shouldi: rust: Fix identification

pdxjohnny · pdxjohnny · commit ea9cb3242158 · 2020-08-02T19:25:35.000-07:00
The rust package we picked to evaluate (crates.io) contains both a package.json and a Cargo.toml. We were getting the results of the npm audit scan rather than the cargo audit scan due to there being the package.json file in the project's root. As well as the fact that the cargo audit wasn't running. Due to it checking for cargo.toml rather than Cargo.toml. This patch checks for both upper and lower case Cargo.toml files. We also switch to using GetMulti rather than GetSingle to get all static analysis scans that may have occurred. Fixes: #826 Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
diff --git a/examples/shouldi/shouldi/rust/analyze.py b/examples/shouldi/shouldi/rust/analyze.py
@@ -35,4 +35,9 @@ async def analyze_rust(self, repo):
             ]
         ):
             cargo_report = results[run_cargo_audit.op.outputs["report"].name]
-            return {"result": SA_RESULTS.spec(critical=cargo_report)}
+
+            return {
+                "result": SA_RESULTS.spec(
+                    report=cargo_report, **cargo_report["qualitative"]
+                )
+            }
diff --git a/examples/shouldi/shouldi/rust/cargo_audit.py b/examples/shouldi/shouldi/rust/cargo_audit.py
@@ -1,8 +1,11 @@
+import os
 import json
 import asyncio
+import itertools
+import contextlib
 from typing import Dict, Any
 
-from dffml import op, Definition
+from dffml import op, Definition, traverse_get
 
 package_src_dir = Definition(name="package_src_dir", primitive="str")
 cargo_audit_output = Definition(
@@ -48,8 +51,48 @@ async def run_cargo_audit(pkg: str) -> Dict[str, Any]:
     if len(stdout) == 0:
         raise CargoAuditError(stderr.decode())
 
-    cargo_audit_op = stdout.decode()
-    issues = json.loads(cargo_audit_op)
-    result = issues["vulnerabilities"]["count"]
+    cargo_report = json.loads(stdout.decode())
 
-    return {"report": result}
+    spec = {
+        "low": 0,
+        "medium": 0,
+        "high": 0,
+        "critical": 0,
+    }
+
+    for vuln in itertools.chain(
+        cargo_report["vulnerabilities"]["list"], cargo_report["warnings"],
+    ):
+        cvss = None
+        for path in [
+            ("kind", "unmaintained", "advisory", "cvss"),
+            ("advisory", "cvss"),
+        ]:
+            with contextlib.suppress(KeyError):
+                cvss = traverse_get(vuln, *path)
+                if cvss is None or isinstance(cvss, (float, int)):
+                    break
+        if cvss is None:
+            cvss = 0
+
+        # Rating   | CVSS Score
+        # ---------+-------------
+        # None     | 0.0
+        # Low      | 0.1 - 3.9
+        # Medium   | 4.0 - 6.9
+        # High     | 7.0 - 8.9
+        # Critical | 9.0 - 10.0
+        #
+        # Source: https://www.first.org/cvss/specification-document
+        if cvss >= 9.0:
+            spec["critical"] += 1
+        elif cvss >= 7.0:
+            spec["high"] += 1
+        elif cvss >= 4.0:
+            spec["medium"] += 1
+        else:
+            spec["low"] += 1
+
+    cargo_report["qualitative"] = spec
+
+    return {"report": cargo_report}
diff --git a/examples/shouldi/shouldi/rust/check.py b/examples/shouldi/shouldi/rust/check.py
@@ -11,7 +11,10 @@
     },
 )
 def has_package_cargo(repo: clone_git_repo.op.outputs["repo"].spec):
-    return {"result": pathlib.Path(repo.directory, "cargo.toml").is_file()}
+    return {
+        "result": pathlib.Path(repo.directory, "cargo.toml").is_file()
+        or pathlib.Path(repo.directory, "Cargo.toml").is_file()
+    }
 
