Merge pull request #549 from KennaSecurity/SUP-1602-jesutorr

SUP-1602 Snyk task API migration from deprecated version to REST API version
KennaSecurity · Sep 4, 2024 · 980102c · 980102c
2 parents 6454ed6 + 0f5969d
commit 980102c
Show file tree

Hide file tree

Showing 14 changed files with 3,992 additions and 452 deletions.
diff --git a/Gemfile b/Gemfile
@@ -19,7 +19,7 @@ gem "aws-sdk-inspector2"
 gem "httparty"
 gem "ipaddress"
 gem "rest-client"
-gem "rexml", ">= 3.2.7"
+gem "rexml", ">= 3.3.3"
 gem "ruby-limiter"
 gem "sanitize"
 gem "strscan"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -92,7 +92,7 @@ GEM
       netrc (~> 0.8)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.2)
+    rexml (3.3.5)
       strscan
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
@@ -186,7 +186,7 @@ DEPENDENCIES
   pry
   pry-byebug
   rest-client
-  rexml (>= 3.2.7)
+  rexml (>= 3.3.3)
   rspec
   rspec-github
   rubocop
@@ -204,4 +204,4 @@ RUBY VERSION
    ruby 3.2.2p53
 
 BUNDLED WITH
-   2.4.10
+   2.5.15
diff --git a/log/vcr_debug.log b/log/vcr_debug.log
diff --git a/spec/fixtures/vcr_cassettes/snyk_v2_task_run.yml b/spec/fixtures/vcr_cassettes/snyk_v2_task_run.yml
diff --git a/spec/rspec_helper.rb b/spec/rspec_helper.rb
@@ -30,9 +30,11 @@
     AWS_ACCESS_KEY_ID
     AWS_SECRET_ACCESS_KEY
     GITHUB_TOKEN
+    SNYK_API_TOKEN
   ].each do |key|
     config.filter_sensitive_data("<#{key}>") { ENV[key] }
   end
+  config.debug_logger = File.open("log/vcr_debug.log", "w")
 end
 
