From b49c30443c67cf02332b9debd7ca7488429fcc07 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 15 Jan 2025 13:12:58 -0800 Subject: [PATCH 01/13] test --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b241e6896f4..449a95f05fe 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ A vulnerable Node.js demo application, based on the [Dreamers Lab tutorial](http ## Features -This vulnerable apassa includes the following capabilities to experiment with: +This vulnerable apassa includes the following capabiasalities to experiment with: - [Exploitable packages](#exploiting-the-vulnerabilities) with known vulnerabilities - [Docker Image Scanning](#docker-image-scanning) for base images with known vulnerabilities in system libraries From e137ccf57189521b4e8b571810a884889b683ce5 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:17:11 -0800 Subject: [PATCH 02/13] update gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index c75c18c855c..f0155d96e63 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,5 @@ npm-debug.log .idea/ .dccache +.vscode +venv \ No newline at end of file From c4569230ca30602019c87bbd12df355e27cf949e Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:37:59 -0800 Subject: [PATCH 03/13] add workflow for scm import --- .github/workflows/snyk-test-api-import.yml | 28 ++++++++++ scripts/import_repo.py | 65 ++++++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 .github/workflows/snyk-test-api-import.yml create mode 100644 scripts/import_repo.py diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml new file mode 100644 index 00000000000..8cf4e733642 --- /dev/null 
+++ b/.github/workflows/snyk-test-api-import.yml
@@ -0,0 +1,28 @@
+name: Import repo via API
+on: push
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
+ id: check_vuln
+ uses: snyk/actions/node@master
+ continue-on-error: true
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --severity-threshold=critical
+ --json-file-output=snyk.json
+ - name: install requirements
+ run: |
+ python3 -m pip install --upgrade pip
+ if [ -f scripts/requirements.txt ]; then pip install -r scripts/requirements.txt; fi
+ - name: Create issues if vulnerabilies are found
+ id: create_issue
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ REPO_NAME=$(echo "${{ github.repository }}" | cut -d '/' -f 2)
+ python3 scripts/import_repo.py
+ --owner github.repository_owner --name "$REPO_NAME" --snyk-org env.SNYK_ORG --integration-id env.SNYK_INTEGRATION_ID --branch github.ref_name
diff --git a/scripts/import_repo.py b/scripts/import_repo.py
new file mode 100644
index 00000000000..b9cc4c4e2d8
--- /dev/null
+++ b/scripts/import_repo.py
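Review bot: The `Create issues if vulnerabilies are found` step runs `scripts/import_repo.py` without `SNYK_TOKEN` in its `env:` (only the scan step receives it), so the script's `os.getenv("SNYK_TOKEN")` yields `None` and the request is sent with `Authorization: token None`; this persists through patches 04–12 and is only fixed in patch 13. In the same `run: |` block the `--owner github.repository_owner …` line stands on its own, so unless a trailing backslash was lost in rendering bash executes it as a separate command and the script runs with no arguments, and those values are literal text rather than `${{ github.repository_owner }}` / `${{ env.SNYK_ORG }}` expressions. `actions/checkout@master` and `snyk/actions/node@master` track a mutable branch; pin both to a full commit SHA so a change upstream cannot alter what runs with the `SNYK_TOKEN` secret (patch 08 re-adds the scan step with the same refs). With `continue-on-error: true` on the scan and `snyk.json` never read by a later step, a critical finding never fails the job; if that is intended, say so above the step, e.g. `# informational only: findings go to snyk.json and are not enforced`.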
@@ -0,0 +1,65 @@
+import os
+import json
+import requests
+import argparse
+
+SNYK_TOKEN = os.getenv("SNYK_TOKEN")
+
+
+class APIClient:
+ def __init__(
+ self, snyk_token, owner, name, snyk_org, integration_id, branch
+ ) -> None:
+ self.snyk_token = snyk_token
+ self.owner = owner
+ self.name = name
+ self.snyk_org = snyk_org
+ self.integration_id = integration_id
+ self.branch = branch
+ self.base_url = "https://api.snyk.io/v1"
+
+ def import_repo(self) -> object:
+ request_url = f"{self.base_url}/org/{self.snyk_org}/integrations/{self.integration_id}/import"
+ headers = self._format_headers()
+ body = self._format_body()
+ response = requests.post(
+ request_url,
+ headers=headers,
+ data=body,
+ )
+ return response
+
+ def _format_body(self) -> object:
+ body = json.dumps(
+ {"target": {"owner": self.owner, "name": self.name, "branch": self.branch}}
+ )
+ return body
+
+ def _format_headers(self) -> object:
+ headers = {
+ "Content-Type": "application/json",
+ "Authorization": f"token {self.snyk_token}",
+ }
+ return headers
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Import a repository to Snyk.")
+ parser.add_argument("--owner", required=True, help="Repository owner")
+ parser.add_argument("--name", required=True, help="Repository name")
+ parser.add_argument("--snyk-org", required=True, help="Snyk organization ID")
+ parser.add_argument("--integration-id", required=True, help="Snyk integration ID")
+ parser.add_argument("--branch", required=True, help="Repository branch")
+
+ args = parser.parse_args()
+
+ client = APIClient(
+ SNYK_TOKEN,
+ args.owner,
+ args.name,
+ args.snyk_org,
+ args.integration_id,
+ args.branch,
+ )
+ response = client.import_repo()
+ print("status_code", response.status_code)
From 778ffb1597e1239c564218f22aba796b89ef4580 Mon Sep 17 00:00:00 2001
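Review bot: `import_repo()` and the `__main__` block never fail on an error response: `requests.post` is called without a `timeout`, so a stalled endpoint blocks the runner until the job timeout, and the result is only printed, so a 401 from a missing or wrong token or a 404 for a wrong org/integration id still exits 0 and the step shows green (patch 12 adds `response.text` to the print but leaves the exit code unchanged). `SNYK_TOKEN` is read at import time and passed unchecked, so an unset secret silently becomes the header `token None`. Suggested: refuse to run without a token, add a timeout, and call `response.raise_for_status()` after printing the status. The `-> object` annotations on `import_repo`, `_format_body` and `_format_headers` say nothing; the actual types are `requests.Response`, `str` and `dict[str, str]`.
```python
# … unchanged: imports, SNYK_TOKEN, APIClient.__init__ …
    def import_repo(self) -> "requests.Response":
        request_url = f"{self.base_url}/org/{self.snyk_org}/integrations/{self.integration_id}/import"
        # Without a timeout a stalled endpoint blocks until the job timeout.
        response = requests.post(
            request_url,
            headers=self._format_headers(),
            data=self._format_body(),
            timeout=30,
        )
        return response

# … unchanged: _format_body, _format_headers, argparse setup …
    if not SNYK_TOKEN:
        raise SystemExit("SNYK_TOKEN is not set")
    # … unchanged: APIClient(...) construction …
    response = client.import_repo()
    print("status_code", response.status_code)
    # A 4xx/5xx (bad token, wrong org or integration id) must fail the step.
    response.raise_for_status()
```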
From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:43:12 -0800 Subject: [PATCH 04/13] update wf --- .github/workflows/snyk-test-api-import.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index 8cf4e733642..1438b5ddac0 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -18,10 +18,8 @@ jobs: run: | python3 -m pip install --upgrade pip if [ -f scripts/requirements.txt ]; then pip install -r scripts/requirements.txt; fi - - name: Create issues if vulnerabilies are found - id: create_issue - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Import repo via API + id: import_repo run: | REPO_NAME=$(echo "${{ github.repository }}" | cut -d '/' -f 2) python3 scripts/import_repo.py From 497f8b372e723540671094e978049c022a42a5e3 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:55:15 -0800 Subject: [PATCH 05/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index 1438b5ddac0..e8bc90b0e99 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -21,6 +21,6 @@ jobs: - name: Import repo via API id: import_repo run: | - REPO_NAME=$(echo "${{ github.repository }}" | cut -d '/' -f 2) + REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) python3 scripts/import_repo.py - --owner github.repository_owner --name "$REPO_NAME" --snyk-org env.SNYK_ORG --integration-id env.SNYK_INTEGRATION_ID --branch github.ref_name + --owner ${{ github.repository_owner }} --name $REPO_NAME --snyk-org vars.SNYK_ORG --integration-id vars.SNYK_INTEGRATION_ID --branch ${{ github.ref_name }} 
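Review bot: The rewritten `run:` line splices `${{ github.repository_owner }}` and `${{ github.ref_name }}` straight into the shell command and leaves `$REPO_NAME` unquoted. Expression values are substituted into the script before bash parses it, so a value containing characters bash treats specially changes the command instead of being passed as one argument; with `on: push` the pusher already has write access, so the exposure is limited, but the hardening guidance is to bind such values to step `env:` entries and reference them quoted, e.g. `--owner "$REPO_OWNER" --name "$REPO_NAME" --branch "$REF_NAME"`. The same pattern carries through patches 06–11 and 13 (patch 09 even reads back `${{ env.REPO_NAME }}` as an expression where plain `"$REPO_NAME"` would do). Separately, `--snyk-org vars.SNYK_ORG` and `--integration-id vars.SNYK_INTEGRATION_ID` are literal text here rather than `${{ vars.… }}` expressions; patch 06 corrects that.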
From 16bff5d61d371f650cc67cc1f0d1ab225625e7a9 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:57:38 -0800 Subject: [PATCH 06/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index e8bc90b0e99..a142f9c889c 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -23,4 +23,4 @@ jobs: run: | REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) python3 scripts/import_repo.py - --owner ${{ github.repository_owner }} --name $REPO_NAME --snyk-org vars.SNYK_ORG --integration-id vars.SNYK_INTEGRATION_ID --branch ${{ github.ref_name }} + --owner ${{ github.repository_owner }} --name ${{ REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From 71437e0731c7ee1f0c8e8a5d558110eb1ece67f4 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:06:45 -0800 Subject: [PATCH 07/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 24 +++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index a142f9c889c..e7999a3bfe9 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml 
@@ -4,16 +4,16 @@ jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master - - name: Run Snyk to check for vulnerabilities - id: check_vuln - uses: snyk/actions/node@master - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --severity-threshold=critical - --json-file-output=snyk.json + # - uses: actions/checkout@master + # - name: Run Snyk to check for vulnerabilities + # id: check_vuln + # uses: snyk/actions/node@master + # continue-on-error: true + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # with: + # args: --severity-threshold=critical + # --json-file-output=snyk.json - name: install requirements run: | python3 -m pip install --upgrade pip @@ -21,6 +21,6 @@ jobs: - name: Import repo via API id: import_repo run: | - REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) + REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) && python3 scripts/import_repo.py - --owner ${{ github.repository_owner }} --name ${{ REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} + --owner ${{ github.repository_owner }} --name $REPO_NAME --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From 6efd533d3668d02b5288e7f209284a187e5bab88 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:10:47 -0800 Subject: [PATCH 08/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 26 +++++++++++++--------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index e7999a3bfe9..22972560bd4 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml 
@@ -4,23 +4,27 @@ jobs: security: runs-on: ubuntu-latest steps: - # - uses: actions/checkout@master - # - name: Run Snyk to check for vulnerabilities - # id: check_vuln - # uses: snyk/actions/node@master - # continue-on-error: true - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # with: - # args: --severity-threshold=critical - # --json-file-output=snyk.json + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + id: check_vuln + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=critical + --json-file-output=snyk.json - name: install requirements run: | python3 -m pip install --upgrade pip if [ -f scripts/requirements.txt ]; then pip install -r scripts/requirements.txt; fi + - name: Get repo name and set as environment variable + id: get_repo_name + run: | + REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) + echo "REPO_NAME=$REPO_NAME" >> $GITHUB_ENV - name: Import repo via API id: import_repo run: | - REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) && python3 scripts/import_repo.py --owner ${{ github.repository_owner }} --name $REPO_NAME --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From 959ab52ea70d33a11e142f01a9a55110050a8ae9 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:22:07 -0800 Subject: [PATCH 09/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index 22972560bd4..d7225365586 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml 
@@ -21,10 +21,9 @@ jobs: - name: Get repo name and set as environment variable id: get_repo_name run: | - REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2) - echo "REPO_NAME=$REPO_NAME" >> $GITHUB_ENV + echo "REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2)" >> $GITHUB_ENV - name: Import repo via API id: import_repo run: | python3 scripts/import_repo.py - --owner ${{ github.repository_owner }} --name $REPO_NAME --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} + --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From b3d1d19eb152ccc7c32ff1f534973d3949dfe3fa Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:24:06 -0800 Subject: [PATCH 10/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index d7225365586..d055130ad34 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -26,4 +26,4 @@ jobs: id: import_repo run: | python3 scripts/import_repo.py - --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }}--integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} + --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }} --integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From bb2b35b34a84459284dfc7df6895db86ec592499 Mon Sep 17 00:00:00 2001 
From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:27:10 -0800 Subject: [PATCH 11/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index d055130ad34..58c7109fceb 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -25,5 +25,4 @@ jobs: - name: Import repo via API id: import_repo run: | - python3 scripts/import_repo.py - --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }} --integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} + python3 scripts/import_repo.py --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }} --integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }} From 76c2e4bb4692106fc4d913ef868440cd52e4c0ad Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:32:00 -0800 Subject: [PATCH 12/13] udpate wf --- scripts/import_repo.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/import_repo.py b/scripts/import_repo.py index b9cc4c4e2d8..914b02f6b2e 100644 --- a/scripts/import_repo.py +++ b/scripts/import_repo.py @@ -62,4 +62,4 @@ def _format_headers(self) -> object: args.branch, ) response = client.import_repo() - print("status_code", response.status_code) + print("status_code", response.status_code, response.text) From 13b1e95628ecc94fdafcb8ddfa5d99d0f0139eb1 Mon Sep 17 00:00:00 2001 From: Torsten Cannell <38391283+Torsten1014@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:33:32 -0800 Subject: [PATCH 13/13] udpate wf --- .github/workflows/snyk-test-api-import.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/snyk-test-api-import.yml b/.github/workflows/snyk-test-api-import.yml index 58c7109fceb..637123e6aa6 100644 --- a/.github/workflows/snyk-test-api-import.yml +++ b/.github/workflows/snyk-test-api-import.yml @@ -24,5 +24,7 @@ jobs: echo "REPO_NAME=$(echo $GITHUB_REPOSITORY | cut -d '/' -f 2)" >> $GITHUB_ENV - name: Import repo via API id: import_repo + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} run: | python3 scripts/import_repo.py --owner ${{ github.repository_owner }} --name ${{ env.REPO_NAME }} --snyk-org ${{ vars.SNYK_ORG }} --integration-id ${{ vars.SNYK_INTEGRATION_ID }} --branch ${{ github.ref_name }}
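Review bot: The import step now declares `SNYK_TOKEN` on its own `env:`, which is the right scope (only the two steps that talk to Snyk see the secret), but nothing at this step says why it is needed, and that is how patches 03–12 shipped the step without it. A one-line comment above `env:` would make the dependency visible: `# scripts/import_repo.py reads SNYK_TOKEN from the environment (os.getenv)`. The enclosing `security:` job and its `steps:` list start outside the hunk.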