snyk / parlay Goto Github PK

View Code? Open in Web Editor NEW

100.0 10.0 15.0 357 KB

Enrich SBOMs with data from third party services

License: Apache License 2.0

Go 97.24% Shell 0.87% Makefile 1.89%

snyk cyclonedx sbom sbom-tool

parlay's Introduction

Parlay

Enriching SBOMs

parlay will take a CycloneDX (JSON, XML) or SPDX 2.3 (JSON) document and enrich it with information taken from external services. At present this includes:

By enrich, we mean add additional information. You put in an SBOM, and you get a richer SBOM back. In many cases SBOMs have a minimum of information, often just the name and version of a given package. By enriching that with additional information we can make better decisions about the packages we're using.

Enriching with ecosyste.ms

Let's take a simple CycloneDX SBOM of a Javascript application. Using parlay we enrich it using data from ecosyste.ms, adding information about the package license, external links, the maintainer and more.

$ cat testing/sbom.cyclonedx.json
...
{
	"bom-ref": "[email protected]",
	"type": "library",
	"name": "subtext",
	"version": "6.0.12",
	"purl": "pkg:npm/[email protected]"
}
...
$ cat testing/sbom.cyclonedx.json | parlay ecosystems enrich - | jq
...
{
	"bom-ref": "[email protected]",
	"type": "library",
	"supplier": {
		"name": "hapi.js",
		"url": [
			"https://hapi.dev"
		]
	},
	"author": "hapi.js",
	"name": "subtext",
	"version": "6.0.12",
	"description": "HTTP payload parsing",
	"licenses": [
		{
			"expression": "BSD-3-Clause"
		}
	],
	"purl": "pkg:npm/[email protected]",
	"externalReferences": [
		{
			"url": "https://github.com/hapijs/subtext",
			"type": "website"
		},
		{
			"url": "https://www.npmjs.com/package/subtext",
			"type": "distribution"
		},
		{
			"url": "https://github.com/hapijs/subtext",
			"type": "vcs"
		}
	],
	"properties": [
		{
			"name": "ecosystems:first_release_published_at",
			"value": "2014-09-29T01:56:03Z"
		},
		{
			"name": "ecosystems:latest_release_published_at",
			"value": "2019-01-31T19:36:58Z"
		}
	]
}
...

What about with SPDX? Let's take an SBOM containing a list of packages like so:

{
  "name": "concat-map",
  "SPDXID": "SPDXRef-7-concat-map-0.0.1",
  "versionInfo": "0.0.1",
  "downloadLocation": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/[email protected]"
    }
  ]
}

Running parlay ecosystems enrich <sbom.spdx.json> will add additional information:

{
  "name": "concat-map",
  "SPDXID": "SPDXRef-7-concat-map-0.0.1",
  "versionInfo": "0.0.1",
  "downloadLocation": "NOASSERTION",
+  "homepage": "https://github.com/ljharb/concat-map",
+  "licenseConcluded": "MIT",
  "copyrightText": "NOASSERTION",
+  "description": "concatenative mapdashery",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/[email protected]"
    }
  ]

There are a few other utility commands for ecosyste.ms as well. The first returns raw JSON information about a specific package from ecosyste.ms:

parlay ecosystems package pkg:npm/snyk

You can also return raw JSON information about a specific repository:

parlay ecosystems repo https://github.com/open-policy-agent/conftest

Enriching with Snyk

parlay can also enrich an SBOM with Vulnerability information from Snyk.

It's important to note vulnerability data is moment-in-time information. By adding vulnerability information directly to the SBOM this makes the SBOM moment-in-time too.

Note the Snyk commands require you to be a Snyk customer, and require passing a valid Snyk API token in the SNYK_TOKEN environment variable.

The API base url can be set using the SNYK_API environment variable, and if missing it will default to https://api.snyk.io/rest.

parlay snyk enrich testing/sbom.cyclonedx.json

Snyk will add a new vulnerability attribute to the SBOM, for example:

"vulnerabilities": [
  {
    "bom-ref": "[email protected]",
    "id": "SNYK-JS-SUBTEXT-467257",
    "ratings": [
      {
        "source": {
          "name": "Snyk",
          "url": "https://security.snyk.io"
        },
        "score": 7.5,
        "severity": "high",
        "method": "CVSSv31",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
      }
    ],
    "cwes": [
      400
    ],
    "description": "Denial of Service (DoS)",
    "detail": "...",
    "advisories": [
      {
        "title": "GitHub Commit",
        "url": "https://github.com/brave-intl/subtext/commit/9557c115b1384191a0d6e4a9ea028fedf8b44ae6"
      },
      {
        "title": "GitHub Issue",
        "url": "https://github.com/hapijs/subtext/issues/72"
      },
      {
        "title": "NPM Security Advisory",
        "url": "https://www.npmjs.com/advisories/1168"
      }
    ],
    "created": "2019-09-19T10:25:11Z",
    "updated": "2020-12-14T14:41:09Z"
  }

