Fix bearer, add dependency findings

safejulian · safejulian · commit fe8d75588b51 · 2024-11-02T17:51:12.000+13:00
* Bearer script was too complicated and missed the nonzero exit code
* Dependencies tool will look for deprecated package management
  approaches
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -10,7 +10,6 @@ GEM
     rainbow (3.1.1)
     regexp_parser (2.7.0)
     rexml (3.3.6)
-      strscan
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -37,11 +36,11 @@ GEM
     rubocop-ast (1.28.0)
       parser (>= 3.2.1.0)
     ruby-progressbar (1.13.0)
-    strscan (3.1.0)
     unicode-display_width (2.4.2)
 
 PLATFORMS
   arm64-darwin-21
+  arm64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
diff --git a/html_report.rb b/html_report.rb
@@ -100,6 +100,9 @@ def generate
     self
   end
 
+
+  # add in tool
+  #
   def results_matching(severity, rule_id)
     @results.select do |result|
       _description = result.description
@@ -115,7 +118,7 @@ def rules_and_descriptions(severity)
 
   def publish
     # generate erb template and write to the file from destination_path
-    File.open(@dest_path, 'w') do |file|
+    File.open(@dest_path, 'w+') do |file|
       html = ERB.new(self.class.template).result(binding)
       file.write(html)
     end
diff --git a/spec/bearer.sarif b/spec/bearer.sarif
diff --git a/spec/html_report_spec.rb b/spec/html_report_spec.rb
@@ -23,7 +23,7 @@
     it 'handles a directory of one or more sarif files' do
       report = HtmlReport.new("spec", nil)
       report.generate
-      expect(report.results.first.description.split("\n")[0]).to match "Suspicious use of netcat with IP address"
+      expect(report.results.first.description.split("\n")[0]).to match "Usage of hard-coded secret"
     end
 
     it 'publishes a simple html report' do
diff --git a/tools.d/bearer b/tools.d/bearer
@@ -4,6 +4,4 @@ set -euo pipefail
 which bearer > /dev/null || exit 1
 source=$1
 
-tmpdir=$(mktemp -d)
-bearer scan --quiet -f sarif "${source}" --output "${tmpdir}/bearer.sarif" 1>&2
-cat "${tmpdir}/bearer.sarif"
+bearer scan --quiet --exit-code 0 -f sarif "${source}"
diff --git a/tools.d/dependencies b/tools.d/dependencies
@@ -1,12 +1,10 @@
 #!/bin/bash
 
-# finds jar files or dlls that are checked into git repo, and checks if they are available in nuget
+# finds jar csproj_files or dlls that are checked into git repo, and checks if they are available in nuget
 # then reports via sarif format
 # usage: dependencies <path to repo>
 
 
-# rule: checked in dependencies
-# rule: vendor dependencies in repo
 set -euo pipefail
 which git > /dev/null || exit 1
 which dotnet > /dev/null || exit 1
@@ -47,7 +45,7 @@ report() {
 
 check_dll() {
   local file=$1
-  # ensure that the file isn't System. or Web.
+  # ensure that the csproj_file isn't System. or Web.
   # but report a more specific thing if it's a framework dependency
   dll_assembly_info "$source/$file" | grep -qE '^System.|^Web.|^Microsoft'
 }
@@ -59,22 +57,53 @@ check_jar() {
   jar_manifest_info "$source/$file" | grep -iqE 'apache|google|sun|oracle'
 }
 
-(cd "$source" && git ls-files | grep -E '\.jar$|\.dll$') | while read -r file; do
+find_package_config_files() {
+  find "$source" -iname "packages.config" | while read -r file; do
+    report "old-nuget-configuration" "Nuget dependencies should be declared in a PackageResource" "${file}"
+  done
+}
 
-  if [[ $file =~ \.dll ]] && check_dll "${file}"; then
-    report "checked-in-framework-dependencies" "Framework dependencies checked in to source control" "${file}"
-   elif [[ $file =~ \.jar ]] && check_jar "${file}"; then
-    report "checked-in-thirdparty-dependencies" "Third party dependencies checked in to source control" "${file}"
-  else
-    report "checked-in-dependencies" "dependencies checked in to source control" "${file}"
-   fi
+process_hint_paths() {
+  local csproj_file=$1
 
-done
+  grep -E '<HintPath>.*</HintPath>' "$csproj_file" | while read -r hint_path_entry; do
+    proj_dir=$(dirname "$csproj_file")
+    hintpath=$(echo "$hint_path_entry" | sed -E 's/.*<HintPath>(.*)<\/HintPath>.*/\1/' | sed -E 's/\\/\//g')
+    if [[ ! -f "${proj_dir}/$hintpath" ]]; then
+       report "hintpath-missing-file" "Missing DLL in Hint Path" "${csproj_file}"
+    fi
+  done
+}
+
+look_for_dependencies_in_source() {
+  (cd "$source" && git ls-files | grep -E '\.jar$|\.dll$') | while read -r file; do
+
+    if [[ $file =~ \.dll ]] && check_dll "${file}"; then
+      report "checked-in-framework-dependencies" "Framework dependencies checked in to source control" "${file}"
+     elif [[ $file =~ \.jar ]] && check_jar "${file}"; then
+      report "checked-in-thirdparty-dependencies" "Third party dependencies checked in to source control" "${file}"
+    else
+      report "checked-in-dependencies" "dependencies checked in to source control" "${file}"
+     fi
 
-find "$source" -iname "packages.config" | while read -r file; do
-  report "old-nuget-configuration" "Nuget dependencies should be declared in a PackageResource" "${file}"
+  done
+}
+
+look_for_busted_hint_paths() {
+# is there a csproj csproj_file with a Resource declared that has a HintPath attribute?  And does the Hintpath exist?
+# then does the Resource version match the version from the artifact in the HintPath?
+
+find "$source" -iname "*.csproj" | while read -r csproj_file; do
+  if grep -qi HintPath "$csproj_file"; then
+    process_hint_paths "$csproj_file"
+  fi
 done
+}
+
+look_for_busted_hint_paths
+find_package_config_files
+look_for_dependencies_in_source
 
-PATH="${brew_prefix}/opt/statica/libexec:.:$PATH" csv2sarif "depenencies" "0.1" "${findings_csv}"
+PATH="${brew_prefix}/opt/statica/libexec:.:$PATH" csv2sarif "dependencies" "0.1" "${findings_csv}"
 
 rm -rf "${tmp}"
