Skip to content

Commit

Permalink
fix: print debug output for issues during snyk enrich. (#49)
Browse files Browse the repository at this point in the history
Closes #47.
  • Loading branch information
mcombuechen authored Feb 1, 2024
1 parent 8ce0d37 commit cb64f57
Show file tree
Hide file tree
Showing 5 changed files with 77 additions and 34 deletions.
2 changes: 1 addition & 1 deletion internal/commands/snyk/enrich.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ func NewEnrichCommand(logger zerolog.Logger) *cobra.Command {
logger.Fatal().Err(err).Msg("Failed to read SBOM input")
}

snyk.EnrichSBOM(doc)
snyk.EnrichSBOM(doc, logger)

if err := doc.Encode(os.Stdout); err != nil {
logger.Fatal().Err(err).Msg("Failed to encode new SBOM")
Expand Down
7 changes: 4 additions & 3 deletions lib/snyk/enrich.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,18 @@ package snyk

import (
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/rs/zerolog"
"github.com/spdx/tools-golang/spdx"

"github.com/snyk/parlay/lib/sbom"
)

func EnrichSBOM(doc *sbom.SBOMDocument) *sbom.SBOMDocument {
func EnrichSBOM(doc *sbom.SBOMDocument, logger zerolog.Logger) *sbom.SBOMDocument {
switch bom := doc.BOM.(type) {
case *cdx.BOM:
enrichCycloneDX(bom)
enrichCycloneDX(bom, logger)
case *spdx.Document:
enrichSPDX(bom)
enrichSPDX(bom, logger)
}

return doc
Expand Down
49 changes: 35 additions & 14 deletions lib/snyk/enrich_cyclonedx.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,40 +25,61 @@ import (
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/package-url/packageurl-go"
"github.com/remeh/sizedwaitgroup"
"github.com/rs/zerolog"

"github.com/snyk/parlay/snyk/issues"
)

func enrichCycloneDX(bom *cdx.BOM) *cdx.BOM {
func enrichCycloneDX(bom *cdx.BOM, logger zerolog.Logger) *cdx.BOM {
if bom.Components == nil {
return bom
}

wg := sizedwaitgroup.New(20)
var mutex = &sync.Mutex{}
vulnerabilities := make(map[cdx.Component][]issues.CommonIssueModelVTwo)

for i, component := range *bom.Components {
wg.Add()
go func(component cdx.Component, i int) {
// TODO: return when there is no usable Purl on the component.
purl, _ := packageurl.FromString(component.PackageURL) //nolint:errcheck
defer wg.Done()

purl, err := packageurl.FromString(component.PackageURL)
if err != nil {
logger.Debug().
Err(err).
Str("BOM-Ref", string(component.BOMRef)).
Msg("Could not identify package.")
return
}

resp, err := GetPackageVulnerabilities(purl)
if err != nil {
logger.Err(err).
Str("purl", purl.ToString()).
Msg("Failed to fetch vulnerabilities for package.")
return
}

if err == nil {
packageData := resp.Body
var packageDoc issues.IssuesWithPurlsResponse
if err := json.Unmarshal(packageData, &packageDoc); err == nil {
if packageDoc.Data != nil {
mutex.Lock()
vulnerabilities[component] = *packageDoc.Data
mutex.Unlock()
}
}
packageData := resp.Body
var packageDoc issues.IssuesWithPurlsResponse
if err := json.Unmarshal(packageData, &packageDoc); err != nil {
logger.Err(err).
Str("status", resp.Status()).
Msg("Failed to decode Snyk vulnerability response.")
return
}

if packageDoc.Data != nil {
mutex.Lock()
vulnerabilities[component] = *packageDoc.Data
mutex.Unlock()
}
wg.Done()
}(component, i)
}

wg.Wait()

var vulns []cdx.Vulnerability
for k, v := range vulnerabilities {
for _, issue := range v {
Expand Down
43 changes: 30 additions & 13 deletions lib/snyk/enrich_spdx.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"sync"

"github.com/remeh/sizedwaitgroup"
"github.com/rs/zerolog"
"github.com/spdx/tools-golang/spdx"
spdx_2_3 "github.com/spdx/tools-golang/spdx/v2/v2_3"

