close feature 405, modelscan component

sg · sg · commit e6f4d8c9453f · 2024-10-09T14:05:38.000+01:00
diff --git a/components/producers/modelscan/examples/input.json b/components/producers/modelscan/examples/input.json
@@ -0,0 +1,59 @@
+{
+  "modelscan_version": "0.5.0",
+  "timestamp": "2024-01-25T17:56:00.855056",
+  "input_path": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+  "total_issues": 1,
+  "summary": {
+    "total_issues_by_severity": {
+      "LOW": 0,
+      "MEDIUM": 0,
+      "HIGH": 0,
+      "CRITICAL": 1
+    }
+  },
+  "issues_by_severity": {
+    "CRITICAL": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "MEDIUM": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "HIGH": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "LOW": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ]
+  },
+  "errors": [],
+  "scanned": {
+    "total_scanned": 4,
+    "scanned_files": [
+      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl"
+    ]
+  }
+}
diff --git a/components/producers/modelscan/examples/modelscan.pb b/components/producers/modelscan/examples/modelscan.pb
@@ -0,0 +1,6 @@
+
+�͙�햞�gosec�
+O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
+O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
+O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
+O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown
diff --git a/components/producers/modelscan/main.go b/components/producers/modelscan/main.go
@@ -0,0 +1,136 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+
+	v1 "github.com/ocurity/dracon/api/proto/v1"
+
+	"github.com/ocurity/dracon/components/producers"
+)
+
+func main() {
+	if err := producers.ParseFlags(); err != nil {
+		log.Fatal(err)
+	}
+
+	inFile, err := producers.ReadInFile()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	var results ModelScanOut
+	if err := json.Unmarshal(inFile, &results); err != nil {
+		log.Fatal(err)
+	}
+
+	issues, err := parseIssues(&results)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if err := producers.WriteDraconOut(
+		"modelscan",
+		issues,
+	); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func parseIssues(out *ModelScanOut) ([]*v1.Issue, error) {
+	issues := []*v1.Issue{}
+	for _, crit := range out.IssuesBySeverity.Critical {
+		issues = append(issues,
+			&v1.Issue{
+				Target:      crit.Source,
+				Type:        crit.Scanner,
+				Description: crit.Description,
+				Title:       crit.Description,
+				Severity:    v1.Severity_SEVERITY_UNSPECIFIED,
+				Confidence:  v1.Confidence_CONFIDENCE_UNSPECIFIED,
+			})
+	}
+	for _, crit := range out.IssuesBySeverity.High {
+		issues = append(issues,
+			&v1.Issue{
+				Target:      crit.Source,
+				Type:        crit.Scanner,
+				Description: crit.Description,
+				Title:       crit.Description,
+				Severity:    v1.Severity_SEVERITY_UNSPECIFIED,
+				Confidence:  v1.Confidence_CONFIDENCE_UNSPECIFIED,
+			})
+	}
+	for _, crit := range out.IssuesBySeverity.Medium {
+		issues = append(issues,
+			&v1.Issue{
+				Target:      crit.Source,
+				Type:        crit.Scanner,
+				Description: crit.Description,
+				Title:       crit.Description,
+				Severity:    v1.Severity_SEVERITY_UNSPECIFIED,
+				Confidence:  v1.Confidence_CONFIDENCE_UNSPECIFIED,
+			})
+	}
+	for _, crit := range out.IssuesBySeverity.Low {
+		issues = append(issues,
+			&v1.Issue{
+				Target:      crit.Source,
+				Type:        crit.Scanner,
+				Description: crit.Description,
+				Title:       crit.Description,
+				Severity:    v1.Severity_SEVERITY_UNSPECIFIED,
+				Confidence:  v1.Confidence_CONFIDENCE_UNSPECIFIED,
+			})
+	}
+	return issues, nil
+}
+
+type ModelScanOut struct {
+	ModelscanVersion string `json:"modelscan_version"`
+	Timestamp        string `json:"timestamp"`
+	InputPath        string `json:"input_path"`
+	TotalIssues      int    `json:"total_issues"`
+	Summary          struct {
+		TotalIssuesBySeverity struct {
+			Low      int `json:"LOW"`
+			Medium   int `json:"MEDIUM"`
+			High     int `json:"HIGH"`
+			Critical int `json:"CRITICAL"`
+		} `json:"total_issues_by_severity"`
+	} `json:"summary"`
+	IssuesBySeverity struct {
+		Critical []struct {
+			Description string `json:"description"`
+			Operator    string `json:"operator"`
+			Module      string `json:"module"`
+			Source      string `json:"source"`
+			Scanner     string `json:"scanner"`
+		} `json:"CRITICAL"`
+		High []struct {
+			Description string `json:"description"`
+			Operator    string `json:"operator"`
+			Module      string `json:"module"`
+			Source      string `json:"source"`
+			Scanner     string `json:"scanner"`
+		} `json:"HIGH"`
+		Medium []struct {
+			Description string `json:"description"`
+			Operator    string `json:"operator"`
+			Module      string `json:"module"`
+			Source      string `json:"source"`
+			Scanner     string `json:"scanner"`
+		} `json:"MEDIUM"`
+		Low []struct {
+			Description string `json:"description"`
+			Operator    string `json:"operator"`
+			Module      string `json:"module"`
+			Source      string `json:"source"`
+			Scanner     string `json:"scanner"`
+		} `json:"LOW"`
+	} `json:"issues_by_severity"`
+	Errors  []any `json:"errors"`
+	Scanned struct {
+		TotalScanned int      `json:"total_scanned"`
+		ScannedFiles []string `json:"scanned_files"`
