feat: Version check (#51)

.vscode/settings.json

@@ -2,22 +2,35 @@
     "cSpell.words": [
         "Afero",
         "anchore",
+        "briandowns",
+        "codecov",
+        "Conda",
         "coverprofile",
         "cpes",
+        "CRAN",
         "cyclomatic",
         "cyclonedx",
         "Distro",
+        "DKFM",
+        "dpkg",
         "errcheck",
         "gofmt",
         "gomod",
+        "gookit",
+        "Hookz",
         "ignoretests",
         "incredibles",
         "Infof",
+        "kirinlabs",
         "kisielk",
+        "novulns",
         "OSSINDEX",
         "packageurl",
+        "Packagist",
         "rekor",
         "sbom",
+        "sboms",
+        "Smashicons",
         "Sonatype",
         "SPDXID",
         "structs",

README.md

@@ -166,7 +166,7 @@ This will save a file in your current folder in the format "YYYY-MM-DD-HH-MM-SS-
 
 ### Output to JSON
 
-```bomber``` can output vulnerability data in JSON format using the ```--output``` flag. The default output is to STDOUT. There is a ton of more inforamation in the JSON output than what gets displayed in the terminal. You'll be able to see a package description and what it's purpose is, what the vulnerability name is, a summary of the vulnerability, and more.
+```bomber``` can output vulnerability data in JSON format using the ```--output``` flag. The default output is to STDOUT. There is a ton of more information in the JSON output than what gets displayed in the terminal. You'll be able to see a package description and what it's purpose is, what the vulnerability name is, a summary of the vulnerability, and more.
 
 ![](img/bomber-json.png)
 

cmd/root.go

@@ -3,18 +3,20 @@ package cmd
 
 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
 	"os"
+	"strings"
 
+	"github.com/devops-kung-fu/common/github"
 	"github.com/devops-kung-fu/common/util"
 	"github.com/gookit/color"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )
 
 var (
-	version = "0.3.0"
+	version = "0.3.1"
 	output  string
 	//Afs stores a global OS Filesystem that is used throughout bomber
 	Afs = &afero.Afero{Fs: afero.NewOsFs()}
@@ -27,9 +29,10 @@ var (
 		Version: version,
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
 			if !debug {
-				log.SetOutput(ioutil.Discard)
+				log.SetOutput(io.Discard)
 			}
 			util.DoIf(output != "json", func() {
+				log.Println("Start")
 				fmt.Println()
 				color.Style{color.FgWhite, color.OpBold}.Println(" ██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄")
 				color.Style{color.FgWhite, color.OpBold}.Println(" █▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄")
@@ -38,6 +41,11 @@ var (
 				fmt.Println("https://github.com/devops-kung-fu/bomber")
 				fmt.Printf("Version: %s\n", version)
 				fmt.Println()
+
+				latestVersion, _ := github.LatestReleaseTag("devops-kung-fu", "bomber")
+				if !strings.Contains(latestVersion, version) {
+					color.Yellow.Printf("A newer version of bomber is available (%s)\n\n", latestVersion)
+				}
 			})
 		},
 	}

cmd/scan.go

@@ -101,7 +101,7 @@ var (
 			} else {
 				util.PrintInfo("No packages were detected. Nothing has been scanned.")
 			}
-
+			log.Println("Finished")
 		},
 	}
 )

go.mod

@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0
 	github.com/briandowns/spinner v1.19.0
-	github.com/devops-kung-fu/common v0.2.4
+	github.com/devops-kung-fu/common v0.2.5
 	github.com/gookit/color v1.5.2
 	github.com/jarcoal/httpmock v1.2.0
 	github.com/jedib0t/go-pretty/v6 v6.3.8
@@ -30,7 +30,7 @@ require (
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/sys v0.0.0-20220915200043-7b5979e65e41 // indirect
+	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -57,8 +57,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/devops-kung-fu/common v0.2.4 h1:nhAQGDUiKW9h1Jh+jfCprRaF+T6C/k96HNYjeXt3dUI=
-github.com/devops-kung-fu/common v0.2.4/go.mod h1:Pw2S70uUEI+1WRFwjdZf2FaPzdOoLpL5CASW2NTOzCs=
+github.com/devops-kung-fu/common v0.2.5 h1:Ktyp1vsE2iyQPbazSxkQ1CiUq29FblQk/fYPHa09AzA=
+github.com/devops-kung-fu/common v0.2.5/go.mod h1:QV51eFibgEaYodlGnZgWd3IcZd+l44VQtULu6EheMV4=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -339,8 +339,8 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220915200043-7b5979e65e41 h1:ohgcoMbSofXygzo6AD2I1kz3BFmW1QArPYTtwEM3UXc=
-golang.org/x/sys v0.0.0-20220915200043-7b5979e65e41/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
+golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

