package
0.59.2
Repository: https://github.com/smithy-security/smithy.git
Documentation: pkg.go.dev

# README

## Producers

A producer is a program that parses the output of a tool and converts it into a Smithy-compatible file that can be used by the enrichers and consumers.

## Writing Producers

Producers can be written in any language that supports protobufs; we have examples in Golang and Python. They are all structured the same way:

  1. Parse program arguments:
     1. `in`: the location of the raw tool results file
     2. `out`: the location where the Smithy-compatible output file will be written
  2. Parse the `in` file into Protobufs (`LaunchToolResponse`)
  3. Add metadata to the Protobufs (e.g. git/source-code information)
  4. Write the protobuf bytes to the `out` file

## Producer API

For convenience, there are helper functions in the `./producers` package (Golang) / module (Python).

The `WriteSmithyOut`/`write_smithy_out` method expects a list of issues, which it writes out as the `LaunchToolResponse` protobuf. Your producer should parse a tool's results into `Issue` protobufs, which are then passed to this method.
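The producer structure above (read the `in` file, convert each result into an Issue, hand the list to the writer), as an added Go example that is not the project's own code: a streaming parser for the concatenated-JSON tool output that `ParseMultiJSONMessages` is meant for, which refuses to emit a result set when a record is truncated or malformed. The `Issue` struct, the `finding` shape, the severity names, the `file:line` target format and `sampleResults` are all assumptions standing in for the generated protobuf types and a real tool's output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Issue stands in for Smithy's Issue protobuf (assumption: a real producer uses
// the generated protobuf types and passes them to WriteSmithyOut instead).
type Issue struct{ Target, Title, Description, Severity string }

// finding is one record of a hypothetical tool emitting concatenated JSON objects.
type finding struct {
	File, Rule, Message, Level string
	Line                       int
}

// sampleResults is constructed input: two records as such a tool might emit.
const sampleResults = `{"file":"a.go","line":3,"rule":"G101","message":"hardcoded credential","level":"high"}
{"file":"b.go","line":9,"rule":"G404","message":"weak random source"}`

// parseMultiJSON decodes back-to-back JSON objects until EOF and maps each to an
// Issue; a truncated or malformed record fails the whole run instead of silently
// handing the enrichers and consumers a partial result file.
func parseMultiJSON(r io.Reader) ([]Issue, error) {
	dec := json.NewDecoder(r)
	var issues []Issue
	for {
		var f finding
		if err := dec.Decode(&f); err == io.EOF {
			return issues, nil
		} else if err != nil {
			return nil, fmt.Errorf("decode tool results: %w", err)
		}
		sev := "SEVERITY_INFO" // default when the tool reports no level
		if f.Level == "high" {
			sev = "SEVERITY_HIGH"
		}
		issues = append(issues, Issue{Target: fmt.Sprintf("%s:%d", f.File, f.Line),
			Title: f.Rule, Description: f.Message, Severity: sev})
	}
}

func main() {
	issues, err := parseMultiJSON(strings.NewReader(sampleResults))
	fmt.Println(len(issues), "issues parsed, err:", err)
}
```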

# Packages

Package main of the cdxgen producer parses the CycloneDX output of cdxgen and creates a single Smithy issue from it.
Package main of the Dependency-Track producer reads a Dependency-Track export and translates it to the Smithy format.
Package main implements the binary for parsing trufflehog results into the Smithy format.

# Functions

EnsureValidFileTarget takes a file target string from an untrusted source, e.g.
EnsureValidPURLTarget takes a purl target string from an untrusted source, e.g.
GetFileTarget returns a file target string for a given file path.
GetPartsFromFileTarget takes a file target string and returns the parts.
GetPURLTarget returns a purl target string for a given package.
ParseFlags will parse the input flags for the producer and perform simple validation.
ParseMultiJSONMessages provides a method to parse tool results in JSON format.
ReadInFile returns the contents of the file given by InResults.
TestEndToEnd is a helper function to test the end-to-end functionality of a producer.
WriteSmithyOut provides a generic method to write the resulting protobuf to the output file.

# Constants


# Variables

The Append flag will append to the out file instead of overwriting it, which is useful when there are multiple InResults.
InResults represents incoming tool output.
OutFile points to the protobuf file where smithy results will be written.