For SPDX, vulnerability informatio is added as additional externalRefs:

{
  "referenceCategory": "SECURITY",
  "referenceType": "advisory",
  "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-3050818",
  "comment": "Regular Expression Denial of Service (ReDoS)"
},
{
  "referenceCategory": "SECURITY",
  "referenceType": "advisory",
  "referenceLocator": "https://security.snyk.io/vuln/SNYK-JS-MINIMATCH-1019388",
  "comment": "Regular Expression Denial of Service (ReDoS)"
}

Return raw JSON information about vulnerabilities in a specific package from Snyk:

parlay snyk package pkg:npm/[email protected]

Enriching with OpenSSF Scorecard

The OpenSSF Scorecard project tests various aspects of a projects security posture and provides a score. parlay supports added a link to this data with the parlay scorecard enrich command.

You can use this like so:

parlay scorecard enrich testing/sbom2.cyclonedx.json

This will currently add an external reference to the Scorecard API which can be used to retrieve the full scorecard.

{
  "bom-ref": "103-org.springframework:[email protected]",
  "type": "library",
  "name": "org.springframework:spring-webmvc",
  "version": "5.3.3",
  "purl": "pkg:maven/org.springframework/[email protected]",
  "externalReferences": [
    {
      "url": "https://api.securityscorecards.dev/projects/github.com/spring-projects/spring-framework",
      "comment": "OpenSSF Scorecard",
      "type": "other"
    }
  ]
},

We're currently looking at the best way of encoding some of the scorecard data in the SBOM itself as well.

What about enriching with other data sources?

There are lots of other sources of package data, and it would be great to add support for them in parlay. Please open issues and PRs with ideas.

Pipes!

parlay is a fan of stdin and stdout. You can pipe SBOMs from other tools into parlay, and pipe between the separate enrich commands too.

Maybe you want to enrich an SBOM with both ecosyste.ms and Snyk data:

cat testing/sbom.cyclonedx.json | ./parlay e enrich - | ./parlay s enrich - | jq

Maybe you want to take the output from Syft and add vulnerabilitity data?

syft -o cyclonedx-json nginx | parlay s enrich - | jq

Maybe you want to geneate an SBOM with cdxgen, enrich that with extra information, and test that with bomber:

cdxgen -o | parlay e enrich -  | bomber scan --provider snyk -

The ecosyste.ms enrichment adds license information, which Bomber then surfaces:

■ Ecosystems detected: gem
■ Scanning 18 packages for vulnerabilities...
■ Vulnerability Provider: Snyk (https://security.snyk.io)

■ Files Scanned
        - (sha256:701770b2317ea8cbd03aa398ecb6a0381c85beaf24d46c45665b53331816e360)

■ Licenses Found: MIT, Apache-2.0, BSD-3-Clause, Ruby

Installation

parlay binaries are available from GitHub Releases. Just select the archive for your operating system and architecture. For instance, you could download for macOS ARM machines with the following, substituting {version} for the latest version number, for instance 0.1.4.

wget https://github.com/snyk/parlay/releases/download/v{version}/parlay_Darwin_arm64.tar.gz
tar -xvf parlay_Darwin_arm64.tar.gz

Supported package types

The various services used to enrich the SBOM data have data for a subset of purl types:

Ecosystems

apk
cargo
cocoapods
composer
gem
golang
hex
maven
npm
nuget
pypi

Snyk

apk
cargo
cocoapods
composer
deb
gem
golang
hex
maven
npm
nuget
pypi
rpm
swift

OpenSSF Scorecard

apk
cargo
cocoapods
composer
gem
golang
hex
maven
npm
nuget
pypi

Note that Scorecard data is available only for a subset of projects from supported Git repositories. See the Scorecard project for more information.

parlay's People

Contributors

Stargazers

Watchers

Forkers

ericsmalling torgo mcombuechen krishnaduttpanchagnula evelynmitchell lmaeda sumodgeorge ajistrying gwnlng ninjamast3r sanae-snyk smankah mikesnyk anshulsahu1990 jxdv

parlay's Issues

Snyk package and enrichment command runtime error on Windows

Running the example command below returns the following runtime error. Snyk Token is set correctly. I verified it is working on Linux via WSL. A similar error occurs when trying to run snyk enrich for a CycloneDX SBOM. I'm using this release https://github.com/snyk/parlay/releases/download/v0.1.5/parlay_Windows_x86_64.zip.

