snykout v0.2.1

A command line tool which provides an alternative interface to snyk test
  • v0.2.1 - August 31, 2020
  • v0.2.0 - August 31, 2020
  • v0.1.0 - August 31, 2020

SnykOut

Test

A command line tool which provides an alternative user interface to snyk test output.

Showing vulnerabilities in a table generated by Snykout

Example

snykout takes the JSON output from snyk test and provides a number of alternative presentations of the information. The basic output consists of a table of vulnerabilities.

$ snyk container test garethr/snykit --json | snykout -

+--------------------------------------------------------------------------------------------------------------------------------+
| Found 82 unique vulnerabiliies for garethr/snykit                                                                              |
+----------------------+------------+----------------+-------------------------------------------------+------------+------------+
| Package              | Severity   | ID             | Issue                                           | Installed  | Fixed in   |
+----------------------+------------+----------------+-------------------------------------------------+------------+------------+
| sqlite3/libsqlite3-0 | HIGH       | CVE-2020-9794  | Out-of-bounds Read                              | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | MEDIUM     | CVE-2019-16168 | Divide By Zero                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | MEDIUM     | CVE-2020-13631 | CVE-2020-13631                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | MEDIUM     | CVE-2020-13434 | Integer Overflow or Wraparound                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | MEDIUM     | CVE-2019-20218 | Improper Handling of Exceptional Conditions     | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | MEDIUM     | CVE-2020-11655 | Improper Input Validation                       | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-13871 | Use After Free                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-13632 | NULL Pointer Dereference                        | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-13630 | Use After Free                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-13435 | NULL Pointer Dereference                        | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-11656 | Use After Free                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-9327  | NULL Pointer Dereference                        | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19959 | CVE-2019-19959                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19923 | NULL Pointer Dereference                        | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19924 | Improper Handling of Exceptional Conditions     | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19925 | Unrestricted Upload of File with Dangerous Type | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19603 | CVE-2019-19603                                  | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19645 | Uncontrolled Recursion                          | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19244 | Improper Input Validation                       | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2019-19242 | NULL Pointer Dereference                        | 3.27.2-3   |            |
| sqlite3/libsqlite3-0 | LOW        | CVE-2020-15358 | Out-of-bounds Write                             | 3.27.2-3   |            |
+----------------------+------------+----------------+-------------------------------------------------+------------+------------+