Expand All @@ -34,35 +35,50 @@ const (
snykVulnerabilityDB_URI = "https://security.snyk.io"
)

func enrichSPDX(bom *spdx.Document) *spdx.Document {
func enrichSPDX(bom *spdx.Document, logger zerolog.Logger) *spdx.Document {
mutex := &sync.Mutex{}
wg := sizedwaitgroup.New(20)
vulnerabilities := make(map[*spdx_2_3.Package][]issues.CommonIssueModelVTwo)

for i, pkg := range bom.Packages {
wg.Add()

go func(pkg *spdx_2_3.Package, i int) {
defer wg.Done()

purl, err := utils.GetPurlFromSPDXPackage(pkg)
if err != nil {
if err != nil || purl == nil {
logger.Debug().
Str("SPDXID", string(pkg.PackageSPDXIdentifier)).
Msg("Could not identify package.")
return
}

resp, err := GetPackageVulnerabilities(*purl)
if err != nil {
logger.Err(err).
Str("purl", purl.String()).
Msg("Failed to fetch vulnerabilities for package.")
return
}

if err == nil {
packageData := resp.Body
var packageDoc issues.IssuesWithPurlsResponse
if err := json.Unmarshal(packageData, &packageDoc); err == nil {
if packageDoc.Data != nil {
mutex.Lock()
vulnerabilities[pkg] = *packageDoc.Data
mutex.Unlock()
}
}
packageData := resp.Body
var packageDoc issues.IssuesWithPurlsResponse
if err := json.Unmarshal(packageData, &packageDoc); err != nil {
logger.Err(err).
Str("status", resp.Status()).
Msg("Failed to decode Snyk vulnerability response.")
return
}

if packageDoc.Data != nil {
mutex.Lock()
vulnerabilities[pkg] = *packageDoc.Data
mutex.Unlock()
}
wg.Done()
}(pkg, i)
}

wg.Wait()

for pkg, vulns := range vulnerabilities {
Expand All @@ -80,6 +96,7 @@ func enrichSPDX(bom *spdx.Document) *spdx.Document {
url.PathEscape(*issue.Id),
),
}

if issue.Attributes.Title != nil {
ref.ExternalRefComment = *issue.Attributes.Title
}
Expand Down
10 changes: 7 additions & 3 deletions lib/snyk/enrich_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (

cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/jarcoal/httpmock"
"github.com/rs/zerolog"
spdx "github.com/spdx/tools-golang/spdx/v2/common"
spdx_2_3 "github.com/spdx/tools-golang/spdx/v2/v2_3"
"github.com/stretchr/testify/assert"
Expand All @@ -27,8 +28,9 @@ func TestEnrichSBOM_CycloneDXWithVulnerabilities(t *testing.T) {
},
}
doc := &sbom.SBOMDocument{BOM: bom}
logger := zerolog.Nop()

EnrichSBOM(doc)
EnrichSBOM(doc, logger)

assert.NotNil(t, bom.Vulnerabilities)
assert.Len(t, *bom.Vulnerabilities, 1)
Expand All @@ -52,8 +54,9 @@ func TestEnrichSBOM_CycloneDXWithoutVulnerabilities(t *testing.T) {
},
}
doc := &sbom.SBOMDocument{BOM: bom}
logger := zerolog.Nop()

EnrichSBOM(doc)
EnrichSBOM(doc, logger)

assert.Nil(t, bom.Vulnerabilities, "should not extend vulnerabilities if there are none")
}
Expand All @@ -79,8 +82,9 @@ func TestEnrichSBOM_SPDXWithVulnerabilities(t *testing.T) {
},
}
doc := &sbom.SBOMDocument{BOM: bom}
logger := zerolog.Nop()

EnrichSBOM(doc)
EnrichSBOM(doc, logger)

vulnRef := bom.Packages[0].PackageExternalReferences[1]
assert.Equal(t, "SECURITY", vulnRef.Category)
Expand Down

0 comments on commit cb64f57

Please sign in to comment.