./parlay snyk package pkg:npm/[email protected]

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x80a3ca]

goroutine 1 [running]:
github.com/snyk/parlay/lib/snyk.GetPackageVulnerabilities({{0xc00001e0f4, 0x3}, {0x0, 0x0}, {0xc00001e0f8, 0x7}, {0xc00001e100, 0x5}, {0xd89f00, 0x0, ...}, ...})
/home/runner/work/parlay/parlay/lib/snyk/package.go:56 +0x1ca
github.com/snyk/parlay/internal/commands/snyk.NewPackageCommand.func1(0xc000005500?, {0xc000090140, 0x1?, 0x1?})
/home/runner/work/parlay/parlay/internal/commands/snyk/packages.go:24 +0x1b8
github.com/spf13/cobra.(*Command).execute(0xc000005500, {0xc000090100, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(0xc000054000?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992 +0x19
main.main()
/home/runner/work/parlay/parlay/main.go:26 +0x1e

Error when try to scan .xml SBOM

# parlay ecosystems enrich testing/sbom.cyclonedx.xml
2:00PM FTL Input needs to be a valid CycloneDX SBOM error="invalid character '<' looking for beginning of value"

I'm trying to enrich sbom from your testing directory.

getSnykOrg does not error on non-200 responses

When looking up user info to infer a user’s org ID, the getSnykOrg function will happily carry on even after non-200 OK responses (e.g. for bad API tokens), resulting in a nil UUID, resulting in a runtime panic.

Support for CycloneDX 1.5

Parlay is an awesome tool, thank you very much for it.

Are there any plans to support CycloneDX specification 1.5? A lot of tools generate only the newest version and it would be great if Parlay could be used for these SBOMs as well.

snyk enrich doesn't return vulnerabilities

when I run cat before_parlay.json | ./parlay ecosystems enrich - | ./parlay snyk enrich -

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "1",
  "version": 1,
  "metadata": {
    "timestamp": "1496244605"
  },
  "component": {
    "name": "api",
    "type": "application"
  },
  "components": [
    {
      "type": "library",
      "name": "request",
      "version": "2.88.0",
      "purl": "pkg:npm/[email protected]"
    }
  ]
}

I get

{"bomFormat":"CycloneDX","specVersion":"1.3","serialNumber":"1","version":1,"metadata":{"timestamp":"1496244605"},"components":[{"type":"library","supplier":{"name":"request"},"author":"request","name":"request","version":"2.88.0","description":"Simplified HTTP request client.","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/[email protected]","externalReferences":[{"url":"https://github.com/request/request","type":"website"},{"url":"https://www.npmjs.com/package/request","type":"distribution"},{"url":"https://github.com/request/request","type":"vcs"}],"properties":[{"name":"ecosystems:first_release_published_at","value":"2011-01-22T00:36:12Z"},{"name":"ecosystems:latest_release_published_at","value":"2020-02-11T16:35:36Z"}]}],"vulnerabilities":null}

no vulnerabilities, even that this library has:
https://security.snyk.io/package/npm/request/2.88.0

Add Snyk Advisor external reference links in the Snyk enricher

For supported ecosystems (Go, Python and npm) it would be nice to add the external reference to Snyk Advisor. Likely like so:

{
          "url": "https://snyk.io/advisor/golang/github.com/go-openapi/errors",
          "comment": "Snyk Advisor",
          "type": "other"
 }

Note this would not require API credentials.

scorecard enrich for xml sboms removes xmlns declarations

The XML processing for a CycloneDX SBOM (v1.5) seems to destroy the XML namespaces:

parlay scorecard enrich bom.cdx.xml

The xmlns declaration for the CycloneDX namespace gets stripped:

<bom xmlns:ns0="http://cyclonedx.org/schema/bom/1.5" ...>

ends up as:

<bom xmlns="" ...>

Version:

./parlay -v
0.4.0

Add a mechanism to get the version on the CLI

Currently you can't determine the version of parlay from within the CLI. It would be useful to add a --version or version command.

`snyk enrich` does not work in all regions

Getting the following error:
Failed to infer preferred Snyk organization error="Failed to get user info (401 Unauthorized)."

