Feature/semgrep (#128)

* Adding semgrep to horus cli

* Adding semgrep languages, updating semprep formatter

* Adding method to get severity

* Fixing lint errors

* Fixing cli unity tests

* Improving code and adding unity tests

* Changing semgrep config to use docker hub image

* Updating api to accept new languages

* Fixing lint errors

* Adding workdir to generic scan

deployments/dockerfiles/semgrep/.semver.yaml

@@ -0,0 +1,4 @@
+alpha: 0
+beta: 0
+rc: 0
+release: v1.0.0

deployments/dockerfiles/semgrep/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM python:3.6-alpine
+
+RUN apk add --no-cache git bash
+RUN python3 -m pip install semgrep

development-kit/pkg/entities/analyser/general/semgrep/analysis.go

@@ -0,0 +1,20 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package semgrep
+
+type Analysis struct {
+	Results []Result `json:"results"`
+	Errors  []string `json:"errors"`
+}

development-kit/pkg/entities/analyser/general/semgrep/extra.go

@@ -0,0 +1,21 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package semgrep
+
+type Extra struct {
+	Message  string `json:"message"`
+	Severity string `json:"severity"`
+	Code     string `json:"lines"`
+}

development-kit/pkg/entities/analyser/general/semgrep/position.go

@@ -0,0 +1,20 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package semgrep
+
+type Position struct {
+	Line int `json:"line"`
+	Col  int `json:"col"`
+}

development-kit/pkg/entities/analyser/general/semgrep/result.go

@@ -0,0 +1,23 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package semgrep
+
+type Result struct {
+	CheckID string   `json:"check_id"`
+	Path    string   `json:"path"`
+	Start   Position `json:"start"`
+	End     Position `json:"end"`
+	Extra   Extra    `json:"extra"`
+}

development-kit/pkg/enums/languages/languages.go

@@ -26,8 +26,13 @@ const (
 	Java       Language = "Java"
 	Kotlin     Language = "Kotlin"
 	Javascript Language = "JavaScript"
+	TypeScript Language = "TypeScript"
 	Leaks      Language = "Leaks"
 	HCL        Language = "HCL"
+	C          Language = "C"
+	PHP        Language = "PHP"
+	HTML       Language = "HTML"
+	Generic    Language = "Generic"
 	Unknown    Language = "Unknown"
 )
 
@@ -51,6 +56,7 @@ func SupportedLanguages() []Language {
 		Javascript,
 		Leaks,
 		HCL,
+		Generic,
 		Unknown,
 	}
 }
@@ -66,6 +72,7 @@ func (l Language) MapEnableLanguages() map[string]Language {
 		Kotlin.ToString():     Kotlin,
 		Javascript.ToString(): Javascript,
 		HCL.ToString():        HCL,
+		Generic.ToString():    Generic,
 	}
 }
 

development-kit/pkg/enums/languages/languages_test.go

@@ -27,7 +27,7 @@ func TestToString(t *testing.T) {
 
 func TestMapEnableLanguages(t *testing.T) {
 	t.Run("should map enable languages", func(t *testing.T) {
-		assert.Len(t, DotNet.MapEnableLanguages(), 9)
+		assert.Len(t, DotNet.MapEnableLanguages(), 10)
 	})
 }
 
@@ -43,6 +43,6 @@ func TestParseStringToLanguage(t *testing.T) {
 
 func TestSupportedLanguages(t *testing.T) {
 	t.Run("should return supported languages", func(t *testing.T) {
-		assert.Len(t, SupportedLanguages(), 10)
+		assert.Len(t, SupportedLanguages(), 11)
 	})
 }

development-kit/pkg/enums/tools/tools.go

@@ -30,6 +30,7 @@ const (
 	HorusecLeaks     Tool = "HorusecLeaks"
 	GitLeaks         Tool = "GitLeaks"
 	TfSec            Tool = "TfSec"
+	Semgrep          Tool = "Semgrep"
 )
 
 func (t Tool) ToString() string {

development-kit/pkg/usecases/analysis/analysis.go

@@ -136,6 +136,7 @@ func (au *UseCases) setupValidationVulnerabilities(vulnerability *horusecEntitie
 	)
 }
 
