Fixing eslint logic (#20)

Author: dacoburn

README.md

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v4.2.1
 
       - name: Run Security Scan and Comment Action
-        uses: SocketDev/security-wrapper@1.0.16
+        uses: SocketDev/security-wrapper@1.0.17
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -45,6 +45,21 @@ jobs:
           bandit_rules: "B101,B102,B105,B106,B107,B110,B603,B605,B607"
           gosec_rules: "medium"
           gosec_exclude_dir: "tests,migrations,tests,test,.venv,venv"
+          eslint_rules: >
+            security/detect-eval-with-expression,
+            security/detect-non-literal-require,
+            security/detect-non-literal-fs-filename,
+            security/detect-buffer-noassert,
+            security/detect-new-buffer,
+            security/detect-unsafe-regex,
+            security/detect-disable-mustache-escape,
+            security/detect-no-csrf-before-method-override,
+            security/detect-pseudoRandomBytes,
+            security/detect-possible-timing-attacks,
+            security/detect-bidi-characters,
+            security/detect-child-process,
+            security/detect-non-literal-regexp,
+            security/detect-object-injection
 
           # Log forwarding
           sumo_logic_enabled: true

entrypoint.sh

@@ -13,22 +13,100 @@ GOSEC_RULES=${INPUT_GOSEC_RULES:-}
 TRIVY_EXCLUDE_DIR=${INPUT_TRIVY_EXCLUDE_DIR:-}
 TRIVY_RULES=${INPUT_TRIVY_RULES:-}
 
+
 # Run ESLint (JavaScript SAST) if enabled
-if [[ "$INPUT_JAVASCRIPT_SAST_ENABLED" == "true" ]]; then
-    echo "Running ESLint"
-    ESLINT_EXCLUDE_DIR=${INPUT_ESLINT_EXCLUDE_DIR:-}
-    ESLINT_RULES=${INPUT_ESLINT_RULES:-}
-
-    eslint_cmd="npx eslint $GITHUB_WORKSPACE --ext .js,.jsx --format json --output-file /tmp/eslint_output.json"
-    if [[ -n "$ESLINT_EXCLUDE_DIR" ]]; then
-      eslint_cmd+=" --ignore-pattern $ESLINT_EXCLUDE_DIR"
-    fi
-    if [[ -n "$ESLINT_RULES" ]]; then
-      eslint_cmd+=" --rule \"$ESLINT_RULES\""
-    fi
-    eval $eslint_cmd || :
+if [[ "${INPUT_JAVASCRIPT_SAST_ENABLED:-false}" == "true" ]]; then
+  echo "Running ESLint"
+  ESLINT_EXCLUDE_DIR=${INPUT_ESLINT_EXCLUDE_DIR:-}
+  ESLINT_RULES=${INPUT_ESLINT_RULES:-}
+
+  if [[ -z "$ESLINT_RULES" ]]; then
+    echo "Using default ESLint rules"
+    ESLINT_RULES=$(cat <<'EOF'
+security/detect-eval-with-expression,
+security/detect-non-literal-require,
+security/detect-non-literal-fs-filename,
+security/detect-buffer-noassert,
+security/detect-new-buffer,
+security/detect-unsafe-regex,
+security/detect-disable-mustache-escape,
+security/detect-no-csrf-before-method-override,
+security/detect-pseudoRandomBytes,
+security/detect-possible-timing-attacks,
+security/detect-bidi-characters,
+security/detect-child-process,
+security/detect-non-literal-regexp,
+security/detect-object-injection,
+@typescript-eslint/no-implied-eval,
+@typescript-eslint/no-throw-literal,
+@typescript-eslint/no-misused-promises,
+@typescript-eslint/no-unsafe-argument,
+@typescript-eslint/no-unsafe-assignment,
+@typescript-eslint/no-unsafe-call,
+@typescript-eslint/no-unsafe-member-access,
+@typescript-eslint/no-unsafe-return,
+@typescript-eslint/ban-ts-comment,
+@typescript-eslint/no-explicit-any,
+@typescript-eslint/explicit-module-boundary-types,
+@typescript-eslint/no-floating-promises,
+@typescript-eslint/no-for-in-array,
+@typescript-eslint/no-misused-new,
+@typescript-eslint/no-non-null-asserted-optional-chain,
+@typescript-eslint/no-non-null-assertion,
+@typescript-eslint/no-unnecessary-type-assertion,
+@typescript-eslint/prefer-optional-chain,
+@typescript-eslint/prefer-nullish-coalescing,
+@typescript-eslint/restrict-plus-operands,
+@typescript-eslint/restrict-template-expressions,
+@typescript-eslint/require-await,
+@typescript-eslint/unbound-method,
+@typescript-eslint/array-type,
+@typescript-eslint/ban-types,
+@typescript-eslint/consistent-type-assertions,
+@typescript-eslint/consistent-type-definitions,
+@typescript-eslint/explicit-function-return-type,
+@typescript-eslint/no-empty-interface,
+@typescript-eslint/no-inferrable-types,
+@typescript-eslint/no-invalid-void-type,
+@typescript-eslint/no-redeclare,
+@typescript-eslint/no-shadow,
+@typescript-eslint/no-unused-vars,
+@typescript-eslint/no-use-before-define,
+@typescript-eslint/prefer-as-const
+EOF
+)
+  fi
+
+  # Convert rule list to JSON map: "rule-name": "error"
+  ESLINT_RULES_JSON=$(echo "$ESLINT_RULES" | tr ',' '\n' | sed '/^\s*$/d' | awk '{printf "\"%s\": \"error\",\n", $0}' | sed '$s/,$//')
+
+  if [[ ! -f "$WORKSPACE/eslint.config.mjs" ]]; then
+    echo "Adding fallback ESLint config"
+    cat <<EOF > "$WORKSPACE/eslint.config.mjs"
+export default [
+  {
+    files: ['**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx'],
+    rules: {
+$ESLINT_RULES_JSON
+    },
+  },
+];
+EOF
+  fi
+
+  eslint_cmd="npx --yes eslint --config $WORKSPACE/eslint.config.mjs $WORKSPACE --ext .js,.jsx,.ts,.tsx --format json --output-file $OUTPUT_DIR/eslint_output.json"
+
+  if [[ -n "$ESLINT_EXCLUDE_DIR" ]]; then
+    IFS=',' read -ra EXCLUDES <<< "$ESLINT_EXCLUDE_DIR"
+    for exclude in "${EXCLUDES[@]}"; do
+      eslint_cmd+=" --ignore-pattern $exclude"
+    done
+  fi
+
+  eval $eslint_cmd || :
 fi
 