Add support for github purl-type

This is a suggestion to add support for github purl-type at snyk sbom enrichment of security vulnerabilities details.

Add a GitHub Action for parlay

It would be useful to have a GitHub Action for parlay, to make it easier to use as part of a pipeline. Speculating around the interface:

uses: snyk/parlay/action@v0
with:
  input: <some-sbom-path>
  enricher: snyk
  output: <new-sbom-path>

No information found for components with a group

My CycloneDX includes components like

    {
        "type": "library",
        "bom-ref": "@emotion/[email protected]",
        "group": "@emotion",
        "name": "react",
        "version": "11.11.3",
        "purl": "pkg:npm/%40emotion/[email protected]"
    },

Parly doesn't find any information for this component when using ecosystems enrich.

For other components like

    {
        "type": "library",
        "bom-ref": "[email protected]",
        "name": "regenerator-runtime",
        "version": "0.14.1",
        "purl": "pkg:npm/[email protected]"
    },

Parlay finds additional information.

The only differences is the group in the first kind of components. Do you have any idea, why it is not working with the group?

PURLs not resolving properly when enriching a CycloneDX SBOM with ecosyste.ms

I have a minimal CycloneDX 1.4 SBOM that I'm trying to enrich:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "github.com/Masterminds/semver",
      "version": "v1.5.0",
      "purl": "pkg:golang/github.com/Masterminds/[email protected]"
    }
  ]
}

If I run it through parlay I get exactly what I put in:

cat my-sbom.json | parlay ecosystems enrich -
{"$schema":"http://cyclonedx.org/schema/bom-1.4.schema.json","bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64","version":1,"components":[{"type":"library","name":"github.com/Masterminds/semver","version":"v1.5.0","purl":"pkg:golang/github.com/Masterminds/[email protected]"}]}

The issue occurs in this function, which tries to split the namespace and name. Because of how packageurl formats from strings as it does here, this causes the purl.Namespace != "" condition to be hit, making the purl actually requested from the sbom pkg:golang/github.com/Masterminds:[email protected], which fails to resolve.

If I force the purl to pkg:golang/github.com/Masterminds/[email protected] enrichment works properly.

Support enriching SPDX SBOMs

Currently parlay only support CycloneDX. Implementing for SPDX would be useful, though not all information may be applicable to the SPDX spec.

No error message for invalid token for snyk enrich and package

In Windows and WSL, if you set an invalid token or no token, parlay snyk enrich command will just output the content of the input SBOM file without any error message so you have no idea what is going on. The command 'parlay snyk package' will result in the following error without a valid token in Windows but it will produce an error message "Must provide a SNYK_TOKEN environment variable" in WSL.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x121ebaa]

goroutine 1 [running]:
github.com/snyk/parlay/lib/snyk.GetPackageVulnerabilities({{0xc00002013c, 0x3}, {0x0, 0x0}, {0xc000020140, 0x7}, {0xc000020148, 0x5}, {0x17085c0, 0x0, ...}, ...})
/home/runner/work/parlay/parlay/lib/snyk/package.go:56 +0x1ca
github.com/snyk/parlay/internal/commands/snyk.NewPackageCommand.func1(0xc000005500?, {0xc00017a4f0, 0x1?, 0x1?})
/home/runner/work/parlay/parlay/internal/commands/snyk/packages.go:24 +0x1b8
github.com/spf13/cobra.(*Command).execute(0xc000005500, {0xc00017a4b0, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xc000004300)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(0xc000050000?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992 +0x19
main.main()
/home/runner/work/parlay/parlay/main.go:26 +0x1e

Add Snyk Vulnerability DB external reference links in the Snyk enricher

For supported ecosystems it would be nice to add the external reference to the Snyk Vulnerability database. Likely like so:

{
"url": "https://security.snyk.io/package/pip/django",
"comment": "Snyk Vulnerability DB",
"type": "other"
}

Note this would not require API credentials.

Snyk enrich is looking up user info per package

When enriching an SBOM, the snyk command will fetch user data to infer the user’s org ID per package. Since the org ID is unlikely to change while an SBOM is being enriched, it should rather be looked up once and injected in subsequent requests.

Should enrichment modify or add to the tools noted in the SBOM

Good question from @rnjudge https://twitter.com/rosejudge5/status/1666879138739916800

how is SBOM creation metadata handled when the SBOM is changed? Is the document creation metadata changed to reflect the new creator?

Warrants investigation. Parlay is adding to, rather than recreating, the original content. You ideally still want to know what tool generated the list of packages, but (separately) knowing that some of the information came from Parlay would be useful.

