Feat/add snyk (#959)

Add [snyk cli](https://github.com/snyk/cli) for security scans.

As of 2025-01-20 I can't get this to test properly locally because it
says snyk isn't enabled. Not sure what might be misconfigured that's
causing that. Would love help.

---------

Co-authored-by: Tyler Jang <[email protected]>

.github/actions/linter_tests/action.yaml

@@ -20,6 +20,9 @@ inputs:
     description: Additional args to append to the test invocation
     required: false
     default: linters --
+  snyk-token:
+    description: Token to login for snyk test
+    required: true
   sourcery-token:
     description: Token to login for sourcery test
     required: true
@@ -103,6 +106,7 @@ runs:
         PLUGINS_TEST_LINTER_VERSION: ${{ inputs.linter-version }}
         PLUGINS_TEST_CLI_VERSION: ${{ inputs.cli-version }}
         PLUGINS_TEST_CLI_PATH: ${{ env.CLI_PATH }}
+        SNYK_TOKEN: ${{ inputs.snyk-token }}
         SOURCERY_TOKEN: ${{ inputs.sourcery-token }}
         # Debug recurrent eslint circular JSON errors
         DEBUG: Driver:eslint:*,Driver:nixpkgs-fmt:*,Driver:trunk-toolbox:*

.github/workflows/nightly.yaml

@@ -67,6 +67,7 @@ jobs:
         with:
           linter-version: ${{ matrix.linter-version }}
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
@@ -173,6 +174,7 @@ jobs:
           linter-version: ${{ matrix.linter-version }}
           append-args: linters -- --json --outputFile=${{ matrix.results-file }}-res.json
           ref-type: release
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
@@ -198,6 +200,7 @@ jobs:
       TRUNK_API_TOKEN: ${{ secrets.TRUNK_API_TOKEN }}
       TRUNK_OPEN_PR_APP_ID: ${{ secrets.TRUNK_OPEN_PR_APP_ID }}
       TRUNK_OPEN_PR_APP_PRIVATE_KEY: ${{ secrets.TRUNK_OPEN_PR_APP_PRIVATE_KEY }}
+      TRUNK_SNYK_TOKEN: ${{ secrets.TRUNK_SNYK_TOKEN }}
       TRUNK_SOURCERY_TOKEN: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
       TRUNK_DEBUGGER_TOKEN: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
       TRUNK_ORG_PROD_TOKEN: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
@@ -254,6 +257,7 @@ jobs:
     uses: ./.github/workflows/upload_results.reusable.yaml
     secrets:
       TRUNKBOT_SLACK_BOT_TOKEN: ${{ secrets.TRUNKBOT_SLACK_BOT_TOKEN }}
+      TRUNK_SNYK_TOKEN: ${{ secrets.TRUNK_SNYK_TOKEN }}
       TRUNK_SOURCERY_TOKEN: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
       TRUNK_DEBUGGER_TOKEN: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
       TRUNK_ORG_PROD_TOKEN: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}

.github/workflows/pr.yaml

@@ -151,6 +151,7 @@ jobs:
         with:
           linter-version: KnownGoodVersion
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           append-args:
             ${{ needs.detect_changes.outputs.all-linters }} ${{
@@ -167,6 +168,7 @@ jobs:
         with:
           linter-version: Latest
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           append-args: ${{ needs.detect_changes.outputs.linters-files }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
@@ -262,6 +264,7 @@ jobs:
         with:
           linter-version: Latest
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           cli-path: ${{ github.workspace }}\trunk.ps1
           append-args: ${{needs.detect_changes.outputs.linters-files }} -- --maxWorkers=5

.github/workflows/upload_results.reusable.yaml

@@ -34,6 +34,8 @@ on:
         required: false
       TRUNK_OPEN_PR_APP_PRIVATE_KEY:
         required: false
+      TRUNK_SNYK_TOKEN:
+        required: false
       TRUNK_SOURCERY_TOKEN:
         required: false
       TRUNK_DEBUGGER_TOKEN:
@@ -242,6 +244,7 @@ jobs:
           linter-version: Latest
           ref-type: main
           append-args: ${{ needs.upload_test_results.outputs.reruns }} -- -u
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}

.github/workflows/windows_nightly.yaml

@@ -45,6 +45,7 @@ jobs:
         with:
           linter-version: ${{ matrix.linter-version }}
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           cli-path: ${{ github.workspace }}\trunk.ps1
           # manually specify more parallelism to avoid bottlenecks