+
 # Run Bandit (Python SAST) if enabled
 if [[ "$INPUT_PYTHON_SAST_ENABLED" == "true" ]]; then
     echo "Running Bandit"
@@ -39,6 +117,7 @@ if [[ "$INPUT_PYTHON_SAST_ENABLED" == "true" ]]; then
     if [[ -n "$BANDIT_RULES" ]]; then
       bandit_cmd+=" --skip $BANDIT_RULES"
     fi
+    echo $bandit_cmd
     eval $bandit_cmd || :
 fi
 
@@ -95,6 +174,12 @@ if [[ "$INPUT_SECRET_SCANNING_ENABLED" == "true" ]]; then
 fi
 
 # Execute the custom Python script to process findings
-cd /
+if [ "$LOCAL_TESTING" != "true" ]; then
+  cd /
+fi
 mv /tmp/*.json .
-python socket_external_tools_runner.py
+if [ "$LOCAL_TESTING" != "true" ]; then
+  python socket_external_tools_runner.py
+else
+  python socket_external_tools_runner.py
+fi

eslint.config.mjs

@@ -0,0 +1,6 @@
+export default [
+  {
+    files: ['**/*.js', '**/*.jsx'],
+    rules: {},
+  },
+];

src/core/connectors/bandit/__init__.py

@@ -21,6 +21,8 @@ def process_output(cls, data: dict, cwd: str, plugin_name: str = "Bandit") -> di
         results = data.get(cls.result_key, [])
         for entry in results:
             test_result = cls.result_class(**entry, cwd=cwd)
+            if test_result.issue_severity.lower() not in cls.default_severities:
+                continue
             test_result.plugin_name = plugin_name
             test_result.file = test_result.filename  # Ensure compatibility with create_output()
 

src/core/connectors/classes.py

@@ -28,8 +28,14 @@ def set_url(self):
     def set_timestamp(self):
         self.timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S,%f")[:-3] + " +0000"
 
