Skip to content

Commit

Permalink
nancy:chore - Error not handled by Horusec in Nancy tool
Browse files Browse the repository at this point in the history
**- What I did**
The nancy tool requires access to the Github API's, but when accessed several times without an identification
it is blocked until the user identifies himself using an authentication token that can be generated via Github,
so I created a validation for this scenario and the user can add this environment variable before starting an analysis.
**- How to verify it**
Run many times GoLang project and see follow error:
```bash
Invalid character 'E' looking for beginning of value
```
**- Description for the changelog**
Error not handled by Horusec in Nancy tool [#905](#905)

Signed-off-by: wilian <wilian.silva@zup.com.br>
  • Loading branch information
wiliansilvazup committed Dec 29, 2021
1 parent 0cc95bc commit 18a2a93
Show file tree
Hide file tree
Showing 3 changed files with 83 additions and 3 deletions.
7 changes: 7 additions & 0 deletions internal/helpers/messages/error.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,13 @@ const (
MsgErrorGemLockNotFound = "{HORUSEC_CLI} Error It looks like your project doesn't have a gemfile.lock file, " +
"it would be a good idea to commit it so horusec can check for vulnerabilities"
MsgErrorGetFilenameByExt = "Could not get filename by extension: "
MsgErrorNancyRateLimit = `{HORUSEC_CLI} Error when run Nancy tool because Failed to query the GitHub API for updates.
This is most likely due to GitHub rate-limiting on unauthenticated requests.
To make authenticated requests please:
1. Generate a token at https://github.com/settings/tokens
2. Set the token by setting the GITHUB_TOKEN environment variable.
Instructions for generating a token can be found at:
https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line. `
)

// Block of messages usage into log of the level error
Expand Down
12 changes: 9 additions & 3 deletions internal/services/formatters/go/nancy/formatter.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package nancy

import (
"encoding/json"
"errors"
"path/filepath"
"strings"

Expand All @@ -34,8 +35,10 @@ import (
)

const (
goModulesExt = ".mod"
goSumExt = ".sum"
goModulesExt = ".mod"
goSumExt = ".sum"
rateLimitValidation = "this is most likely due to github rate-limiting on unauthenticated requests"
rateLimitPrefix = "failed to query the github api for updates"
)

type Formatter struct {
Expand Down Expand Up @@ -66,10 +69,13 @@ func (f *Formatter) startNancy(projectSubPath string) (string, error) {
if err != nil {
return output, err
}

if output == "" {
return output, nil
}
if strings.HasPrefix(strings.ToLower(output), rateLimitPrefix) &&
strings.Contains(strings.ToLower(output), rateLimitValidation) {
return "", errors.New(messages.MsgErrorNancyRateLimit)
}

return output, f.processOutput(output, projectSubPath)
}
Expand Down
67 changes: 67 additions & 0 deletions internal/services/formatters/go/nancy/formatter_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package nancy

import (
"errors"
"github.com/ZupIT/horusec/internal/helpers/messages"
"path/filepath"
"testing"

Expand Down Expand Up @@ -108,6 +109,24 @@ func TestParseOutput(t *testing.T) {
assert.True(t, analysis.HasErrors(), "Expected errors on analysis")
})

t.Run("should add error on analysis when output return rate limit requests", func(t *testing.T) {
analysis := new(analysis.Analysis)

cfg := config.New()

dockerAPIControllerMock := testutil.NewDockerMock()
dockerAPIControllerMock.On("SetAnalysisID")
dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(outputRateLimit, nil)

service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg)

formatter := NewFormatter(service)
formatter.StartAnalysis("")

assert.True(t, analysis.HasErrors(), "Expected errors on analysis")
assert.Equal(t, messages.MsgErrorNancyRateLimit, analysis.Errors)
})

t.Run("should add error on analysis when something went wrong executing container", func(t *testing.T) {
analysis := new(analysis.Analysis)

Expand Down Expand Up @@ -221,3 +240,51 @@ const output = `
]
}
`

const outputRateLimit = `Failed to query the GitHub API for updates.
This is most likely due to GitHub rate-limiting on unauthenticated requests.
To make authenticated requests please:
1. Generate a token at https://github.com/settings/tokens
2. Set the token by either adding it to your ~/.gitconfig or
setting the GITHUB_TOKEN environment variable.
Instructions for generating a token can be found at:
https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/
We call the GitHub releases API to look for new releases.
More information about that API can be found here: https://developer.github.com/v3/repos/releases/
: Get \"https://api.github.com/repos/sonatype-nexus-community/nancy/releases\": net/http: TLS handshake timeout
For more information, check the log file at /root/.ossindex/nancy.combined.log
nancy version: 1.0.28
Usage:
nancy sleuth [flags]
Examples:
go list -json -deps | nancy sleuth --username your_user --token your_token
nancy sleuth -p Gopkg.lock --username your_user --token your_token
Flags:
-e, --exclude-vulnerability CveListFlag Comma separated list of CVEs or OSS Index IDs to exclude (default [])
-x, --exclude-vulnerability-file string Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default \"./.nancy-ignore\")
-h, --help help for sleuth
-n, --no-color indicate output should not be colorized
-o, --output string Styling for output format. json, json-pretty, text, csv (default \"text\")
Global Flags:
-v, -- count Set log level, multiple v's is more verbose
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: /tmp
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
--skip-update-check Skip the check for updates.
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version
go list -m: dmitri.shuralyov.com/gpu/mtl@v0.0.0-20190408044501-666a987793e9: Get \"https://proxy.golang.org/dmitri.shuralyov.com/gpu/mtl/@v/v0.0.0-20190408044501-666a987793e9.mod\": net/http: TLS handshake timeout`

0 comments on commit 18a2a93

Please sign in to comment.