lib/bomloader_test.go

@@ -8,6 +8,7 @@ import (
 
 	cyclonedx "github.com/devops-kung-fu/bomber/formats/cyclonedx"
 	spdx "github.com/devops-kung-fu/bomber/formats/spdx"
+	syft "github.com/devops-kung-fu/bomber/formats/syft"
 )
 
 func TestLoad_cyclonedx(t *testing.T) {
@@ -44,6 +45,23 @@ func TestLoad_SPDX(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func TestLoad_syft(t *testing.T) {
+	afs := &afero.Afero{Fs: afero.NewMemMapFs()}
+
+	err := afs.WriteFile("/test-syft.json", syft.TestBytes(), 0644)
+	assert.NoError(t, err)
+
+	files, _ := afs.ReadDir("/")
+	assert.Len(t, files, 1)
+	purls, err := Load(afs, []string{"/"})
+	assert.NoError(t, err)
+	assert.Len(t, purls, 1)
+	assert.Equal(t, "pkg:golang/github.com/CycloneDX/[email protected]", purls[0])
+
+	_, err = afs.ReadDir("/bad-dir")
+	assert.Error(t, err)
+}
+
 func TestLoad_BadJSON_SPDX(t *testing.T) {
 	afs := &afero.Afero{Fs: afero.NewMemMapFs()}
 

providers/ossindex/OSSIndex.go

@@ -60,6 +60,7 @@ func (Provider) Scan(purls []string, credentials *models.Credentials) (packages
 				return
 			}
 			for _, pkg := range responses {
+				log.Println("Purl:", pkg.Purl)
 				var tempPackage models.Package
 				var vulnerabilities []models.Vulnerability
 				tempPackage = pkg
@@ -82,6 +83,9 @@ func (Provider) Scan(purls []string, credentials *models.Credentials) (packages
 }
 
 func validateCredentials(credentials *models.Credentials) (err error) {
+	if credentials == nil {
+		return errors.New("credentials cannot be nil")
+	}
 	if credentials.Username == "" {
 		credentials.Username = os.Getenv("BOMBER_PROVIDER_USERNAME")
 	}

providers/ossindex/OSSIndex_test.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/jarcoal/httpmock"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/devops-kung-fu/bomber/models"
@@ -18,6 +19,9 @@ func TestInfo(t *testing.T) {
 func Test_validateCredentials(t *testing.T) {
 	// Back up any env tokens
 
+	err := validateCredentials(nil)
+	assert.Error(t, err)
+
 	username := os.Getenv("BOMBER_PROVIDER_USERNAME")
 	token := os.Getenv("BOMBER_PROVIDER_TOKEN")
 
@@ -28,7 +32,7 @@ func Test_validateCredentials(t *testing.T) {
 		Token:    "token",
 	}
 
-	err := validateCredentials(&credentials)
+	err = validateCredentials(&credentials)
 	assert.NoError(t, err)
 
 	credentials.Username = ""
@@ -48,3 +52,54 @@ func Test_validateCredentials(t *testing.T) {
 	os.Setenv("BOMBER_PROVIDER_USERNAME", username)
 	os.Setenv("BOMBER_PROVIDER_TOKEN", token)
 }
+
+func TestProvider_Scan_FakeCredentials(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	httpmock.RegisterResponder("POST", OSSINDEX_URL,
+		httpmock.NewBytesResponder(200, ossTestResponse()))
+
+	credentials := models.Credentials{
+		Username: "test",
+		Token:    "token",
+	}
+
+	provider := Provider{}
+	packages, err := provider.Scan([]string{"pkg:golang/github.com/briandowns/[email protected]"}, &credentials)
+	assert.NoError(t, err)
+	assert.Equal(t, "pkg:gem/[email protected]", packages[0].Purl)
+	assert.Len(t, packages[0].Vulnerabilities, 1)
+	httpmock.GetTotalCallCount()
+}
+
+func ossTestResponse() []byte {
+	response := `
+	[
+		{
+			"coordinates": "pkg:gem/[email protected]",
+			"description": "TZInfo provides daylight savings aware transformations between times in different time zones.",
+			"reference": "https://ossindex.sonatype.org/component/pkg:gem/[email protected]?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
+			"vulnerabilities": [
+			{
+				"id": "CVE-2022-31163",
+				"displayName": "CVE-2022-31163",
+				"title": "[CVE-2022-31163] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+				"description": "TZInfo... ",
+				"cvssScore": 8.1,
+				"cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+				"cwe": "CWE-22",
+				"cve": "CVE-2022-31163",
+				"reference": "https://ossindex.sonatype.org/vulnerability/CVE-2022-31163?component-type=gem&component-name=tzinfo&utm_source=mozilla&utm_medium=integration&utm_content=5.0",
+				"externalReferences": [
+					"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31163",
+					"https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61",
+					"https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10",
+					"https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx"
+				]
+			}
+			]
+		}
+	]`
+	return []byte(response)
+}

