Пример #1
0
def main(args):
    global snyk_token, client, debug
    args = parse_command_line_args(args)
    debug = args.debug

    try:
        snyk_token = get_token()
    except Exception as e:
        log_error(
            "Error fetching Snyk token. Set SNYK_TOKEN env var or run `snyk auth <your-token>` (see https://github.com/snyk/snyk#installation)."
        )
        quit()

    token_is_valid = validate_token(snyk_token)
    if not token_is_valid:
        raise SnykTokenInvalidError("invalid token")

    user_agent_string = "snyk-threadfix/%s" % __version__
    client = snyk.SnykClient(snyk_token, user_agent=user_agent_string)

    project_ids = args.project_ids

    current_time = arrow.utcnow().replace(microsecond=0)
    current_time_str = current_time.isoformat().replace("+00:00", "Z")

    threadfix_json_obj = {
        "created": current_time_str,  # All timestamps are to be in yyyy-MM-dd'T'HH:mm:ss'Z' format
        "exported": current_time_str,  # All timestamps are to be in yyyy-MM-dd'T'HH:mm:ss'Z' format
        "collectionType": "DEPENDENCY",
        "source": "Snyk",
        "findings": [],
    }

    all_threadfix_findings = []

    try:
        for p_id in project_ids:
            threadfix_findings = create_threadfix_findings_data(args.org_id, p_id)
            all_threadfix_findings.extend(threadfix_findings)

        threadfix_json_obj["findings"] = all_threadfix_findings

        if args.output:
            write_to_threadfix_file(args.output, threadfix_json_obj)
        else:
            write_output_to_stdout(threadfix_json_obj)

    except snyk.errors.SnykOrganizationNotFoundError:
        log_error(
            "Error resolving org in Snyk. This is probably because your `--org-id` parameter value is invalid."
        )
        if debug:
            traceback.print_exc(file=sys.stderr)

    except snyk.errors.SnykNotFoundError:
        log_error(
            "Error resolving org / project(s) in Snyk. This is probably your `--org-id` or `--project-ids` parameters contains invalid value(s)."
        )
        if debug:
            traceback.print_exc(file=sys.stderr)
Пример #2
0
def get_snyk_org(snyk_api_key: str) -> (str, str):
    error = None
    org = None
    # create the snyk client
    try:
        client = snyk.SnykClient(snyk_api_key)
        # create the orgianzation to use for testing
        org = client.organizations.first()
    # if the api key is invalid, return an error
    except snyk.errors.SnykHTTPError:
        error = f"{ERROR_PREFIX} Provided Snyk API key is not valid."
    return error, org
Пример #3
0
def get_snyk_projects():
    """
    Return a list of all Snyk projects, or if a SNYK_ORG
    is specified all Snyk projects in that organization
    """
    try:
        token = os.environ["SNYK_TOKEN"]
    except KeyError:
        sys.exit("You must provide a SNYK_TOKEN to run Snyk Shell")

    api = os.environ.get("SNYK_API")
    if api:
        snyk_client = snyk.SnykClient(token, api)
    else:
        snyk_client = snyk.SnykClient(token)

    org_id = os.environ.get("SNYK_ORG")
    if org_id:
        org = snyk_client.organizations.get(org_id)
        return org.projects.all()
    else:
        return snyk_client.projects.all()
Пример #4
0
def run():
    try:
        token = os.environ["SNYK_TOKEN"]
    except KeyError:
        sys.exit("You must provide a SNYK_TOKEN to run Snyk Shell")
    client = snyk.SnykClient(token)
    organizations = client.organizations.all()
    projects = client.projects.all()

    shell = InteractiveShellEmbed(
        banner1=colored("Welcome to Snyk Shell", "blue"))

    shell(
        colored(
            "The following objects and methods are currently available:\n"
            "  client - An instance of the Snyk client, which can be used to make requests to the API\n"
            "  organizations - A prepopulated list of the Snyk organizations you are a member of\n"
            "  projects - A prepopulated list of all of your Snyk projects\n"
            "  pprint() - A pretty printer for objects returns by the API\n"))
snyktoken = os.environ['SNYK_TOKEN']

# very janky settings config
orgfile = sys.argv[1]
int_name = sys.argv[2]
setting = sys.argv[3]
set_val = sys.argv[4]

orgs = jopen(orgfile)

set_val = json.loads(str(set_val).lower())
setting = str(setting)

new_setting = {setting: set_val}

client = snyk.SnykClient(snyktoken)

for org in orgs:
    org_id = org['id']
    org_name = org['name']
    for integration in org['integrations']:
        int_id = integration['id']
        name = integration['name']
        # this check is technically redundant, but want to make sure before we update anything
        if name == int_name:
            callurl = f'org/{org_id}/integrations/{int_id}/settings'
            notice = f'updating {name} integration for org {org_name}'
            print(notice)
            resp = client.put(callurl, new_setting)
            if resp.status_code == 200:
                print(f'{org_name} has had setting of {setting} for {name} set to {set_val}')
Пример #6
0
ORGS = literal_eval(config['Github']['ORGS'])
excluded_repos = literal_eval(config['Github']['excluded_repos'])
# Snyk
SNYK_API_TOKEN = config['Snyk']['SNYK_API_TOKEN']
SNYK_ORG_ID = config['Snyk']['SNYK_ORG_ID']
SNYK_INTEGRATION_ID = config['Snyk']['SNYK_INTEGRATION_ID']
# Slack
slack = Slack(url=config['Slack']['webhook_alerts'])
# Days since run, linked to cron job duration. Basically, how do we determine a "new" repo is new to us
DAYS_SINCE_RUN = 10

# GHE API python wrapper
ghe = Github(base_url=f"https://{DOMAIN}/api/v3", login_or_token=GHE_ACCESS_TOKEN, per_page=1000)

# Snyk API python wrapper, get all existing project (aka onboarded GHE repos)
client = snyk.SnykClient(SNYK_API_TOKEN)
projects = client.organizations.get(SNYK_ORG_ID).projects.all()

archived_repos = []
new_repos = []
is_present = False
seen_repos = []

for watched_org in ORGS:
    org = ghe.get_organization(watched_org)
    for repo in org.get_repos(type="all"):
        seen_repos.append(repo.full_name)
        # check that a repo isn't on the excluded list
        if repo.full_name not in excluded_repos:
            # Build a list of archived repos
            if repo.archived: