diff --git a/internal/helpers/messages/error.go b/internal/helpers/messages/error.go index e9d4e69a4..f91aa213c 100644 --- a/internal/helpers/messages/error.go +++ b/internal/helpers/messages/error.go @@ -39,6 +39,13 @@ const ( MsgErrorGemLockNotFound = "{HORUSEC_CLI} Error It looks like your project doesn't have a gemfile.lock file, " + "it would be a good idea to commit it so horusec can check for vulnerabilities" MsgErrorGetFilenameByExt = "Could not get filename by extension: " + MsgErrorNancyRateLimit = `{HORUSEC_CLI} Error when run Nancy tool because Failed to query the GitHub API for updates. +This is most likely due to GitHub rate-limiting on unauthenticated requests. +To make authenticated requests please: + 1. Generate a token at https://github.com/settings/tokens + 2. Set the token by setting the GITHUB_TOKEN environment variable. +Instructions for generating a token can be found at: +https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line. ` ) // Block of messages usage into log of the level error diff --git a/internal/services/formatters/go/nancy/formatter.go b/internal/services/formatters/go/nancy/formatter.go index b06c042a7..2a22f0222 100644 --- a/internal/services/formatters/go/nancy/formatter.go +++ b/internal/services/formatters/go/nancy/formatter.go @@ -16,6 +16,7 @@ package nancy import ( "encoding/json" + "errors" "path/filepath" "strings" @@ -34,8 +35,10 @@ import ( ) const ( - goModulesExt = ".mod" - goSumExt = ".sum" + goModulesExt = ".mod" + goSumExt = ".sum" + rateLimitValidation = "this is most likely due to github rate-limiting on unauthenticated requests" + rateLimitPrefix = "failed to query the github api for updates" ) type Formatter struct { 
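Review bot: MsgErrorNancyRateLimit tells the user to set GITHUB_TOKEN, but nothing in this change shows that variable reaching nancy; the test hunk starts nancy via CreateLanguageAnalysisContainer, so presumably the tool runs inside an analysis container and the variable must be forwarded into it for the instruction to be actionable — worth confirming before shipping the advice. Since the token is only needed to lift the unauthenticated GitHub rate limit, the message should also state that a token with no scopes is sufficient, so users do not hand a broadly scoped personal access token to the scanner. The first line reads awkwardly; suggest `Error when running Nancy tool: failed to query the GitHub API for updates.`.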
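Review bot: rateLimitPrefix and rateLimitValidation are lower-cased fragments of nancy's own stdout, so a rewording in a future nancy release makes the detection stop matching with no signal; a comment should record their origin, e.g. `// lower-cased fragments of nancy's update-check failure text (captured from nancy 1.0.28); match against strings.ToLower(output)`. The name rateLimitValidation also says little about what it holds; `rateLimitHint` would describe the sentence it contains.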
@@ -66,10 +69,13 @@ func (f *Formatter) startNancy(projectSubPath string) (string, error) { if err != nil { return output, err } - if output == "" { return output, nil } + if strings.HasPrefix(strings.ToLower(output), rateLimitPrefix) && + strings.Contains(strings.ToLower(output), rateLimitValidation) { + return "", errors.New(messages.MsgErrorNancyRateLimit) + } return output, f.processOutput(output, projectSubPath) } diff --git a/internal/services/formatters/go/nancy/formatter_test.go b/internal/services/formatters/go/nancy/formatter_test.go index 0c87b51c6..d9872dc5a 100644 --- a/internal/services/formatters/go/nancy/formatter_test.go +++ b/internal/services/formatters/go/nancy/formatter_test.go @@ -16,6 +16,7 @@ package nancy import ( "errors" + "github.com/ZupIT/horusec/internal/helpers/messages" "path/filepath" "testing" @@ -108,6 +109,24 @@ func TestParseOutput(t *testing.T) { assert.True(t, analysis.HasErrors(), "Expected errors on analysis") }) + t.Run("should add error on analysis when output return rate limit requests", func(t *testing.T) { + analysis := new(analysis.Analysis) + + cfg := config.New() + + dockerAPIControllerMock := testutil.NewDockerMock() + dockerAPIControllerMock.On("SetAnalysisID") + dockerAPIControllerMock.On("CreateLanguageAnalysisContainer").Return(outputRateLimit, nil) + + service := formatters.NewFormatterService(analysis, dockerAPIControllerMock, cfg) + + formatter := NewFormatter(service) + formatter.StartAnalysis("") + + assert.True(t, analysis.HasErrors(), "Expected errors on analysis") + assert.Equal(t, messages.MsgErrorNancyRateLimit, analysis.Errors) + }) + t.Run("should add error on analysis when something went wrong executing container", func(t *testing.T) { analysis := new(analysis.Analysis) 
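Review bot: The new check in startNancy reports GitHub rate-limiting for any failed nancy update check, because the matched text is nancy's generic hint (it literally says "most likely") rather than the actual cause; the outputRateLimit fixture added in formatter_test.go is a `net/http: TLS handshake timeout`, not a rate limit, yet this branch would send that user off to create a token. A more robust option is to run nancy with `--skip-update-check` (listed among the flags in that fixture) so a scan never depends on a GitHub call at all, and otherwise to include the line following the hint in the returned error so the real cause stays visible. Separately, `strings.ToLower(output)` is computed twice; hoist it as `lower := strings.ToLower(output)` and test `strings.HasPrefix(lower, rateLimitPrefix) && strings.Contains(lower, rateLimitValidation)`. startNancy begins before this hunk.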
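Review bot: The new import `"github.com/ZupIT/horusec/internal/helpers/messages"` is inserted between "errors" and "path/filepath", inside the standard-library group; goimports keeps project packages in a separate blank-line-separated group, so the next formatting pass will move it and it is better placed there now. The rest of the import block lies outside the hunk.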
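Review bot: `analysis := new(analysis.Analysis)` shadows the analysis package for the rest of the new sub-test, which mirrors the existing sub-tests but leaves the package unreachable inside the closure; `a := new(analysis.Analysis)` avoids that in the new code. The sub-test covers only the positive path; a companion case feeding a normal nancy report that happens to mention GitHub or rate limits would pin that such output is still parsed rather than rejected. `assert.Equal(t, messages.MsgErrorNancyRateLimit, analysis.Errors)` presumably relies on Errors being a plain string; if it is a joined list the exact comparison is brittle — confirm its type.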
@@ -221,3 +240,51 @@ const output = `
 ]
 }
 `
+
+const outputRateLimit = `Failed to query the GitHub API for updates.
+
+This is most likely due to GitHub rate-limiting on unauthenticated requests.
+
+To make authenticated requests please:
+
+ 1. Generate a token at https://github.com/settings/tokens
+ 2. Set the token by either adding it to your ~/.gitconfig or
+ setting the GITHUB_TOKEN environment variable.
+
+Instructions for generating a token can be found at:
+https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/
+
+We call the GitHub releases API to look for new releases.
+More information about that API can be found here: https://developer.github.com/v3/repos/releases/
+
+: Get \"https://api.github.com/repos/sonatype-nexus-community/nancy/releases\": net/http: TLS handshake timeout
+
+For more information, check the log file at /root/.ossindex/nancy.combined.log
+nancy version: 1.0.28
+
+Usage:
+ nancy sleuth [flags]
+
+Examples:
+ go list -json -deps | nancy sleuth --username your_user --token your_token
+ nancy sleuth -p Gopkg.lock --username your_user --token your_token
+
+Flags:
+ -e, --exclude-vulnerability CveListFlag Comma separated list of CVEs or OSS Index IDs to exclude (default [])
+ -x, --exclude-vulnerability-file string Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default \"./.nancy-ignore\")
+ -h, --help help for sleuth
+ -n, --no-color indicate output should not be colorized
+ -o, --output string Styling for output format. 
json, json-pretty, text, csv (default \"text\")
+
+Global Flags:
+ -v, -- count Set log level, multiple v's is more verbose
+ -d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: /tmp
+ --loud indicate output should include non-vulnerable packages
+ -p, --path string Specify a path to a dep Gopkg.lock file for scanning
+ -q, --quiet indicate output should contain only packages with vulnerabilities (default true)
+ --skip-update-check Skip the check for updates.
+ -t, --token string Specify OSS Index API token for request
+ -u, --username string Specify OSS Index username for request
+ -V, --version Get the version
+
+go list -m: dmitri.shuralyov.com/gpu/mtl@v0.0.0-20190408044501-666a987793e9: Get \"https://proxy.golang.org/dmitri.shuralyov.com/gpu/mtl/@v/v0.0.0-20190408044501-666a987793e9.mod\": net/http: TLS handshake timeout`