
snyk-threadfix's Introduction

snyk-threadfix


The ThreadFix / Snyk integration allows you to view open source vulnerabilities identified by Snyk on the ThreadFix platform and directs you to comprehensive information and remediation guidance.

snyk-threadfix allows you to generate a .threadfix file from Snyk project data. It outputs JSON data in the ThreadFix file format - printing to standard out or a specified filename. It does not upload directly to ThreadFix at present but there is a ThreadFix API endpoint that you can use: ThreadFix Upload Scan API.

Installation

pip install snyk-threadfix

Configuration

You must first obtain a Snyk API token from your Snyk account. Once you have a token you must either install the Snyk CLI and run snyk auth <your-token> or simply run:

export SNYK_TOKEN=<your-token> 

Usage

You must first identify your Snyk org ID. This is easy: simply log into your Snyk account, click on Settings, and find your Organization ID there. If you have multiple orgs in your Snyk account, make sure to first choose the one you want.

You must also identify the Snyk project IDs for which you would like to generate ThreadFix data. You can do this using the Snyk API, for example the List all projects endpoint. See also the pysnyk SDK. Another way of identifying the project IDs you want to use is simply to browse to the desired project(s) in the Snyk UI and grab the UUID from the address bar of your browser.

Once you have a project ID or list of project IDs that you would like to generate a threadfix file for, run the following:

For a single project ID:

snyk-threadfix --org-id=<your-snyk-org-id> --project-ids=<snyk-project-id>

For multiple IDs:

snyk-threadfix --org-id=<your-snyk-org-id> --project-ids=<snyk-project-id-0>,<snyk-project-id-1>,<snyk-project-id-2>,...

ThreadFix JSON data will be output to standard out. If you would like to save the JSON to a file you can either pipe it to a file or use the --output parameter, for example:

snyk-threadfix --output=<your-desired-output-filename>.threadfix --org-id=<your-snyk-org-id> --project-ids=<snyk-project-id>

Additional input parameters are available:

snyk-threadfix --help

snyk-threadfix's People

Contributors

garethr, jgresty, maxjeffos


snyk-threadfix's Issues

Something is broken and snyk-threadfix is not working in latest python env

Here is the stack trace:

/home/jenkins/.local/bin/snyk-threadfix --org-id aaff7f9f-1d7d-4ddf-8faa-1dcf1a0c5c7a --project-ids f1a3e9d7-0b29-454c-bdc1-8b0d1f245ff2 --debug
Traceback (most recent call last):
File "", line 67, in from_dict
File "", line 51, in from_dict
mashumaro.exceptions.MissingField: Field "fixedIn" of type List[str] is missing in FixInfo instance

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "", line 12, in from_dict
File "", line 12, in
File "", line 69, in from_dict
mashumaro.exceptions.InvalidFieldValue: Field "fixInfo" of type FixInfo in AggregatedIssue has invalid value {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/jenkins/.local/bin/snyk-threadfix", line 8, in
sys.exit(run())
File "/home/jenkins/.local/lib/python3.10/site-packages/snyk_threadfix/main.py", line 327, in run
main(args)
File "/home/jenkins/.local/lib/python3.10/site-packages/snyk_threadfix/main.py", line 300, in main
threadfix_findings = create_threadfix_findings_data(args.org_id, p_id)
File "/home/jenkins/.local/lib/python3.10/site-packages/snyk_threadfix/main.py", line 245, in create_threadfix_findings_data
for i in p.vulnerabilities:
File "/home/jenkins/.local/lib/python3.10/site-packages/snyk/models.py", line 640, in vulnerabilities
aggregated_vulns = self.issueset_aggregated.filter(**vuln_filter).issues
File "/home/jenkins/.local/lib/python3.10/site-packages/snyk/managers.py", line 439, in filter
return self.klass.from_dict(resp.json())
File "", line 14, in from_dict
mashumaro.exceptions.InvalidFieldValue: Field "issues" of type List[AggregatedIssue] in IssueSetAggregated has invalid value [{'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501741', 'issueData': {'id': '839501741', 'title': 'Container could be running with outdated image', 'severity': 'low', 'originalSeverity': 'low', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-42', 'description': 'The image policy does not prevent image reuse', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].spec.template.spec.containers[pet-pod].imagePullPolicy', 'violatedPolicyPublicId': 'SNYK-CC-K8S-42', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501740', 'issueData': {'id': '839501740', 'title': 'Container is running without privilege escalation control', 'severity': 'medium', 'originalSeverity': 'medium', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-9', 'description': 'allowPrivilegeEscalation attribute is not set to false', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].securityContext.allowPrivilegeEscalation', 'violatedPolicyPublicId': 'SNYK-CC-K8S-9', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 
'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501739', 'issueData': {'id': '839501739', 'title': 'Container is running without liveness probe', 'severity': 'low', 'originalSeverity': 'low', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-41', 'description': 'Liveness probe is not defined', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].spec.template.spec.containers[pet-pod].livenessProbe', 'violatedPolicyPublicId': 'SNYK-CC-K8S-41', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501738', 'issueData': {'id': '839501738', 'title': 'Container is running without memory limit', 'severity': 'low', 'originalSeverity': 'low', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-4', 'description': 'Memory limit is not defined', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].resources.limits.memory', 'violatedPolicyPublicId': 'SNYK-CC-K8S-4', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 
'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501737', 'issueData': {'id': '839501737', 'title': 'Container does not drop all default capabilities', 'severity': 'medium', 'originalSeverity': 'medium', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-6', 'description': 'All default capabilities are not explicitly dropped', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].securityContext.capabilities.drop', 'violatedPolicyPublicId': 'SNYK-CC-K8S-6', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501736', 'issueData': {'id': '839501736', 'title': 'Container is running with writable root filesystem', 'severity': 'low', 'originalSeverity': 'low', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-8', 'description': 'readOnlyRootFilesystem attribute is not set to true', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].securityContext.readOnlyRootFilesystem', 'violatedPolicyPublicId': 'SNYK-CC-K8S-8', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 
'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501735', 'issueData': {'id': '839501735', 'title': 'Container has no CPU limit', 'severity': 'low', 'originalSeverity': 'low', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-5', 'description': 'Container has no CPU limit', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].resources.limits.cpu', 'violatedPolicyPublicId': 'SNYK-CC-K8S-5', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}, {'issueType': 'configuration', 'pkgName': '', 'pkgVersions': [], 'introducedThrough': [], 'isPatched': False, 'fixInfo': {'isUpgradable': False, 'isPinnable': False, 'isPatchable': False, 'isFixable': False, 'isPartiallyFixable': False, 'nearestFixedInVersion': ''}, 'id': '839501734', 'issueData': {'id': '839501734', 'title': 'Container is running without root user control', 'severity': 'medium', 'originalSeverity': 'medium', 'url': 'https://snyk.io/security-rules/SNYK-CC-K8S-10', 'description': 'Container is running without root user control', 'disclosureTime': '2022-05-31T20:58:55+00:00', 'path': '[DocId: 0].input.spec.template.spec.containers[pet-pod].securityContext.runAsNonRoot', 'violatedPolicyPublicId': 'SNYK-CC-K8S-10', 'CVSSv3': '', 'credit': [], 'identifiers': {}, 'language': '', 'nearestFixedInVersion': '', 'patches': [], 'semver': {'vulnerable': ''}, 'cvssScore': None, 'exploitMaturity': None, 'publicationTime': None}, 'isIgnored': False}]
jenkins@fe72ebb7af05:/app$

Please stop using poetry-version which has a bug and is no longer maintained

Hello.

I'm an author of one of the dependencies you use in your project: poetry-version (I found this using the search on GitHub). I have to admit that I've made a bug in my library, which makes it work incorrectly in some cases (it fails to extract the version). Moreover, this project is no longer maintained. I advise switching to another simple approach of extracting the version of the package (Option 2): python-poetry/poetry#2366 (comment).

I'm sorry for the inconvenience.

Adjust pysnyk usage to avoid calling deprecated API endpoints

The project issues endpoint (/api/v1/org//project//issues) has been turned off for most users of the API, and will be removed entirely in the near future.

This package still (via pysnyk) references this deprecated issues endpoint which causes failures in usage. To update snyk-threadfix to use the recommended Aggregated Issues endpoint, a few things need to happen:

  • On this line the call to p.vulnerabilities needs to be changed to p.issueset_aggregated and then the results filtered to exclude license issues.
  • create_finding_data needs a bit of rearranging: it would need to unpack the package versions from the aggregated data and return an array of findings instead. There are also a few fields that would need to be obtained from different parts of the API, like language and packageManager, and possibly others.
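As an added illustration of the rearrangement this issue describes (and of the "fixedIn" failure in the first issue), here is example code that is not part of snyk-threadfix or pysnyk. It flattens a constructed aggregated-issues response into one finding per package version, skips license issues, and defaults a missing "fixedIn" to an empty list; the finding dict shape and the package names and issue ids are assumptions, not the ThreadFix schema.

```python
from typing import Any, Dict, List

# Constructed sample of a Snyk aggregated-issues response. Field names follow the
# stack trace quoted in the first issue; package names and vuln ids are made up.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "issues": [
        {"issueType": "vuln", "pkgName": "example-pkg", "pkgVersions": ["1.0.0", "1.1.0"],
         "fixInfo": {"isUpgradable": True, "isFixable": True, "fixedIn": ["1.2.0"]},
         "issueData": {"id": "SNYK-EXAMPLE-0001", "title": "Example vulnerability",
                       "severity": "high", "url": "https://snyk.io/vuln/SNYK-EXAMPLE-0001"}},
        {"issueType": "license", "pkgName": "example-lib", "pkgVersions": ["2.0.0"],
         "fixInfo": {"isUpgradable": False, "isFixable": False, "fixedIn": []},
         "issueData": {"id": "snyk:lic:example", "title": "Example license issue",
                       "severity": "medium", "url": "https://snyk.io/vuln/snyk:lic:example"}},
        # Configuration issue: no package, and fixInfo carries no "fixedIn" list
        # (the exact shape that raised MissingField in the bug report above).
        {"issueType": "configuration", "pkgName": "", "pkgVersions": [],
         "fixInfo": {"isUpgradable": False, "isFixable": False, "nearestFixedInVersion": ""},
         "issueData": {"id": "839501740",
                       "title": "Container is running without privilege escalation control",
                       "severity": "medium", "url": "https://snyk.io/security-rules/SNYK-CC-K8S-9"}},
    ]
}


def aggregated_issues_to_findings(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten aggregated issues into one finding per affected package version.

    License issues are skipped; a missing "fixedIn" defaults to an empty list so a
    configuration issue no longer aborts the export. Finding shape is an assumption.
    """
    findings: List[Dict[str, Any]] = []
    for issue in response.get("issues", []):
        if issue.get("issueType") == "license":
            continue
        fix_info = issue.get("fixInfo") or {}
        data = issue["issueData"]
        base = {
            "issueId": data["id"],
            "title": data["title"],
            "severity": data["severity"],
            "url": data["url"],
            "packageName": issue.get("pkgName", ""),
            "fixedIn": list(fix_info.get("fixedIn") or []),
        }
        # A configuration issue has no package version; emit a single finding for it.
        for version in issue.get("pkgVersions") or [None]:
            findings.append({**base, "packageVersion": version})
    return findings
```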
