Added node.js security working group as db

Gopkg.toml

@@ -24,3 +24,11 @@
 [[constraint]]
   name = "github.com/docker/docker"
   version = "1.13.1"
+
+[[constraint]]
+  branch = "v25"
+  name = "gopkg.in/libgit2/git2go.v25"
+
+[[constraint]]
+  name = "github.com/mholt/archiver"
+  version = "2.0.0"

main.go

@@ -5,11 +5,13 @@ import (
 	"os"
 
 	"github.com/dgonzalez/gammaray/pathrunner"
+	"github.com/dgonzalez/gammaray/vulnfetcher/nodeswg"
 	"github.com/dgonzalez/gammaray/vulnfetcher/ossvulnfetcher"
 )
 
 // OSSIndexURL URL for OSSIndex. Is not a hardcoded value to facilitate testing.
 const OSSIndexURL = "https://ossindex.net/v2.0/package"
+const nodeswgURL = "https://github.com/nodejs/security-wg/archive/master.zip"
 
 func main() {
 	if len(os.Args) < 2 {
@@ -23,19 +25,33 @@ func main() {
 		os.Exit(1)
 	}
 
-	fetcher := ossvulnfetcher.New(OSSIndexURL)
+	ossFetcher := ossvulnfetcher.New(OSSIndexURL)
+	err = ossFetcher.Fetch()
+	if err != nil {
+		fmt.Println(err.Error())
+		os.Exit(1)
+	}
+
+	nodeswgFetcher := nodeswg.New(nodeswgURL)
+	err = nodeswgFetcher.Fetch()
+	if err != nil {
+		fmt.Println(err.Error())
+		os.Exit(1)
+	}
+
 	for _, singlePackage := range packages {
-		vulnerabilities, err := fetcher.Test(singlePackage.Name, singlePackage.Version)
+		vulnerabilitiesOSS, err := ossFetcher.Test(singlePackage.Name, singlePackage.Version)
+		//		vulnerabilitiesNodeSWG, err := nodeswgFetcher.Test()
 		if err != nil {
 			fmt.Println(err.Error())
 			os.Exit(1)
 		}
 
-		if len(vulnerabilities) > 0 {
-			fmt.Printf("Package: %s\n", singlePackage.Name)
-			for _, vulnerability := range vulnerabilities {
-				fmt.Printf("\t- Vulnerability:\n")
-				fmt.Printf("\t\t- CVE: %s\n\t\tTitle: %s\n\t\tVersions: %s\n\t\tMore Info: %s",
+		if len(vulnerabilitiesOSS) > 0 {
+			fmt.Printf("\tPackage: %s\n", singlePackage.Name)
+			for _, vulnerability := range vulnerabilitiesOSS {
+				fmt.Printf("\t\t- Vulnerability (OSS Index):\n")
+				fmt.Printf("\t\t\t- CVE: %s\n\t\tTitle: %s\n\t\tVersions: %s\n\t\tMore Info: [%s]\n",
 					vulnerability.CVE,
 					vulnerability.Title,
 					vulnerability.Versions,
@@ -44,6 +60,19 @@ func main() {
 			}
 		}
 
+		vulnerabilitiesNodeSWG, err := nodeswgFetcher.Test(singlePackage.Name, singlePackage.Version)
+		if len(vulnerabilitiesNodeSWG) > 0 {
+			fmt.Printf("\tPackage: %s\n", singlePackage.Name)
+			for _, vulnerability := range vulnerabilitiesNodeSWG {
+				fmt.Printf("\t\t- Vulnerability (Node Security Working Group):\n")
+				fmt.Printf("\t\t\t- CVE: %s\n\t\tTitle: %s\n\t\tVersions: %s\n\t\tMore Info: [%s]\n",
+					vulnerability.CVE,
+					vulnerability.Title,
+					vulnerability.Versions,
+					vulnerability.References,
+				)
+			}
+		}
 	}
 
