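def main(args):
    """Entry point: export Snyk project findings as a ThreadFix JSON document.

    Parses *args*, resolves and validates the Snyk token, collects the
    findings of every ``--project-ids`` value under ``--org-id`` and writes
    the resulting ThreadFix object to ``--output`` or to stdout.

    Side effects: assigns the module globals ``snyk_token``, ``client`` and
    ``debug``; terminates the process with status 1 when the token cannot be
    fetched or the org / project lookup fails (the original ``quit()`` and
    fall-through paths exited with status 0, which hides failures from CI).

    Raises:
        SnykTokenInvalidError: a token was found but ``validate_token``
            rejected it.
    """
    global snyk_token, client, debug
    args = parse_command_line_args(args)
    debug = args.debug

    try:
        snyk_token = get_token()
    except Exception:
        log_error(
            "Error fetching Snyk token. Set SNYK_TOKEN env var or run `snyk auth <your-token>` (see https://github.com/snyk/snyk#installation)."
        )
        if debug:
            traceback.print_exc(file=sys.stderr)
        # Non-zero exit so a missing token is not reported as success.
        sys.exit(1)

    if not validate_token(snyk_token):
        raise SnykTokenInvalidError("invalid token")

    user_agent_string = "snyk-threadfix/%s" % __version__
    client = snyk.SnykClient(snyk_token, user_agent=user_agent_string)

    # All timestamps are to be in yyyy-MM-dd'T'HH:mm:ss'Z' format; arrow's
    # isoformat() emits "+00:00" for UTC, so the suffix is rewritten to "Z".
    current_time = arrow.utcnow().replace(microsecond=0)
    current_time_str = current_time.isoformat().replace("+00:00", "Z")
    threadfix_json_obj = {
        "created": current_time_str,
        "exported": current_time_str,
        "collectionType": "DEPENDENCY",
        "source": "Snyk",
        "findings": [],
    }

    try:
        all_threadfix_findings = []
        for p_id in args.project_ids:
            all_threadfix_findings.extend(
                create_threadfix_findings_data(args.org_id, p_id)
            )
        threadfix_json_obj["findings"] = all_threadfix_findings
        if args.output:
            write_to_threadfix_file(args.output, threadfix_json_obj)
        else:
            write_output_to_stdout(threadfix_json_obj)
    except snyk.errors.SnykOrganizationNotFoundError:
        log_error(
            "Error resolving org in Snyk. This is probably because your `--org-id` parameter value is invalid."
        )
        if debug:
            traceback.print_exc(file=sys.stderr)
        sys.exit(1)
    except snyk.errors.SnykNotFoundError:
        log_error(
            "Error resolving org / project(s) in Snyk. This is probably your `--org-id` or `--project-ids` parameters contains invalid value(s)."
        )
        if debug:
            traceback.print_exc(file=sys.stderr)
        sys.exit(1)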
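def get_snyk_org(snyk_api_key: str) -> "tuple[str | None, object]":
    """Resolve the first Snyk organization visible to *snyk_api_key*.

    The original annotation ``-> (str, str)`` was not a type hint (it is a
    tuple literal) and mis-described ``org``, which is an organization
    object, not a string.

    Args:
        snyk_api_key: Snyk API token used to build the client.

    Returns:
        ``(error, org)``. On success ``error`` is ``None`` and ``org`` is the
        first organization returned by the API. If the API call raises
        ``SnykHTTPError`` (the case an invalid key produces), ``error`` is an
        ``ERROR_PREFIX``-prefixed message and ``org`` is ``None``.
    """
    error = None
    org = None
    try:
        client = snyk.SnykClient(snyk_api_key)
        # The first organization is the one used for testing.
        org = client.organizations.first()
    except snyk.errors.SnykHTTPError:
        # Any HTTP-level failure is reported as an invalid key; the handler
        # does not distinguish 401 from other statuses.
        error = f"{ERROR_PREFIX} Provided Snyk API key is not valid."
    return error, org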
def get_snyk_projects():
    """
    Return a list of all Snyk projects, or if a SNYK_ORG is specified all
    Snyk projects in that organization.

    Reads SNYK_TOKEN (required; the process exits with a message when it is
    absent), SNYK_API (optional API base passed to the client) and SNYK_ORG
    (optional organization id) from the environment.
    """
    token = os.environ.get("SNYK_TOKEN")
    if token is None:
        sys.exit("You must provide a SNYK_TOKEN to run Snyk Shell")

    # Only pass the API base when one was configured.
    api_base = os.environ.get("SNYK_API")
    client_args = (token, api_base) if api_base else (token,)
    snyk_client = snyk.SnykClient(*client_args)

    org_id = os.environ.get("SNYK_ORG")
    if not org_id:
        return snyk_client.projects.all()
    return snyk_client.organizations.get(org_id).projects.all()
def run():
    """Start an embedded IPython shell pre-loaded with Snyk API objects.

    Requires SNYK_TOKEN in the environment; exits with a message otherwise.
    Fetches all organizations and projects before opening the shell and
    prints a banner listing the names available inside it.
    """
    token = os.environ.get("SNYK_TOKEN")
    if token is None:
        sys.exit("You must provide a SNYK_TOKEN to run Snyk Shell")

    client = snyk.SnykClient(token)
    organizations = client.organizations.all()
    projects = client.projects.all()

    help_text = (
        "The following objects and methods are currently available:\n"
        " client - An instance of the Snyk client, which can be used to make requests to the API\n"
        " organizations - A prepopulated list of the Snyk organizations you are a member of\n"
        " projects - A prepopulated list of all of your Snyk projects\n"
        " pprint() - A pretty printer for objects returns by the API\n"
    )
    shell = InteractiveShellEmbed(banner1=colored("Welcome to Snyk Shell", "blue"))
    shell(colored(help_text))
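# Bulk-update one setting on a named integration across every org listed in
# the orgs file. Usage: <orgfile> <integration_name> <setting> <value>
snyktoken = os.environ['SNYK_TOKEN']

# very janky settings config
if len(sys.argv) < 5:
    # Fail with a usage line instead of an IndexError on a missing argument.
    sys.exit(f'usage: {sys.argv[0]} <orgfile> <integration_name> <setting> <value>')
orgfile = sys.argv[1]
int_name = sys.argv[2]
setting = sys.argv[3]
set_val = sys.argv[4]

orgs = jopen(orgfile)
# Lower-casing before json.loads turns "True"/"False" into JSON booleans.
set_val = json.loads(str(set_val).lower())
setting = str(setting)
new_setting = {setting: set_val}

client = snyk.SnykClient(snyktoken)

for org in orgs:
    org_id = org['id']
    org_name = org['name']
    for integration in org['integrations']:
        int_id = integration['id']
        name = integration['name']
        # this check is technically redundant, but want to make sure before we update anything
        if name != int_name:
            continue
        callurl = f'org/{org_id}/integrations/{int_id}/settings'
        print(f'updating {name} integration for org {org_name}')
        resp = client.put(callurl, new_setting)
        if resp.status_code == 200:
            print(f'{org_name} has had setting of {setting} for {name} set to {set_val}')
        else:
            # Report failures rather than silently moving on; whether the
            # client raises on non-2xx before reaching here is not shown
            # in this file, so the status check is kept.
            print(f'failed to update {name} for org {org_name}: HTTP {resp.status_code}', file=sys.stderr)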
ORGS = literal_eval(config['Github']['ORGS']) excluded_repos = literal_eval(config['Github']['excluded_repos']) # Snyk SNYK_API_TOKEN = config['Snyk']['SNYK_API_TOKEN'] SNYK_ORG_ID = config['Snyk']['SNYK_ORG_ID'] SNYK_INTEGRATION_ID = config['Snyk']['SNYK_INTEGRATION_ID'] # Slack slack = Slack(url=config['Slack']['webhook_alerts']) # Days since run, linked to cron job duration. Basically, how do we determine a "new" repo is new to us DAYS_SINCE_RUN = 10 # GHE API python wrapper ghe = Github(base_url=f"https://{DOMAIN}/api/v3", login_or_token=GHE_ACCESS_TOKEN, per_page=1000) # Snyk API python wrapper, get all existing project (aka onboarded GHE repos) client = snyk.SnykClient(SNYK_API_TOKEN) projects = client.organizations.get(SNYK_ORG_ID).projects.all() archived_repos = [] new_repos = [] is_present = False seen_repos = [] for watched_org in ORGS: org = ghe.get_organization(watched_org) for repo in org.get_repos(type="all"): seen_repos.append(repo.full_name) # check that a repo isn't on the excluded list if repo.full_name not in excluded_repos: # Build a list of archived repos if repo.archived: