reachability enricher

Author: sg

new-components/enrichers/reachability/README.md

@@ -0,0 +1,29 @@
+# custom-annotation
+
+This component implements an [enricher](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+This enricher performs reachability analysis using [atom](https://github.com/AppThreat/atom).
+
+## Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well as the following:
+
+| Environment Variable       | Type   | Required | Default | Description                                                             |
+|----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
+| ATOM\_FILE\_PATH    | string | yes      | -       | Path to the file where atom has produced reachable slices.                     |
+
+## How to run
+
+Execute:
+
+```shell
+docker-compose up --build --force-recreate --remove-orphans
+```
+
+Then shutdown with:
+
+```shell
+docker-compose down --rmi all
+```

new-components/enrichers/reachability/cmd/main.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/annotation"
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/conf"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("reachability"))
+
+	config, err := conf.New()
+	if err != nil {
+		return errors.Errorf("could not initialiaze config, err: %w", err)
+	}
+	annotator := annotation.NewReachabilityAnnotator(config)
+
+	if err := component.RunEnricher(ctx, annotator, opts...); err != nil {
+		return errors.Errorf("error enriching reachability annotation: %w", err)
+	}
+
+	return nil
+}

new-components/enrichers/reachability/docker-compose.yaml

@@ -0,0 +1,10 @@
+services:
+  enricher:
+    build:
+      context: ../..
+      args:
+        - COMPONENT_PATH=enrichers/custom-annotation
+        - COMPONENT_BINARY_SOURCE_PATH=cmd/main.go
+    platform: linux/amd64
+    env_file:
+      - .env

