/* Vuls - Vulnerability Scanner
Copyright (C) 2016  Future Corporation , Japan.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
package github
import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"time"

	"github.com/future-architect/vuls/models"
	"github.com/k0kubun/pp"
	"golang.org/x/oauth2"
)
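// FillGitHubSecurityAlerts accesses owner/repo on GitHub, fetches the
// security alerts of the repository via the GitHub API v4 (GraphQL) and is
// meant to set them on the given ScanResult.
// https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
//
// owner and repo are sent to the API as GraphQL variables rather than being
// spliced into the query text; token is a GitHub access token that must be
// allowed to read the repository's vulnerability alerts.
//
// Mapping the decoded alerts onto r is still a TODO (see the comment near
// the end), so r is not modified yet and nCVEs is always 0. err is non-nil
// when the request cannot be built or sent, when the API answers with a
// non-2xx status or with GraphQL errors, or when the response body does not
// decode.
func FillGitHubSecurityAlerts(r *models.ScanResult, owner, repo, token string) (nCVEs int, err error) {
	// Upper bound for the whole HTTP exchange; oauth2.NewClient returns a
	// client with no deadline, and a stalled API connection must not hang
	// the scan indefinitely.
	const apiTimeout = 30 * time.Second

	src := oauth2.StaticTokenSource(
		&oauth2.Token{AccessToken: token},
	)
	httpClient := oauth2.NewClient(context.Background(), src)
	httpClient.Timeout = apiTimeout

	//TODO Pagenation, Use GraphQL Library
	// The request body is produced by encoding/json and owner/repo travel as
	// GraphQL variables. Interpolating them into the query string by hand
	// would let a crafted owner or repository name alter the query itself.
	payload, err := json.Marshal(map[string]interface{}{
		"query": `query FindIssueID($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { name, vulnerabilityAlerts(first: 100) { edges { node { id, externalIdentifier, externalReference, fixedIn, packageName } } } } }`,
		"variables": map[string]string{
			"owner": owner,
			"name":  repo,
		},
	})
	if err != nil {
		return 0, fmt.Errorf("encoding GraphQL request: %s", err)
	}
	req, err := http.NewRequest(
		"POST",
		"https://api.github.com/graphql",
		bytes.NewReader(payload),
	)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/vnd.github.vixen-preview+json")

	resp, err := httpClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	bodyBytes, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return 0, err
	}
	// A rejected token or a repository the token may not read comes back as
	// a non-2xx status; decoding such a body as alerts would silently yield
	// an empty list and the scan would look clean.
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		return 0, fmt.Errorf("GitHub GraphQL API returned %s: %s", resp.Status, bodyBytes)
	}

	// GraphQL reports per-query failures (unknown repository, missing scope)
	// with HTTP 200 and an "errors" array while "data" stays empty, so the
	// array has to be inspected explicitly.
	var gqlErrs struct {
		Errors []struct {
			Message string `json:"message"`
		} `json:"errors"`
	}
	if err = json.Unmarshal(bodyBytes, &gqlErrs); err != nil {
		return 0, err
	}
	if len(gqlErrs.Errors) > 0 {
		return 0, fmt.Errorf("GitHub GraphQL API returned %d error(s), first: %s",
			len(gqlErrs.Errors), gqlErrs.Errors[0].Message)
	}

	alerts := SecurityAlerts{}
	if err = json.Unmarshal(bodyBytes, &alerts); err != nil {
		return 0, err
	}

	// TODO add type field to models.Pakcage.
	// OS Packages ... osPkg
	// CPE ... CPE
	// GitHub ... GitHub
	// WordPress theme ... wpTheme
	// WordPress plugin ... wpPlugin
	// WordPress core ... wpCore
	// Until that lands the alerts are only dumped for inspection and r is
	// left untouched.
	pp.Println(alerts)
	return 0, nil
}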
// SecurityAlerts mirrors the JSON shape returned by the GitHub GraphQL API
// for the vulnerabilityAlerts query issued in FillGitHubSecurityAlerts:
// data.repository.vulnerabilityAlerts.edges[].node. It carries the detected
// CVE-IDs, package names and references of one repository.
type SecurityAlerts struct {
	Data struct {
		Repository struct {
			VulnerabilityAlerts struct {
				Edges []struct {
					Node struct {
						// ID is the GraphQL node id of the alert.
						ID                 string `json:"id"`
						// ExternalIdentifier is the advisory identifier of the alert,
						// expected to be a CVE-ID (format is defined by GitHub; not
						// validated here).
						ExternalIdentifier string `json:"externalIdentifier"`
						// ExternalReference points at the advisory; presumably a URL,
						// but the value is passed through as returned by the API.
						ExternalReference  string `json:"externalReference"`
						// FixedIn is the package version GitHub reports as resolving
						// the alert.
						FixedIn            string `json:"fixedIn"`
						// PackageName is the name of the affected dependency.
						PackageName        string `json:"packageName"`
					} `json:"node"`
				} `json:"edges"`
			} `json:"vulnerabilityAlerts"`
		} `json:"repository"`
	} `json:"data"`
}