+------------------------------------------------------------------------------------------------------------------------------------------------------+
| Base image vulnerabilities from ruby:2.7.0-slim                                                                                                      |
+------------------------+------------+------------------+-------------------------------------------------------+------------------+------------------+
| Package                | Severity   | ID               | Issue                                                 | Installed        | Fixed in         |
+------------------------+------------+------------------+-------------------------------------------------------+------------------+------------------+
| perl/perl-base         | HIGH       | CVE-2020-10878   | Integer Overflow or Wraparound                        | 5.28.1-6         | 5.28.1-6+deb10u1 |
| apt/libapt-pkg5.0      | MEDIUM     | CVE-2020-3810    | Improper Input Validation                             | 1.8.2            | 1.8.2.1          |
| gcc-8/libstdc++6       | MEDIUM     | CVE-2018-12886   | Information Exposure                                  | 8.3.0-6          |                  |
| glibc/libc-bin         | MEDIUM     | CVE-2020-1752    | Use After Free                                        | 2.28-10          |                  |
| glibc/libc-bin         | MEDIUM     | CVE-2020-1751    | Out-of-bounds Write                                   | 2.28-10          |                  |
| libidn2/libidn2-0      | MEDIUM     | CVE-2019-12290   | Improper Input Validation                             | 2.0.5-1+deb10u1  |                  |
| pcre3/libpcre3         | MEDIUM     | CVE-2020-14155   | Integer Overflow or Wraparound                        | 2:8.39-12        |                  |
| perl/perl-base         | MEDIUM     | CVE-2020-10543   | Out-of-bounds Write                                   | 5.28.1-6         | 5.28.1-6+deb10u1 |
| perl/perl-base         | MEDIUM     | CVE-2020-12723   | Buffer Overflow                                       | 5.28.1-6         | 5.28.1-6+deb10u1 |
| apt/libapt-pkg5.0      | LOW        | CVE-2011-3374    | Improper Verification of Cryptographic Signature      | 1.8.2            |                  |
| bash                   | LOW        | CVE-2019-18276   | CVE-2019-18276                                        | 5.0-4            |                  |
| coreutils              | LOW        | CVE-2016-2781    | Improper Input Validation                             | 8.30-3           |                  |
| coreutils              | LOW        | CVE-2017-18018   | Race Condition                                        | 8.30-3           |                  |
| gcc-8/libstdc++6       | LOW        | CVE-2019-15847   | Insufficient Entropy                                  | 8.3.0-6          |                  |
| glibc/libc-bin         | LOW        | CVE-2010-4052    | Resource Management Errors                            | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-19126   | Information Exposure                                  | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2020-6096    | Integer Underflow                                     | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-9192    | Uncontrolled Recursion                                | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2018-20796   | Resource Management Errors                            | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2020-10029   | Out-of-Bounds                                         | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2016-10228   | Improper Input Validation                             | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-1010024 | Information Exposure                                  | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-1010025 | Use of Insufficiently Random Values                   | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-1010023 | Access Restriction Bypass                             | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2019-1010022 | Out-of-Bounds                                         | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2010-4051    | CVE-2010-4051                                         | 2.28-10          |                  |
| glibc/libc-bin         | LOW        | CVE-2010-4756    | Resource Management Errors                            | 2.28-10          |                  |
| gnupg2/gpgv            | LOW        | CVE-2019-14855   | Use of a Broken or Risky Cryptographic Algorithm      | 2.2.12-1+deb10u1 |                  |
| gnutls28/libgnutls30   | LOW        | CVE-2011-3389    | Improper Input Validation                             | 3.6.7-4+deb10u2  |                  |
| gnutls28/libgnutls30   | LOW        | CVE-2020-11501   | Use of a Broken or Risky Cryptographic Algorithm      | 3.6.7-4+deb10u2  | 3.6.7-4+deb10u3  |
| gnutls28/libgnutls30   | LOW        | CVE-2020-13777   | Use of a Broken or Risky Cryptographic Algorithm      | 3.6.7-4+deb10u2  | 3.6.7-4+deb10u4  |
| libgcrypt20            | LOW        | CVE-2018-6829    | Information Exposure                                  | 1.8.4-5          |                  |
| libgcrypt20            | LOW        | CVE-2019-12904   | Cryptographic Issues                                  | 1.8.4-5          |                  |
| libgcrypt20            | LOW        | CVE-2019-13627   | Race Condition                                        | 1.8.4-5          |                  |
| libseccomp/libseccomp2 | LOW        | CVE-2019-9893    | Access Restriction Bypass                             | 2.3.3-4          |                  |
| libtasn1-6             | LOW        | CVE-2018-1000654 | Resource Management Errors                            | 4.13-3           |                  |
| lz4/liblz4-1           | LOW        | CVE-2019-17543   | Buffer Overflow                                       | 1.8.3-1          |                  |
| openssl/libssl1.1      | LOW        | CVE-2010-0928    | Cryptographic Issues                                  | 1.1.1d-0+deb10u2 |                  |
| openssl/libssl1.1      | LOW        | CVE-2019-1551    | Information Exposure                                  | 1.1.1d-0+deb10u2 |                  |
| openssl/libssl1.1      | LOW        | CVE-2020-1967    | NULL Pointer Dereference                              | 1.1.1d-0+deb10u2 | 1.1.1d-0+deb10u3 |
| openssl/libssl1.1      | LOW        | CVE-2007-6755    | Cryptographic Issues                                  | 1.1.1d-0+deb10u2 |                  |
| pcre3/libpcre3         | LOW        | CVE-2017-7245    | Out-of-Bounds                                         | 2:8.39-12        |                  |
| pcre3/libpcre3         | LOW        | CVE-2017-7246    | Out-of-Bounds                                         | 2:8.39-12        |                  |
| pcre3/libpcre3         | LOW        | CVE-2017-11164   | Resource Management Errors                            | 2:8.39-12        |                  |
| pcre3/libpcre3         | LOW        | CVE-2017-16231   | Out-of-Bounds                                         | 2:8.39-12        |                  |
| pcre3/libpcre3         | LOW        | CVE-2019-20838   | Out-of-bounds Read                                    | 2:8.39-12        |                  |
| perl/perl-base         | LOW        | CVE-2011-4116    | Link Following                                        | 5.28.1-6         |                  |
| shadow/passwd          | LOW        | CVE-2019-19882   | Incorrect Permission Assignment for Critical Resource | 1:4.5-1.1        |                  |
| shadow/passwd          | LOW        | CVE-2007-5686    | Access Restriction Bypass                             | 1:4.5-1.1        |                  |
| shadow/passwd          | LOW        | CVE-2018-7169    | Security Features                                     | 1:4.5-1.1        |                  |
| shadow/passwd          | LOW        | CVE-2013-4235    | Time-of-check Time-of-use (TOCTOU)                    | 1:4.5-1.1        |                  |
| systemd/libsystemd0    | LOW        | CVE-2013-4392    | Access Restriction Bypass                             | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2019-9619    | CVE-2019-9619                                         | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2019-3844    | Access Restriction Bypass                             | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2019-3843    | Access Restriction Bypass                             | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2018-20839   | Information Exposure                                  | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2019-20386   | Missing Release of Resource after Effective Lifetime  | 241-7~deb10u3    |                  |
| systemd/libsystemd0    | LOW        | CVE-2020-1712    | Use After Free                                        | 241-7~deb10u3    | 241-7~deb10u4    |
| systemd/libsystemd0    | LOW        | CVE-2020-13776   | Improper Input Validation                             | 241-7~deb10u3    |                  |
| tar                    | LOW        | CVE-2005-2541    | CVE-2005-2541                                         | 1.30+dfsg-6      |                  |
| tar                    | LOW        | CVE-2019-9923    | NULL Pointer Dereference                              | 1.30+dfsg-6      |                  |
+------------------------+------------+------------------+-------------------------------------------------------+------------------+------------------+

