privado-inc / privado
Open-source static scanning tool to detect data flows in your code, find data security vulnerabilities and generate an accurate Play Store Data Safety Report.

Home Page: https://docs.privado.ai

License: GNU Lesser General Public License v3.0

android-privacy-tools appsec compliance devprivops devsecops gdpr gdpr-compliant hacktoberfest play-store-data-safety privacy-by-design privacy-engineering privacy-labels privacy-policy static-analysis


privado's Issues

[BUG] False Positives not removed

Describe the bug
In the Data Safety tool, when I mark something as "non personal" in the section "Review Data Types and Occurrences in code" or "false positive" in the section "Review Third Party integrations in your app", it seems not to be taken into account, because these are still in the final report.

To Reproduce
Steps to reproduce the behavior:

  1. Scan the code of an app
  2. In the "Review Data Types and Occurrences in code" section, mark something as "non personal"
  3. in the "Review Third Party integrations in your app" mark something as "false positive"
  4. In the summary and the generated reports (csv, pdf) the things I marked as "non personal" or "false positive" are still visible

Expected behavior
They should not be visible in the final report

Desktop (please complete the following information):

  • OS: mac OS 12.1
  • Browser Chrome
  • Version 102.0.5005.61 (Build officiel) (x86_64)

[BUG] Docker Container does not support proxy configuration or mirrors for maven repositories.

Describe the bug
Docker Container does not support proxy configuration or mirrors for maven repositories.

This means custom artifacts only available in local maven repositories or global ones that require proxy configurations to reach, will not be retrievable.

To Reproduce
Steps to reproduce the behavior:

  1. Setup local artifactory mirror or similar
  2. Push custom artifact to local mirror
  3. Setup pom.xml in test-folder with dependency on custom artifact
  4. Run `privado scan test-folder`
  5. See error in logs

Expected behavior
Container should use local ~/.m2/settings.xml configuration to access 3rd party mirrors or proxies.

Screenshots

[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]   
[ERROR]   The project <project-name>:1.0.0-SNAPSHOT (/app/code/pom.xml) has 1 error
[ERROR]     Non-resolvable parent POM for <project-name>:1.0.0-SNAPSHOT: Could not transfer artifact <artifact>:pom:1.6.0 from/to default (https://jfrog.<custom-repo>.com/artifactory/maven): Transfer failed for https://jfrog.<custom-repo>.com/artifactory/maven/<artifact-path>-1.6.0.pom and 'parent.relativePath' points at wrong local POM @ line 11, column 13: Unknown host jfrog.<custom-repo>.com: No address associated with hostname -> [Help 2]
[ERROR] 

Desktop (please complete the following information):

  • OS: Ubuntu 20.04.5 LTS
  • Version: Privado CLI: Version v2.1.0 (linux-amd64)

Code is included in the scan results (as "excerpt")

Is your feature request related to a problem? Please describe.
Code is included in the scan results (as "excerpt") which is used to provide context for the finding. If someone chooses to use the Privacy View Cloud Dashboard, that code is uploaded to your cloud. I believe people will notice this and some will likely have a problem with it, especially since the github states ”Note that no code is sent to the cloud.”

Describe the solution you'd like
I suggest updating the language or asking the user if they want the code snippet to be included in the upload.
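One way to act on the second half of that suggestion, as an added example that is not Privado's own code: before the result file is uploaded, walk it and replace every code excerpt with a placeholder unless the user opted in, and report how many were stripped. The result layout and the "excerpt" key are assumptions for illustration; the sample document is constructed.

```python
# Added example (not Privado's own code): strip source excerpts from a scan
# result before it leaves the machine. The result layout and the "excerpt"
# key are assumptions made for illustration; adapt them to the real file.
import json
from typing import Any, Tuple

EXCERPT_KEYS = {"excerpt"}  # assumed name of the field carrying code snippets


def redact_excerpts(node: Any, placeholder: str = "<redacted>") -> Tuple[Any, int]:
    """Return a copy of `node` with every excerpt string replaced by
    `placeholder`, plus the number of replacements. Walks nested dicts and
    lists; the input object is left unmodified."""
    if isinstance(node, dict):
        out, count = {}, 0
        for key, value in node.items():
            if key in EXCERPT_KEYS and isinstance(value, str):
                out[key] = placeholder
                count += 1
            else:
                out[key], n = redact_excerpts(value, placeholder)
                count += n
        return out, count
    if isinstance(node, list):
        items, count = [], 0
        for item in node:
            new_item, n = redact_excerpts(item, placeholder)
            items.append(new_item)
            count += n
        return items, count
    return node, 0


def prepare_upload(result: dict, include_code: bool) -> Tuple[str, int]:
    """Serialize `result` for upload. Unless the user explicitly opted in,
    excerpts are redacted first; the count lets the CLI tell the user what
    was stripped."""
    if include_code:
        return json.dumps(result, sort_keys=True), 0
    redacted, count = redact_excerpts(result)
    return json.dumps(redacted, sort_keys=True), count


# Constructed sample result, shaped loosely like a findings document.
SAMPLE_RESULT = {
    "repoName": "example-app",
    "sources": [
        {
            "id": "Data.Sensitive.ContactData.PhoneNumber",
            "occurrences": [
                {"fileName": "src/User.java", "lineNumber": 12,
                 "excerpt": "private String phone;"}
            ],
        }
    ],
    "sinks": [
        {
            "id": "ThirdParties.SDK.Example",
            "occurrences": [
                {"fileName": "src/Api.java", "lineNumber": 40,
                 "excerpt": "client.send(user.getPhone());"}
            ],
        }
    ],
}

if __name__ == "__main__":
    payload, stripped = prepare_upload(SAMPLE_RESULT, include_code=False)
    print(f"stripped {stripped} excerpt(s); {len(payload)} bytes to upload")
```

File names and line numbers are kept, so the dashboard can still point at the finding; only the source text is withheld. The original object is copied rather than edited in place, so the local report keeps its excerpts.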

DB write identification by parsing JDBC query to check Insert, update and delete query with executeQuery

Is your feature request related to a problem? Please describe.
When an insert query is fired with executeQuery, it is marked as a DB read.

Describe the solution you'd like
As of now, we identify DB read when JDBC executeQuery method is used and DB Write when the executeUpdate method is being called. We need to parse the query to check if a query is using insert, delete or update with JDBC executeQuery method.

This issue was reported by the Here team.
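The classification described above, as an added example that is not Privado's own code: the JDBC method name decides only the executeUpdate case, and for executeQuery the statement verb is read from the SQL text. Comments and string literals are skipped and a leading WITH clause is stepped over, because the first word of a statement is often not its verb. The sample calls are constructed.

```python
# Added example (not Privado's own code): classify a JDBC call as a DB read
# or DB write from the SQL text rather than from the method name alone, so
# that an INSERT/UPDATE/DELETE issued through executeQuery is still tagged as
# a write. Comment stripping, string skipping and CTE handling are included
# because the first token of a statement is often not its verb.
import re

WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE", "REPLACE", "UPSERT", "TRUNCATE"}
READ_VERBS = {"SELECT", "SHOW", "DESCRIBE", "EXPLAIN"}

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
# Tokens we care about: parentheses (for nesting depth), quoted strings
# (skipped so a literal like 'delete me' cannot fool us) and bare words.
_TOKEN_RE = re.compile(r"\(|\)|'(?:[^']|'')*'|\"[^\"]*\"|[A-Za-z_][A-Za-z0-9_]*")


def classify_statement(sql: str) -> str:
    """Return "write", "read" or "unknown" for one SQL statement.

    The statement verb is the first keyword found at parenthesis depth 0,
    so `WITH stale AS (SELECT ...) DELETE ...` is a write even though a
    SELECT appears before the DELETE."""
    text = _COMMENT_RE.sub(" ", sql)
    depth = 0
    for tok in _TOKEN_RE.findall(text):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif depth == 0 and tok[0] not in "'\"":
            word = tok.upper()
            if word in WRITE_VERBS:
                return "write"
            if word in READ_VERBS:
                return "read"
            # WITH, RECURSIVE, CTE names, AS ... are skipped until a verb shows up
    return "unknown"


def classify_jdbc_call(method: str, sql: str) -> str:
    """Combine the JDBC method with the statement text.

    executeUpdate is always a write. executeQuery and execute are decided by
    the SQL; when the SQL is not available as a literal we fall back to the
    old rule (executeQuery => read)."""
    if method == "executeUpdate":
        return "write"
    if method in ("executeQuery", "execute"):
        kind = classify_statement(sql) if sql else "unknown"
        if kind != "unknown":
            return kind
        return "read" if method == "executeQuery" else "unknown"
    return "unknown"


if __name__ == "__main__":
    # Constructed calls, as a scanner would extract them from Java source.
    for method, sql in [
        ("executeQuery", "INSERT INTO users (phone) VALUES (?)"),
        ("executeQuery", "-- audit\nSELECT phone FROM users WHERE id = ?"),
        ("executeQuery", "WITH stale AS (SELECT id FROM sessions) DELETE FROM users WHERE id IN (SELECT id FROM stale)"),
        ("executeUpdate", "SELECT 1"),
    ]:
        print(f"{method:13s} -> {classify_jdbc_call(method, sql)}")
```

Queries built by string concatenation at runtime will not reach the classifier as a literal; for those the fallback keeps the current behaviour rather than guessing.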

[BUG] AWS SDK is not getting detected in given repo

Describe the bug
I tried to scan the following repo https://github.com/nccgroup/ScoutSuite and couldn't find the AWS SDK being identified. Event

To Reproduce
Steps to reproduce the behavior:

1. Clone the repository
2. privado scan <repo local path>
3. Go to the community dashboard page once the scan is done.
4. Select the inventory section. (Don't find AWS listed there)

Expected behavior
As this repo is using AWS SDK it should identify it under the Inventory section.

Also show the declaration of field in processing

Is your feature request related to a problem? Please describe.
Currently, Privado only shows the set part in the Processing instances but for me to understand if it is actually the right field I would need to see the declaration of the field from where that personal data was tagged.

Describe the solution you'd like
A possible solution could be to show processing similar to data flows where the source becomes the declaration and the sink becomes the processing instance shown currently. One possible problem with this in UI could be if the same declaration is related to multiple processing instances, it could seem a lot like repetition so we can possibly consider smarter grouping.

Describe alternatives you've considered
Current alternative is to audit the code to go back and confirm the declaration.

Additional context
In the attached screenshot only one processing instance, this.phoneNo, is easy to identify by looking at the code; all the others require more context.

@luizleite-hotmart - Created this issue based on your suggestion. Please add more context if needed.

image

[BUG] Report PDF is blank

Describe the bug
Operating System: MacOS
Run the Privado CLI, fill in all the sections, go to the final screen, and hit "Save as PDF". The downloaded report is blank.

To Reproduce
Steps to reproduce the behavior:

  1. Run privado scan
  2. Fill in all the sections, go to the final screen, and hit "Save as PDF"

Expected behavior
PDF report should be proper with all the data

Feature: Non-interactive flags for upload consent

Problems:

  1. There is no way to run the complete scan process in a non-interactive way. The upload consent requires user input, which makes it incompatible with CI environments. The only workaround is to do something like: yes | privado scan <dir>, which might not be desirable.

  2. Once consent is granted, there is no CLI way to skip specific results from being uploaded. The only option is to manually modify ~/.privado/config.json file.

Solution:
Introduce two flags, which override any existing consent, including the consent flow itself:

  1. --upload: If specified, will automatically attempt to upload the scan result to Privado Privacy View Dashboard
  2. --skip-upload: If specified, the result artifacts will not be uploaded to Privado Dashboard

Also relates to #48

[BUG] Error messages from Docker daemon are not surfaced in Privado scan

Describe the bug
While running a privado scan, the CLI tried to download the latest Docker image. It was observed that the image was pulled each time privado scan was executed. The versions shown in the scan logs were also the same every time.

Privado CLI Version: v2.2.3
Privado Core Version: 1.1.24
Privado Language Engine Version: 1.1.1494

Upon further debugging it was seen that there was an error message after downloading the image:

$ sudo docker pull public.ecr.aws/privado/privado:latest
latest: Pulling from privado/privado
1e4aec178e08: Already exists 
6c1024729fee: Already exists 
c3aa11fbc85a: Already exists 
aa54add66b3a: Already exists 
424a482a2426: Already exists 
dd5f058a2da2: Already exists 
a26613b8e79c: Extracting [==================================================>]  116.5MB/116.5MB
81c05861dd9f: Download complete 
8cb96d44b91c: Download complete 
b8175293c6ec: Download complete 
e1a7c84062da: Download complete 
d03dbf7539f0: Download complete 
25040cac1480: Download complete 
failed to register layer: Error processing tar file(exit status 1): write /usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so: no space left on device

To Reproduce
This happens when there is some error within Docker while or after downloading the image.

  • Fill up the disk space of machine.
  • Try running privado scan
  • No error is seen under Privado Cli Logs

Expected behavior
These ERROR messages from docker daemon should be surfaced into privado's output

Desktop (please complete the following information):

  • OS: [Centos 8]
  • Browser [N/A]
  • Version [Privado CLI: Version v2.2.3 (linux-amd64)]

Enhance PII Detection for ARCore

Describe the bug
Reported here in #21 by @MrCsabaToth

Problem: Does not populate ARCore-based PIIs

This is because Privado populates form values based on third parties only if data elements are detected independently. In cases where no corresponding elements were detected in the first place, we do not go back to populate elements based on third parties. As reported by the user, there were no elements scanned by the tool independent of a third party, and hence no data to be pre-filled even though we have data safety values for ARCore.

Expected behavior
The user expected data elements to be populated due to the usage of ARCore and camera permissions.

[BUG] JSONExporter: Failed to export output.

Describe the bug
Getting java.net.MalformedURLException when the result is exported

To Reproduce
Steps to reproduce the behavior:

  1. Scan a repo
  2. In result exporting step, getting the following error

Expected behavior
No error when exporting

Additional context
Ran the scan in --debug mode to get the following error snapshot
Note - .privado/privado.json was generated, and able to upload it to dashboard, using upload command

Screenshot 2022-09-28 at 12 27 25 PM

[BUG] Python: Support detecting payment gateways sdks

Describe the bug
Python: support detecting payment gateway SDKs. A few well-known payment gateways are listed below.

Stripe
Paypal
Alipay
Ebpay
Gopay
Wepay
Bitpay

Expected behavior
Should be able to identify above Payment SDKs within source code if used.

[BUG] Excessive time taken to perform with no feedback

Describe the bug
Ran privado scan on a medium sized spring boot application:

sloccount output:

Totals grouped by language (dominant language first):
java:         69749 (97.19%)
xml:           1983 (2.76%)
sh:              35 (0.05%)

The program took an exorbitantly long time to process one section (APITagger took multiple hours) and is still not finished (been running for 24 hours already).

To Reproduce
Steps to reproduce the behavior:

$ privado scan --debug --skip-upload <repo>

I have no way to provide more concrete reproduction steps as the code base is proprietary and cannot be shared at the moment.

Expected behavior

  • More verbose/granular logging mode to provide feedback for bugs or insights into solving the problem locally.

Screenshots

Notice the time stamp difference (and time completed):

2022-10-19 13:37:34.524 INFO CpgPass: Start of pass: ai.privado.tagger.sink.APITagger
2022-10-20 07:50:19.211 INFO CpgPass: Pass ai.privado.tagger.sink.APITagger completed in 8289656 ms (0% on mutations). 0 + 0 changes committed from 1 parts.

Examples of other checks taking ms of time

2022-10-19 13:37:34.462 INFO CpgPass: Start of pass: ai.privado.tagger.sink.RegularSinkTagger
2022-10-19 13:37:34.485 INFO CpgPass: Pass ai.privado.tagger.sink.RegularSinkTagger completed in 23 ms (2% on mutations). 625 + 625 changes committed from 1 parts.
2022-10-19 13:37:34.485 INFO CpgPass: Start of pass: ai.privado.tagger.sink.RegularSinkTagger
2022-10-19 13:37:34.515 INFO CpgPass: Pass ai.privado.tagger.sink.RegularSinkTagger completed in 29 ms (5% on mutations). 2075 + 2075 changes committed from 1 parts.
2022-10-19 13:37:34.515 INFO CpgPass: Start of pass: ai.privado.tagger.sink.RegularSinkTagger
2022-10-19 13:37:34.523 INFO CpgPass: Pass ai.privado.tagger.sink.RegularSinkTagger completed in 9 ms (0% on mutations). 35 + 35 changes committed from 1 parts.
2022-10-19 13:37:34.524 INFO CpgPass: Start of pass: ai.privado.tagger.sink.APITagger
2022-10-20 07:50:19.211 INFO CpgPass: Pass ai.privado.tagger.sink.APITagger completed in 8289656 ms (0% on mutations). 0 + 0 changes committed from 1 parts.
2022-10-20 07:50:19.211 INFO CpgPass: Start of pass: ai.privado.tagger.sink.APITagger
# Stuck here now...

Desktop:

  • OS: Ubuntu 20.04.5 LTS
  • Browser: Not relevant
  • Version: Privado CLI: Version v2.1.0 (linux-amd64)

Additional context
Add any other context about the problem here.

[BUG] Section titles in Code Analysis are too short

Describe the bug
Section titles are too short to be distinguished properly.

To Reproduce
Open the Code Analysis pane of one project with both Java Database Connector (Write) and Java Database Connector (Read) findings, mouse over each title to distinguish which is which.

Expected behavior
As long as there is enough space to display the entire title, the title should be displayed entirely

Screenshots
Screenshot 2022-09-12 at 08 51 27

Desktop (please complete the following information):

  • Browser: Firefox

upgrade phone rule to get only phone keyword

Description
There's a small problem with the phone rule. If the field is called phoneDetail it is matched correctly, but if the field is just phone the regex would not catch it.

To Reproduce
Steps to reproduce the behavior:

  1. Scan a repository containing a variable or a class attribute named as phone
  2. Observe the results. There are no instances of 'phone' reported under the source -> Data.Sensitive.ContactData.PhoneNumber .

Expected behavior
phone should be reported as a source under Data.Sensitive.ContactData.PhoneNumber .

Desktop (please complete the following information):

  • Reproduced across all architectures and operating systems.

[Feature] Support to find the collections for FastAPI framework in python

Is your feature request related to a problem? Please describe.
Support to find the collections for FastAPI framework in python.
https://github.com/tiangolo/fastapi


from typing import Union  # needed for the Union[str, None] annotation below
from fastapi import FastAPI

app = FastAPI()

# Collection point: item_id and q arrive from the request and are returned to the caller
@app.get("/items/{item_id}")
def read_item(item_id: int, q: Union[str, None] = None):
    return {"item_id": item_id, "q": q}

Describe the solution you'd like
Add rules which can find the flows going from PIIs to FastAPI collection points.

Update Privacy Policy

Is your feature request related to a problem? Please describe.
Current privacy policy was more relevant to the Data Safety project and we need to update it.

Describe the solution you'd like
Update the privacy policy with details on telemetry events and align with the open source license.

Describe alternatives you've considered
NA

Additional context

[BUG] Unresponsive scan on Guess Language Failure

Describe the bug: Unhandled AccessDeniedException
Environment: CentOS VM created using VMWare ESXI Hypervisor


Observed Behaviour:
On running the scan in non-debug mode, the scan gets stuck after "Guessing language."
Upon running this with --debug, it shows an exception AccessDeniedException: /app/code raised from core.

Issues

  • Gracefully catch & output the unhandled exception, and terminate the scan process
  • Investigate the AccessDeniedException

Investigative Comments

  • The user is root
  • Has appropriate permissions & ownership to code files

Logs

[root@localhost sample_app]$ sudo /usr/local/bin/privado scan --debug BankingSystem-Backend/

> Scanning directory: /home/privado/dindia/sample_app/BankingSystem-Backend

> Pulling the latest image: public.ecr.aws/privado/privado:latest
Trying to pull repository public.ecr.aws/privado/privado ...
latest: Pulling from public.ecr.aws/privado/privado
Digest: sha256:47f9bd5a32ff4dbea131d39ed355ada0e9190416ffb61b70a2ecd686fa6278ba
Status: Image is up to date for public.ecr.aws/privado/privado:latest

> Starting container with the latest image
> Container ID: eb5c0af71802df04ab9af1b18bde7533f2ecc4d5221a1a59d5d5fcb377e38163

> Waiting for process to complete:
Privado CLI Version: v2.1.0
Privado Core Version: 1.1.0
Privado Main Version: 1.1.0

2022-09-28 06:33:31.443 INFO ScanProcessor$: Caching rules
Configuration parsed...
Guessing source code language...
2022-09-28 06:33:31.465 DEBUG Main$: Failure from scan process:
java.nio.file.AccessDeniedException: /app/code
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:431) ~[?:?]
        at java.nio.file.Files.newDirectoryStream(Files.java:476) ~[?:?]
        at java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:300) ~[?:?]
        at java.nio.file.FileTreeWalker.walk(FileTreeWalker.java:322) ~[?:?]
        at java.nio.file.FileTreeIterator.<init>(FileTreeIterator.java:71) ~[?:?]
        at java.nio.file.Files.walk(Files.java:3891) ~[?:?]
        at better.files.File.walk(File.scala:767) ~[com.github.pathikrit.better-files_2.13-3.9.1.jar:3.9.1]
        at better.files.File.listRecursively(File.scala:754) ~[com.github.pathikrit.better-files_2.13-3.9.1.jar:3.9.1]
        at io.joern.console.cpgcreation.package$.guessMajorityLanguageInDir(package.scala:59) ~[io.joern.console_2.13-1.1.1078.jar:1.1.1078]
        at io.joern.console.cpgcreation.package$.guessLanguage(package.scala:44) ~[io.joern.console_2.13-1.1.1078.jar:1.1.1078]
        at ai.privado.entrypoint.ScanProcessor$.processCPG(ScanProcessor.scala:281) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
        at ai.privado.entrypoint.ScanProcessor$.process(ScanProcessor.scala:259) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
        at ai.privado.entrypoint.Main$.$anonfun$main$1(Main.scala:39) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
        at ai.privado.metric.MetricHandler$.timeMetric(MetricHandler.scala:58) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
        at ai.privado.entrypoint.Main$.main(Main.scala:39) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
        at ai.privado.entrypoint.Main.main(Main.scala) ~[ai.privado.privado-core-1.1.0.jar:1.1.0]
2022-09-28 06:33:31.478 DEBUG Main$: Skipping auth flow due to scan failure

[BUG] Mongo databases not getting detected

Describe the bug
I tried scanning the following repository - https://github.com/Luka-pp/Milestone-Project-3. The results do not show Mongo storage being detected by the privado scanner, even though a Mongo database is used in this repository.

To Reproduce
Steps to reproduce the behavior:

1. Clone the repository
2. privado scan <repo local path>
3. Go to the community dashboard page once the scan is done.
4. Select the inventory section. (Don't find Mongo database listed there)

Expected behavior

It should show the Mongo database listed under the inventory section.

[BUG] Getting error while passing a custom rule with -c flag

Describe the bug
Getting an error adding a custom rules folder to the CLI.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a repository for the scan. In my case, I used BankingSystem-Backend
  2. Add a folder named rules inside the repository
  3. Add java.yaml file inside the rules folder, to add those rules in the Java scanner
  4. Run the scan with command privado scan <repo> -c <repo>/rules
  5. Once the scan starts, you get an error ERROR ScanProcessor$: Rules path /app/external-rules is not accessible

Expected behavior
I was expecting the engine to accept the custom rule and detect elements in the code scan.

Desktop (please complete the following information):

  • OS: macOS Monterey 12.6
  • Privado CLI Version: v2.1.0
  • Privado Core Version: 1.1.0
  • Privado Main Version: 1.1.0

[Feature] For boto3 library segregate the AWS services

Is your feature request related to a problem? Please describe.
For the boto3 library, segregate the AWS services.
https://boto3.amazonaws.com/v1/documentation/api/latest/index.html#

import boto3

# Get the service resource
sqs = boto3.resource('sqs')

# Create the queue. This returns an SQS.Queue instance
queue = sqs.create_queue(QueueName='test', Attributes={'DelaySeconds': '5'})

In the above example we should be able to segregate or highlight that the sqs service being used is AWS SQS.
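One way to get that segregation, as an added example that is not Privado's own code: parse the Python file into an AST and collect the service name passed to boto3.client(...) and boto3.resource(...), including calls made through a boto3 Session variable. Only string literals are resolved; a computed name is reported as "<dynamic>" rather than guessed. The sample source is constructed and extends the snippet in the request.

```python
# Added example (not Privado's own code): find which AWS services a Python
# file talks to by walking its AST for boto3.client(...)/boto3.resource(...)
# calls, including calls made through a boto3.Session object. Only literal
# service names are resolved; anything computed at runtime is reported as
# "<dynamic>". The sample source below is constructed for the demo.
import ast
from collections import Counter
from typing import Optional

SESSION_CTORS = {"boto3.Session", "boto3.session.Session"}
FACTORY_METHODS = {"client", "resource"}


def _dotted(node: ast.AST) -> Optional[str]:
    """Render `a.b.c` style expressions as a string; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _service_name(call: ast.Call) -> str:
    """First positional arg or service_name= keyword, if it is a string literal."""
    candidates = list(call.args[:1]) + [kw.value for kw in call.keywords if kw.arg == "service_name"]
    for node in candidates:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value.lower()
    return "<dynamic>"


def aws_services_used(source: str) -> Counter:
    """Count boto3 service handles created in `source`, keyed by service name."""
    tree = ast.parse(source)
    # Pass 1: variables bound to a boto3 Session, so `session.client("s3")` counts.
    session_vars = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _dotted(node.value.func) in SESSION_CTORS):
            session_vars.update(t.id for t in node.targets if isinstance(t, ast.Name))
    # Pass 2: client()/resource() calls whose receiver is boto3 itself or a session.
    services = Counter()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in FACTORY_METHODS:
            continue
        receiver = node.func.value
        receiver_name = _dotted(receiver)
        via_boto3 = (
            receiver_name == "boto3"
            or receiver_name in session_vars
            or (isinstance(receiver, ast.Call) and _dotted(receiver.func) in SESSION_CTORS)
        )
        if via_boto3:
            services[_service_name(node)] += 1
    return services


# Constructed sample; the first two statements mirror the snippet in the request.
SAMPLE_SOURCE = '''
import boto3

sqs = boto3.resource('sqs')
queue = sqs.create_queue(QueueName='test', Attributes={'DelaySeconds': '5'})

session = boto3.Session(profile_name="audit")
s3 = session.client("s3")
ddb = boto3.client(service_name="dynamodb", region_name="eu-west-1")
kms = boto3.session.Session().client("kms")
name = "sns"
topic = boto3.client(name)          # not a literal: reported as <dynamic>
other = some_sdk.client("sqs")      # not boto3: ignored
'''

if __name__ == "__main__":
    for service, n in sorted(aws_services_used(SAMPLE_SOURCE).items()):
        print(f"AWS {service.upper():9s} x{n}")
```

Aliased imports (import boto3 as b) and sessions passed in as function parameters are not tracked here; a real tagger would resolve those through the CPG rather than by variable name.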

[BUG] Ports are not available: exposing port TCP 0.0.0.0:3000 address already in use

Describe the bug

Starting container with the latest image
Container ID: 0274c8db4d8f44fae5aac464a26eb46735f60ed97f8a4b74313f5264aa06cc41
Received error: Error response from daemon: Ports are not available: exposing port TCP 0.0.0.0:3000 -> 0.0.0.0:0: listen tcp 0.0.0.0:3000: bind: address already in use

To Reproduce
Steps to reproduce the behavior:
Trying to run the Docker container but no success; I keep getting this error. Tried to change the port, but the container won't start.

Screenshots
image

[BUG] Incorrect Square SDK element

Describe the bug
In my app I use some Square libraries (Otto, Picasso, etc.) and the tool thinks I'm using the Square SDK and need the purchase history.

To Reproduce
Steps to reproduce the behavior:

  1. Scan an empty app using a square library like Otto or Picasso
  2. See that the generated report includes "purchase history"

Expected behavior
"Purchase history" should not appear in the reports

Desktop (please complete the following information):

  • OS: MacOs 12.1
  • Browser Chrome
  • Version 102.0.5005.61 (Build officiel) (x86_64)

Update Functionality

Currently, there is no mechanism to issue updates from the CLI. The only alternative is to perform a reinstallation manually.

Requirements:

  • Check for update (#9)
  • Download the latest release
  • Update release binary

Critical Support:

  • OS agnostic
  • Appropriate permissions
  • Atomic operation
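The "update release binary" step under the atomic and permissions requirements, as an added example that is not Privado's own code: verify the downloaded bytes against an expected SHA-256 before touching anything, stage them in a temporary file in the same directory as the installed binary (same filesystem, so the rename is atomic), copy the old mode bits, fsync, then os.replace() over the old file. A bad digest or a write failure leaves the installed binary untouched and no partial file behind. The demo paths and bytes are constructed.

```python
# Added example (not Privado's own code): the "update release binary" step
# done safely. The new binary is verified against an expected SHA-256 before
# anything is written, staged in a temporary file next to the target (same
# filesystem, so the final rename is atomic), given the old file's mode
# bits, and swapped in with os.replace(). A failed verification leaves the
# installed binary untouched. Paths and bytes below are constructed for the demo.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


class UpdateError(Exception):
    pass


def install_release(target: Path, release: bytes, expected_sha256: str) -> Path:
    target = Path(target)
    actual = hashlib.sha256(release).hexdigest()
    if actual != expected_sha256.lower():
        raise UpdateError(f"digest mismatch for {target.name}: expected {expected_sha256}, got {actual}")
    if not target.is_file():
        raise UpdateError(f"{target} is not an installed binary")
    if not os.access(target.parent, os.W_OK | os.X_OK):
        raise UpdateError(f"no permission to replace files in {target.parent}")
    mode = stat.S_IMODE(target.stat().st_mode) | stat.S_IXUSR  # keep perms, ensure executable

    fd, tmp_name = tempfile.mkstemp(prefix=f".{target.name}.", dir=target.parent)
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(release)
            fh.flush()
            os.fsync(fh.fileno())        # data on disk before the rename
        os.chmod(tmp, mode)
        os.replace(tmp, target)          # atomic: readers see old or new, never half
    except BaseException:
        tmp.unlink(missing_ok=True)      # never leave a stray partial download
        raise
    return target


def run_demo() -> dict:
    """Install a good release, then reject a tampered one; return what happened."""
    with tempfile.TemporaryDirectory() as d:
        binary = Path(d) / "privado"
        binary.write_bytes(b"#!/bin/sh\necho old\n")
        binary.chmod(0o755)

        new_release = b"#!/bin/sh\necho new\n"
        install_release(binary, new_release, hashlib.sha256(new_release).hexdigest())
        after_good = binary.read_bytes()
        mode_good = stat.S_IMODE(binary.stat().st_mode)

        tampered = b"#!/bin/sh\necho evil\n"
        try:
            install_release(binary, tampered, hashlib.sha256(new_release).hexdigest())
            rejected = False
        except UpdateError:
            rejected = True

        leftovers = sorted(p.name for p in Path(d).iterdir() if p.name != "privado")
        return {"after_good": after_good, "mode_good": mode_good,
                "rejected": rejected, "after_bad": binary.read_bytes(), "leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats for the OS-agnostic requirement: on Windows a running executable cannot be replaced in place, so the updater must stage the file and finish the swap on next start; and a digest fetched over the same channel as the binary only catches corruption, not substitution, so the expected value should come from a signed release manifest.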

[BUG] App: Encountered error: Exception

command
~/.privado/bin/privado scan ends up with an undescribed exception

Status: Image is up to date for public.ecr.aws/privado/cli:latest

Starting container with the latest image
Container ID: xxx

Waiting for process to complete:
( ● ) Scanning repository.. (3/-)
Some error occurred
Find more details below:
App: Encountered error: Exception. Feel free to open an issue or contact [email protected]

If this is an unexpected output, please try again or open an issue here: https://github.com/Privado-Inc/privado
Terminating..

[BUG] Documentation: Privado CLI does not show local results

Describe the bug
The documentation screenshots for the run of the scan show the results locally, but the latest version does not show the summary locally, only the URL is provided to the user

To Reproduce

  1. Check the screen-grab on the 'Running a scan' page
  2. On the GIF you will see that the output of the scan results are shown
  3. But checking the source, it looks like local output is no longer part of the latest. I think this is the location, please review
  4. So either the local output has to be enabled or the GIF needs to be updated

Expected behavior
The documentation should be updated to not have the summary results (or) the commented section in ScanProcessor.scala should be enabled

Screenshots
Actual-Local-Scan-Results
Doc-Local-Scan-Results

  • Actual-Local-Scan-Results.png: The output
  • Doc-Local-Scan-Results.png: The documentation

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Browser: Vivaldi 5.0
  • Version : Privado CLI Version: v2.0.1, Privado Core Version: v1.0.1, Privado Main Version: v1.0.1

Additional context
I ran the scan using the example BankingSystem-Backend code
./privado scan BankingSystem-Backend

Ability to sync results with cloud UI again if it fails

Sometimes while uploading the results to the cloud UI dashboard, an error/failure is encountered. Would be great to have a command to upload the results file to the dashboard without having to run the entire scan again.

[BUG] Unable to Copy: Exits Process

Bug report received as internal feedback, opening here for public tracking and validation:

Describe the bug
Operating System: Linux
Copy command exits the scanning process.

To Reproduce
Steps to reproduce the behavior:

  1. Run privado scan <repo>
  2. Press Ctrl+Shift+C to copy

Expected behavior
Do not exit

Add Version Information

Requirements & Proposed Procedure:

  • Add version information in Privado CLI: privado version
  • Embed version information dynamically over build:
    • For releases, use respective tag
    • For latest tag, fetch the latest version from GitHub API
    • Replace version information using ldflags on build time

Update Unity SDK values

Is your feature request related to a problem? Please describe.
Update Unity SDK values.

Describe the solution you'd like
Unity has recently launched documentation for Play Store Data Safety, we need to update our values to those.

Support for pattern list in rules

The current rule definition takes in a list of patterns; however, only the first one is tagged as a sink, and the rest of the patterns are ignored. This creates significant confusion, as any user-specified enhancements & patterns may not be detected.
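A small harness for checking rule patterns before they ship, as an added example that is not Privado's own code. It honours every pattern in a rule's list rather than only the first, and uses that to illustrate two earlier reports on this page: the phone rule that catches phoneDetail but not a field named just phone, and the Square SDK rule that fires on any com.squareup library. The Rule class, the pattern strings and the "ThirdParties.SDK.Square" id are constructed for the demo and do not reproduce the project's real rule files; the Maven coordinates are listed as test data only.

```python
# Added example (not Privado's own code): a small harness for checking rule
# patterns before shipping them. It uses every pattern in a rule's list, not
# only the first, and contrasts a too-narrow phone pattern with one that
# matches a bare `phone` without flagging `microphone`, and a too-broad
# Square pattern with one limited to the payment SDK coordinates. The rule
# objects, pattern strings and the "ThirdParties.SDK.Square" id are
# constructed for the demo and do not reproduce the project's real rule files.
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Rule:
    id: str
    patterns: List[str]

    def matches(self, text: str) -> bool:
        # Every pattern counts; a rule with a list of patterns is a union.
        return any(re.search(p, text) for p in self.patterns)


def matched(rule: Rule, candidates: List[str]) -> Set[str]:
    return {c for c in candidates if rule.matches(c)}


# Source rule for phone numbers. This first form reproduces the reported
# behaviour (phoneDetail is caught, a field named just `phone` is not).
PHONE_RULE_REPORTED = Rule("Data.Sensitive.ContactData.PhoneNumber",
                           [r"(?i)phone(number|num|no|detail)"])

# Fixed form: `phone` must start an identifier word (start, underscore or a
# camelCase boundary) and must end one, so microphone/headphones/phoneme are
# left alone while phone, phone_no, userPhone and PHONE are caught.
PHONE_RULE_FIXED = Rule("Data.Sensitive.ContactData.PhoneNumber", [
    r"(?:^|_|[^A-Za-z0-9])(?i:(?:tele)?phone)s?(?:$|_|[A-Z0-9]|(?i:number|num|no|detail))",
    r"(?<=[a-z0-9])(?:Telephone|Phone)s?(?:$|_|[A-Z0-9]|(?i:number|num|no|detail))",
])

IDENTIFIERS = ["phone", "phoneDetail", "phoneNumber", "phone_no", "userPhone",
               "PHONE", "telephone", "microphone", "headphones", "phoneme"]

# Third-party rule. Matching the whole com.squareup group tags every Square
# open-source library (Otto, Picasso, OkHttp, Retrofit) as the payment SDK.
SQUARE_RULE_BROAD = Rule("ThirdParties.SDK.Square", [r"(?i)com\.squareup"])
SQUARE_RULE_NARROW = Rule("ThirdParties.SDK.Square", [
    r"^com\.squareup:square$",      # Square Java SDK
    r"^com\.squareup\.sdk[.:]",     # Square point-of-sale / in-app payments SDKs
])

COORDINATES = ["com.squareup:square", "com.squareup.sdk:point-of-sale-sdk",
               "com.squareup:otto", "com.squareup.picasso:picasso",
               "com.squareup.okhttp3:okhttp", "com.squareup.retrofit2:retrofit"]

if __name__ == "__main__":
    for rule, data in [(PHONE_RULE_REPORTED, IDENTIFIERS), (PHONE_RULE_FIXED, IDENTIFIERS),
                       (SQUARE_RULE_BROAD, COORDINATES), (SQUARE_RULE_NARROW, COORDINATES)]:
        print(rule.id, sorted(matched(rule, data)))
```

The narrow Square rule needs both patterns to cover both SDK coordinate shapes, which is exactly the case that breaks when only the first entry of a pattern list is compiled.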

[BUG] email validation links or password reset, risk leaking information

Describe the bug
email validation links or password reset links risk leaking information (ex: https://email.auth.privado.ai/prod/redirect?code=&username=&clientId=&region=eu-west-1&email=&isCLI=true&website=). I’m certain all that GET data could be POSTed, encrypted, tokenized, or otherwise set up to prevent data leakage.
What’s up with the [email protected] sender for account registration and password resets? It makes it hard to find, but is also likely to make people wonder who Privado is sharing user data with.

Storing output result privado.json inside repo itself seems problematic

Is your feature request related to a problem? Please describe.
The approach to results storage is extremely interesting but also potentially problematic. At present, a repo’s scan result is stored into [repo]/.privado/privado.json, meaning it lands inside the repo. Practically, this means the results will likely be lost when the repo is removed and recloned.

Describe the solution you'd like
I would love to see the results persist in some way without having to copy or move them myself. Maybe this would mean storing the results in ~/.privado/results/ for example. This would allow users to view historical results easily and maybe give the Cloud Viewer a “trend” view for repos. It always feels good to see the Risk rating decrease over time… and it’s nice to be able to notice a sudden spike in Risk if that happens.

Show Sinks under Inventory even if there are no flows

Is your feature request related to a problem? Please describe.
Currently we only show sinks under inventory where there is a valid flow, this becomes a problem when we start investigating why certain flows are missing. Sometimes that could happen because source might not be tagged or if we are still improving the flow detections. Debug also becomes easier for users.

Describe the solution you'd like
Show all sinks under Inventory tab with -- under flows.

Describe alternatives you've considered

Additional context

Support for JVM Arguments

Problem: Currently, there is no way to pass JVM flags to the underlying scan engine. This is especially crucial for memory allocation flags such as -Xmx or -Xms. A way to pass these JVM options would be desirable.

Solution: Since the JVM also reads from the JAVA_TOOL_OPTIONS environment variable, introduce a CLI flag for the scan command such as --jvm-args <value> which sets the JAVA_TOOL_OPTIONS variable to the specified <value>.

The app makes an assumption that I didn’t like: it assumes that if I want the results uploaded once, then I must want them uploaded always.

Is your feature request related to a problem? Please describe.
The app makes an assumption that I didn't like: it assumes that if I want the results uploaded once, then I must want them uploaded always. On the first run, the user is prompted whether they want to upload the results in order to visualize them (Do you want to visualize these results on our Privacy View Cloud Dashboard? (Y/n)). If the user selects "Y", "syncToPrivadoCloud": true is added to ~/.privado/config.json and the user is never prompted again. In my own work environment, there are certain repos that I would never allow to leave my computer and other repos that would not be a problem.

Describe the solution you'd like
I suggest adding the option “always” to that prompt, and making “Y/n” apply only to the current scan. (Maybe also consider adding CLI options like --upload-results which would skip the prompt and be more convenient for automation)
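One way to resolve upload consent that covers this request together with the earlier "Non-interactive flags for upload consent" request, as an added example that is not Privado's own code: explicit --upload / --skip-upload flags that override everything for CI, a per-scan prompt whose y/n answer applies to this run only, and a separate "always" answer that is the only path writing syncToPrivadoCloud into the config. With no flag, no stored consent and no terminal to ask, nothing is uploaded. The flag names are the ones proposed on this page and the prompt wording is taken from the report above; the argument parsing and config handling are assumptions.

```python
# Added example (not Privado's own code): resolve upload consent from flags,
# stored config and, only when a terminal is present, a prompt. The flag
# names are the ones proposed in the feature request; the prompt wording
# is taken from the report; everything else is assumed.
import argparse
from typing import Callable, Dict, Optional, Tuple

PROMPT = "Do you want to visualize these results on our Privacy View Cloud Dashboard? [y/N/always] "


def parse_args(argv) -> Dict[str, bool]:
    parser = argparse.ArgumentParser(prog="privado scan")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("--upload", action="store_true",
                       help="upload this scan's results without asking")
    group.add_argument("--skip-upload", action="store_true",
                       help="never upload this scan's results, regardless of stored consent")
    ns = parser.parse_args(argv)
    return {"upload": ns.upload, "skip_upload": ns.skip_upload}


def resolve_upload(args: Dict[str, bool], config: Dict, interactive: bool,
                   prompt: Optional[Callable[[str], str]] = None) -> Tuple[str, Dict]:
    """Return ("upload" | "skip", updated config). `config` is not mutated."""
    config = dict(config)
    if args.get("upload"):
        return "upload", config            # explicit flag wins; nothing is persisted
    if args.get("skip_upload"):
        return "skip", config
    if config.get("syncToPrivadoCloud") is True:
        return "upload", config            # the user chose "always" earlier
    if not interactive:
        return "skip", config              # CI without a flag: fail closed, do not exfiltrate
    answer = (prompt or input)(PROMPT).strip().lower()
    if answer == "always":
        config["syncToPrivadoCloud"] = True  # the only path that persists consent
        return "upload", config
    if answer in ("y", "yes"):
        return "upload", config            # this scan only
    return "skip", config                  # default on Enter or "n"


if __name__ == "__main__":
    import sys
    decision, cfg = resolve_upload(parse_args(sys.argv[1:]), {}, interactive=sys.stdin.isatty())
    print(decision, cfg)
```

The mutually exclusive group makes `--upload --skip-upload` a usage error instead of a silent precedence rule, and `yes | privado scan` no longer grants consent in CI because the prompt is never shown when stdin is not a terminal.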

[BUG] The website fails to load with "Failed to load data" at the end of the scan

Describe the bug
I compiled privado from the repository. Then I scanned an Android app repository with privado. At the end of the scan a web UI on localhost:3000 is provided but it blanks out with "Failed to load data"

To Reproduce
Steps to reproduce the behavior:

  1. Distro: Devuan GNU/Linux 5 (daedalus/ceres). Kernel: Linux asus 5.18.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.2-1 (2022-06-06) x86_64 GNU/Linux
  2. I'm scanning https://github.com/CsabaConsulting/ARPhysics
  3. Went through the README steps of compile from source: cloned the privado repo, installed golang, I already had docker, compiled. No error messages.
  4. Authenticated myself, got the json in email
  5. Bootstrapped privado with the json
  6. privado scan ARPhysics

Expected behavior
I assume the localhost:3000 should show some dashboard of the scan. It actually flashes for 100ms before the error is shown.

Screenshots
Screenshot_2022-06-14_21-40-26
Screenshot_2022-06-14_21-40-57
Screenshot_2022-06-14_21-42-12
Screenshot_2022-06-14_21-43-12

Additional context
I don't think it's the particular Android app. Looks like a Django instance is running inside the Docker and the DATABASE is not configured? I don't see a configuration file for that the first blink.