 
 DATAFLOW = DataFlow.auto(has_package_cargo, GetSingle)
diff --git a/examples/shouldi/shouldi/use.py b/examples/shouldi/shouldi/use.py
@@ -2,7 +2,7 @@
 from typing import List
 
 # Command line utility helpers and DataFlow specific classes
-from dffml import CMD, DataFlow, Input, GetSingle, run, config, field
+from dffml import CMD, DataFlow, Input, GetMulti, run, config, field
 
 # Allow users to give us a Git repo URL and we'll clone it and turn it into a
 # directory that will be scanned
@@ -33,10 +33,10 @@
     check_rust,
     analyze_rust,
     cleanup_git_repo,
-    GetSingle,
+    GetMulti,
 )
 DATAFLOW.seed.append(
-    Input(value=[SA_RESULTS.name,], definition=GetSingle.op.inputs["spec"],)
+    Input(value=[SA_RESULTS.name,], definition=GetMulti.op.inputs["spec"],)
 )
 
 # Allow for directory to be provided by user instead of the result of cloning a
diff --git a/examples/shouldi/tests/test_cargo_audit.py b/examples/shouldi/tests/test_cargo_audit.py
@@ -31,4 +31,6 @@ async def test_run(self, rust, cargo_audit, crates):
                     / "crates.io-8c1a7e29073e175f0e69e0e537374269da244cee"
                 )
             )
-            self.assertEqual(results["report"], 1)
+            self.assertEqual(
+                len(results["report"]["vulnerabilities"]["list"]), 1
+            )
diff --git a/examples/shouldi/tests/test_cli_use.py b/examples/shouldi/tests/test_cli_use.py
@@ -1,5 +1,6 @@
 import io
 import pathlib
+import subprocess
 from unittest.mock import patch
 
 from dffml import prepend_to_path, AsyncTestCase
@@ -46,19 +47,30 @@ async def test_use_javascript(self, node, javascript_algo):
     @cached_cargo_audit
     @cached_target_crates
     async def test_use_rust(self, rust, cargo_audit, crates):
-        if not (
-            cargo_audit
-            / "cargo-audit-0.11.2"
-            / "target"
-            / "release"
-            / "cargo-audit"
-        ).is_file():
-            await run_cargo_build(cargo_audit / "cargo-audit-0.11.2")
-
+        if not (rust / "rust-install" / "bin" / "cargo").is_file():
+            subprocess.check_call(
+                [
+                    str(
+                        rust
+                        / "rust-1.42.0-x86_64-unknown-linux-gnu"
+                        / "install.sh"
+                    ),
+                    f"--prefix={(rust / 'rust-install').resolve()}",
+                ]
+            )
         with prepend_to_path(
-            rust / "rust-1.42.0-x86_64-unknown-linux-gnu" / "cargo" / "bin",
+            rust / "rust-install" / "bin",
             cargo_audit / "cargo-audit-0.11.2" / "target" / "release",
         ):
+            if not (
+                cargo_audit
+                / "cargo-audit-0.11.2"
+                / "target"
+                / "release"
+                / "cargo-audit"
+            ).is_file():
+                await run_cargo_build(cargo_audit / "cargo-audit-0.11.2")
+
             with patch("sys.stdout", new_callable=io.StringIO) as stdout:
                 await ShouldI.cli(
                     "use",
@@ -68,4 +80,7 @@ async def test_use_rust(self, rust, cargo_audit, crates):
                     ),
                 )
             output = stdout.getvalue()
-            self.assertIn("high=2", output)
+            # cargo audit
+            self.assertIn("low=2,", output)
+            # npm audit
+            self.assertIn("high=6,", output)

Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,6 @@ async def test_run(self, rust, cargo_audit, crates):`
`31`	`31`	`/ "crates.io-8c1a7e29073e175f0e69e0e537374269da244cee"`
`32`	`32`	`)`
`33`	`33`	`)`
`34`		`- self.assertEqual(results["report"], 1)`
	`34`	`+ self.assertEqual(`
	`35`	`+ len(results["report"]["vulnerabilities"]["list"]), 1`
	`36`	`+ )`