diff --git a/lib/snyk/config.go b/lib/snyk/config.go
index 064f989..92ce0c8 100644
--- a/lib/snyk/config.go
+++ b/lib/snyk/config.go
@@ -17,16 +17,12 @@ package snyk
 type Config struct {
-	SnykAdvisorWebURL string
-	SnykVulnerabilityDBWebURL string
-	SnykAPIURL string
-	APIToken string
+	SnykAPIURL string
+	APIToken string
 }
 func DefaultConfig() *Config {
 	return &Config{
-		SnykAdvisorWebURL: "https://snyk.io/advisor",
-		SnykVulnerabilityDBWebURL: "https://security.snyk.io",
-		SnykAPIURL: "https://api.snyk.io",
+		SnykAPIURL: "https://api.snyk.io",
 	}
 }
diff --git a/lib/snyk/enrich.go b/lib/snyk/enrich.go
index 6719c7e..1a9389a 100644
--- a/lib/snyk/enrich.go
+++ b/lib/snyk/enrich.go
@@ -24,12 +24,17 @@ import (
 	"github.com/snyk/parlay/lib/sbom"
 )
-func EnrichSBOM(conf *Config, doc *sbom.SBOMDocument, logger *zerolog.Logger) *sbom.SBOMDocument {
+const (
+	snykAdvisorWebURL = "https://snyk.io/advisor"
+	snykVulnerabilityDBWebURL = "https://security.snyk.io"
+)
+
+func EnrichSBOM(cfg *Config, doc *sbom.SBOMDocument, logger *zerolog.Logger) *sbom.SBOMDocument {
 	switch bom := doc.BOM.(type) {
 	case *cdx.BOM:
-		enrichCycloneDX(conf, bom, logger)
+		enrichCycloneDX(cfg, bom, logger)
 	case *spdx.Document:
-		enrichSPDX(conf, bom, logger)
+		enrichSPDX(cfg, bom, logger)
 	}
 	return doc
diff --git a/lib/snyk/enrich_cyclonedx.go b/lib/snyk/enrich_cyclonedx.go
index 4253253..faefd64 100644
--- a/lib/snyk/enrich_cyclonedx.go
+++ b/lib/snyk/enrich_cyclonedx.go
@@ -38,8 +38,8 @@ var cdxEnrichers = []cdxEnricher{
 	enrichCDXSnykVulnerabilityDBData,
 }
-func enrichCDXSnykVulnerabilityDBData(conf *Config, component *cdx.Component, purl *packageurl.PackageURL) {
-	url := SnykVulnURL(conf, purl)
+func enrichCDXSnykVulnerabilityDBData(cfg *Config, component *cdx.Component, purl *packageurl.PackageURL) {
+	url := SnykVulnURL(cfg, purl)
 	if url != "" {
 		ext := cdx.ExternalReference{
 			URL: url,
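Review bot: Removing the exported `SnykAdvisorWebURL` and `SnykVulnerabilityDBWebURL` fields from `Config` is a breaking change for any caller outside this module that sets them in a struct literal; if lib/snyk is consumed elsewhere, the commit message or a release note should say so. The two fields that remain carry no doc comments, and since `SnykAPIURL` is now the only endpoint the configuration can redirect, it is worth stating on the field what that implies: `// SnykAPIURL is the base URL of the Snyk REST API. APIToken is attached to every request sent to it, so it must only point at a host trusted to receive the token.` The constructor could get `// DefaultConfig returns a Config pointing at the public Snyk API with no token set.`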
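Review bot: The new `snykAdvisorWebURL` and `snykVulnerabilityDBWebURL` constants are declared in enrich.go, yet the readers visible in this diff are `SnykAdvisorURL` and `SnykVulnURL` in package.go (plus one use each in enrich_cyclonedx.go and enrich_spdx.go), and `version`, the constant they used to sit beside, stays in package.go; keeping the three together, or placing the two next to `Config` in config.go, would make them easier to find. They also replace values that were previously configurable, so the reason for fixing them deserves a comment such as `// Public web front-ends that enrichment links point at. Unlike SnykAPIURL no credentials are sent to these hosts, so they are fixed here rather than exposed on Config.` — assuming that is the intent behind dropping the config fields.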
@@ -54,8 +54,8 @@ func enrichCDXSnykVulnerabilityDBData(conf *Config, component *cdx.Component, pu
 	}
 }
-func enrichCDXSnykAdvisorData(conf *Config, component *cdx.Component, purl *packageurl.PackageURL) {
-	url := SnykAdvisorURL(conf, purl)
+func enrichCDXSnykAdvisorData(cfg *Config, component *cdx.Component, purl *packageurl.PackageURL) {
+	url := SnykAdvisorURL(cfg, purl)
 	if url != "" {
 		ext := cdx.ExternalReference{
 			URL: url,
@@ -70,14 +70,14 @@ func enrichCDXSnykAdvisorData(conf *Config, component *cdx.Component, purl *pack
 	}
 }
-func enrichCycloneDX(conf *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
-	auth, err := AuthFromToken(conf.APIToken)
+func enrichCycloneDX(cfg *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
+	auth, err := AuthFromToken(cfg.APIToken)
 	if err != nil {
 		logger.Fatal().Err(err).Msg("Failed to authenticate")
 		return nil
 	}
-	orgID, err := SnykOrgID(conf, auth)
+	orgID, err := SnykOrgID(cfg, auth)
 	if err != nil {
 		logger.Error().Err(err).Msg("Failed to infer preferred Snyk organization")
 		return nil
@@ -105,9 +105,9 @@ func enrichCycloneDX(conf *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BO
 			return
 		}
 		for _, enrichFunc := range cdxEnrichers {
-			enrichFunc(conf, component, &purl)
+			enrichFunc(cfg, component, &purl)
 		}
-		resp, err := GetPackageVulnerabilities(conf, &purl, auth, orgID)
+		resp, err := GetPackageVulnerabilities(cfg, &purl, auth, orgID)
 		if err != nil {
 			l.Err(err).
 				Str("purl", purl.ToString()).
@@ -206,7 +206,7 @@ func enrichCycloneDX(conf *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BO
 			for _, sev := range *issue.Attributes.Severities {
 				source := cdx.Source{
 					Name: "Snyk",
-					URL: snykVulnDBServer,
+					URL: snykVulnerabilityDBWebURL,
 				}
 				if sev.Score != nil {
 					score := float64(*sev.Score)
diff --git a/lib/snyk/enrich_spdx.go b/lib/snyk/enrich_spdx.go
index 5c5ef4b..e295eeb 100644
--- a/lib/snyk/enrich_spdx.go
+++ b/lib/snyk/enrich_spdx.go
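Review bot: In `enrichCycloneDX` a failure of `SnykOrgID` is logged at Error level and the function returns nil, whereas the same failure in `enrichSPDX` (the @@ -82 hunk in enrich_spdx.go) is logged at Fatal level; the commit touches both call sites without reconciling them, so the two SBOM formats behave differently on the same error. Because `EnrichSBOM` discards the return value, the CDX path quietly hands back an unenriched document while the SPDX path terminates the process; whichever is intended, it should be the same for both. The `return nil` after `logger.Fatal().Err(err).Msg("Failed to authenticate")` also looks unreachable if, as with zerolog's Fatal level, the message call exits the process. Both functions continue outside the hunk.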
@@ -39,8 +39,8 @@ var spdxEnrichers = []spdxEnricher{
 	enrichSPDXSnykVulnerabilityDBData,
 }
-func enrichSPDXSnykAdvisorData(conf *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
-	url := SnykAdvisorURL(conf, purl)
+func enrichSPDXSnykAdvisorData(cfg *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
+	url := SnykAdvisorURL(cfg, purl)
 	if url != "" {
 		ext := &spdx_2_3.PackageExternalReference{
 			Locator: url,
@@ -56,8 +56,8 @@ func enrichSPDXSnykAdvisorData(conf *Config, component *spdx_2_3.Package, purl *
 	}
 }
-func enrichSPDXSnykVulnerabilityDBData(conf *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
-	url := SnykVulnURL(conf, purl)
+func enrichSPDXSnykVulnerabilityDBData(cfg *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
+	url := SnykVulnURL(cfg, purl)
 	if url != "" {
 		ext := &spdx_2_3.PackageExternalReference{
 			Locator: url,
@@ -73,8 +73,8 @@ func enrichSPDXSnykVulnerabilityDBData(conf *Config, component *spdx_2_3.Package
 	}
 }
-func enrichSPDX(conf *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
-	auth, err := AuthFromToken(conf.APIToken)
+func enrichSPDX(cfg *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
+	auth, err := AuthFromToken(cfg.APIToken)
 	if err != nil {
 		logger.Fatal().
 			Err(err).
@@ -82,7 +82,7 @@ func enrichSPDX(conf *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.
 		return nil
 	}
-	orgID, err := SnykOrgID(conf, auth)
+	orgID, err := SnykOrgID(cfg, auth)
 	if err != nil {
 		logger.Fatal().
 			Err(err).
@@ -110,9 +110,9 @@ func enrichSPDX(conf *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.
 			return
 		}
 		for _, enrichFn := range spdxEnrichers {
-			enrichFn(conf, pkg, purl)
+			enrichFn(cfg, pkg, purl)
 		}
-		resp, err := GetPackageVulnerabilities(conf, purl, auth, orgID)
+		resp, err := GetPackageVulnerabilities(cfg, purl, auth, orgID)
 		if err != nil {
 			l.Err(err).
 				Str("purl", purl.ToString()).
@@ -150,7 +150,7 @@ func enrichSPDX(conf *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.
 				RefType: spdx.SecurityAdvisory,
 				Locator: fmt.Sprintf(
 					"%s/vuln/%s",
-					conf.SnykVulnerabilityDBWebURL,
+					snykVulnerabilityDBWebURL,
 					url.PathEscape(*issue.Id)),
 			}
diff --git a/lib/snyk/package.go b/lib/snyk/package.go
index becc4a7..f762e44 100644
--- a/lib/snyk/package.go
+++ b/lib/snyk/package.go
@@ -28,11 +28,7 @@ import (
 	"github.com/snyk/parlay/snyk/issues"
 )
-const (
-	version = "2023-04-28"
-	snykAdvisorServer = "https://snyk.io/advisor"
-	snykVulnDBServer = "https://security.snyk.io"
-)
+const version = "2023-04-28"
 func purlToSnykAdvisor(purl *packageurl.PackageURL) string {
 	return map[string]string{
@@ -43,12 +39,12 @@ func purlToSnykAdvisor(purl *packageurl.PackageURL) string {
 	}[purl.Type]
 }
-func SnykAdvisorURL(conf *Config, purl *packageurl.PackageURL) string {
+func SnykAdvisorURL(cfg *Config, purl *packageurl.PackageURL) string {
 	ecosystem := purlToSnykAdvisor(purl)
 	if ecosystem == "" {
 		return ""
 	}
-	url := conf.SnykAdvisorWebURL + "/" + ecosystem + "/"
+	url := snykAdvisorWebURL + "/" + ecosystem + "/"
 	if purl.Namespace != "" {
 		url += purl.Namespace + "/"
 	}
@@ -73,12 +69,12 @@ func purlToSnykVulnDB(purl *packageurl.PackageURL) string {
 	}[purl.Type]
 }
-func SnykVulnURL(conf *Config, purl *packageurl.PackageURL) string {
+func SnykVulnURL(cfg *Config, purl *packageurl.PackageURL) string {
 	ecosystem := purlToSnykVulnDB(purl)
 	if ecosystem == "" {
 		return ""
 	}
-	url := conf.SnykVulnerabilityDBWebURL + "/package/" + ecosystem + "/"
+	url := snykVulnerabilityDBWebURL + "/package/" + ecosystem + "/"
 	if purl.Namespace != "" {
 		url += purl.Namespace + "%2F"
 	}
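Review bot: After this change `SnykAdvisorURL` never reads its `cfg` parameter (the base URL now comes from `snykAdvisorWebURL`), and the same holds for `SnykVulnURL` in the @@ -73 hunk below; both functions are exported, so dropping the parameter would be a further API break, but without a comment a reader will wonder whether a configuration value was forgotten. Either rename it to `_ *Config` so the non-use is explicit, or document it: `// cfg is currently unused: the advisor base URL is the fixed snykAdvisorWebURL. The parameter is kept so the exported signature is stable and the function can still be called like the other enrichers.` — the enricher part is inferred from how `cdxEnrichers`/`spdxEnrichers` call these functions and should be confirmed. Both function bodies continue outside their hunks.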
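Review bot: `purl.Namespace` is concatenated into the link unescaped while the separator after it is hand-encoded as `%2F`, and the advisor builder in the @@ -43 hunk above does the same with `purl.Namespace + "/"`; the name appended later (outside the hunk) presumably gets the same treatment. A namespace that decodes to a value containing `?`, `#` or `%` produces a link whose path ends early or is mis-parsed, and that link is then written into the SBOM as an external reference, so it would be consistent with the `url.PathEscape(*issue.Id)` used in enrich_spdx.go to escape here too: `url += neturl.PathEscape(purl.Namespace) + "%2F"` with `neturl "net/url"` imported, since the local variable named `url` prevents using the package under its default name. The commit does not introduce this, but it is touching exactly these lines.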
@@ -86,8 +82,8 @@ func SnykVulnURL(conf *Config, purl *packageurl.PackageURL) string {
 	return url
 }
-func GetPackageVulnerabilities(conf *Config, purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID) (*issues.FetchIssuesPerPurlResponse, error) {
-	client, err := issues.NewClientWithResponses(conf.SnykAPIURL, issues.WithRequestEditorFn(auth.Intercept))
+func GetPackageVulnerabilities(cfg *Config, purl *packageurl.PackageURL, auth *securityprovider.SecurityProviderApiKey, orgID *uuid.UUID) (*issues.FetchIssuesPerPurlResponse, error) {
+	client, err := issues.NewClientWithResponses(cfg.SnykAPIURL, issues.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}
diff --git a/lib/snyk/self.go b/lib/snyk/self.go
index 4c1b29a..17c4e1a 100644
--- a/lib/snyk/self.go
+++ b/lib/snyk/self.go
@@ -37,8 +37,8 @@ type selfDocument struct {
 	}
 }
-func SnykOrgID(conf *Config, auth *securityprovider.SecurityProviderApiKey) (*uuid.UUID, error) {
-	experimental, err := users.NewClientWithResponses(conf.SnykAPIURL, users.WithRequestEditorFn(auth.Intercept))
+func SnykOrgID(cfg *Config, auth *securityprovider.SecurityProviderApiKey) (*uuid.UUID, error) {
+	experimental, err := users.NewClientWithResponses(cfg.SnykAPIURL, users.WithRequestEditorFn(auth.Intercept))
 	if err != nil {
 		return nil, err
 	}