From 2a96e32cec52c1217c36ff20bce354e10c49f5ef Mon Sep 17 00:00:00 2001
From: joshua-ostrom
Date: Wed, 27 Sep 2023 14:39:21 -0400
Subject: [PATCH 1/4] Version bumping golang gosec
---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7a908a4c..a95f6144 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -78,16 +78,16 @@ RUN cd /home \
 ### Golang
 # required for sift and gosec
-ENV GOLANG_VERSION 1.20.2
-ENV GOLANG_DOWNLOAD_SHA256 4eaea32f59cde4dc635fbc42161031d13e1c780b87097f4b4234cfce671f1768
+ENV GOLANG_VERSION 1.21.1
+ENV GOLANG_DOWNLOAD_SHA256 b3075ae1ce5dab85f89bc7905d1632de23ca196bd8336afd93fa97434cfa55ae
 ENV GOLANG_TARBALL_FILE go$GOLANG_VERSION.linux-amd64.tar.gz
 ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/${GOLANG_TARBALL_FILE}
-ENV GOSEC_VERSION 2.15.0
+ENV GOSEC_VERSION 2.17.0
 ENV GOSEC_TARBALL_FILE gosec_${GOSEC_VERSION}_linux_amd64.tar.gz
 ENV GOSEC_DOWNLOAD_URL https://github.com/securego/gosec/releases/download/v${GOSEC_VERSION}/${GOSEC_TARBALL_FILE}
-ENV GOSEC_DOWNLOAD_SHA256 2312388e9ce0dcfed23893ffd2b719f9de5b1d262c84f4e3c8e2e2cb0d1785d2
+ENV GOSEC_DOWNLOAD_SHA256 e268c49e3382d43a1bd1a24d15f5c0e249841cd2a6befc53b5d7986f07a97d2f
 ENV GO111MODULE on
 RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
From 708e8a6a3691b7ce80e5c0bb64e4143f1b228a53 Mon Sep 17 00:00:00 2001
From: joshua-ostrom
Date: Wed, 27 Sep 2023 18:52:53 -0400
Subject: [PATCH 2/4] Bumping rails libraries
---
 Gemfile | 4 ++--
 Gemfile.lock | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/Gemfile b/Gemfile
index 12755f28..ca340673 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,8 +2,8 @@ source 'https://rubygems.org'
 ruby '3.2.1'
-gem 'activemodel', '~> 6.1.7.3'
-gem 'activesupport', '~> 6.1.7.3'
+gem 'activemodel', '~> 6.1.7.5'
+gem 'activesupport', '~> 6.1.7.5'
 gem 'bugsnag', '~> 6.19.0'
 gem 'bundler', '= 2.4.8'
 gem 'cocoapods', '~> 1.12.0'
diff --git a/Gemfile.lock b/Gemfile.lock index ad5f5e91..b01a6275 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -3,9 +3,9 @@ GEM specs: CFPropertyList (3.0.6) rexml - activemodel (6.1.7.3) - activesupport (= 6.1.7.3) - activesupport (6.1.7.3) + activemodel (6.1.7.6) + activesupport (= 6.1.7.6) + activesupport (6.1.7.6) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -92,7 +92,7 @@ GEM rugged (>= 0.25.1) hashdiff (1.0.1) httpclient (2.8.3) - i18n (1.12.0) + i18n (1.14.1) concurrent-ruby (~> 1.0) json (2.6.3) json-schema (3.0.0) @@ -100,7 +100,7 @@ GEM method_source (1.0.0) mini_mime (1.0.2) mini_portile2 (2.8.0) - minitest (5.18.0) + minitest (5.20.0) molinillo (0.8.0) multipart-post (2.1.1) nanaimo (0.3.0) @@ -187,14 +187,14 @@ GEM colored2 (~> 3.1) nanaimo (~> 0.3.0) rexml (~> 3.2.4) - zeitwerk (2.6.7) + zeitwerk (2.6.12) PLATFORMS ruby DEPENDENCIES - activemodel (~> 6.1.7.3) - activesupport (~> 6.1.7.3) + activemodel (~> 6.1.7.5) + activesupport (~> 6.1.7.5) brakeman (= 5.4.1) bugsnag (~> 6.19.0) bundler (= 2.4.8) From ff26621e970d5d261ec3bc705bac96dc9f090256 Mon Sep 17 00:00:00 2001 From: joshua-ostrom Date: Thu, 28 Sep 2023 09:57:01 -0400 Subject: [PATCH 3/4] Bumped nokogiri and supplied config for ruby version --- Gemfile | 2 +- Gemfile.lock | 8 ++++---- salus.yaml | 6 ++++++ 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/Gemfile b/Gemfile index ca340673..ccfa9c3f 100644 --- a/Gemfile +++ b/Gemfile @@ -10,7 +10,7 @@ gem 'cocoapods', '~> 1.12.0' gem 'deepsort', '~> 0.4.5' gem 'faraday', '~> 1.3' gem 'github-linguist', '~> 7.13.0' -gem 'nokogiri', '~> 1.13.6' +gem 'nokogiri', '~> 1.14.3' gem 'parser', '~> 3.1.3' gem 'rgl', '~> 0.5.9' gem 'rubyzip', '~> 2.3.2' diff --git a/Gemfile.lock b/Gemfile.lock index b01a6275..3b01a828 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -99,14 +99,14 @@ GEM addressable (>= 2.8) method_source (1.0.0) mini_mime (1.0.2) - mini_portile2 (2.8.0) + mini_portile2 (2.8.4) minitest (5.20.0) molinillo (0.8.0) multipart-post (2.1.1) nanaimo (0.3.0) nap (1.1.0) netrc (0.11.0) - nokogiri (1.13.10) + nokogiri (1.14.5) mini_portile2 (~> 2.8.0) racc (~> 1.4) pairing_heap (1.0.0) @@ -121,7 +121,7 @@ GEM byebug (~> 11.0) pry (>= 0.13, < 0.15) public_suffix (4.0.7) - racc (1.6.1) + racc (1.7.1) rainbow (3.0.0) regexp_parser (1.8.2) rexml (3.2.5) @@ -204,7 +204,7 @@ DEPENDENCIES faraday (~> 1.3) github-linguist (~> 7.13.0) json-schema (~> 3.0) - nokogiri (~> 1.13.6) + nokogiri (~> 1.14.3) parser (~> 3.1.3) pry (~> 0.14) pry-byebug (~> 3.10) diff --git a/salus.yaml b/salus.yaml index bee898cb..63460b69 100644 --- a/salus.yaml +++ b/salus.yaml @@ -28,3 +28,9 @@ scanner_configs: - spec/fixtures/gosec/multifolder_goapp - spec/fixtures/gosec/recursive_vulnerable_goapp - spec/fixtures/gosec/multi_goapps + RubyVersionScanner: + warn: + min_version: '3.0.0' + max_version: '3.1.0' + error: + min_version: '3.0.0' From 0ec9d567aa42f64796257f9d5824ee0e567d30f8 Mon Sep 17 00:00:00 2001 From: joshua-ostrom Date: Thu, 28 Sep 2023 20:21:55 -0400 Subject: [PATCH 4/4] Fixing specs --- lib/salus/scanners/base.rb | 13 ---------- .../success_with_exceptions/salus-sarif.yaml | 12 +++++++++- spec/lib/salus/scanners/yarn_audit_spec.rb | 24 ++++++++++--------- spec/lib/sarif/cargo_audit_sarif_spec.rb | 2 +- spec/lib/sarif/npm_audit_sarif_spec.rb | 1 + 5 files changed, 26 insertions(+), 26 deletions(-) diff --git a/lib/salus/scanners/base.rb b/lib/salus/scanners/base.rb index 48d70441..035368b1 100644 --- a/lib/salus/scanners/base.rb +++ b/lib/salus/scanners/base.rb 
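Review bot: The new RubyVersionScanner block sets `warn: max_version: '3.1.0'` while the Gemfile in this same series pins `ruby '3.2.1'`, so if max_version is the upper bound of the accepted range the repository's own Ruby would land in the warn band, and the `error` block has no max_version at all, which makes the asymmetry look accidental rather than chosen. I cannot see from this hunk how the scanner interprets warn versus error, so confirm that against RubyVersionScanner before merging. Either align the warn range with the pinned Ruby or state the intent in place, e.g. `# warn on Ruby outside 3.0.0..3.1.0; error only below 3.0.0`, so the next reader does not have to reverse-engineer the thresholds.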
@@ -532,19 +532,6 @@ def build_options(prefix:, suffix:, separator:, args:, join_by: ',', config_over join_by: join_by, regex: type_value ) - # In new versions of gosec, nosec-tag matches the exact string - # For example, In previous versions; - # - running the command `gosec -nosec-tag=falsepositive .` - # would match all occurrences of /* #falsepositive */ in go files - # In current versions: - # - running the command `gosec -nosec-tag=falsepositive .` - # would match only match /* falsepositive */ in go files - # - you would have to modify your string to match #falsepositive - # running the command `gosec -nosec-tag=#falsepositive .` - # would match all occurrences of /* #falsepositive */ in go files - # To prevent salus functionality from changing, this line adds a pound - # sign to alternative nosec string - result = "-nosec-tag=##{config_value} " if result.include? "-nosec-tag=" result else warning = "Could not interpolate config for #{keyword} "\ diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml index 2a60ddca..0c8fc56e 100644 --- a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml +++ b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml @@ -20,4 +20,14 @@ scanner_configs: advisory_id: "1091018", changed_by: "joshua.ostrom", notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.", - } \ No newline at end of file + } + - { + advisory_id: "1091686", + changed_by: "joshua.ostrom", + notes: "False positive", + } + - { + advisory_id: "1091710", + changed_by: "joshua.ostrom", + notes: "False positive", + } diff --git a/spec/lib/salus/scanners/yarn_audit_spec.rb b/spec/lib/salus/scanners/yarn_audit_spec.rb index 0aa64e7f..b7b84dc7 100644 --- a/spec/lib/salus/scanners/yarn_audit_spec.rb 
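Review bot: Dropping `result = "-nosec-tag=##{config_value} " if result.include? "-nosec-tag="` changes the flag Salus hands to gosec for every configuration that sets an alternative nosec tag: the `#` that used to be prepended is gone, so `/* #tag */` annotations in scanned repositories may stop suppressing findings, or start matching different comments, depending on how the gosec release bumped earlier in this series treats the tag. Neither the hunk nor the commit message ("Fixing specs") records that this is deliberate, and a silent change in which findings are suppressed is exactly the kind of behaviour users need to hear about. If the newer gosec is confirmed to match the configured tag verbatim, keep a one-line why-comment where the assignment stood, e.g. `# the installed gosec matches -nosec-tag verbatim, so no '#' is prepended here`, and note the change in the changelog. build_options begins and ends outside the hunk.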
+++ b/spec/lib/salus/scanners/yarn_audit_spec.rb @@ -71,7 +71,7 @@ expect(scanner.report.to_h.fetch(:passed)).to eq(false) vulns = JSON.parse(scanner.report.to_h[:info][:stdout]).sort { |a, b| a["ID"] <=> b["ID"] } - expect(vulns.size).to eq(17) + expect(vulns.size).to eq(18) vulns.each do |vul| ["Package", "Patched in", "Dependency of", "More info", "Severity", "Title"].each do |attr| @@ -81,22 +81,24 @@ expect(vul["ID"]).to be_kind_of(Integer) end - id_vuls = vulns.find { |v| v['ID'] == 1_091_360 } + id_vuls = vulns.find { |v| v['ID'] == 1_091_832 } + # vul has 1 dependency of - expected_vul = { "Package" => "trim-newlines", - "Patched in" => ">=3.0.1", - "Dependency of" => "gulp-cssmin", - "More info" => "https://www.npmjs.com/advisories/1091360", + expected_vul = { "Package" => "lodash", + "Patched in" => ">=4.17.21", + "Dependency of" => "gulp-modify-file", + "More info" => "https://www.npmjs.com/advisories/1091832", "Severity" => "high", - "Title" => "Uncontrolled Resource Consumption in trim-newlines", - "ID" => 1_091_360 } + "Title" => "Command Injection in lodash", + "ID" => 1_091_832 } + expect(id_vuls).to eq(expected_vul) id_vuls_w_paths = scanner.instance_variable_get(:@vulns_w_paths) - .find { |v| v['ID'] == 1_091_360 } + .find { |v| v['ID'] == 1_091_832 } - expected_vul['Path'] = "gulp-cssmin > gulp-util > "\ - "dateformat > meow > trim-newlines" + expected_vul['Path'] = "gulp-modify-file > gulp > "\ + "vinyl-fs > glob-watcher > gaze > globule > lodash" expect(id_vuls_w_paths).to eq(expected_vul) end diff --git a/spec/lib/sarif/cargo_audit_sarif_spec.rb b/spec/lib/sarif/cargo_audit_sarif_spec.rb index 597f1afa..8112fda3 100644 --- a/spec/lib/sarif/cargo_audit_sarif_spec.rb +++ b/spec/lib/sarif/cargo_audit_sarif_spec.rb 
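Review bot: Both hunks pin the spec to values that come from the advisory database rather than from the code under test: `expect(vulns.size).to eq(18)` and the lodash advisory `1_091_832` replace a count and an id that were just as exact when they were written, and their drift is what this commit is fixing. Unless the audit output is replayed from a recorded fixture, which I cannot see from here, the same assertions will break again at the next advisory update. Consider asserting what the scanner actually guarantees, e.g. `expect(vulns.size).to be >= 18`, and keep the exact-match expectation for the lodash entry only if its input is frozen in a fixture. The enclosing example block starts outside the hunk.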
@@ -34,7 +34,7 @@ "title": { "text": "MultiDecoder::read() drops uninitialized memory of"\ " arbitrary type on panic in client code" }, "severity": { "text": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, - "cwe": { "text": "[\"CVE-2019-15552\"]" }, + "cwe": { "text": "[\"CVE-2019-15552\", \"GHSA-rpcm-whqc-jfw8\"]" }, "patched_versions": { "text": "[\">=0.1.25\"]" }, "unaffected_versions": { "text": "[\"<0.1.14\"]" } }, help_url: "https://github.com/sile/libflate/issues/35", diff --git a/spec/lib/sarif/npm_audit_sarif_spec.rb b/spec/lib/sarif/npm_audit_sarif_spec.rb index 6f720cfa..a5d9d96e 100644 --- a/spec/lib/sarif/npm_audit_sarif_spec.rb +++ b/spec/lib/sarif/npm_audit_sarif_spec.rb @@ -165,6 +165,7 @@ report = Salus::Report.new(project_name: "Neon Genesis") report.add_scan_report(scanner.report, required: false) report_object = JSON.parse(report.to_sarif)['runs'][0] + expect(report_object['results'].length).to eq(0) expect(report_object['invocations'][0]['executionSuccessful']).to eq(true) end
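Review bot: The value the spec now expects under the `cwe` key is `[\"CVE-2019-15552\", \"GHSA-rpcm-whqc-jfw8\"]`, and neither a CVE nor a GHSA id is a CWE identifier, so the key names the wrong taxonomy; the commit only extends what was already asserted, but it cements the mismatch. The key presumably originates in the cargo_audit SARIF adapter rather than in this spec, so renaming it is out of scope here, though consumers that map `cwe` to weakness categories will receive advisory ids instead. A one-line comment above the expectation, e.g. `# "cwe" carries the advisory's CVE/GHSA ids, not CWE ids`, would at least stop readers from taking the key at face value. The expectation hash begins and ends outside the hunk.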