Debug messages

We have a --debug flag, but need to add useful debug messages throughout the various commands being run.

Document/formalise use of Parlay as a library

While Parlay can be used as a CLI tool, it should also be possible to use it as a library. This isn't formalised at all yet however, or documented. This could be used in tools that build SBOMs to automatically enrich them at creation.

operation system package don't work

I run cat before_parlay.json | ./parlay ecosystems enrich -

on:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "1",
  "version": 1,
  "metadata": {
    "timestamp": "1496244605"
  },
  "component": {
    "name": "api",
    "type": "application"
  },
  "components": [
    {
      "type": "library",
      "name": "musl",
      "version": "1.2.3-r3",
      "purl": "pkg:apk/alpine/[email protected]?arch=x86_64"
    }
  ]
}

and the result is not enriched.
Here is the ecosyste.ms link

Add enrichment using the Scorecards API

The OpenSSF Scorecards project now has an API. Needs some discussion of how best to add Scorecard data to an SBOM.

Some conversation in the context of CycloneDX in the CycloneDX Slack. The new annotations in the upcoming v1.5 look like the best option.

Snyk enrichement returns null always

Hello,

So I have tried using the snyk enrichement on parlay, and no matter what type of SBOM that I provide it with, it always returns the value null, even if I use the example found in the blog post announcing parlay, I get the same result

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:f3a24198-a2ef-492f-b122-a75453849d64",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "subtext",
      "version": "6.0.12",
      "purl": "pkg:npm/[email protected]"
    }
  ],
  "vulnerabilities": null
}

No enrichment for nested components in CycloneDX

CycloneDX SBOMs can have components embedded in a component, see https://cyclonedx.org/docs/1.5/json/#components_items_components. I have generated a SBOM with cyclonedx-npm and got this:

        {
            "type": "library",
            "bom-ref": "[email protected]",
            "supplier": {
                "name": "Kent C. Dodds",
                "url": [
                    "https://kentcdodds.com"
                ]
            },
            "author": "Kent C. Dodds",
            "name": "match-sorter",
            "version": "6.3.4",
            "description": "Simple, expected, and deterministic best-match sorting of an array in JavaScript",
            "licenses": [
                {
                    "expression": "MIT"
                }
            ],
            "purl": "pkg:npm/[email protected]",
            "components": [
                {
                    "type": "library",
                    "bom-ref": "[email protected]|[email protected]",
                    "name": "remove-accents",
                    "version": "0.5.0",
                    "purl": "pkg:npm/[email protected]"
                }
            ]
        },

This example contains information gathered by Parlay for the match-sorter, but nothing was found for the included remove-accents.

Would it possible for Parlay to traverse through the components?

Add support for enrichment using deps.dev

the deps.dev API contains interesting package and repository information for a small number of ecosystems, including Scorecard data. I have an open question that likely wants clarifying around the license for the data however.

Snyk cmd missing debug output

The snyk command does not properly add to debugger output. Specifically, the logger instance is not being passed down to internal function calls and errors remain unhandled, while stdout with an unenriched SBOM suggests that everything went according to plan.

Unable to install

Attempting to install v0.1.4 on a Mac (Apple M1 Max)

Installation docs show:

wget https://github.com/snyk/parlay/releases/download/v{version}/parlay_{version}_Darwin_arm64.tar.gz
tar -xvf parlay_{version}_Darwin_arm64.tar.gz

*Note that the v in download/v{version}/ should be removed resulting in download/v{version}/

Inserting a version (v0.1.4) results in the following commands:

wget https://github.com/snyk/parlay/releases/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz
tar -xvf parlay_v0.1.4_Darwin_arm64.tar.gz

This fails with the following response:

--2023-06-09 13:15:09--  https://github.com/snyk/parlay/releases/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz
Resolving github.com (github.com)... 192.30.255.112
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-06-09 13:15:10 ERROR 404: Not Found.

tar: Error opening archive: Failed to open 'parlay_v0.1.4_Darwin_arm64.tar.gz'

Replacing the first line of the command with the following results in a successful download of the file:

wget https://github.com/snyk/parlay/releases/tag/v0.1.4/parlay_v0.1.4_Darwin_arm64.tar.gz

But the command tar -xvf parlay_v0.1.4_Darwin_arm64.tar.gz or tar -xzf parlay_v0.1.4_Darwin_arm64.tar.gz results in an error:

tar: Error opening archive: Unrecognized archive format

I wasn't able to move the needle further with manual downloads or unzip attempts.