
horusec:fix - Errors reported in v2.8.0-beta.1 #1050

Merged
merged 1 commit into from
Apr 6, 2022

Conversation

@wiliansilvazup (Contributor) commented Mar 25, 2022

In this commit I made some changes to the code to improve the
identification and generation of vulnerabilities pointed out by Horusec.

* Now when Horusec identifies that there are duplicate hashes in its
  analysis by the same tool, all vulnerability descriptions will be grouped
  by the `(x/x) separator * Possible vulnerability detected:` demonstrating
  the amount of vulnerabilities that hash generated.
* The `Details` field will be the last to be shown in each problem
  reported by Horusec in order to improve the experience and identification.
* Tools like `DotnetCLI, BundlerAudit, Trivy, Safety, Nancy` were pointing
  out multiple vulnerabilities with the same hash because they couldn't find
  the exact line that contains the vulnerability. So an improvement has been
  implemented where using the `file.GetDependencyInfo` method will be a
  better way to identify the vulnerability.
* The `Trivy` tool was reporting problems finding the exact line, so we
  noticed that when running the analysis on infrastructure configuration
  files the tool returns the line that has the problem,
  so now it can be more assertive with this improvement.
* The `BundlerAudit` tool was quite complex in identifying vulnerabilities
  and with complex treatments, so we made an improvement so that the tool's
  output is in JSON format,
  so we will have better control of the information shown.
* Tool versions update
  * horuszup/horusec-generic updated to v1.2.0
    * semgrep updated to v0.85.0 version
    * owasp-dependency-check updated to v6.5.3
    * updated trivy to v0.24.4 version
  * horuszup/horusec-go updated to v1.3.0
    * nancy updated to version v1.0.33
    * gosec updated to v2.11.0 version
  * horuszup/horusec-python updated to v1.0.1 version
    * updated bandit to v1.7.4 version
  * horuszup/horusec-ruby updated to v1.2.0
    * Ruby updated to v3.1-alpine version
* The e2e tests broke due to the joining of the hashes, so now they are more
  assertive, and I made an improvement in the test of the `Gitleaks` tool
  because validating that the tool was not running was not a good practice.
  But to run e2e tests in the `../horusec-examples-vulnerabilities` directory
  there must be [our test repository](https://github.com/ZupIT/horusec-examples-vulnerabilities).

Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>
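As an added illustration of the duplicate-hash grouping the description above talks about (example code written here, not Horusec's own; the fields that feed `Hash`, the `Finding` type and the sample findings are assumptions), this Go snippet shows why findings from a tool that cannot resolve a line collide on one hash, and how merging them under the `(i/n) * Possible vulnerability detected:` prefix keeps the count visible instead of silently dropping findings:

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Finding is a constructed stand-in for one raw tool result; it is not Horusec's own type.
type Finding struct {
	Tool, File, Line, Code, Description string
}

// Hash models a location-based identity (assumed here: tool, file, line and code snippet).
// A tool that could not resolve the line leaves Line and Code empty, so its findings collide.
func Hash(f Finding) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(f.Tool+"\x00"+f.File+"\x00"+f.Line+"\x00"+f.Code)))
}

// Group merges findings that share a hash (first-seen order); a merged group gets the "(i/n) * Possible vulnerability detected:" prefix on each description.
func Group(findings []Finding) []Finding {
	byHash, order := map[string][]Finding{}, []string{}
	for _, f := range findings {
		h := Hash(f)
		if _, seen := byHash[h]; !seen {
			order = append(order, h)
		}
		byHash[h] = append(byHash[h], f)
	}
	out := make([]Finding, 0, len(order))
	for _, h := range order {
		b, merged := byHash[h], byHash[h][0]
		if n := len(b); n > 1 {
			descs := make([]string, n)
			for i, f := range b {
				descs[i] = fmt.Sprintf("(%d/%d) * Possible vulnerability detected: %s", i+1, n, f.Description)
			}
			merged.Description = strings.Join(descs, "\n")
		}
		out = append(out, merged)
	}
	return out
}

// Sample is constructed input, not real tool output: two Safety findings on one file with no resolved line, one Gosec finding with a line.
var Sample = []Finding{
	{Tool: "Safety", File: "requirements.txt", Description: "pkg-a 1.0 has a known vulnerability"},
	{Tool: "Safety", File: "requirements.txt", Description: "pkg-b 2.3 has a known vulnerability"},
	{Tool: "Gosec", File: "main.go", Line: "42", Code: "exec.Command(cmd)", Description: "Subprocess launched with variable"},
}
```

`Group(Sample)` yields two entries: the two Safety findings merged under one hash with `(1/2)` and `(2/2)` prefixes, and the Gosec finding untouched.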

@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 4 times, most recently from 8395602 to 7dc811a Compare March 27, 2022 12:43
@wiliansilvazup wiliansilvazup changed the title analyzer:fix - Output with duplicated hash horusec:fix - Errors reported in v2.8.0-beta.1 Mar 27, 2022
@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 25 times, most recently from e99aae0 to 42e7b6c Compare March 27, 2022 18:41
@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 2 times, most recently from 3ff9e69 to ce470b6 Compare March 29, 2022 16:37
@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 4 times, most recently from 9edd980 to 0349a13 Compare March 30, 2022 12:27
@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch from 0349a13 to 5d1e2f6 Compare March 30, 2022 16:21
@matheusalcantarazup (Contributor) left a comment

Please also remove the output.txt empty file.

@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch from 5d1e2f6 to 7cd6810 Compare March 31, 2022 17:56
@wiliansilvazup (Contributor, Author)

> Please also remove the output.txt empty file.

done :)

@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 3 times, most recently from e158d28 to 4bcf40e Compare April 4, 2022 11:43
@wiliansilvazup wiliansilvazup self-assigned this Apr 4, 2022
@wiliansilvazup wiliansilvazup requested review from matheusalcantarazup and removed request for iancardosozup April 4, 2022 11:46
@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch 4 times, most recently from a3734db to 3d871d0 Compare April 4, 2022 13:34
@matheusalcantarazup (Contributor) left a comment

I'm afraid about accepting this PR, but here we go.

@wiliansilvazup wiliansilvazup force-pushed the hotfix/hash-duplicated branch from 3d871d0 to ba58229 Compare April 4, 2022 14:20
@wiliansilvazup wiliansilvazup merged commit 4ff44db into main Apr 6, 2022
wiliansilvazup added a commit that referenced this pull request Apr 6, 2022
(cherry picked from commit 4ff44db)
Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>