new-components/enrichers/reachability/internal/annotation/annotation.go

@@ -0,0 +1,194 @@
+package annotation
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/atom"
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/atom/purl"
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/conf"
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/logging"
+	"github.com/smithy-security/smithy/new-components/enrichers/reachability/internal/search"
+)
+
+type (
+	reachabilityAnnotator struct {
+		cfg            *conf.Conf
+		atomReader     *atom.Reader
+		annotationName string
+		providerName   string
+	}
+)
+
+// NewReachabilityAnnotator returns a new reachability enricher.
+func NewReachabilityAnnotator(cfg *conf.Conf) *reachabilityAnnotator {
+	return &reachabilityAnnotator{
+		cfg:            cfg,
+		annotationName: "Reachable-Code",
+		providerName:   "reachability-enricher",
+	}
+}
+
+// Annotate adds annotated values to passed findings.
+func (ca *reachabilityAnnotator) Annotate(
+	ctx context.Context,
+	findings []*vf.VulnerabilityFinding,
+) ([]*vf.VulnerabilityFinding, error) {
+	var (
+		logger = component.LoggerFromContext(ctx).
+			With(slog.Int("num_findings", len(findings))).
+			With(slog.String("provider_name", ca.providerName))
+	)
+
+	logger.Debug("preparing to annotate findings...")
+
+	purlParser, err := purl.NewParser()
+	if err != nil {
+		return nil, errors.Errorf("could not initialize purl parser: %w", err)
+	}
+
+	ar, err := atom.NewReader(ca.cfg.ATOMFilePath, purlParser)
+	if err != nil {
+		return nil, errors.Errorf("could not initialize atom reader: %w", err)
+	}
+	ca.atomReader = ar
+	findings, err = ca.Enrich(ctx, findings)
+	if err != nil {
+		return nil, errors.Errorf("could not enrich findings err: %w", err)
+	}
+	logger.Debug("findings annotated successfully!")
+	return findings, nil
+}
+
+// Enrich looks for untagged inputs and processes them outputting if any of them is reachable.
+// The reachability checks leverage atom - https://github.com/AppThreat/atom.
+func (ca *reachabilityAnnotator) Enrich(ctx context.Context, findings []*vf.VulnerabilityFinding) ([]*vf.VulnerabilityFinding, error) {
+	var (
+		logger = logging.FromContext(ctx).With(
+			slog.String("atom_file_path", ca.cfg.ATOMFilePath),
+		)
+	)
+
+	logger.Debug("running enrichment step")
+	logger.Debug("preparing to read response...")
+
+	logger = logger.With(slog.Int("num_tagged_resources", len(findings)))
+	logger.Debug("preparing to read atom file...")
+
+	reachablesRes, err := ca.atomReader.Read(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("could not read atom reachables from path %s: %w", ca.cfg.ATOMFilePath, err)
+	}
+
+	logger = logger.With(slog.Int("num_atom_reachables", len(reachablesRes.Reachables)))
+	logger.Debug("successfully read atom file!")
+	logger.Debug("preparing to check for reachable purls...")
+
+	reachablePurls, err := ca.atomReader.ReachablePurls(ctx, reachablesRes)
+	if err != nil {
+		return nil, fmt.Errorf("could not get reachable purls: %w", err)
+	}
+
+	logger = logger.With(slog.Int("num_reachable_purls", len(reachablePurls)))
+	logger.Debug("successfully checked for reachable purls!")
+	logger.Debug("preparing to create a new searcher...")
+
+	searcher, err := search.NewSearcher(reachablesRes.Reachables, reachablePurls)
+	if err != nil {
+		return nil, fmt.Errorf("could not create searcher: %w", err)
+	}
+
+	logger.Debug("successfully created a new searcher!")
+	logger.Debug("preparing to check for reachable targets...")
+	numEnriched := 0
+	numReachable := 0
+	atomPurlParser, err := purl.NewParser()
+	if err != nil {
+		return nil, errors.Errorf("could not initialize atom purl parser err: %w", err)
+	}
+	for idx, finding := range findings {
+		logger := logger.With(
+			slog.String("vendor", *finding.Finding.FindingInfo.ProductUid),
+			slog.Any("scan_id", finding.ID),
+			slog.Int("num_vulns", len(finding.Finding.Vulnerabilities)),
+		)
+		logger.Debug("preparing to enrich issues in target...")
+		for _, vuln := range finding.Finding.Vulnerabilities {
+			for _, pkg := range vuln.AffectedPackages {
+				parsedPurls, err := atomPurlParser.ParsePurl(*pkg.Purl)
+				if err != nil {
+					logger.Error(
+						"could not search affected package. Continuing...",
+						slog.String("err", err.Error()))
+					continue
+				}
+				var reachable bool
+				var reachableEnrichment *ocsf.Enrichment
+				for _, p := range parsedPurls {
+					re, reached, err := ca.isReachable(searcher, p)
+					if err != nil {
+						logger.Error(
+							"could not search affected package. Continuing...",
+							slog.String("err", err.Error()),
+						)
+						continue
+					}
+					reachable = reached
+					reachableEnrichment = re
+					if reached {
+						break
+					}
+				}
+				if reachable {
+					numReachable += 1
+				}
+				numEnriched += 1
+				findings[idx].Finding.Enrichments = append(findings[idx].Finding.Enrichments, reachableEnrichment)
+			}
+			for _, code := range vuln.AffectedCode {
+				reachableEnrichment, reachable, err := ca.isReachable(searcher, ca.makeCodeString(code))
+				if err != nil {
+					logger.Error(
+						"could not search affected package. Continuing...",
+						slog.String("err", err.Error()),
+					)
+				}
+				if reachable {
+					numReachable += 1
+				}
+				numEnriched += 1
+				findings[idx].Finding.Enrichments = append(findings[idx].Finding.Enrichments, reachableEnrichment)
+			}
+		}
+
+		logger = logger.With(slog.Int("num_enriched_issues", numEnriched))
+		logger = logger.With(slog.Int("num_reachable_issues", numReachable))
+		logger.Debug("successfully enriched issues in target!")
+	}
+	logger.Debug("completed enrichment step!")
+	return findings, nil
+}
+
+func (ca *reachabilityAnnotator) makeCodeString(c *ocsf.AffectedCode) string {
+	return fmt.Sprintf("%s:%d-%d", *c.File.Path, *c.StartLine, *c.EndLine)
+}
+
+func (ca *reachabilityAnnotator) isReachable(searcher *search.Searcher, target string) (*ocsf.Enrichment, bool, error) {
+	// Search.
+	ok, err := searcher.Search(target)
+	if err != nil {
+		return nil, false, err
+	}
+	return &ocsf.Enrichment{
+		Name:     ca.annotationName,
+		Value:    fmt.Sprintf("%t", ok),
+		Provider: &ca.providerName,
+	}, ok, nil
+}