# Cloud Foundry Java Buildpack
# Copyright 2013-2017 the original author or authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'fileutils'
require 'yaml'
require 'java_buildpack/component/versioned_dependency_component'
require 'java_buildpack/logging/logger_factory'
require 'java_buildpack/framework'
require 'net/http'
require 'json'
require 'rubygems'
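# Snyk "test a Maven project" endpoint the POM contents are posted to. Frozen so the constant cannot be mutated
# at runtime (the file has no frozen_string_literal magic comment).
SNYK_API_URL = 'https://snyk.io/api/v1/test/maven'.freeze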
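module JavaBuildpack
  module Framework

    # Encapsulates the detect, compile, and release functionality for scanning an application's Maven dependency
    # tree with the Snyk API during staging. The application's +pom.xml+ (plus any +pom.xml+ bundled inside jars
    # under +WEB-INF+) is posted to Snyk, the findings are printed, and staging is aborted when vulnerabilities
    # are reported.
    class SnykAutoPatch < JavaBuildpack::Component::VersionedDependencyComponent

      # Sort rank per Snyk severity label, so findings are printed least severe first. Labels not listed here
      # (for instance ones added to the API later) rank below +low+ instead of crashing the comparison.
      SEVERITY_RANK = { 'low' => 1, 'medium' => 2, 'high' => 3 }.freeze

      # ANSI colour used when printing a finding of the given severity; anything else uses DEFAULT_COLOR.
      SEVERITY_COLOR = { 'high' => "\e[31m", 'medium' => "\e[1;33m" }.freeze
      DEFAULT_COLOR = "\e[34m".freeze

      # Creates an instance
      #
      # @param [Hash] context a collection of utilities used the component
      def initialize(context)
        super(context)
        @logger = JavaBuildpack::Logging::LoggerFactory.instance.get_logger SnykAutoPatch
      end

      # (see JavaBuildpack::Component::BaseComponent#compile)
      #
      # Collects the application's POM files, submits them to the Snyk test API and prints the findings.
      #
      # @raise [RuntimeError] if +SNYK_TOKEN+ is not set, the API call does not succeed, or Snyk reports
      #                       vulnerabilities (staging is deliberately aborted in that case)
      def compile
        main_pom, additional = collect_poms
        result = snyk_test(main_pom, additional)

        if result['ok']
          puts "Tested #{result['dependencyCount']} dependencies, 0 vulnerabilities were found!"
          return
        end

        vulns = vulnerabilities_from(result)
        puts "\nFound #{vulns.length} vulnerabilities on #{result['dependencyCount']} dependencies\n"
        vulns.each { |vuln| print_vulnerability(vuln) }
        raise 'Terminating droplet compilation as Snyk detected vulnerabilities...'
      end

      # (see JavaBuildpack::Component::BaseComponent#release)
      # Nothing to configure at runtime: the scan is a staging-time check only.
      def release
      end

      protected

      # (see JavaBuildpack::Component::VersionedDependencyComponent#supports?)
      def supports?
        @configuration['enabled']
      end

      private

      # Gathers the main POM and any additional POMs found inside the application's jars.
      #
      # The first +pom.xml+ under the droplet root is the main POM. Every +pom.xml+ entry inside a jar under
      # +WEB-INF+ is collected as an additional POM; when no main POM exists, the first jar POM takes that role.
      # NOTE(review): only the WAR layout (+WEB-INF+) is searched for jars; other layouts are not scanned.
      #
      # @return [Array] a two-element array: the main POM contents (+String+, possibly empty) and the list of
      #                 additional POM entries (+Array<Hash>+, each +{ 'contents' => String }+)
      def collect_poms
        pom_path = Dir.glob("#{@droplet.root}/**/pom.xml").first
        main_pom = pom_path ? File.read(pom_path) : ''
        additional = []

        Dir.glob("#{@droplet.root}/WEB-INF/**/*.jar").each do |jar|
          jar_pom_entries(jar).each do |entry|
            content = jar_entry(jar, entry)
            if main_pom.empty?
              main_pom = content
            else
              additional << { 'contents' => content }
            end
          end
        end

        [main_pom, additional]
      end

      # Lists the entries of +jar+ whose name contains +pom.xml+.
      #
      # +unzip+ is run without a shell: the jar path and entry names come from the uploaded application, so
      # interpolating them into a shell command line would let a crafted file name run arbitrary commands during
      # staging. A missing +unzip+ binary raises (Errno::ENOENT) rather than silently skipping the jar.
      #
      # @param [String] jar path of the jar to inspect
      # @return [Array<String>] matching entry names
      def jar_pom_entries(jar)
        IO.popen(['unzip', '-Z1', jar], err: File::NULL, &:read).split("\n").grep(/pom\.xml/)
      end

      # Reads a single +entry+ out of +jar+, again without going through a shell.
      #
      # @param [String] jar path of the jar
      # @param [String] entry name of the entry inside the jar
      # @return [String] the entry's contents
      def jar_entry(jar, entry)
        IO.popen(['unzip', '-p', jar, entry], err: File::NULL, &:read)
      end

      # Posts the POMs to the Snyk Maven test endpoint and returns the parsed response document.
      #
      # All request keys are strings: mixing the symbol key +contents:+ with a later string-key assignment would
      # serialise two +"contents"+ members into the JSON body.
      #
      # @param [String] main_pom contents of the main POM
      # @param [Array<Hash>] additional further POM entries
      # @return [Hash] the parsed JSON response
      # @raise [RuntimeError] if +SNYK_TOKEN+ is missing or the HTTP response is not 2xx
      def snyk_test(main_pom, additional)
        token = @application.environment['SNYK_TOKEN']
        raise 'SNYK_TOKEN environment variable must be set to run the Snyk scan' if token.nil? || token.empty?

        uri = URI.parse(SNYK_API_URL)
        request = Net::HTTP::Post.new(uri)
        request['Content-Type'] = 'application/json'
        request['Authorization'] = "token #{token}"
        request.body = {
          'encoding' => 'plain',
          'files' => {
            'target' => { 'contents' => main_pom },
            'additional' => additional
          }
        }.to_json

        # Block form closes the connection when the request completes.
        response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(request) }
        # A non-2xx reply (for example a rejected token) is not a scan result; report the status instead of
        # failing later on a JSON parse error. The token itself is never included in the message.
        raise "Snyk API request failed with HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)

        JSON.parse(response.body)
      end

      # Extracts the vulnerability list from a non-ok Snyk result, sorted by ascending severity.
      #
      # @param [Hash] result the parsed Snyk response
      # @return [Array<Hash>] the vulnerabilities, least severe first
      # @raise [RuntimeError] if the response carries no vulnerability list
      def vulnerabilities_from(result)
        issues = result.key?('issues') ? result['issues'] : result['vulnerabilities']
        vulns = issues && issues['vulnerabilities']
        raise 'Snyk reported a failure but the response contained no vulnerability list' unless vulns

        vulns.sort_by { |vuln| SEVERITY_RANK.fetch(vuln['severity'], 0) }
      end

      # Prints one finding, coloured by severity.
      #
      # @param [Hash] vuln a single vulnerability entry from the Snyk response
      def print_vulnerability(vuln)
        severity = vuln['severity'].to_s
        color = SEVERITY_COLOR.fetch(severity, DEFAULT_COLOR)
        puts "\n#{color}✗ #{severity.capitalize} severity vulnerability found in #{vuln['package']}\e[0m"
        puts " Description: #{severity} severity vulnerability found in #{vuln['package']}"
        puts " Info: #{vuln['url']}"
        # 'from' is the dependency path; Array() tolerates its absence instead of raising on nil.
        puts " Introduced through: #{Array(vuln['from']).first}\n"
      end

    end

  end
end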