As well as the standard table output, snykout also supports:

  • --wide which will show additional information about CVSS and CWE
  • --json for a standardized JSON output suitable for further processing
  • --markdown which will output tables as Markdown which can be copied into documentation
  • As well as taking input on STDIN, snykout can also be pointed directly at a file, eg, snykout fixtures/example.json

Open Policy Agent

snykout is also designed to work well with Open Policy Agent. This allows for writing arbitrary powerful policies against the resulting set of vulnerabilities. Take the following example which defines policies to catch cryptography issues.

package main

deny[msg] {
  issue = input.vulnerabilities[index]
  issue.cwe[_] = "CWE-327"
  issue.severity = "high"

  msg = sprintf("High severity cryptography issue (CWE-327). package: %v", [issue.name])
}

warn[msg] {
  issue = input.vulnerabilities[index]
  issue.cwe[_] = "CWE-327"
  issue.severity != "high"

  msg = sprintf("Cryptography issue (CWE-327). package: %v severity: %v", [issue.name, issue.severity])
}

You can use Conftest to run the policies.

$ conftest test fixtures/snykout.json
WARN - fixtures/snykout.json - Cryptography issue (CWE-327). package: gnupg2/gpgv severity: low
WARN - fixtures/snykout.json - Cryptography issue (CWE-327). package: gnutls28/libgnutls30 severity: low
FAIL - fixtures/snykout.json - High severity issue found. package: perl/perl-base issue: Integer Overflow or Wraparound
FAIL - fixtures/snykout.json - High severity issue found. package: sqlite3/libsqlite3-0 issue: Out-of-bounds Read
FAIL - fixtures/snykout.json - High severity issue found. package: sqlite3 issue: Out-of-bounds Read

5 tests, 0 passed, 2 warnings, 3 failures, 0 exceptions

You can do everything in one line as well if you prefer.

$ snyk container test garethr/snykit --json | snykout - --json | conftest test -

Usage

You can see usage instructions for snykout from the inline help:

$ snykout
  snykout - Show vulnerability information from Snyk test output

  Usage:
    snykout [flags] [arguments]

  Commands:
    help [command]  Help about any command.

  Flags:
    -h, --help         Help for this command.
        --json         Output results as JSON
        --markdown     Output results as Markdown
    -o, --output FILE  Output results as JSON
        --pretty       Make JSON results more human readable
        --wide         Output additional information in the table
        --yaml         Output results as YAML

Installation

Precompiled executables are available Linux and macOS environments. These are available from Releases. You can grab those quickly with wget like so for Linux:

wget -o snykout https://github.com/garethr/snykout/releases/download/v0.1.0/snykout_v0.1.0_linux-amd64
chmod +x snykout

And for macOS:

wget -o snykout https://github.com/garethr/snykout/releases/download/v0.1.0/snykout_v0.1.0_darwin-amd64
chmod +x snykout

Known issues

snykout is experimental, and will definitely have bugs at this stage. In particular anything that outputs multiple results is not yet handled, for instance --all-projects.

Owner
github statistic
  • 2
  • 0
  • 2
  • 0
  • 5 months ago
  • August 31, 2020
License

Other

Links
Synced at

Fri, 18 Jun 2021 19:59:52 GMT