.gitignore

@@ -8,3 +8,6 @@ node_modules/
 out/
 
 junit.xml
+
+# Snyk
+.dccache

README.md

@@ -81,7 +81,7 @@ trunk check enable {linter}
 | Ruby            | [brakeman], [rubocop], [rufo], [semgrep], [standardrb]                                                                   |
 | Rust            | [clippy], [rustfmt]                                                                                                      |
 | Scala           | [scalafmt]                                                                                                               |
-| Security        | [checkov], [dustilock], [nancy], [osv-scanner], [tfsec], [trivy], [trufflehog], [terrascan]                              |
+| Security        | [checkov], [dustilock], [nancy], [osv-scanner], [snyk], [tfsec], [trivy], [trufflehog], [terrascan]                      |
 | SQL             | [sqlfluff], [sqlfmt], [sql-formatter], [squawk]                                                                          |
 | SVG             | [svgo]                                                                                                                   |
 | Swift           | [stringslint], [swiftlint], [swiftformat]                                                                                |
@@ -175,6 +175,7 @@ trunk check enable {linter}
 [sqlfluff]: https://github.com/sqlfluff/sqlfluff#readme
 [sqlfmt]: https://github.com/tconbeer/sqlfmt#readme
 [squawk]: https://github.com/sbdchd/squawk#readme
+[snyk]: https://github.com/snyk/cli#readme
 [standardrb]: https://github.com/testdouble/standard#readme
 [stringslint]: https://github.com/dral3x/StringsLint#readme
 [stylelint]: https://github.com/stylelint/stylelint#readme

linters/snyk/plugin.yaml

@@ -0,0 +1,66 @@
+version: 0.1
+downloads:
+  - name: snyk
+    downloads:
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-${os}-${cpu}
+        cpu: arm_64
+        os:
+          macos: macos
+          linux: linux
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-${os}
+        cpu: x86_64
+        os:
+          macos: macos
+          linux: linux
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-win.exe
+        os: windows
+tools:
+  definitions:
+    - name: snyk
+      download: snyk
+      known_good_version: 1.1295.0
+      shims: [snyk]
+      health_checks:
+        - command: snyk --version
+          parse_regex: ${semver}
+lint:
+  definitions:
+    - name: snyk
+      tools: [snyk]
+      suggest_if: config_present
+      description: Security scanning tool for code, dependencies and containers
+      known_good_version: 1.1295.0
+      commands:
+        - name: test
+          files: [lockfile]
+          output: sarif
+          run: snyk test --sarif --skip-unresolved --file=${target}
+          success_codes: [0, 1] # Snyk returns 1 when vulnerabilities are found
+          read_output_from: stdout
+          batch: false
+          is_security: true
+        - name: code
+          files: [javascript, typescript, java, python]
+          output: sarif
+          run: snyk code test --sarif .
+          run_from: ${parent}
+          success_codes: [0, 1]
+          read_output_from: stdout
+          sandbox_type: copy_targets
+          batch: true
+          is_security: true
+        - name: container
+          files: [docker]
+          output: sarif
+          run: snyk container test --sarif ${target}
+          success_codes: [0, 1]
+          read_output_from: stdout
+          batch: true
+          is_security: true
+      direct_configs: [.snyk]
+      environment:
+        - name: SNYK_TOKEN
+          optional: true
+          value: ${env.SNYK_TOKEN}
+        - name: PATH
+          list: ["${linter}", "${env.PATH}"]

linters/snyk/snyk.test.ts

@@ -0,0 +1,4 @@
+import { customLinterCheckTest } from "tests";
+import { TEST_DATA } from "tests/utils";
+
+customLinterCheckTest({ linterName: "snyk", args: TEST_DATA, testName: "basic" });

linters/snyk/test_data/SqlInjectionLess4.java

@@ -0,0 +1,77 @@
+
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+ package org.owasp.webgoat.sql_injection.introduction;
+
+ import org.owasp.webgoat.assignments.AssignmentEndpoint;
+ import org.owasp.webgoat.assignments.AssignmentHints;
+ import org.owasp.webgoat.assignments.AttackResult;
+ import org.springframework.web.bind.annotation.PostMapping;
+ import org.springframework.web.bind.annotation.RequestParam;
+ import org.springframework.web.bind.annotation.ResponseBody;
+ import org.springframework.web.bind.annotation.RestController;
+
+ import javax.sql.DataSource;
+ import java.sql.*;
+
+ import static java.sql.ResultSet.*;
+
+
+ @RestController
+ @AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
+ public class SqlInjectionLesson4 extends AssignmentEndpoint {
+
+     private final DataSource dataSource;
+
+     public SqlInjectionLesson4(DataSource dataSource) {
+         this.dataSource = dataSource;
+     }
+
+     @PostMapping("/SqlInjection/attack4")
+     @ResponseBody
+     public AttackResult completed(@RequestParam String query) {
+         return injectableQuery(query);
+     }
+
+     protected AttackResult injectableQuery(String query) {
+         try (Connection connection = dataSource.getConnection()) {
+             try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
+                 statement.executeUpdate(query);
+                 connection.commit();
+                 ResultSet results = statement.executeQuery("SELECT phone from employees;");
+                 StringBuffer output = new StringBuffer();
+                 // user completes lesson if column phone exists
+                 if (results.first()) {
+                     output.append("<span class='feedback-positive'>" + query + "</span>");
+                     return success(this).output(output.toString()).build();
+                 } else {
+                     return failed(this).output(output.toString()).build();
+                 }
+             } catch (SQLException sqle) {
+                 return failed(this).output(sqle.getMessage()).build();
+             }
+         } catch (Exception e) {
+             return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+         }
+     }
+ }