 }

vulnfetcher/nodeswg/nodeswg.go

@@ -0,0 +1,105 @@
+package nodeswg
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/dgonzalez/gammaray/vulnfetcher"
+	"github.com/mholt/archiver"
+)
+
+// Fetcher fetches node community vulnerabilities
+type Fetcher struct {
+	DatabaseURL     string
+	vulnerabilities []Vulnerability
+}
+
+// Vulnerability a single vulnerability
+type Vulnerability struct {
+	Module             string   `json:"module_name"`
+	CVES               []string `json:"cves"`
+	VulnerableVersions string   `json:"vulnerable_versions"`
+	Title              string   `json:"title"`
+	References         string   `json:"references"`
+	Overview           string   `json:"overview"`
+}
+
+// New creates a NodeSWGFetcher
+func New(URL string) *Fetcher {
+	return &Fetcher{URL, make([]Vulnerability, 0)}
+}
+
+// Fetch builds the database from nodeswg on github
+func (n *Fetcher) Fetch() error {
+	destFilePath := path.Join(os.TempDir(), "nodeswg.zip")
+	unzipFolder := path.Join(os.TempDir(), "nodeswg")
+	vulnFolder := path.Join(unzipFolder, "security-wg-master", "vuln", "npm")
+
+	os.Mkdir(unzipFolder, os.ModePerm)
+
+	destFile, err := os.Create(destFilePath)
+	if err != nil {
+		return err
+	}
+	defer destFile.Close()
+
+	response, err := http.Get(n.DatabaseURL)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	_, err = io.Copy(destFile, response.Body)
+	if err != nil {
+		return err
+	}
+
+	archiver.Zip.Open(destFilePath, unzipFolder)
+
+	filepath.Walk(vulnFolder, func(path string, f os.FileInfo, err error) error {
+
+		if strings.HasSuffix(path, ".json") {
+			jsonFile, err := os.Open(path)
+			defer jsonFile.Close()
+			if err != nil {
+				return err
+			}
+
+			jsonParser := json.NewDecoder(jsonFile)
+			var nodeVulnerability Vulnerability
+			err = jsonParser.Decode(&nodeVulnerability)
+			if err != nil {
+				return err
+			}
+			n.vulnerabilities = append(n.vulnerabilities, nodeVulnerability)
+		}
+
+		return nil
+	})
+
+	return nil
+}
+
+// Test tests for a vulnerability
+func (n *Fetcher) Test(module string, version string) ([]vulnfetcher.Vulnerability, error) {
+	var vulnerabilities []vulnfetcher.Vulnerability
+
+	for _, vulnerability := range n.vulnerabilities {
+		if module == vulnerability.Module {
+			vulnerabilities = append(vulnerabilities, vulnfetcher.Vulnerability{
+				CVE:         strings.Join(vulnerability.CVES, " "),
+				Title:       vulnerability.Title,
+				Description: vulnerability.Overview,
+				Versions:    vulnerability.VulnerableVersions,
+				References:  vulnerability.References,
+			})
+		}
+	}
+
+	return vulnerabilities, nil
+}

vulnfetcher/ossvulnfetcher/osindexfetcher.go

@@ -42,8 +42,9 @@ func New(URL string) *OSSIndexFetcher {
 }
 
 // Fetch does nothing as it is API based. No need to download anything.
-func (n *OSSIndexFetcher) Fetch() {
+func (n *OSSIndexFetcher) Fetch() error {
 	// Nothing to do here. API based.
+	return nil
 }
 
 // Test tests for a package
@@ -81,7 +82,7 @@ func (n *OSSIndexFetcher) Test(name string, version string) ([]vulnfetcher.Vulne
 			Title:       vulnerability.Title,
 			Description: vulnerability.Description,
 			Versions:    strings.Join(vulnerability.Versions, " "),
-			References:  "[ " + strings.Join(vulnerability.References, " ") + " ]\n",
+			References:  strings.Join(vulnerability.References, " "),
 		}
 		vulnerabilities = append(vulnerabilities, processedVulnerability)
 	}

vulnfetcher/vulnfetcher.go

@@ -11,6 +11,6 @@ type Vulnerability struct {
 
 // VulnFetcher fetches vulnerabilities
 type VulnFetcher interface {
-	Fetch()
+	Fetch() error
 	Test(component string, version string) ([]Vulnerability, error)
 }