+    # Add a method to convert the object to a dictionary
+    def to_json(self):
+        """Convert the object to a dictionary for JSON serialization."""
+        return self.__dict__
+
+    # Ensure the object string representation works well with JSON
     def __str__(self):
-        return json.dumps(self.__dict__)
+        return json.dumps(self.to_json())
 
 
 class BanditTestResult(BaseTestResult):
@@ -104,6 +110,7 @@ def __init__(self, **kwargs):
         self.timestamp = ""
         self.plugin_name = "ESLint"
         self.rule_id = ""
+        self.severity = ""
         super().__init__(**kwargs)
 
     def set_url(self):

src/core/connectors/eslint/__init__.py

@@ -103,6 +103,8 @@ def process_output(cls, data: list, cwd: str, plugin_name: str = "ESLint", retur
                     issue_text=issue_text,
                     cwd=cwd
                 )
+                if test_result.severity not in cls.default_severities:
+                    continue
                 test_result.plugin_name = plugin_name
                 test_name = cls.get_test_name(test_result)
                 test_result.use_custom = True

src/core/connectors/gosec/__init__.py

@@ -21,6 +21,8 @@ def process_output(cls, data: dict, cwd: str, plugin_name: str = "Gosec") -> dic
         results = data.get(cls.result_key, [])
         for entry in results:
             test_result = cls.result_class(**entry, cwd=cwd)
+            if test_result.severity.lower() not in cls.default_severities:
+                continue
             test_result.plugin_name = plugin_name
             test_result.file = test_result.file  # Ensure compatibility with create_output()
 

src/core/connectors/trufflehog/__init__.py

@@ -30,7 +30,8 @@ def process_output(cls, data: dict, cwd: str, plugin_name: str = "Trufflehog", s
                     continue
 
                 test_result = cls.result_class(**entry, cwd=cwd)
-
+                if test_result.severity.lower() not in cls.default_severities:
+                    continue
                 test_result.plugin_name = plugin_name
                 test_result.file = entry.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {}).get("file", "")
                 test_result.file = test_result.file.replace(cwd, '').lstrip("/")

src/core/plugins/microsoft_sentinel/sentinel.py

@@ -200,13 +200,18 @@ def normalize_events(events: list, plugin_name: str):
         """Detects event type and normalizes them for Sentinel ingestion."""
         formatted_events = []
 
-        for event in events:
-            if isinstance(event, str):
+        for event_details in events:
+            if type(event_details) == str:
                 try:
-                    event = json.loads(event)  # Convert from string if necessary
+                    event = json.loads(event_details)
+                    if type(event) == str:
+                        event = json.loads(event)
                 except json.JSONDecodeError:
-                    print(f"Skipping invalid event: {event}")
+                    print(f"Skipping invalid event: {event_details}")
                     continue  # Skip invalid JSON entries
+            else:
+                event = event_details
+
 
             if "plugin_name" in event:
                 if "bandit" in plugin_name.lower():

src/socket_external_tools_runner.py

@@ -1,5 +1,6 @@
 import json
 import logging
+import argparse
 import os
 import glob
 import inspect
@@ -67,66 +68,70 @@ def consolidate_trivy_results(pattern: str) -> dict:
     "eslint": "ESLint"
 }
 
-# Load results
-results = {
-    "bandit": load_json("bandit_output.json", "Bandit"),
-    "gosec": load_json("gosec_output.json", "Gosec"),
-    "trufflehog": load_json("trufflehog_output.json", "Trufflehog"),
-    "trivy_image": consolidate_trivy_results("trivy_image_*.json"),
-    "trivy_dockerfile": consolidate_trivy_results("trivy_dockerfile_*.json"),
-    "eslint": load_json("eslint_output.json", "ESLint")
-}
+def main():
+    # Load results
+    results = {
+        "bandit": load_json("bandit_output.json", "Bandit"),
+        "gosec": load_json("gosec_output.json", "Gosec"),
+        "trufflehog": load_json("trufflehog_output.json", "Trufflehog"),
+        "trivy_image": consolidate_trivy_results("trivy_image_*.json"),
+        "trivy_dockerfile": consolidate_trivy_results("trivy_dockerfile_*.json"),
+        "eslint": load_json("eslint_output.json", "ESLint")
+    }
 
-if any(results.values()):
-    if not SCM_DISABLED:
-        scm = SCM()
-        tool_outputs = {}
-        tool_events = {}
+    if any(results.values()):
+        if not SCM_DISABLED:
+            scm = SCM()
+            tool_outputs = {}
+            tool_events = {}
 