 module Kenna

diff --git a/spec/tasks/connectors/snyk_v2/fixtures/issues.json b/spec/tasks/connectors/snyk_v2/fixtures/issues.json
@@ -1,63 +1,178 @@
 {
-  "results": [
+  "jsonapi": {
+    "version": "1.0"
+  },
+  "links": {
+    "self": "/rest/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/issues?version=2024-04-29&limit=10&created_after=2024-07-03T00:00:00Z&created_before=2024-08-02T00:00:00Z",
+    "first": "/rest/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/issues?created_after=2024-07-03T00%3A00%3A00Z&created_before=2024-08-02T00%3A00%3A00Z&limit=10&version=2024-04-29",
+    "last": "/rest/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/issues?created_after=2024-07-03T00%3A00%3A00Z&created_before=2024-08-02T00%3A00%3A00Z&ending_before=end&limit=10&version=2024-04-29",
+    "prev": "/rest/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/issues?created_after=2024-07-03T00%3A00%3A00Z&created_before=2024-08-02T00%3A00%3A00Z&ending_before=eyJvcmdJZCI6ImUwMzE5ZDAxLTdhM2YtNDQyYS04ZTk0LTM2MTNiODFjNzA1YSIsInNldmVyaXR5IjozMCwiY3JlYXRlZEF0IjoiMjAyNC0wNy0wOFQxMDoxMzozNy41NDhaIiwiaWQiOiJlNjJjNTE2MS05YmI4LTQxYjMtOTg3Yi00ODdjODM4ODE4NDEiLCJ0b3RhbCI6eyJjYWxjdWxhdGVkQXQiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiJ9fQ%3D%3D&limit=10&version=2024-04-29",
+    "next": "/rest/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/issues?created_after=2024-07-03T00%3A00%3A00Z&created_before=2024-08-02T00%3A00%3A00Z&limit=10&starting_after=eyJvcmdJZCI6ImUwMzE5ZDAxLTdhM2YtNDQyYS04ZTk0LTM2MTNiODFjNzA1YSIsInNldmVyaXR5IjozMCwiY3JlYXRlZEF0IjoiMjAyNC0wNy0xMVQwNjozMzozNS4yMDhaIiwiaWQiOiI2ZWFkOWFkZi03NjhiLTQyMWEtODQ0MC1iNWNmNjJlNDgxZTQiLCJ0b3RhbCI6eyJjYWxjdWxhdGVkQXQiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiJ9fQ%3D%3D&version=2024-04-29"
+  },
+  "data": [
     {
-      "issue": {
-        "url": "http://security.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078",
-        "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078",
-        "title": "Deserialization of Untrusted Data",
-        "type": "vuln",
-        "package": "commons-collections:commons-collections",
-        "version": "3.1",
-        "severity": "critical",
-        "originalSeverity": null,
-        "uniqueSeveritiesList": [
-          "critical"
+      "id": "d62c5f6a-ABCD-41b3-EFGH-487c83881841",
+      "type": "issue",
+      "attributes": {
+        "classes": [
+          {
+            "id": "CWE-613",
+            "source": "CWE",
+            "type": "weakness"
+          }
         ],
-        "language": "java",
-        "packageManager": "maven",
-        "semver": {
-          "vulnerable": [
-            "[3.0,3.2.2)"
-          ]
+        "coordinates": [
+          {
+            "is_fixable_manually": false,
+            "is_fixable_snyk": true,
+            "is_fixable_upstream": false,
+            "is_patchable": false,
+            "is_pinnable": false,
+            "is_upgradeable": true,
+            "reachability": "no-info",
+            "representations": [
+              {
+                "dependency": {
+                  "package_name": "org.apache.tomcat.embed:tomcat-embed-core",
+                  "package_version": "9.0.12"
+                }
+              }
+            ]
+          }
+        ],
+        "created_at": "2024-07-08T10:13:37.548Z",
+        "effective_severity_level": "high",
+        "ignored": false,
+        "key": "SNYK-JAVA-DUMMYORGAPACHETOMCATEMBEDXX-7430175",
+        "problems": [
+          {
+            "id": "SNYK-JAVA-DUMMYORGAPACHETOMCATEMBEDXX-7430175",
+            "source": "SNYK",
+            "type": "vulnerability",
+            "updated_at": "2024-07-08T10:13:38.759844Z"
+          },
+          {
+            "id": "CVE-2024-34750",
+            "source": "NVD",
+            "type": "vulnerability",
+            "updated_at": "2024-07-08T10:13:38.759846Z",
+            "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34750"
+          }
+        ],
+        "risk": {
+          "factors": [],
+          "score": {
+            "model": "v1",
+            "value": 124
+          }
         },
-        "isIgnored": false,
-        "publicationTime": "2015-11-06T16:51:56.000Z",
-        "disclosureTime": "2015-11-06T16:51:56.000Z",
-        "isUpgradable": false,
-        "isPatchable": false,
-        "isPinnable": false,
-        "identifiers": {
-          "CVE": [
-            "CVE-2015-7501",
-            "CVE-2015-4852"
-          ],
-          "CWE": [
-            "CWE-502"
-          ]
+        "status": "open",
+        "title": "Insufficient Session Expiration",
+        "type": "package_vulnerability",
+        "updated_at": "2024-07-08T10:13:37.548Z"
+      },
+      "relationships": {
+        "organization": {
+          "data": {
+            "id": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
+            "type": "organization"
+          },
+          "links": {
+            "related": "/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv"
+          }
         },
-        "credit": [
-          "Unknown"
+        "scan_item": {
+          "data": {
+            "id": "d1d1d1d1-ABCD-49b6-FFFF-8b0528afbe5b",
+            "type": "project"
+          },
+          "links": {
+            "related": "/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/projects/d1d1d1d1-ABCD-49b6-FFFF-8b0528afbe5b"
+          }
+        }
+      }
+    },
+    {
+      "id": "7cfb92c9-WXYZ-55gc-IJKL-99f1fd01b412",
+      "type": "issue",
+      "attributes": {
+        "classes": [
+          {
+            "id": "CWE-613",
+            "source": "CWE",
+            "type": "weakness"
+          }
         ],
-        "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O",
-        "cvssScore": "9.8",
-        "patches": [],
-        "isPatched": false,
-        "exploitMaturity": "mature",
-        "reachability": "",
-        "priorityScore": 790,
-        "jiraIssueUrl": null
+        "coordinates": [
+          {
+            "is_fixable_manually": false,
+            "is_fixable_snyk": true,
+            "is_fixable_upstream": false,
+            "is_patchable": false,
+            "is_pinnable": false,
+            "is_upgradeable": true,
+            "reachability": "no-info",
+            "representations": [
+              {
+                "dependency": {
+                  "package_name": "org.apache.tomcat.embed:tomcat-embed-core",
+                  "package_version": "8.5.11"
+                }
+              }
+            ]
+          }
+        ],
+        "created_at": "2024-07-09T00:40:58.934Z",
+        "effective_severity_level": "high",
+        "ignored": false,
+        "key": "SNYK-JAVA-DUMMYORGAPACHETOMCATEMBEDXX-7430175",
+        "problems": [
+          {
+            "id": "SNYK-JAVA-DUMMYORGAPACHETOMCATEMBEDXX-7430175",
+            "source": "SNYK",
+            "type": "vulnerability",
+            "updated_at": "2024-07-09T00:41:00.779608Z"
+          },
+          {
+            "id": "CVE-2024-34750",
+            "source": "NVD",
+            "type": "vulnerability",
+            "updated_at": "2024-07-09T00:41:00.77961Z",
+            "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34750"
+          }
+        ],
+        "risk": {
+          "factors": [],
+          "score": {
+            "model": "v1",
+            "value": 124
+          }
+        },
+        "status": "open",
+        "title": "Insufficient Session Expiration",
+        "type": "package_vulnerability",
+        "updated_at": "2024-07-09T00:40:58.934Z"
       },
-      "isFixed": false,
-      "introducedDate": "2023-04-26",
-      "project": {
-        "url": "https://snyk.io/org/kenna-security-nfr-shared/project/9a134a37-7420-4418-9b85-b675ed9ac3dc",
-        "id": "9a134a37-7420-4418-9b85-b675ed9ac3dc",
-        "name": "JoyChou93/java-sec-code:pom.xml",
-        "source": "github",
-        "packageManager": "maven",
-        "targetFile": "pom.xml"
+      "relationships": {
+        "organization": {
+          "data": {
+            "id": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
+            "type": "organization"
+          },
+          "links": {
+            "related": "/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv"
+          }
+        },
+        "scan_item": {
+          "data": {
+            "id": "cecdbd27-0d35-467d-bac8-19c96d9e5c88",
+            "type": "project"
+          },
+          "links": {
+            "related": "/orgs/abcd1234-5678-90ef-ghij-klmnopqrstuv/projects/cecdbd27-0d35-467d-bac8-19c96d9e5c88"
+          }
+        }
       }
     }
-  ],
-  "total": 1
-}
+  ]
+}