+// nolint
 func (au *UseCases) sliceTools() []interface{} {
 	return []interface{}{
 		tools.GoSec,
@@ -151,8 +152,11 @@ func (au *UseCases) sliceTools() []interface{} {
 		tools.HorusecJava,
 		tools.HorusecKotlin,
 		tools.HorusecLeaks,
+		tools.Semgrep,
 	}
 }
+
+// nolint
 func (au *UseCases) sliceLanguages() []interface{} {
 	return []interface{}{
 		languages.Go,
@@ -164,6 +168,12 @@ func (au *UseCases) sliceLanguages() []interface{} {
 		languages.Javascript,
 		languages.Leaks,
 		languages.HCL,
+		languages.PHP,
+		languages.TypeScript,
+		languages.C,
+		languages.HTML,
+		languages.Generic,
+		languages.Unknown,
 	}
 }
 func (au *UseCases) sliceSeverities() []interface{} {

horusec-cli/README.md

@@ -175,6 +175,7 @@ The configuration file receive an object with the content follow:
 	        "kotlin":     [],
 	        "javaScript": [],
 	        "leaks":      [],
+            "generic":    [],
                 "hlc":        []    
       }
 }
@@ -300,6 +301,7 @@ The interface of languages accepts is:
     javaScript []string
     leaks      []string
     hlc        []string
+    generic    []string
 }
 ```
 

horusec-cli/cmd/horusec/start/start_test.go

@@ -443,7 +443,7 @@ func TestStartCommand_Execute(t *testing.T) {
 		assert.Contains(t, output, "FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location:")
 		assert.Contains(t, output, "Hold on! Horusec still analysis your code. Timeout in: 600s")
 		assert.Contains(t, output, "{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis")
-		assert.Contains(t, output, "[HORUSEC] 6 VULNERABILITIES WERE FOUND IN YOUR CODE SENT TO HORUSEC, SEE MORE DETAILS IN DEBUG LEVEL AND TRY AGAIN")
+		assert.Contains(t, output, "[HORUSEC] 6 VULNERABILITIES WERE FOUND IN YOUR CODE SENT TO HORUSEC, TO SEE MORE DETAILS USE THE LOG LEVEL AS DEBUG AND TRY AGAIN")
 		promptMock.AssertNotCalled(t, "Ask")
 		assert.NoError(t, os.RemoveAll(dstZip))
 	})

horusec-cli/config/config.go

@@ -113,6 +113,7 @@ const (
 	//   kotlin string
 	//   javaScript string
 	//   git string
+	//   generic string
 	// }
 	// Validation: It is mandatory to be valid interface of workdir to proceed
 	EnvWorkDirPath = "HORUSEC_CLI_WORK_DIR"

horusec-cli/internal/controllers/analyser/analyser.go

@@ -16,7 +16,6 @@ package analyser
 
 import (
 	"fmt"
-	"github.com/google/uuid"
 	"log"
 	"os"
 	"os/signal"
@@ -25,6 +24,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/java/horusecjava"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/kotlin/horuseckotlin"
 
@@ -41,6 +42,7 @@ import (
 	dockerClient "github.com/ZupIT/horusec/horusec-cli/internal/services/docker/client"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/dotnet/scs"
+	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/generic/semgrep"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/golang/gosec"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/hcl"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/npmaudit"
@@ -180,6 +182,7 @@ func (a *Analyser) mapDetectVulnerabilityByLanguage() map[languages.Language]fun
 		languages.Python:     a.detectVulnerabilityPython,
 		languages.Ruby:       a.detectVulnerabilityRuby,
 		languages.HCL:        a.detectVulnerabilityHCL,
+		languages.Generic:    a.detectVulnerabilityGeneric,
 	}
 }
 
@@ -236,6 +239,11 @@ func (a *Analyser) detectVulnerabilityHCL(projectSubPath string) {
 	go hcl.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
 }
 
+func (a *Analyser) detectVulnerabilityGeneric(projectSubPath string) {
+	a.monitor.AddProcess(1)
+	go semgrep.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
+}
+
 func (a *Analyser) shouldAnalysePath(projectSubPath string) bool {
 	pathToFilter := a.config.GetFilterPath()
 	if pathToFilter == "" {

horusec-cli/internal/controllers/language_detect/language_detect.go

@@ -30,7 +30,7 @@ import (
 	"github.com/ZupIT/horusec/development-kit/pkg/utils/logger"
 	"github.com/ZupIT/horusec/horusec-cli/config"
 	"github.com/ZupIT/horusec/horusec-cli/internal/helpers/messages"
-	doublestar "github.com/bmatcuk/doublestar/v2"
+	"github.com/bmatcuk/doublestar/v2"
 	"github.com/google/uuid"
 )
 
@@ -51,7 +51,7 @@ func NewLanguageDetect(configs *config.Config, analysisID uuid.UUID) Interface {
 }
 
 func (ld *LanguageDetect) LanguageDetect(directory string) ([]languages.Language, error) {
-	langs := []string{languages.Leaks.ToString()}
+	langs := []string{languages.Leaks.ToString(), languages.Generic.ToString()}
 	languagesFound, err := ld.getLanguages(directory)
 	if err != nil {
 		logger.LogErrorWithLevel(messages.MsgErrorDetectLanguage, err, logger.ErrorLevel)