providers/osv/osv.go

@@ -107,6 +107,7 @@ func (Provider) Info() string {
 // Scan scans a list of Purls for vulnerabilities against OSV.dev. Note that credentials are not needed for OSV, so can be nil.
 func (Provider) Scan(purls []string, credentials *models.Credentials) (packages []models.Package, err error) {
 	for _, pp := range purls {
+		log.Println("Purl:", pp)
 		purl, e := packageurl.FromString(pp)
 		if e != nil {
 			err = e

renderers/html/html.go

@@ -53,68 +53,6 @@ func writeTemplate(afs *afero.Afero, filename string, results models.Results) (e
 	return
 }
 
-// func genTemplate(output string) (t *template.Template) {
-
-// 	content := `#!/bin/bash
-
-// # This file was generated by Hookz
-// # For more information, check out https://github.com/devops-kung-fu/hookz
-
-// echo -e "\n$(tput bold)Hookz$(tput sgr0)"
-// echo -e "DKFM - DevOps Kung Fu Mafia"
-// echo -e "https://github.com/devops-kung-fu/hookz"
-// echo -e "Version: 2.4.2"
-// echo
-
-// shasum=$(cat .git/hooks/hookz.shasum)
-// check=$(shasum -a 256 .hookz.yaml | cut -d " " -f 1)
-
-// if [ "$check" != "$shasum" ]; then
-// 	echo -e "$(tput setab 124 && tput setaf 248;) FAIL $(tput sgr0) Configuration change detected"
-// 	echo
-// 	echo "It appears your configuration has changed."
-// 	echo "Please regenerate your hooks with the following"
-// 	echo "command and try again."
-// 	echo
-// 	echo "        hookz reset [--verbose] [--debug] [--verbose-output]"
-// 	echo
-// 	echo "Run 'hookz --help' for usage."
-// 	echo
-// 	exit 1
-// fi
-
-// echo -e "$(tput bold)Hookz$(tput sgr0): Running $(basename $0)"
-
-// {{range .}}
-
-// {{if .Debug}}
-// 	echo -e "$(tput setaf 5) >> START:$(tput sgr0) {{.Name}}"
-// {{end}}
-
-// if ! [ -x "$(command -v  {{.ShortCommand}})" ]; then
-// 	echo -e "$(tput setab 214 && tput setaf 238;) WARN $(tput sgr0) $(tput bold)Hooks$(tput sgr0): {{.ShortCommand}} cannot be run. Command doesn't exist.({{.Type}})"
-// else
-
-// {{.FullCommand}}
-// commandexit=$?
-// if [ $commandexit -eq 0 ]
-// 	then
-// 			echo -e "$(tput setab 34 && tput setaf 238;) PASS $(tput sgr0) $(tput bold)Hookz$(tput sgr0): {{.Name}} ({{.Type}})"
-// 	else
-// 			echo -e "$(tput setab 124 && tput setaf 248;) FAIL $(tput sgr0) $(tput bold)Hookz$(tput sgr0): {{.Name}} ({{.Type}})"
-// 			exit $commandexit
-// 	fi
-// fi
-// {{if .Debug}}
-// 	echo -e "$(tput setaf 5) >> END:$(tput sgr0) {{.Name}}"
-// 	echo -e "$(tput setaf 248;)----------------------------------------------------------------------------------------$(tput sgr0)"
-// {{end}}
-
-// {{end}}
-// `
-// 	return template.Must(template.New(output).Parse(content))
-// }
-
 func genTemplate(output string) (t *template.Template) {
 
 	content := `

renderers/rendererfactory_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	"github.com/devops-kung-fu/bomber/renderers/html"
 	"github.com/devops-kung-fu/bomber/renderers/json"
 	"github.com/devops-kung-fu/bomber/renderers/stdout"
 )
@@ -18,6 +19,10 @@ func TestNewProvider(t *testing.T) {
 	assert.NoError(t, err)
 	assert.IsType(t, json.Renderer{}, renderer)
 
+	renderer, err = NewRenderer("html")
+	assert.NoError(t, err)
+	assert.IsType(t, html.Renderer{}, renderer)
+
 	_, err = NewRenderer("test")
 	assert.Error(t, err)
 }

renderers/stdout/stdout.go

@@ -21,7 +21,7 @@ func (Renderer) Render(results models.Results) (err error) {
 		return
 	}
 	vulnCount := vulnerabilityCount(results.Packages)
-	log.Println("Rendering Packages:", results.Packages)
+	log.Println("Rendering Packages:", len(results.Packages))
 	t := table.NewWriter()
 	t.SetOutputMirror(os.Stdout)
 	rowConfigAutoMerge := table.RowConfig{AutoMerge: true}