nil
+}

new-components/scanners/gosec/docker-compose.yaml

@@ -0,0 +1,12 @@
+services:
+  scanner:
+    build:
+      context: ../..
+      args:
+        - COMPONENT_PATH=scanners/gosec
+        - COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
+    platform: linux/amd64
+    volumes:
+      - ./internal/transformer/testdata:/workspace
+    env_file:
+      - .env

new-components/scanners/gosec/go.mod

@@ -0,0 +1,48 @@
+module github.com/smithy-security/smithy/new-components/scanners/gosec
+
+go 1.23.2
+
+require (
+	github.com/jonboulle/clockwork v0.4.0
+	github.com/owenrumney/go-sarif/v2 v2.3.3
+	github.com/smithy-security/pkg/env v0.0.1
+	github.com/smithy-security/smithy/sdk v0.0.2-alpha
+	github.com/stretchr/testify v1.9.0
+)
+
+require (
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/abice/go-enum v0.6.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/labstack/gommon v0.4.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/urfave/cli/v2 v2.26.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/crypto v0.3.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)