diff --git a/.github/workflows/kpi_scans.yml b/.github/workflows/kpi_scans.yml
deleted file mode 100644
index 3f7467bde..000000000
--- a/.github/workflows/kpi_scans.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: KPI Scans
-on:
- schedule:
- - cron: '0 6 * * *'
-jobs:
- build_and_push_docker_image:
- name: Build and push Docker image
- runs-on: ubuntu-latest
- steps:
- - name: Login to DockerHub
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v5
- with:
- push: true
- tags: bearersh/kpi-scan:latest
- file: ./kpi_scan/Dockerfile
- load_repo_list:
- name: Load KPI repo list
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.load_json.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- - id: load_json
- run : |
- echo "matrix=$(npx --yes json5 ./kpi_scan/kpi_repo_list.json5)" >> $GITHUB_OUTPUT
- build:
- needs: [build_and_push_docker_image, load_repo_list]
- name: Run KPI scans
- runs-on: ubuntu-latest
- strategy:
- matrix: ${{fromJson(needs.load_repo_list.outputs.matrix)}}
- steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- role-session-name: github-action-battle-test
- aws-region: eu-west-1
- role-skip-session-tagging: true
- role-duration-seconds: 3600
-
- - name: Run task
- run: |
- aws ecs run-task \
- --cluster ${{ secrets.CLUSTER }} \
- --count 1 \
- --tags key=service,value=${TASK_DEFINITION} \
- --network-configuration "awsvpcConfiguration={subnets=['${{ secrets.SUBNET }}'],securityGroups=['${{ secrets.SECURITY_GROUP }}'],assignPublicIp=ENABLED}" \
- --launch-type FARGATE \
- --region eu-west-1 \
- --task-definition ${TASK_DEFINITION} \
- --overrides '{ "containerOverrides": [ { "name": "kpi-scan", "environment": [ { "name": "REPOSITORY_URL", "value": "${{ matrix.repository_url }}" }, { "name": "API_KEY", "value": "${{ secrets.KPI_SCAN_API_KEY }}" }, { "name": "API_HOST", "value": "${{ secrets.KPI_SCAN_HOST }}" } ] } ] }'
- env:
- TASK_DEFINITION: kpi-scan:3
diff --git a/.github/workflows/kpi_scans_staging.yml b/.github/workflows/kpi_scans_staging.yml
deleted file mode 100644
index 807d2eded..000000000
--- a/.github/workflows/kpi_scans_staging.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: KPI Staging Scans
-on:
- workflow_dispatch:
-
-jobs:
- build_and_push_docker_image:
- name: Build and push Docker image
- runs-on: ubuntu-latest
- steps:
- - name: Login to DockerHub
- uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v5
- with:
- push: true
- tags: bearersh/kpi-scan:latest
- file: ./kpi_scan/Dockerfile
- load_repo_list:
- name: Load KPI repo list
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.load_json.outputs.matrix }}
- steps:
- - uses: actions/checkout@v4
- - id: load_json
- run : |
- echo "matrix=$(npx --yes json5 ./kpi_scan/kpi_repo_list.json5)" >> $GITHUB_OUTPUT
- build:
- needs: [build_and_push_docker_image, load_repo_list]
- name: Run Staging KPI scans
- runs-on: ubuntu-latest
- strategy:
- matrix: ${{fromJson(needs.load_repo_list.outputs.matrix)}}
- steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
- role-session-name: github-action-battle-test
- aws-region: eu-west-1
- role-skip-session-tagging: true
- role-duration-seconds: 3600
-
- - name: Run task
- run: |
- aws ecs run-task \
- --cluster ${{ secrets.CLUSTER }} \
- --count 1 \
- --tags key=service,value=${TASK_DEFINITION} \
- --network-configuration "awsvpcConfiguration={subnets=['${{ secrets.SUBNET }}'],securityGroups=['${{ secrets.SECURITY_GROUP }}'],assignPublicIp=ENABLED}" \
- --launch-type FARGATE \
- --region eu-west-1 \
- --task-definition ${TASK_DEFINITION} \
- --overrides '{ "containerOverrides": [ { "name": "kpi-scan", "environment": [ { "name": "REPOSITORY_URL", "value": "${{ matrix.repository_url }}" }, { "name": "API_KEY", "value": "${{ secrets.KPI_SCAN_STAGING_API_KEY }}" }, { "name": "API_HOST", "value": "${{ secrets.KPI_SCAN_STAGING_HOST }}" } ] } ] }'
- env:
- TASK_DEFINITION: kpi-scan:3
diff --git a/api/config.go b/api/config.go
index 477963f43..78f430dba 100644
--- a/api/config.go
+++ b/api/config.go
@@ -13,30 +13,10 @@ type Endpoint struct {
 }
 
 type APIEndpoints struct {
- RequestFileUpload Endpoint
- ScanFinished Endpoint
- FetchIgnores Endpoint
- Hello Endpoint
- Version Endpoint
+ Version Endpoint
 }
 
 var Endpoints = APIEndpoints{
- RequestFileUpload: Endpoint{
- HttpMethod: "POST",
- Route: "/cloud/file_uploads",
- },
- ScanFinished: Endpoint{
- HttpMethod: "POST",
- Route: "/cloud/scans",
- },
- FetchIgnores: Endpoint{
- HttpMethod: "GET",
- Route: "/cloud/ignores",
- },
- Hello: Endpoint{
- HttpMethod: "POST",
- Route: "/cloud/hello",
- },
 Version: Endpoint{
 HttpMethod: "GET",
 Route: "/r/version",
diff --git a/api/fetch_ignores.go b/api/fetch_ignores.go
deleted file mode 100644
index 1404854a9..000000000
--- a/api/fetch_ignores.go
+++ /dev/null
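Review bot: After this hunk the client keeps only `Version` (GET `/r/version`), yet the `docs/_data/*.yaml` hunks in the same commit still describe the `api-key` option as "Use your Bearer API Key to send the report to Bearer.", which refers to the upload and scan-finished endpoints this hunk removes. If the `--api-key` flag still exists in the CLI, its usage text should be corrected (or the flag dropped) so users do not expect reports to be sent; if the docs are generated, the fix belongs in the flag definition rather than the YAML. Any `BEARER_API_KEY` values kept in CI for the removed `/cloud/*` calls no longer have a consumer in this client and can be retired. The `Endpoints` composite literal closes outside the hunk.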
@@ -1,45 +0,0 @@
-package api
-
-import (
- "encoding/json"
-
- ignoretypes "github.com/bearer/bearer/internal/util/ignore/types"
-)
-
-type CloudIgnoreData struct {
- ProjectFound bool `json:"project_found"`
- Ignores []string `json:"ignores"`
- StaleIgnores []string `json:"stale_local_ignores"`
- CloudIgnoredFingerprints map[string]ignoretypes.IgnoredFingerprint `json:"detailed_cloud_ignores"`
-}
-
-type CloudIgnorePayload struct {
- Project string `json:"project"`
- LocalIgnores []string `json:"local_ignores"`
- PullRequestNumber string `json:"pull_request_number,omitempty"`
-}
-
-func (api *API) FetchIgnores(fullname string, pullRequestNumber string, localIgnores []string) (*CloudIgnoreData, error) {
- endpoint := Endpoints.FetchIgnores
-
- bytes, err := api.makeRequest(endpoint.Route, endpoint.HttpMethod,
- Message{
- Type: MessageTypeSuccess,
- Data: CloudIgnorePayload{
- Project: fullname,
- LocalIgnores: localIgnores,
- PullRequestNumber: pullRequestNumber,
- },
- })
- if err != nil {
- return nil, err
- }
-
- var cloudIgnoreData CloudIgnoreData
- err = json.Unmarshal(bytes, &cloudIgnoreData)
- if err != nil {
- return nil, err
- }
-
- return &cloudIgnoreData, err
-}
diff --git a/api/hello.go b/api/hello.go
deleted file mode 100644
index 4022f77d4..000000000
--- a/api/hello.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package api
-
-func (api *API) Hello() ([]byte, error) {
- endpoint := Endpoints.Hello
- response, err := api.makeRequest(endpoint.Route, endpoint.HttpMethod, nil)
-
- return response, err
-}
diff --git a/api/request_file_upload.go b/api/request_file_upload.go
deleted file mode 100644
index 7a43e8073..000000000
--- a/api/request_file_upload.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package api
-
-import (
- "encoding/json"
-)
-
-type RequestFileUpload struct {
- Checksum string `json:"checksum"`
- ByteSize int `json:"byte_size"`
- UUID string `json:"uuid"`
- Prefix string `json:"prefix"`
- ContentType string `json:"content_type"`
- ContentEncoding string `json:"content_encoding"`
-}
-
-type ActiveStorageDirectUpload struct {
- URL string `json:"url"`
- Headers map[string]string `json:"headers"`
-}
-
-type FileUploadOffer struct {
- SignedID string `json:"signed_id"`
- UUID string `json:"uuid"`
- DirectUpload ActiveStorageDirectUpload `json:"direct_upload"`
-}
-
-func (api *API) RequestFileUpload(fileUpload RequestFileUpload, messageUuid MessageUuid) (*FileUploadOffer, error) {
- endpoint := Endpoints.RequestFileUpload
- bytes, err := api.makeRequest(endpoint.Route, endpoint.HttpMethod, fileUpload)
- if err != nil {
- return nil, err
- }
-
- var fileUploadOffer FileUploadOffer
-
- err = json.Unmarshal(bytes, &fileUploadOffer)
- if err != nil {
- return nil, err
- }
-
- return &fileUploadOffer, nil
-}
diff --git a/api/s3/sign.go b/api/s3/sign.go
deleted file mode 100644
index 3e17d450b..000000000
--- a/api/s3/sign.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package s3
-
-import (
- "crypto/md5"
- "encoding/base64"
- "fmt"
- "io"
- "os"
-
- "github.com/bearer/bearer/api"
- "github.com/google/uuid"
-)
-
-func SignForAPI(req *UploadRequestS3) (*api.RequestFileUpload, error) {
- fileUuid := uuid.NewString()
-
- reportFile, err := os.Open(req.FilePath)
- if err != nil {
- return nil, fmt.Errorf("failed to open file for upload %e", err)
- }
- defer reportFile.Close()
-
- stats, err := reportFile.Stat()
- if err != nil {
- return nil, fmt.Errorf("failed to stat file %e", err)
- }
-
- hash := md5.New()
- _, err = io.Copy(hash, reportFile)
- if err != nil {
- return nil, fmt.Errorf("failed copying file content to hash %e", err)
- }
-
- checksumMD5 := hash.Sum(nil)
-
- return &api.RequestFileUpload{
- Checksum: base64.StdEncoding.EncodeToString(checksumMD5[:]),
- ByteSize: int(stats.Size()),
- UUID: fileUuid,
- Prefix: req.FilePrefix,
- ContentType: req.ContentType,
- ContentEncoding: req.ContentEncoding,
- }, nil
-}
diff --git a/api/s3/upload.go b/api/s3/upload.go
deleted file mode 100644
index 2c65aed8b..000000000
--- a/api/s3/upload.go
+++ /dev/null
@@ -1,88 +0,0 @@
-package s3
-
-import (
- "fmt"
- "io"
- "net/http"
- "os"
-
- "github.com/bearer/bearer/api"
- "github.com/rs/zerolog/log"
-)
-
-type UploadRequest struct {
- Client *http.Client
- FilePath string
- FileSize int64
- URL string
- Headers map[string]string
-}
-
-type UploadRequestS3 struct {
- Api *api.API
- FilePath string
- FilePrefix string
- FileType string
- ContentType string
- ContentEncoding string
-}
-
-func GetSignedURL(req UploadRequest) error {
- reportFile, err := os.Open(req.FilePath)
- if err != nil {
- return fmt.Errorf("failed to open file for uploading: %s", err)
- }
- defer reportFile.Close()
-
- request, err := http.NewRequest("PUT", req.URL, reportFile)
- request.ContentLength = req.FileSize
- if err != nil {
- return fmt.Errorf("failed to create upload request: %s", err)
- }
- defer request.Body.Close()
-
- for key, value := range req.Headers {
- request.Header.Add(key, value)
- }
-
- response, err := req.Client.Do(request)
- if err != nil {
- return fmt.Errorf("failed to upload file: %s", err)
- }
- defer response.Body.Close()
-
- if response.StatusCode < 200 || response.StatusCode >= 300 {
- responseBody, _ := io.ReadAll(response.Body)
- return fmt.Errorf("file upload returned error status: %d\n%s", response.StatusCode, string(responseBody))
- }
-
- return nil
-}
-
-func UploadS3(req *UploadRequestS3) (fileUploadOffer *api.FileUploadOffer, err error) {
- requestFileUploadAction, err := SignForAPI(req)
- if err != nil {
- return nil, err
- }
-
- log.Debug().Msgf("Sending S3 upload request to Bearer API...")
- fileUploadOffer, err = req.Api.RequestFileUpload(*requestFileUploadAction, "")
- if err != nil {
- return nil, err
- }
-
- log.Debug().Msgf("Uploading file to Bearer S3...")
- err = GetSignedURL(UploadRequest{
- Client: api.UploadClient,
- FilePath: req.FilePath,
- FileSize: int64(requestFileUploadAction.ByteSize),
- URL: fileUploadOffer.DirectUpload.URL,
- Headers: fileUploadOffer.DirectUpload.Headers,
- })
-
- if err != nil {
- return nil, err
- }
-
- return fileUploadOffer, nil
-}
diff --git a/api/scan_finished.go b/api/scan_finished.go
deleted file mode 100644
index 140bc3b06..000000000
--- a/api/scan_finished.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package api
-
-type ScanResult struct {
- SignedID string `json:"signed_id"`
-}
-
-func (api *API) ScanFinished(meta interface{}) error {
- endpoint := Endpoints.ScanFinished
- _, err := api.makeRequest(
- endpoint.Route,
- endpoint.HttpMethod,
- Message{
- Type: MessageTypeSuccess,
- Data: meta,
- })
-
- return err
-}
diff --git a/docs/_data/bearer.yaml b/docs/_data/bearer.yaml
index 5beb9f170..db37b4231 100644
--- a/docs/_data/bearer.yaml
+++ b/docs/_data/bearer.yaml
@@ -1,13 +1,13 @@
 name: bearer
 options:
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for bearer
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for bearer
 see_also:
- - bearer completion - Generate the autocompletion script for the your shell.
- - bearer ignore - Manage ignored fingerprints
- - bearer init - Generates a default config to `bearer.yml`
- - bearer scan - Scan a directory or file
- - bearer version - Print the version
+ - bearer completion - Generate the autocompletion script for the your shell.
+ - bearer ignore - Manage ignored fingerprints
+ - bearer init - Generates a default config to `bearer.yml`
+ - bearer scan - Scan a directory or file
+ - bearer version - Print the version
 aliases: []
diff --git a/docs/_data/bearer_completion.yaml b/docs/_data/bearer_completion.yaml
index 03f426bb8..3c850b87a 100644
--- a/docs/_data/bearer_completion.yaml
+++ b/docs/_data/bearer_completion.yaml
@@ -2,10 +2,10 @@ name: bearer completion
 synopsis: Generate the autocompletion script for the your shell.
 usage: bearer completion [command]
 options:
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for completion
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for completion
 see_also:
- - "bearer - "
+ - 'bearer - '
 aliases: []
diff --git a/docs/_data/bearer_ignore_add.yaml b/docs/_data/bearer_ignore_add.yaml
index 2c6857643..e9f227cbf 100644
--- a/docs/_data/bearer_ignore_add.yaml
+++ b/docs/_data/bearer_ignore_add.yaml
@@ -2,67 +2,67 @@ name: bearer ignore add
 synopsis: Add an ignored fingerprint
 usage: bearer ignore add [flags]
 options:
- - name: api-key
- usage: Use your Bearer API Key to send the report to Bearer.
- environment_variables:
- - BEARER_API_KEY
- - name: author
- shorthand: a
- usage: |
- Add author information to this ignored finding. (default output of "git config user.name")
- environment_variables:
- - BEARER_AUTHOR
- - name: comment
- usage: Add a comment to this ignored finding.
- environment_variables:
- - BEARER_COMMENT
- - name: config-file
- default_value: bearer.yml
- usage: Load configuration from the specified path.
- environment_variables:
- - BEARER_CONFIG_FILE
- - name: debug
- default_value: "false"
- usage: Enable debug logs. Equivalent to --log-level=debug
- environment_variables:
- - BEARER_DEBUG
- - name: disable-version-check
- default_value: "false"
- usage: Disable Bearer version checking
- environment_variables:
- - BEARER_DISABLE_VERSION_CHECK
- - name: false-positive
- default_value: "false"
- usage: Mark an this ignored finding as false positive.
- environment_variables:
- - BEARER_FALSE_POSITIVE
- - name: force
- default_value: "false"
- usage: Overwrite an existing ignored finding.
- environment_variables:
- - BEARER_FORCE
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for add
- - name: ignore-file
- default_value: bearer.ignore
- usage: Load ignore file from the specified path.
- environment_variables:
- - BEARER_IGNORE_FILE
- - name: log-level
- default_value: info
- usage: Set log level (error, info, debug, trace)
- environment_variables:
- - BEARER_LOG_LEVEL
- - name: no-color
- default_value: "false"
- usage: Disable color in output
- environment_variables:
- - BEARER_NO_COLOR
+ - name: api-key
+ usage: Use your Bearer API Key to send the report to Bearer.
+ environment_variables:
+ - BEARER_API_KEY
+ - name: author
+ shorthand: a
+ usage: |
+ Add author information to this ignored finding. (default output of "git config user.name")
+ environment_variables:
+ - BEARER_AUTHOR
+ - name: comment
+ usage: Add a comment to this ignored finding.
+ environment_variables:
+ - BEARER_COMMENT
+ - name: config-file
+ default_value: bearer.yml
+ usage: Load configuration from the specified path.
+ environment_variables:
+ - BEARER_CONFIG_FILE
+ - name: debug
+ default_value: "false"
+ usage: Enable debug logs. Equivalent to --log-level=debug
+ environment_variables:
+ - BEARER_DEBUG
+ - name: disable-version-check
+ default_value: "false"
+ usage: Disable Bearer version checking
+ environment_variables:
+ - BEARER_DISABLE_VERSION_CHECK
+ - name: false-positive
+ default_value: "false"
+ usage: Mark an this ignored finding as false positive.
+ environment_variables:
+ - BEARER_FALSE_POSITIVE
+ - name: force
+ default_value: "false"
+ usage: Overwrite an existing ignored finding.
+ environment_variables:
+ - BEARER_FORCE
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for add
+ - name: ignore-file
+ default_value: bearer.ignore
+ usage: Load ignore file from the specified path.
+ environment_variables:
+ - BEARER_IGNORE_FILE
+ - name: log-level
+ default_value: info
+ usage: Set log level (error, info, debug, trace)
+ environment_variables:
+ - BEARER_LOG_LEVEL
+ - name: no-color
+ default_value: "false"
+ usage: Disable color in output
+ environment_variables:
+ - BEARER_NO_COLOR
 example: |-
- # Add an ignored fingerprint to your ignore file
- $ bearer ignore add --author Mish --comment "Possible false positive"
+ # Add an ignored fingerprint to your ignore file
+ $ bearer ignore add --author Mish --comment "Possible false positive"
 see_also:
- - bearer ignore - Manage ignored fingerprints
+ - bearer ignore - Manage ignored fingerprints
 aliases: []
diff --git a/docs/_data/bearer_ignore_migrate.yaml b/docs/_data/bearer_ignore_migrate.yaml
index 7200c563d..1511b0df6 100644
--- a/docs/_data/bearer_ignore_migrate.yaml
+++ b/docs/_data/bearer_ignore_migrate.yaml 
@@ -2,52 +2,52 @@ name: bearer ignore migrate
 synopsis: Migrate ignored fingerprints from bearer.yml to ignore file
 usage: bearer ignore migrate [flags]
 options:
- - name: api-key
- usage: Use your Bearer API Key to send the report to Bearer.
- environment_variables:
- - BEARER_API_KEY
- - name: config-file
- default_value: bearer.yml
- usage: Load configuration from the specified path.
- environment_variables:
- - BEARER_CONFIG_FILE
- - name: debug
- default_value: "false"
- usage: Enable debug logs. Equivalent to --log-level=debug
- environment_variables:
- - BEARER_DEBUG
- - name: disable-version-check
- default_value: "false"
- usage: Disable Bearer version checking
- environment_variables:
- - BEARER_DISABLE_VERSION_CHECK
- - name: force
- default_value: "false"
- usage: Overwrite an existing ignored finding.
- environment_variables:
- - BEARER_FORCE
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for migrate
- - name: ignore-file
- default_value: bearer.ignore
- usage: Load ignore file from the specified path.
- environment_variables:
- - BEARER_IGNORE_FILE
- - name: log-level
- default_value: info
- usage: Set log level (error, info, debug, trace)
- environment_variables:
- - BEARER_LOG_LEVEL
- - name: no-color
- default_value: "false"
- usage: Disable color in output
- environment_variables:
- - BEARER_NO_COLOR
+ - name: api-key
+ usage: Use your Bearer API Key to send the report to Bearer.
+ environment_variables:
+ - BEARER_API_KEY
+ - name: config-file
+ default_value: bearer.yml
+ usage: Load configuration from the specified path.
+ environment_variables:
+ - BEARER_CONFIG_FILE
+ - name: debug
+ default_value: "false"
+ usage: Enable debug logs. Equivalent to --log-level=debug
+ environment_variables:
+ - BEARER_DEBUG
+ - name: disable-version-check
+ default_value: "false"
+ usage: Disable Bearer version checking
+ environment_variables:
+ - BEARER_DISABLE_VERSION_CHECK
+ - name: force
+ default_value: "false"
+ usage: Overwrite an existing ignored finding.
+ environment_variables:
+ - BEARER_FORCE
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for migrate
+ - name: ignore-file
+ default_value: bearer.ignore
+ usage: Load ignore file from the specified path.
+ environment_variables:
+ - BEARER_IGNORE_FILE
+ - name: log-level
+ default_value: info
+ usage: Set log level (error, info, debug, trace)
+ environment_variables:
+ - BEARER_LOG_LEVEL
+ - name: no-color
+ default_value: "false"
+ usage: Disable color in output
+ environment_variables:
+ - BEARER_NO_COLOR
 example: |-
- # Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
- $ bearer ignore migrate
+ # Migrate existing ignored (excluded) fingerprints from bearer.yml file to ignore file
+ $ bearer ignore migrate
 see_also:
- - bearer ignore - Manage ignored fingerprints
+ - bearer ignore - Manage ignored fingerprints
 aliases: []
diff --git a/docs/_data/bearer_ignore_pull.yaml b/docs/_data/bearer_ignore_pull.yaml
deleted file mode 100644
index 1b26c5f81..000000000
--- a/docs/_data/bearer_ignore_pull.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: bearer ignore pull
-synopsis: Pull ignored fingerprints from Cloud
-usage: bearer ignore pull [flags]
-options:
- - name: api-key
- usage: Use your Bearer API Key to send the report to Bearer.
- environment_variables:
- - BEARER_API_KEY
- - name: config-file
- default_value: bearer.yml
- usage: Load configuration from the specified path.
- environment_variables:
- - BEARER_CONFIG_FILE
- - name: debug
- default_value: "false"
- usage: Enable debug logs. Equivalent to --log-level=debug
- environment_variables:
- - BEARER_DEBUG
- - name: disable-version-check
- default_value: "false"
- usage: Disable Bearer version checking
- environment_variables:
- - BEARER_DISABLE_VERSION_CHECK
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for pull
- - name: ignore-file
- default_value: bearer.ignore
- usage: Load ignore file from the specified path.
- environment_variables:
- - BEARER_IGNORE_FILE
- - name: log-level
- default_value: info
- usage: Set log level (error, info, debug, trace)
- environment_variables:
- - BEARER_LOG_LEVEL
- - name: no-color
- default_value: "false"
- usage: Disable color in output
- environment_variables:
- - BEARER_NO_COLOR
-example: |-
- # Pull ignored fingerprints from the Cloud (requires API key)
- $ bearer ignore pull /path/to/your_project --api-key=XXXXX
-see_also:
- - bearer ignore - Manage ignored fingerprints
-aliases: []
diff --git a/docs/_data/bearer_ignore_remove.yaml b/docs/_data/bearer_ignore_remove.yaml
index 573a8d017..0d1b0f0b5 100644
--- a/docs/_data/bearer_ignore_remove.yaml
+++ b/docs/_data/bearer_ignore_remove.yaml
@@ -2,47 +2,47 @@ name: bearer ignore remove
 synopsis: Remove an ignored fingerprint
 usage: bearer ignore remove [flags]
 options:
- - name: api-key
- usage: Use your Bearer API Key to send the report to Bearer.
- environment_variables:
- - BEARER_API_KEY
- - name: config-file
- default_value: bearer.yml
- usage: Load configuration from the specified path.
- environment_variables:
- - BEARER_CONFIG_FILE
- - name: debug
- default_value: "false"
- usage: Enable debug logs. Equivalent to --log-level=debug
- environment_variables:
- - BEARER_DEBUG
- - name: disable-version-check
- default_value: "false"
- usage: Disable Bearer version checking
- environment_variables:
- - BEARER_DISABLE_VERSION_CHECK
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for remove
- - name: ignore-file
- default_value: bearer.ignore
- usage: Load ignore file from the specified path.
- environment_variables:
- - BEARER_IGNORE_FILE
- - name: log-level
- default_value: info
- usage: Set log level (error, info, debug, trace)
- environment_variables:
- - BEARER_LOG_LEVEL
- - name: no-color
- default_value: "false"
- usage: Disable color in output
- environment_variables:
- - BEARER_NO_COLOR
+ - name: api-key
+ usage: Use your Bearer API Key to send the report to Bearer.
+ environment_variables:
+ - BEARER_API_KEY
+ - name: config-file
+ default_value: bearer.yml
+ usage: Load configuration from the specified path.
+ environment_variables:
+ - BEARER_CONFIG_FILE
+ - name: debug
+ default_value: "false"
+ usage: Enable debug logs. Equivalent to --log-level=debug
+ environment_variables:
+ - BEARER_DEBUG
+ - name: disable-version-check
+ default_value: "false"
+ usage: Disable Bearer version checking
+ environment_variables:
+ - BEARER_DISABLE_VERSION_CHECK
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for remove
+ - name: ignore-file
+ default_value: bearer.ignore
+ usage: Load ignore file from the specified path.
+ environment_variables:
+ - BEARER_IGNORE_FILE
+ - name: log-level
+ default_value: info
+ usage: Set log level (error, info, debug, trace)
+ environment_variables:
+ - BEARER_LOG_LEVEL
+ - name: no-color
+ default_value: "false"
+ usage: Disable color in output
+ environment_variables:
+ - BEARER_NO_COLOR
 example: |-
- # Remove an ignored fingerprint from your ignore file
- $ bearer ignore remove
+ # Remove an ignored fingerprint from your ignore file
+ $ bearer ignore remove
 see_also:
- - bearer ignore - Manage ignored fingerprints
+ - bearer ignore - Manage ignored fingerprints
 aliases: []
diff --git a/docs/_data/bearer_ignore_show.yaml b/docs/_data/bearer_ignore_show.yaml
index b309a3b23..6f37c0f3b 100644
--- a/docs/_data/bearer_ignore_show.yaml
+++ b/docs/_data/bearer_ignore_show.yaml
@@ -2,52 +2,52 @@ name: bearer ignore show
 synopsis: Show an ignored fingerprint
 usage: bearer ignore show [flags]
 options:
- - name: all
- default_value: "false"
- usage: Show all ignored fingerprints.
- environment_variables:
- - BEARER_ALL
- - name: api-key
- usage: Use your Bearer API Key to send the report to Bearer.
- environment_variables:
- - BEARER_API_KEY
- - name: config-file
- default_value: bearer.yml
- usage: Load configuration from the specified path.
- environment_variables:
- - BEARER_CONFIG_FILE
- - name: debug
- default_value: "false"
- usage: Enable debug logs. Equivalent to --log-level=debug
- environment_variables:
- - BEARER_DEBUG
- - name: disable-version-check
- default_value: "false"
- usage: Disable Bearer version checking
- environment_variables:
- - BEARER_DISABLE_VERSION_CHECK
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for show
- - name: ignore-file
- default_value: bearer.ignore
- usage: Load ignore file from the specified path.
- environment_variables:
- - BEARER_IGNORE_FILE
- - name: log-level
- default_value: info
- usage: Set log level (error, info, debug, trace)
- environment_variables:
- - BEARER_LOG_LEVEL
- - name: no-color
- default_value: "false"
- usage: Disable color in output
- environment_variables:
- - BEARER_NO_COLOR
+ - name: all
+ default_value: "false"
+ usage: Show all ignored fingerprints.
+ environment_variables:
+ - BEARER_ALL
+ - name: api-key
+ usage: Use your Bearer API Key to send the report to Bearer.
+ environment_variables:
+ - BEARER_API_KEY
+ - name: config-file
+ default_value: bearer.yml
+ usage: Load configuration from the specified path.
+ environment_variables:
+ - BEARER_CONFIG_FILE
+ - name: debug
+ default_value: "false"
+ usage: Enable debug logs. Equivalent to --log-level=debug
+ environment_variables:
+ - BEARER_DEBUG
+ - name: disable-version-check
+ default_value: "false"
+ usage: Disable Bearer version checking
+ environment_variables:
+ - BEARER_DISABLE_VERSION_CHECK
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for show
+ - name: ignore-file
+ default_value: bearer.ignore
+ usage: Load ignore file from the specified path.
+ environment_variables:
+ - BEARER_IGNORE_FILE
+ - name: log-level
+ default_value: info
+ usage: Set log level (error, info, debug, trace)
+ environment_variables:
+ - BEARER_LOG_LEVEL
+ - name: no-color
+ default_value: "false"
+ usage: Disable color in output
+ environment_variables:
+ - BEARER_NO_COLOR
 example: |-
- # Show the details of an ignored fingerprint from your ignore file
- $ bearer ignore show
+ # Show the details of an ignored fingerprint from your ignore file
+ $ bearer ignore show
 see_also:
- - bearer ignore - Manage ignored fingerprints
+ - bearer ignore - Manage ignored fingerprints
 aliases: []
diff --git a/docs/_data/bearer_init.yaml b/docs/_data/bearer_init.yaml
index 8cbfc17c1..05f8f3be8 100644
--- a/docs/_data/bearer_init.yaml
+++ b/docs/_data/bearer_init.yaml
@@ -2,10 +2,10 @@ name: bearer init
 synopsis: Generates a default config to `bearer.yml`
 usage: bearer init [flags]
 options:
- - name: help
- shorthand: h
- default_value: "false"
- usage: help for init
+ - name: help
+ shorthand: h
+ default_value: "false"
+ usage: help for init
 see_also:
- - "bearer - "
+ - 'bearer - '
 aliases: []
diff --git a/docs/_data/bearer_scan.yaml b/docs/_data/bearer_scan.yaml
index 425f891d8..66b46ecde 100644
--- a/docs/_data/bearer_scan.yaml
+++ b/docs/_data/bearer_scan.yaml
@@ -2,175 +2,175 @@ name: bearer scan synopsis: Scan a directory or file usage: bearer scan [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - environment_variables: - - BEARER_API_KEY - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - environment_variables: - - BEARER_CONFIG_FILE - - name: context - usage: | - Expand context of schema classification e.g., --context=health, to include data types particular to health - environment_variables: - - BEARER_CONTEXT - - name: data-subject-mapping - usage: | - Override default data subject mapping by providing a path to a custom mapping JSON file - environment_variables: - - BEARER_DATA_SUBJECT_MAPPING - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - environment_variables: - - BEARER_DEBUG - - name: diff - default_value: "false" - usage: | - Only report differences in findings relative to a base branch. - environment_variables: - - BEARER_DIFF - - name: disable-default-rules - default_value: "false" - usage: Disables all default and built-in rules. - environment_variables: - - BEARER_DISABLE_DEFAULT_RULES - - name: disable-domain-resolution - default_value: "true" - usage: | - Do not attempt to resolve detected domains during classification - environment_variables: - - BEARER_DISABLE_DOMAIN_RESOLUTION - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - environment_variables: - - BEARER_DISABLE_VERSION_CHECK - - name: domain-resolution-timeout - default_value: 3s - usage: | - Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s - environment_variables: - - BEARER_DOMAIN_RESOLUTION_TIMEOUT - - name: exit-code - default_value: "-1" - usage: | - Force a given exit code for the scan command. 
Set this to 0 (success) to always return a success exit code despite any findings from the scan. - environment_variables: - - BEARER_EXIT_CODE - - name: external-rule-dir - default_value: "[]" - usage: | - Specify directories paths that contain .yaml files with external rules configuration - environment_variables: - - BEARER_EXTERNAL_RULE_DIR - - name: fail-on-severity - default_value: critical,high,medium,low - usage: | - Specify which severities cause the report to fail. Works in conjunction with --exit-code. - environment_variables: - - BEARER_FAIL_ON_SEVERITY - - name: force - default_value: "false" - usage: Disable the cache and runs the detections again - environment_variables: - - BEARER_FORCE - - name: format - shorthand: f - usage: | - Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) - environment_variables: - - BEARER_FORMAT - - name: help - shorthand: h - default_value: "false" - usage: help for scan - - name: hide-progress-bar - default_value: "false" - usage: Hide progress bar from output - environment_variables: - - BEARER_HIDE_PROGRESS_BAR - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - environment_variables: - - BEARER_IGNORE_FILE - - name: internal-domains - default_value: "[]" - usage: | - Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh" - environment_variables: - - BEARER_INTERNAL_DOMAINS - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - environment_variables: - - BEARER_LOG_LEVEL - - name: no-color - default_value: "false" - usage: Disable color in output - environment_variables: - - BEARER_NO_COLOR - - name: only-rule - default_value: "[]" - usage: | - Specify the comma-separated ids of the rules you would like to run. Skips all other rules. 
- environment_variables: - - BEARER_ONLY_RULE - - name: output - usage: Specify the output path for the report. - environment_variables: - - BEARER_OUTPUT - - name: parallel - default_value: "0" - usage: Specify the amount of parallelism to use during the scan - environment_variables: - - BEARER_PARALLEL - - name: quiet - default_value: "false" - usage: Suppress non-essential messages - environment_variables: - - BEARER_QUIET - - name: report - default_value: security - usage: Specify the type of report (security, privacy, dataflow). - environment_variables: - - BEARER_REPORT - - name: scanner - default_value: "[sast]" - usage: | - Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast - environment_variables: - - BEARER_SCANNER - - SCANNER - - name: severity - default_value: critical,high,medium,low,warning - usage: Specify which severities are included in the report. - environment_variables: - - BEARER_SEVERITY - - name: skip-path - default_value: "[]" - usage: | - Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql - environment_variables: - - BEARER_SKIP_PATH - - name: skip-rule - default_value: "[]" - usage: | - Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. - environment_variables: - - BEARER_SKIP_RULE - - name: skip-test - default_value: "true" - usage: Disable automatic skipping of test files - environment_variables: - - BEARER_SKIP_TEST + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + environment_variables: + - BEARER_API_KEY + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. 
+ environment_variables: + - BEARER_CONFIG_FILE + - name: context + usage: | + Expand context of schema classification e.g., --context=health, to include data types particular to health + environment_variables: + - BEARER_CONTEXT + - name: data-subject-mapping + usage: | + Override default data subject mapping by providing a path to a custom mapping JSON file + environment_variables: + - BEARER_DATA_SUBJECT_MAPPING + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + environment_variables: + - BEARER_DEBUG + - name: diff + default_value: "false" + usage: | + Only report differences in findings relative to a base branch. + environment_variables: + - BEARER_DIFF + - name: disable-default-rules + default_value: "false" + usage: Disables all default and built-in rules. + environment_variables: + - BEARER_DISABLE_DEFAULT_RULES + - name: disable-domain-resolution + default_value: "true" + usage: | + Do not attempt to resolve detected domains during classification + environment_variables: + - BEARER_DISABLE_DOMAIN_RESOLUTION + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + environment_variables: + - BEARER_DISABLE_VERSION_CHECK + - name: domain-resolution-timeout + default_value: 3s + usage: | + Set timeout when attempting to resolve detected domains during classification, e.g. --domain-resolution-timeout=3s + environment_variables: + - BEARER_DOMAIN_RESOLUTION_TIMEOUT + - name: exit-code + default_value: "-1" + usage: | + Force a given exit code for the scan command. Set this to 0 (success) to always return a success exit code despite any findings from the scan. 
+ environment_variables: + - BEARER_EXIT_CODE + - name: external-rule-dir + default_value: '[]' + usage: | + Specify directories paths that contain .yaml files with external rules configuration + environment_variables: + - BEARER_EXTERNAL_RULE_DIR + - name: fail-on-severity + default_value: critical,high,medium,low + usage: | + Specify which severities cause the report to fail. Works in conjunction with --exit-code. + environment_variables: + - BEARER_FAIL_ON_SEVERITY + - name: force + default_value: "false" + usage: Disable the cache and runs the detections again + environment_variables: + - BEARER_FORCE + - name: format + shorthand: f + usage: | + Specify report format (json, yaml, sarif, gitlab-sast, rdjson, html) + environment_variables: + - BEARER_FORMAT + - name: help + shorthand: h + default_value: "false" + usage: help for scan + - name: hide-progress-bar + default_value: "false" + usage: Hide progress bar from output + environment_variables: + - BEARER_HIDE_PROGRESS_BAR + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. + environment_variables: + - BEARER_IGNORE_FILE + - name: internal-domains + default_value: '[]' + usage: | + Define regular expressions for better classification of private or unreachable domains e.g. --internal-domains=".*.my-company.com,private.sh" + environment_variables: + - BEARER_INTERNAL_DOMAINS + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + environment_variables: + - BEARER_LOG_LEVEL + - name: no-color + default_value: "false" + usage: Disable color in output + environment_variables: + - BEARER_NO_COLOR + - name: only-rule + default_value: '[]' + usage: | + Specify the comma-separated ids of the rules you would like to run. Skips all other rules. + environment_variables: + - BEARER_ONLY_RULE + - name: output + usage: Specify the output path for the report. 
+ environment_variables: + - BEARER_OUTPUT + - name: parallel + default_value: "0" + usage: Specify the amount of parallelism to use during the scan + environment_variables: + - BEARER_PARALLEL + - name: quiet + default_value: "false" + usage: Suppress non-essential messages + environment_variables: + - BEARER_QUIET + - name: report + default_value: security + usage: Specify the type of report (security, privacy, dataflow). + environment_variables: + - BEARER_REPORT + - name: scanner + default_value: '[sast]' + usage: | + Specify which scanner to use e.g. --scanner=secrets, --scanner=secrets,sast + environment_variables: + - BEARER_SCANNER + - SCANNER + - name: severity + default_value: critical,high,medium,low,warning + usage: Specify which severities are included in the report. + environment_variables: + - BEARER_SEVERITY + - name: skip-path + default_value: '[]' + usage: | + Specify the comma separated files and directories to skip. Supports * syntax, e.g. --skip-path users/*.go,users/admin.sql + environment_variables: + - BEARER_SKIP_PATH + - name: skip-rule + default_value: '[]' + usage: | + Specify the comma-separated ids of the rules you would like to skip. Runs all other rules. + environment_variables: + - BEARER_SKIP_RULE + - name: skip-test + default_value: "true" + usage: Disable automatic skipping of test files + environment_variables: + - BEARER_SKIP_TEST example: |4- # Scan a local project, including language-specific files $ bearer scan /path/to/your_project see_also: - - "bearer - " + - 'bearer - ' aliases: - - s + - s diff --git a/docs/_data/bearer_version.yaml b/docs/_data/bearer_version.yaml index 94086d8d3..bf6b91c3d 100644 --- a/docs/_data/bearer_version.yaml +++ b/docs/_data/bearer_version.yaml 
@@ -2,44 +2,44 @@ name: bearer version synopsis: Print the version usage: bearer version [flags] options: - - name: api-key - usage: Use your Bearer API Key to send the report to Bearer. - environment_variables: - - BEARER_API_KEY - - name: config-file - default_value: bearer.yml - usage: Load configuration from the specified path. - environment_variables: - - BEARER_CONFIG_FILE - - name: debug - default_value: "false" - usage: Enable debug logs. Equivalent to --log-level=debug - environment_variables: - - BEARER_DEBUG - - name: disable-version-check - default_value: "false" - usage: Disable Bearer version checking - environment_variables: - - BEARER_DISABLE_VERSION_CHECK - - name: help - shorthand: h - default_value: "false" - usage: help for version - - name: ignore-file - default_value: bearer.ignore - usage: Load ignore file from the specified path. - environment_variables: - - BEARER_IGNORE_FILE - - name: log-level - default_value: info - usage: Set log level (error, info, debug, trace) - environment_variables: - - BEARER_LOG_LEVEL - - name: no-color - default_value: "false" - usage: Disable color in output - environment_variables: - - BEARER_NO_COLOR + - name: api-key + usage: Use your Bearer API Key to send the report to Bearer. + environment_variables: + - BEARER_API_KEY + - name: config-file + default_value: bearer.yml + usage: Load configuration from the specified path. + environment_variables: + - BEARER_CONFIG_FILE + - name: debug + default_value: "false" + usage: Enable debug logs. Equivalent to --log-level=debug + environment_variables: + - BEARER_DEBUG + - name: disable-version-check + default_value: "false" + usage: Disable Bearer version checking + environment_variables: + - BEARER_DISABLE_VERSION_CHECK + - name: help + shorthand: h + default_value: "false" + usage: help for version + - name: ignore-file + default_value: bearer.ignore + usage: Load ignore file from the specified path. 
+ environment_variables: + - BEARER_IGNORE_FILE + - name: log-level + default_value: info + usage: Set log level (error, info, debug, trace) + environment_variables: + - BEARER_LOG_LEVEL + - name: no-color + default_value: "false" + usage: Disable color in output + environment_variables: + - BEARER_NO_COLOR see_also: - - "bearer - " + - 'bearer - ' aliases: [] diff --git a/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key b/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key deleted file mode 100644 index 7efdba46c..000000000 --- a/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key +++ /dev/null @@ -1,5 +0,0 @@ -{} - --- -Analyzing codebase - diff --git a/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key-with-stderr b/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key-with-stderr deleted file mode 100644 index 898aa85c0..000000000 --- a/e2e/flags/.snapshots/TestApiKeyFlags-bad-api-key-with-stderr +++ /dev/null @@ -1,11 +0,0 @@ -{} - --- -Analyzing codebase -Loading rules -Scanning target e2e/flags/testdata/ok -Running Detectors -Generating dataflow -Evaluating rules -Failed to send data to Bearer Cloud. API key does not appear to be valid for my.bearer.sh. - diff --git a/e2e/flags/api_key_test.go b/e2e/flags/api_key_test.go deleted file mode 100644 index 8ae4687c1..000000000 --- a/e2e/flags/api_key_test.go +++ /dev/null 
@@ -1,29 +0,0 @@
-package flags_test
-
-import (
- "path/filepath"
- "testing"
-
- "github.com/bearer/bearer/e2e/internal/testhelper"
-)
-
-func TestApiKeyFlags(t *testing.T) {
- t.Parallel()
- arguments := []string{
- "scan",
- filepath.Join("e2e", "flags", "testdata", "ok"),
- "--disable-version-check",
- "--disable-default-rules",
- "--external-rule-dir", "e2e/testdata/rules",
- "--api-key",
- "123",
- "--format",
- "json",
- }
- tests := []testhelper.TestCase{
- testhelper.NewTestCase("bad-api-key-with-stderr", arguments, testhelper.TestCaseOptions{DisplayStdErr: true, IgnoreForce: false}),
- testhelper.NewTestCase("bad-api-key", arguments, testhelper.TestCaseOptions{DisplayStdErr: false, IgnoreForce: false}),
- }
-
- testhelper.RunTests(t, tests)
-}
diff --git a/internal/commands/artifact/run.go b/internal/commands/artifact/run.go
index ce5b3aaac..2c6a6b64d 100644
--- a/internal/commands/artifact/run.go
+++ b/internal/commands/artifact/run.go
@@ -15,7 +15,6 @@ import (
 "golang.org/x/exp/maps"
- "github.com/bearer/bearer/api"
 "github.com/bearer/bearer/internal/commands/artifact/scanid"
 "github.com/bearer/bearer/internal/commands/process/filelist"
 "github.com/bearer/bearer/internal/commands/process/filelist/files"
@@ -232,7 +231,7 @@ func (r *runner) scanBaseBranch(
 return result, nil
 }
-func getIgnoredFingerprints(client *api.API, settings settings.Config, gitContext *gitrepository.Context, pullRequestNumber string) (
+func getIgnoredFingerprints(settings settings.Config) (
 useCloudIgnores bool,
 ignoredFingerprints map[string]ignoretypes.IgnoredFingerprint,
 staleIgnoredFingerprintIds []string,
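Review bot: On the new signature line the named results `useCloudIgnores` and `staleIgnoredFingerprintIds` are now dead: with the cloud branch removed, the only success return left (in the next hunk) is `return false, localIgnoredFingerprints, []string{}, nil`, so the function can only ever report "no cloud ignores, nothing stale", and the caller in the `-308` hunk keeps copying those constants into `scanSettings.CloudIgnoresUsed` and `scanSettings.StaleIgnoredFingerprintIds`. If cloud ignores are gone for good, collapse the signature to `func getIgnoredFingerprints(settings settings.Config) (map[string]ignoretypes.IgnoredFingerprint, error)`, adjust the single visible caller, and retire the two settings fields where they are defined (outside this diff); if the shape is being kept for a later re-introduction, a one-line comment above the func saying so would stop the next reader from chasing the dead values. While the line is being rewritten, the parameter named `settings` shadows the `settings` package it is typed with, which is pre-existing but cheap to fix now (e.g. `cfg settings.Config`). The function's result list and body continue past the end of this hunk.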
@@ -243,22 +242,6 @@ func getIgnoredFingerprints(client *api.API, settings settings.Config, gitContex
 return useCloudIgnores, ignoredFingerprints, staleIgnoredFingerprintIds, err
 }
- if client != nil && client.Error == nil {
- useCloudIgnores, ignoredFingerprints, staleIgnoredFingerprintIds, err = ignore.GetIgnoredFingerprintsFromCloud(
- client,
- gitContext.FullName,
- pullRequestNumber,
- localIgnoredFingerprints,
- )
- if err != nil {
- return useCloudIgnores, ignoredFingerprints, staleIgnoredFingerprintIds, err
- }
- }
-
- if useCloudIgnores {
- return useCloudIgnores, ignoredFingerprints, staleIgnoredFingerprintIds, nil
- }
-
 return false, localIgnoredFingerprints, []string{}, nil
 }
@@ -308,10 +291,7 @@ func Run(ctx context.Context, opts flagtypes.Options) (err error) {
 return err
 }
 scanSettings.CloudIgnoresUsed, scanSettings.IgnoredFingerprints, scanSettings.StaleIgnoredFingerprintIds, err = getIgnoredFingerprints(
- opts.GeneralOptions.Client,
 scanSettings,
- gitContext,
- opts.PullRequestNumber,
 )
 if err != nil {
 return err
@@ -403,7 +383,6 @@ func (r *runner) Report(
 if err != nil {
 return false, err
 }
- reportoutput.UploadReportToCloud(reportData, r.scanSettings, r.gitContext)
 endTime := time.Now()
diff --git a/internal/commands/ignore.go b/internal/commands/ignore.go
index 06da08bb9..c6f77722b 100644
--- a/internal/commands/ignore.go
+++ b/internal/commands/ignore.go
@@ -11,7 +11,6 @@ import (
 "github.com/spf13/cobra"
 "github.com/spf13/viper"
- "github.com/bearer/bearer/internal/commands/process/gitrepository"
 "github.com/bearer/bearer/internal/flag"
 "github.com/bearer/bearer/internal/util/ignore"
 ignoretypes "github.com/bearer/bearer/internal/util/ignore/types"
@@ -28,7 +27,6 @@ Available Commands:
 add Add an ignored fingerprint
 show Show an ignored fingerprint
 remove Remove an ignored fingerprint
- pull Pull ignored fingerprints from Cloud
 migrate Migrate ignored fingerprints
 Examples:
@@ -41,9 +39,6 @@ Examples: # Remove an ignored fingerprint from your ignore file $ bearer ignore remove - # Pull ignored fingerprints from the Cloud (requires API key) - $ bearer ignore pull /path/to/your_project --api-key=XXXXX - # Migrate existing ignored (excluded) fingerprints from bearer.yml file $ bearer ignore migrate @@ -61,7 +56,6 @@ Examples: newIgnoreShowCommand(), newIgnoreAddCommand(), newIgnoreRemoveCommand(), - newIgnorePullCommand(), newIgnoreMigrateCommand(), ) 
@@ -314,99 +308,6 @@ $ bearer ignore remove `, return cmd } -func newIgnorePullCommand() *cobra.Command { - var flags = flag.Flags{flag.GeneralFlagGroup} - - cmd := &cobra.Command{ - Use: "pull ", - Short: "Pull ignored fingerprints from Cloud", - Example: `# Pull ignored fingerprints from the Cloud (requires API key) -$ bearer ignore pull /path/to/your_project --api-key=XXXXX`, - PreRunE: func(cmd *cobra.Command, args []string) error { - if err := flags.Bind(cmd); err != nil { - return fmt.Errorf("flag bind error: %w", err) - } - - return nil - }, - RunE: func(cmd *cobra.Command, args []string) error { - setLogLevel(cmd) - - options, err := flags.ToOptions(args) - if err != nil { - return fmt.Errorf("flag error: %s", err) - } - - if len(args) == 0 { - return cmd.Help() - } else { - options.Target = args[0] - } - - // confirm overwrite if ignore file exists - ignoreFilePath, _, fileExists, err := ignore.GetIgnoreFilePath(options.GeneralOptions.IgnoreFile, &options.Target) - if err != nil { - return fmt.Errorf("file error: %s", err) - } - - if fileExists { - overwriteApproved := requestConfirmation("Warning: this action will overwrite your current ignore file. Continue?") - if !overwriteApproved { - cmd.Printf("Okay, pull cancelled!\n") - return nil - } - } - - gitContext, err := gitrepository.NewContext(&options) - if err != nil { - return fmt.Errorf("failed to get git context: %w", err) - } - - data, err := options.GeneralOptions.Client.FetchIgnores(gitContext.FullName, "", []string{}) - if err != nil { - return fmt.Errorf("cloud error: %s", err) - } - - if !data.ProjectFound { - // no project - cmd.Printf("Project %s not found in Cloud. Pull cancelled.", gitContext.FullName) - return nil - } - - cloudIgnoresCount := len(data.CloudIgnoredFingerprints) - if cloudIgnoresCount == 0 { - // project found but no ignores - cmd.Printf("No ignores for project %s found in the Cloud. 
Pull cancelled", gitContext.FullName) - return nil - } - - // project found and we have ignores - write to ignore - cmd.Printf("Pulling %d ignores from the Cloud:\n", cloudIgnoresCount) - for fingerprintId, fingerprint := range data.CloudIgnoredFingerprints { - if fingerprint.Comment == nil { - cmd.Printf("\t- %s\n", fingerprintId) - } else { - cmd.Printf("\t- %s (%s)\n", fingerprintId, *fingerprint.Comment) - } - } - cmd.Printf("\n") - - if err = writeIgnoreFile(data.CloudIgnoredFingerprints, ignoreFilePath); err != nil { - return fmt.Errorf("error writing to file: %s", err) - } - - cmd.Printf("Pull successful! To view updated ignore file, run: bearer ignore show --all\n") - return nil - }, - SilenceErrors: false, - SilenceUsage: false, - } - flags.AddFlags(cmd) - cmd.SetUsageTemplate(fmt.Sprintf(scanTemplate, flags.Usages(cmd))) - - return cmd -} - func newIgnoreMigrateCommand() *cobra.Command { flags := flag.Flags{ flag.GeneralFlagGroup, diff --git a/internal/flag/general_flags.go b/internal/flag/general_flags.go index c38222a23..d5c0eb1ac 100644 --- a/internal/flag/general_flags.go +++ b/internal/flag/general_flags.go @@ -1,11 +1,8 @@ package flag import ( - "fmt" - "github.com/bearer/bearer/api" flagtypes "github.com/bearer/bearer/internal/flag/types" - pointer "github.com/bearer/bearer/internal/util/pointers" "github.com/rs/zerolog/log" ) 
@@ -119,18 +116,7 @@ func (generalFlagGroup) SetOptions(options *flagtypes.Options, args []string) er
 var client *api.API
 apiKey := getString(APIKeyFlag)
 if apiKey != "" {
- client = api.New(api.API{
- Host: getString(HostFlag),
- Token: apiKey,
- })
-
- _, err := client.Hello()
- if err != nil {
- log.Debug().Msgf("couldn't initialize client -> %s", err.Error())
- client.Error = pointer.String(fmt.Sprintf("API key does not appear to be valid for %s.", client.Host))
- } else {
- log.Debug().Msgf("Initialized client for report")
- }
+ log.Debug().Msgf("API Key is no longer used please remove it from your config")
 }
 debug := getBool(DebugFlag)
diff --git a/internal/github_api/version_check.go b/internal/github_api/version_check.go
deleted file mode 100644
index ac551a399..000000000
--- a/internal/github_api/version_check.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package github_api
-
-import (
- "context"
- "fmt"
- "strings"
-
- "github.com/bearer/bearer/cmd/bearer/build"
- "github.com/bearer/bearer/internal/util/output"
- "github.com/google/go-github/github"
- "github.com/rs/zerolog/log"
-)
-
-func VersionCheck(ctx context.Context, disableVersionCheck bool, Quiet bool) {
- if disableVersionCheck {
- log.Debug().Msgf("Version checking disabled. Skipping version check")
- } else {
- client := github.NewClient(nil)
- release, _, err := client.Repositories.GetLatestRelease(ctx, "bearer", "bearer")
- if err != nil {
- log.Debug().Msgf("couldn't retrieve latest release from GitHub %s", err)
- } else {
- version := strings.TrimPrefix(*release.Name, "v")
- if version != build.Version && build.Version != "dev" && !Quiet {
- output.StdErrLog(fmt.Sprintf("You are running an outdated version of Bearer CLI, %s is now available. You can find update instructions at https://docs.bearer.com/reference/installation/#updating-bearer", *release.Name))
- }
- }
- }
-}
diff --git a/internal/report/output/output.go b/internal/report/output/output.go
index bf9da13ca..1f0405ffe 100644
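Review bot: The deprecation notice on the added `log.Debug()` line is only emitted when debug logging is enabled, so a user or CI job that still passes `--api-key` / `BEARER_API_KEY` will keep handing a credential to a tool that silently ignores it, and the docs/_data yaml reformatted earlier in this diff still describes the flag as `Use your Bearer API Key to send the report to Bearer.`. Since the value is a secret the CLI no longer needs, the better behaviour is to say so at a level people see and with punctuation: `log.Warn().Msg("The --api-key flag and BEARER_API_KEY are no longer used; remove them from your config")`, and to mark the flag deprecated where it is registered (cobra's `MarkDeprecated`, outside this hunk) so the CLI prints the notice itself. `client` is now never assigned on this path, so presumably whatever later stores it into `options.GeneralOptions.Client` (further down SetOptions, outside the hunk) always sees nil; if that is right, the `var client *api.API` declaration and the remaining `api` import can go with it, and the three callers this diff already removed suggest nothing else reads it. SetOptions continues past the end of this hunk.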
--- a/internal/report/output/output.go +++ b/internal/report/output/output.go @@ -7,7 +7,6 @@ import ( "github.com/google/uuid" "github.com/hhatto/gocloc" - "golang.org/x/exp/slices" "github.com/bearer/bearer/internal/commands/process/gitrepository" "github.com/bearer/bearer/internal/commands/process/settings" @@ -75,14 +74,6 @@ func GetData( return data, err } -func UploadReportToCloud(report *types.ReportData, config settings.Config, gitContext *gitrepository.Context) { - if slices.Contains([]string{flag.ReportSecurity, flag.ReportSaaS}, config.Report.Report) { - if config.Client != nil && config.Client.Error == nil { - saas.SendReport(config, report, gitContext) - } - } -} - func GetDataflow( reportData *types.ReportData, report globaltypes.Report, diff --git a/internal/report/output/saas/saas.go b/internal/report/output/saas/saas.go index f81beb617..b63f1b41a 100644 --- a/internal/report/output/saas/saas.go +++ b/internal/report/output/saas/saas.go @@ -3,15 +3,11 @@ package saas import ( "compress/gzip" "errors" - "fmt" "os" "strings" - "github.com/rs/zerolog/log" "golang.org/x/exp/maps" - "github.com/bearer/bearer/api" - "github.com/bearer/bearer/api/s3" "github.com/bearer/bearer/cmd/bearer/build" "github.com/bearer/bearer/internal/commands/process/gitrepository" "github.com/bearer/bearer/internal/commands/process/settings" @@ -20,7 +16,6 @@ import ( "github.com/bearer/bearer/internal/report/output/types" "github.com/bearer/bearer/internal/util/file" util "github.com/bearer/bearer/internal/util/output" - pointer "github.com/bearer/bearer/internal/util/pointers" ) func GetReport( 
@@ -58,32 +53,6 @@ func GetReport( return nil } -func SendReport(config settings.Config, reportData *types.ReportData, gitContext *gitrepository.Context) { - if reportData.SaasReport == nil { - err := GetReport(reportData, config, gitContext, true) - if err != nil { - errorMessage := fmt.Sprintf("Unable to calculate Metadata. %s", err) - log.Debug().Msgf(errorMessage) - config.Client.Error = &errorMessage - return - } - } - - tmpDir, filename, err := createBearerGzipFileReport(config, reportData) - if err != nil { - config.Client.Error = pointer.String("Could not compress report.") - log.Debug().Msgf("error creating report %s", err) - } - - defer os.RemoveAll(*tmpDir) - - err = sendReportToBearer(config.Client, &reportData.SaasReport.Meta, filename) - if err != nil { - config.Client.Error = pointer.String("Report upload failed.") - log.Debug().Msgf("error sending report to Bearer cloud: %s", err) - } -} - func translateFindingsBySeverity[F securitytypes.GenericFinding](someFindingsBySeverity map[string][]F) map[string][]saas.SaasFinding { saasFindingsBySeverity := make(map[string][]saas.SaasFinding) for _, severity := range maps.Keys(someFindingsBySeverity) { @@ -99,28 +68,6 @@ func translateFindingsBySeverity[F securitytypes.GenericFinding](someFindingsByS return saasFindingsBySeverity } -func sendReportToBearer(client *api.API, meta *saas.Meta, filename *string) error { - fileUploadOffer, err := s3.UploadS3(&s3.UploadRequestS3{ - Api: client, - FilePath: *filename, - FilePrefix: "bearer_security_report", - ContentType: "application/json", - ContentEncoding: "gzip", - }) - if err != nil { - return err - } - - meta.SignedID = fileUploadOffer.SignedID - - err = client.ScanFinished(meta) - if err != nil { - return err - } - - return nil -} - func getDiscoveredFiles(config settings.Config, files []string) []string { filenames := make([]string, len(files)) diff --git a/internal/util/ignore/ignore.go b/internal/util/ignore/ignore.go index e3881906c..73cfa4c44 100644 
--- a/internal/util/ignore/ignore.go +++ b/internal/util/ignore/ignore.go @@ -9,11 +9,8 @@ import ( "strings" "time" - "golang.org/x/exp/maps" - "github.com/fatih/color" - "github.com/bearer/bearer/api" types "github.com/bearer/bearer/internal/util/ignore/types" pointer "github.com/bearer/bearer/internal/util/pointers" ) @@ -49,39 +46,6 @@ func GetIgnoredFingerprints(filePath string, target *string) (ignoredFingerprint return ignoredFingerprints, ignoreFilePath, true, err } -func GetIgnoredFingerprintsFromCloud( - client *api.API, - fullname string, - pullRequestNumber string, - localIgnores map[string]types.IgnoredFingerprint, -) ( - useCloudIgnores bool, - ignoredFingerprints map[string]types.IgnoredFingerprint, - staleIgnoredFingerprintIds []string, - err error, -) { - - data, err := client.FetchIgnores(fullname, pullRequestNumber, maps.Keys(localIgnores)) - if err != nil { - return useCloudIgnores, ignoredFingerprints, staleIgnoredFingerprintIds, err - } - - ignoredFingerprints = make(map[string]types.IgnoredFingerprint) - for _, fingerprint := range data.Ignores { - item := types.IgnoredFingerprint{} - - _, persistedInCloud := data.CloudIgnoredFingerprints[fingerprint] - if !persistedInCloud { - // it is a new addition; use information from ignore file - item = localIgnores[fingerprint] - } - - ignoredFingerprints[fingerprint] = item - } - - return data.ProjectFound, ignoredFingerprints, data.StaleIgnores, nil -} - func MergeIgnoredFingerprints(fingerprintsToIgnore map[string]types.IgnoredFingerprint, ignoredFingerprints map[string]types.IgnoredFingerprint, force bool) error { for key, value := range fingerprintsToIgnore { if !force { diff --git a/kpi_scan/Dockerfile b/kpi_scan/Dockerfile deleted file mode 100644 index ba3dbee3a..000000000 --- a/kpi_scan/Dockerfile +++ /dev/null 
@@ -1,14 +0,0 @@ -FROM ubuntu - -RUN apt-get update && apt-get install -y curl git jq ca-certificates -RUN update-ca-certificates -RUN apt-get install apt-transport-https - -RUN echo "deb [trusted=yes] https://apt.fury.io/bearer/ /" > /etc/apt/sources.list.d/fury.list -RUN apt-get update && apt-get install -y bearer - -RUN mkdir /app -ADD ./kpi_scan/run.sh /app/ -WORKDIR /app - -CMD ["/app/run.sh"] diff --git a/kpi_scan/README.md b/kpi_scan/README.md deleted file mode 100644 index d550d0125..000000000 --- a/kpi_scan/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# KPI Scan docker image - -This docker image is ubuntu with a script to download the latest Bearer CLI -and run it for a given REPOSITORY_URL and API_KEY. - -## Building - -The image must be built and deployed manually. For MacOS: - -```sh -$ docker buildx build --platform=linux/amd64 -t bearersh/kpi-scan . -$ docker push bearersh/kpi-scan:latest -``` diff --git a/kpi_scan/kpi_repo_list.json5 b/kpi_scan/kpi_repo_list.json5 deleted file mode 100644 index 51df03503..000000000 --- a/kpi_scan/kpi_repo_list.json5 +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "include": [ - // ruby - { "name": "railsgoat", "repository_url": "https://github.com/Bearer/railsgoat" }, - { "name": "mastodon", "repository_url": "https://github.com/mastodon/mastodon" }, - { "name": "frab", "repository_url": "https://github.com/frab/frab" }, - { "name": "discourse", "repository_url": "https://github.com/discourse/discourse" }, - { "name": "diaspora", "repository_url": "https://github.com/diaspora/diaspora" }, - { "name": "gitlab", "repository_url": "https://gitlab.com/gitlab-org/gitlab" }, - { "name": "chatwoot", "repository_url": "https://github.com/chatwoot/chatwoot" }, - { "name": "postal", "repository_url": "https://github.com/postalserver/postal" }, - { "name": "forem", "repository_url": "https://github.com/forem/forem" }, - { "name": "openstreetmap-website", "repository_url": "https://github.com/openstreetmap/openstreetmap-website" }, - { "name": "loomio", "repository_url": "https://github.com/loomio/loomio" }, - { "name": "rdv-solidarites.fr", "repository_url": "https://github.com/betagouv/rdv-solidarites.fr" }, - // javascript - { "name": "juice-shop", "repository_url": "https://github.com/Bearer/juice-shop" }, - { "name": "NodeGoat", "repository_url": "https://github.com/Bearer/NodeGoat" }, - { "name": "chapter", "repository_url": "https://github.com/freeCodeCamp/chapter" }, - { "name": "Ghost", "repository_url": "https://github.com/TryGhost/Ghost" }, - { "name": "wekan", "repository_url": "https://github.com/wekan/wekan" }, - { "name": "backstage", "repository_url": "https://github.com/backstage/backstage" }, - { "name": "medusa", "repository_url": "https://github.com/medusajs/medusa" }, - { "name": "ToolJet", "repository_url": "https://github.com/ToolJet/ToolJet" }, - { "name": "grafana", "repository_url": "https://github.com/grafana/grafana" }, - { "name": "mattermost-server", "repository_url": "https://github.com/mattermost/mattermost-server" }, - { "name": "Rocket.Chat", "repository_url": 
"https://github.com/RocketChat/Rocket.Chat" }, - // java - { "name": "WebGoat", "repository_url": "https://github.com/Bearer/WebGoat" }, - { "name": "BenchmarkJava", "repository_url": "https://github.com/OWASP-Benchmark/BenchmarkJava" }, - // php - { "name": "OWASPWebGoatPHP", "repository_url": "https://github.com/OWASP/OWASPWebGoatPHP" }, - { "name": "Vulnerable-Web-Application", "repository_url": "https://github.com/OWASP/Vulnerable-Web-Application" }, - { "name": "mediawiki", "repository_url": "https://github.com/wikimedia/mediawiki" }, - // golang - { "name": "Vulnerability-goapp", "repository_url": "https://github.com/Hardw01f/Vulnerability-goapp" }, - { "name": "govwa", "repository_url": "https://github.com/0c34/govwa" } - ] -} diff --git a/kpi_scan/run.sh b/kpi_scan/run.sh deleted file mode 100755 index b4647d8ac..000000000 --- a/kpi_scan/run.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -set -eu - -echo -echo "Cloning $REPOSITORY_URL" -git clone --depth=1 --single-branch "$REPOSITORY_URL" /tmp/repository -cd /tmp/repository - -echo -echo "Scanning" -bearer scan . "--host=$API_HOST" --api-key "$API_KEY"