Merge pull request #661 from snyk/feat/add-apprisk-opt-in-rules

feat: add apprisk rules opt-in injection
snyk · Nov 22, 2023 · 8c17ee7 · 8c17ee7
2 parents 885d186 + acec6d6
commit 8c17ee7
Show file tree

Hide file tree

Showing 22 changed files with 7,628 additions and 35 deletions.
diff --git a/client-templates/artifactory/.env.sample b/client-templates/artifactory/.env.sample
@@ -1,3 +1,5 @@
+BROKER_DOWNSTREAM_TYPE_ARTIFACTORY=true
+
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/azure-repos/.env.sample b/client-templates/azure-repos/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_AZURE_REPOS=true
 # Guide how to get/create the token https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page
 # Scopes: Ensure Custom defined is selected and under Code select Read & write
 AZURE_REPOS_TOKEN=<token>

diff --git a/client-templates/bitbucket-server/.env.sample b/client-templates/bitbucket-server/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_BITBUCKET_SERVER=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/container-registry-agent/.env.sample b/client-templates/container-registry-agent/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_CONTAINER_REGISTRY_AGENT=true
 # Your unique broker identifier, copied from snyk.io org settings page
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/github-com/.env.sample b/client-templates/github-com/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_GITHUB=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/github-enterprise/.env.sample b/client-templates/github-enterprise/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_GITHUB_ENTERPRISE=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/gitlab/.env.sample b/client-templates/gitlab/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_GITLAB=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/jira-bearer-auth/.env.sample b/client-templates/jira-bearer-auth/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_JIRA_BEARER_AUTH=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/jira/.env.sample b/client-templates/jira/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_JIRA=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/nexus/.env.sample b/client-templates/nexus/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_NEXUS=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/client-templates/nexus2/.env.sample b/client-templates/nexus2/.env.sample
@@ -1,3 +1,4 @@
+BROKER_DOWNSTREAM_TYPE_NEXUS2=true
 # your unique broker identifier
 BROKER_TOKEN=<broker-token>
 

diff --git a/config.default.json b/config.default.json
@@ -1,3 +1,16 @@
 {
-  "BROKER_SERVER_UNIVERSAL_CONFIG_ENABLED": false
-}
+  "BROKER_SERVER_UNIVERSAL_CONFIG_ENABLED": false,
+  "SUPPORTED_BROKER_TYPES": [
+    "artifactory",
+    "azure-repos",
+    "bitbucket-server",
+    "container-registry-agent",
+    "github-enterprise",
+    "github",
+    "gitlab",
+    "jira-bearer-auth",
+    "jira",
+    "nexus",
+    "nexus2"
+  ]
+}
diff --git a/defaultFilters/apprisk/azure-repos.json b/defaultFilters/apprisk/azure-repos.json
@@ -0,0 +1,182 @@
+[
+  {
+    "//": "get core api's location for sanity check",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/_apis/Location",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get resource access for sanity check",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/ResourceAreas",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get specific repository for given organisation",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/git/repositories/:repo",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list of refs",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/git/repositories/:repo/refs",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "pull teams",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/teams",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "pull users via graph api",
+    "method": "GET",
+    "path": "/:owner/_apis/graph/users",
+    "origin": "https://vssps.dev.azure.com/",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get api's connection status",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/connectionData",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get core",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/_apis/core",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get git",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/_apis/git",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list of repositories for given organisation",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/:project/_apis/git/repositories",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list of projects for given organisation",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/projects",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "pull teams",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/projects/:repo/teams",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list of commits for given repository",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/:project/_apis/git/repositories/:repo/commits",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list of team's members",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/projects/:project/teams/:team/members",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "get list project's languages",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/_apis/projectanalysis",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "pull project's languages metrics",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/:project/_apis/projectanalysis/languagemetrics",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  },
+  {
+    "//": "expend team",
+    "method": "GET",
+    "path": "/${AZURE_REPOS_ORG}/_apis/projects/:project/teams/:team",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  }, {
+    "//": "get releases",
+    "method": "OPTIONS",
+    "path": "/${AZURE_REPOS_ORG}/_apis/Release",
+    "origin": "https://${AZURE_REPOS_HOST}",
+    "auth": {
+      "scheme": "basic",
+      "token": "${BROKER_CLIENT_VALIDATION_BASIC_AUTH}"
+    }
+  }
+
+]
diff --git a/defaultFilters/apprisk/bitbucket-server.json b/defaultFilters/apprisk/bitbucket-server.json
@@ -0,0 +1,90 @@
+[
+  {
+    "//": "used to get repo's commits",
+    "method": "GET",
+    "path": "/projects/:projectKey/repos/:repo/commits",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "used to get specific commit",
+    "method": "GET",
+    "path": "/projects/:projectKey/repos/:repo/commits/:commit/diff",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "list commit for a given repo",
+    "method": "GET",
+    "path": "/:workspace/:repo/commits",
+    "origin": "https://${BITBUCKET}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "get a specific commit diff stats identified by the commit hash or name of a branch",
+    "method": "GET",
+    "path": "/:workspace/:repo/diffstat/commits/:sha",
+    "origin": "https://${BITBUCKET}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "list the user's workspaces - AppRisk connector",
+    "method": "GET",
+    "path": "/workspaces",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "list the user's workspaces - AppRisk connector",
+    "method": "GET",
+    "path": "/projects",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "used to get groups",
+    "method": "GET",
+    "path": "/admin/groups",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  },
+  {
+    "//": "used to get group's members",
+    "method": "GET",
+    "path": "/admin/groups/more-members",
+    "origin": "https://${BITBUCKET_API}",
+    "auth": {
+      "scheme": "basic",
+      "username": "${BITBUCKET_USERNAME}",
+      "password": "${BITBUCKET_PASSWORD}"
+    }
+  }
+]