-        for key, data in results.items():
-            if data:
-                tool_marker = marker.replace("REPLACE_ME", TOOL_NAMES[key])
-                tool_class = TOOL_CLASSES[key]
-                if SEVERITIES:
-                    tool_class.default_severities = SEVERITIES
+            for key, data in results.items():
+                if data:
+                    tool_marker = marker.replace("REPLACE_ME", TOOL_NAMES[key])
+                    tool_class = TOOL_CLASSES[key]
+                    if SEVERITIES:
+                        tool_class.default_severities = SEVERITIES
 
-                supports_show_unverified = "show_unverified" in inspect.signature(tool_class.process_output).parameters
-                if supports_show_unverified:
-                    show_unverified = os.getenv("INPUT_TRUFFLEHOG_SHOW_UNVERIFIED", "false").lower() == "true"
-                    tool_outputs[key], tool_results = tool_class.create_output(
-                        data,
-                        tool_marker,
-                        scm.github.repo,
-                        scm.github.commit,
-                        scm.github.cwd,
-                        show_unverified=show_unverified
-                    )
-                else:
-                    tool_outputs[key], tool_results = tool_class.create_output(
-                        data, tool_marker, scm.github.repo, scm.github.commit, scm.github.cwd
-                    )
-                tool_events[key] = tool_outputs[key].get("events", [])
-                if tool_events[key]:
-                    scm.github.post_comment(TOOL_NAMES[key], tool_marker, tool_results)
+                    supports_show_unverified = "show_unverified" in inspect.signature(tool_class.process_output).parameters
+                    if supports_show_unverified:
+                        show_unverified = os.getenv("INPUT_TRUFFLEHOG_SHOW_UNVERIFIED", "false").lower() == "true"
+                        tool_outputs[key], tool_results = tool_class.create_output(
+                            data,
+                            tool_marker,
+                            scm.github.repo,
+                            scm.github.commit,
+                            scm.github.cwd,
+                            show_unverified=show_unverified
+                        )
+                    else:
+                        tool_outputs[key], tool_results = tool_class.create_output(
+                            data, tool_marker, scm.github.repo, scm.github.commit, scm.github.cwd
+                        )
+                    tool_events[key] = tool_outputs[key].get("events", [])
+                    if tool_events[key]:
+                        scm.github.post_comment(TOOL_NAMES[key], tool_marker, tool_results)
 
-        print("Issues detected with Security Tools. Please check PR comments")
-    else:
-        tool_events = {
-            key: TOOL_CLASSES[key].process_output(data, GIT_DIR, TOOL_NAMES[key])
-            for key, data in results.items() if data
-        }
+            print("Issues detected with Security Tools. Please check PR comments")
+        else:
+            tool_events = {
+                key: TOOL_CLASSES[key].process_output(data, GIT_DIR, TOOL_NAMES[key])
+                for key, data in results.items() if data
+            }
 
-    if sumo_client:
-        print("Issues detected with Security Tools. Please check Sumologic Events")
-        for key, events in tool_events.items():
-            print(errors) if (errors := sumo_client.send_events(events.get("events"), "../" + key + "_output.json")) else []
+        if sumo_client:
+            print("Issues detected with Security Tools. Please check Sumologic Events")
+            for key, events in tool_events.items():
+                print(errors) if (errors := sumo_client.send_events(events.get("events"), "../" + key + "_output.json")) else []
 
-    if ms_sentinel:
-        print("Issues detected with Security Tools. Please check Microsoft Sentinel Events")
-        for key, events in tool_events.items():
-            sentinel_name = f"SocketSecurityTools{TOOL_NAMES[key]}"
-            formatted_events = [json.dumps(event) for event in events.get("events", [])]
-            print(errors) if (errors := ms_sentinel.send_events(formatted_events, sentinel_name)) else []
-    exit(1)
-else:
-    print("No issues detected with Socket Security Tools")
+        if ms_sentinel:
+            print("Issues detected with Security Tools. Please check Microsoft Sentinel Events")
+            for key, events in tool_events.items():
+                sentinel_name = f"SocketSecurityTools{TOOL_NAMES[key]}"
+                formatted_events = [json.dumps(event, default=lambda o: o.to_json()) for event in events.get("events", [])]
+                print(errors) if (errors := ms_sentinel.send_events(formatted_events, sentinel_name)) else []
+        exit(1)
+    else:
+        print("No issues detected with Socket Security Tools")
+
+if __name__ == "__main__":
+    main()