+	} `json:"scanned"`
+}
diff --git a/components/producers/modelscan/main_test.go b/components/producers/modelscan/main_test.go
@@ -0,0 +1,109 @@
+package main
+
+import (
+	"encoding/json"
+	"testing"
+
+	v1 "github.com/ocurity/dracon/api/proto/v1"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseIssues(t *testing.T) {
+	var results ModelScanOut
+	err := json.Unmarshal([]byte(modelScanOut), &results)
+	require.NoError(t, err)
+
+	issues, err := parseIssues(&results)
+	require.NoError(t, err)
+	expectedIssue := []*v1.Issue{
+
+		{
+			Target:      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+			Type:        "modelscan.scanners.PickleUnsafeOpScan",
+			Title:       "Use of unsafe operator 'system' from module 'posix'",
+			Description: "Use of unsafe operator 'system' from module 'posix'",
+		},
+		{
+			Target:      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+			Type:        "modelscan.scanners.PickleUnsafeOpScan",
+			Title:       "Use of unsafe operator 'system' from module 'posix'",
+			Description: "Use of unsafe operator 'system' from module 'posix'",
+		},
+		{
+			Target:      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+			Type:        "modelscan.scanners.PickleUnsafeOpScan",
+			Title:       "Use of unsafe operator 'system' from module 'posix'",
+			Description: "Use of unsafe operator 'system' from module 'posix'",
+		},
+		{
+			Target:      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+			Type:        "modelscan.scanners.PickleUnsafeOpScan",
+			Title:       "Use of unsafe operator 'system' from module 'posix'",
+			Description: "Use of unsafe operator 'system' from module 'posix'",
+		},
+	}
+
+	require.Equal(t, expectedIssue, issues)
+}
+
+const modelScanOut = `{
+  "modelscan_version": "0.5.0",
+  "timestamp": "2024-01-25T17:56:00.855056",
+  "input_path": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+  "total_issues": 1,
+  "summary": {
+    "total_issues_by_severity": {
+      "LOW": 0,
+      "MEDIUM": 0,
+      "HIGH": 0,
+      "CRITICAL": 1
+    }
+  },
+  "issues_by_severity": {
+    "CRITICAL": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "MEDIUM": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "HIGH": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ],
+    "LOW": [
+      {
+        "description": "Use of unsafe operator 'system' from module 'posix'",
+        "operator": "system",
+        "module": "posix",
+        "source": "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl",
+        "scanner": "modelscan.scanners.PickleUnsafeOpScan"
+      }
+    ]
+  },
+  "errors": [],
+  "scanned": {
+    "total_scanned": 4,
+    "scanned_files": [
+      "/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl"
+    ]
+  }
+}
+`
diff --git a/components/producers/modelscan/task.yaml b/components/producers/modelscan/task.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: producer-modelscan
+  labels:
+    v1.dracon.ocurity.com/component: producer
+    v1.dracon.ocurity.com/test-type: sast
+    v1.dracon.ocurity.com/language: python
+spec:
+  description: Analyse Go source code to look for security issues.
+  params:
+  - name: producer-modelscan-relative-path-to-model
+    type: string
+  volumes:
+    - name: scratch
+      emptyDir: {}
+  workspaces:
+    - name: output
+      description: The workspace containing the source-code to scan.
+  steps:
+  - name: run-modelscan
+    image: python:alpine
+    script: |
+      pip install 'modelscan[ tensorflow, h5py ]'
+      modelscan \
+      --path "$(workspaces.output.path)/source-code/$(params.producer-modelscan-relative-path-to-model)" \
+      --reporting-format json \
+      --output-file /scratch/out.json
+
+      exitCode=$?
+      if [[ $exitCode -eq 1 ]]; then
+        echo "ModelScan found vulnerabilities"
+        exit 0
+      else if [[ $exitCode -eq 2 ]]; then
+        echo "ModelScan failed, error while scanning"
+        exit $exitCode
+      else if [[ $exitCode -eq 3 ]]; then
+        echo "ModelScan did not find any supported files while scanning"
+        exit $exitCode
+      else if [[ $exitCode -eq 4 ]]; then
+        echo "ModelScan encountered an error whle parsing CLI variables, the task definition has a bug"
+        exit $exitCode
+      fi
+    volumeMounts:
+    - mountPath: /scratch
+      name: scratch
+  - name: produce-issues
+    imagePullPolicy: IfNotPresent
+    image: '{{ default "ghcr.io/ocurity/dracon" .Values.image.registry }}/components/producers/modelscan:{{ .Chart.AppVersion }}'
+    command: ["/app/components/producers/modelscan/modelscan-parser"]
+    args:
+    - "-in=/scratch/out.json"
+    - "-out=$(workspaces.output.path)/.dracon/producers/modelscan.pb"
+    volumeMounts:
+    - mountPath: /scratch
+      name: scratch

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
++
 +�͙�햞�gosec�
 +O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
 +O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
 +O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown�
 +O/Users/mehrinkiani/Documents/modelscan/notebooks/XGBoostModels/unsafe_model.pkl%modelscan.scanners.PickleUnsafeOpScan3Use of unsafe operator 'system' from module 'posix':3Use of unsafe operator 'system' from module 'posix'Bunknown