snyk · mcombuechen · Nov 28, 2024 · Nov 26, 2024 · Nov 27, 2024 · Nov 27, 2024
@@ -6,7 +6,7 @@ orbs:
 go_image: &go_image
   resource_class: small
   docker:
-    - image: cimg/go:1.21
+    - image: cimg/go:1.23
 
 jobs:
   security-scans:

@@ -14,7 +14,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.20.3
+        go-version: 1.23.2
 
     - name: Lint
       uses: golangci/golangci-lint-action@v3

@@ -1,6 +1,6 @@
 module github.com/snyk/parlay
 
-go 1.20
+go 1.23
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.9.0

@@ -49,6 +49,7 @@ github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHS
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
@@ -73,6 +74,7 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -155,9 +157,11 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
@@ -167,6 +171,7 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4=
@@ -182,6 +187,7 @@ github.com/remeh/sizedwaitgroup v1.0.0 h1:VNGGFwNo/R5+MJBf6yrsr110p0m4/OX4S3DCy7
 github.com/remeh/sizedwaitgroup v1.0.0/go.mod h1:3j2R4OIe/SeS6YDhICBy22RWjJC5eNCJ1V+9+NVNYlo=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.1 h1:cO+d60CHkknCbvzEWxP0S9K6KqyTjrCNUy1LdQLCGPc=
 github.com/rs/zerolog v1.29.1/go.mod h1:Le6ESbR7hc+DP6Lt1THiV8CQSdkkNrd3R0XbEgp3ZBU=
@@ -220,9 +226,13 @@ github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
+github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

@@ -0,0 +1,20 @@
+package snyk
+
+import (
+	"os"
+
+	"github.com/snyk/parlay/lib/snyk"
+)
+
+func config() *snyk.Config {
+	c := snyk.DefaultConfig()
+
+	if t := os.Getenv("SNYK_TOKEN"); t != "" {
+		c.APIToken = t
+	}
+	if u := os.Getenv("SNYK_API"); u != "" {
+		c.SnykAPIURL = u
+	}
+
+	return c
+}
@@ -17,6 +17,9 @@ func NewEnrichCommand(logger *zerolog.Logger) *cobra.Command {
 		Short: "Enrich an SBOM with Snyk data",
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
+			cfg := config()
+			svc := snyk.NewService(cfg, logger)
+
 			b, err := utils.GetUserInput(args[0], os.Stdin)
 			if err != nil {
 				logger.Fatal().Err(err).Msg("Failed to read input")
@@ -27,7 +30,7 @@ func NewEnrichCommand(logger *zerolog.Logger) *cobra.Command {
 				logger.Fatal().Err(err).Msg("Failed to read SBOM input")
 			}
 
-			snyk.EnrichSBOM(doc, logger)
+			svc.EnrichSBOM(doc)
 
 			if err := doc.Encode(os.Stdout); err != nil {
 				logger.Fatal().Err(err).Msg("Failed to encode new SBOM")

@@ -16,6 +16,9 @@ func NewPackageCommand(logger *zerolog.Logger) *cobra.Command {
 		Short: "Return package vulnerabilities from Snyk",
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
+			cfg := config()
+			svc := snyk.NewService(cfg, logger)
+
 			purl, err := packageurl.FromString(args[0])
 			if err != nil {
 				logger.Fatal().Err(err).Msg("Failed to parse PackageURL")
@@ -26,23 +29,7 @@ func NewPackageCommand(logger *zerolog.Logger) *cobra.Command {
 				Str("purl", args[0]).
 				Msg("Looking up package vulnerabilities from Snyk")
 
-			auth, err := snyk.AuthFromToken(snyk.APIToken())
-			if err != nil {
-				logger.
-					Fatal().
-					Err(err).
-					Msg("Failed to get API credentials")
-			}
-
-			orgID, err := snyk.SnykOrgID(auth)
-			if err != nil {
-				logger.
-					Fatal().
-					Err(err).
-					Msg("Failed to look up user info")
-			}
-
-			resp, err := snyk.GetPackageVulnerabilities(&purl, auth, orgID)
+			resp, err := svc.GetPackageVulnerabilities(&purl)
 			if err != nil {
 				logger.Fatal().Err(err).Msg("Failed to look up package vulnerabilities")
 			}

@@ -0,0 +1,28 @@
+/*
+ * © 2024 Snyk Limited All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package snyk
+
+type Config struct {
+	SnykAPIURL string
+	APIToken   string
+}
+
+func DefaultConfig() *Config {
+	return &Config{
+		SnykAPIURL: "https://api.snyk.io",
+	}
+}
@@ -24,12 +24,17 @@ import (
 	"github.com/snyk/parlay/lib/sbom"
 )
 
-func EnrichSBOM(doc *sbom.SBOMDocument, logger *zerolog.Logger) *sbom.SBOMDocument {
+const (
+	snykAdvisorWebURL         = "https://snyk.io/advisor"
+	snykVulnerabilityDBWebURL = "https://security.snyk.io"
+)
+
+func EnrichSBOM(cfg *Config, doc *sbom.SBOMDocument, logger *zerolog.Logger) *sbom.SBOMDocument {
 	switch bom := doc.BOM.(type) {
 	case *cdx.BOM:
-		enrichCycloneDX(bom, logger)
+		enrichCycloneDX(cfg, bom, logger)
 	case *spdx.Document:
-		enrichSPDX(bom, logger)
+		enrichSPDX(cfg, bom, logger)
 	}
 
 	return doc

@@ -31,15 +31,15 @@ import (
 	"github.com/snyk/parlay/snyk/issues"
 )
 
-type cdxEnricher = func(*cdx.Component, *packageurl.PackageURL)
+type cdxEnricher = func(*Config, *cdx.Component, *packageurl.PackageURL)
 
 var cdxEnrichers = []cdxEnricher{
 	enrichCDXSnykAdvisorData,
 	enrichCDXSnykVulnerabilityDBData,
 }
 
-func enrichCDXSnykVulnerabilityDBData(component *cdx.Component, purl *packageurl.PackageURL) {
-	url := SnykVulnURL(purl)
+func enrichCDXSnykVulnerabilityDBData(cfg *Config, component *cdx.Component, purl *packageurl.PackageURL) {
+	url := SnykVulnURL(cfg, purl)
 	if url != "" {
 		ext := cdx.ExternalReference{
 			URL:     url,
@@ -54,8 +54,8 @@ func enrichCDXSnykVulnerabilityDBData(component *cdx.Component, purl *packageurl
 	}
 }
 
-func enrichCDXSnykAdvisorData(component *cdx.Component, purl *packageurl.PackageURL) {
-	url := SnykAdvisorURL(purl)
+func enrichCDXSnykAdvisorData(cfg *Config, component *cdx.Component, purl *packageurl.PackageURL) {
+	url := SnykAdvisorURL(cfg, purl)
 	if url != "" {
 		ext := cdx.ExternalReference{
 			URL:     url,
@@ -70,14 +70,14 @@ func enrichCDXSnykAdvisorData(component *cdx.Component, purl *packageurl.Package
 	}
 }
 
-func enrichCycloneDX(bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
-	auth, err := AuthFromToken(APIToken())
+func enrichCycloneDX(cfg *Config, bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
+	auth, err := AuthFromToken(cfg.APIToken)
 	if err != nil {
 		logger.Fatal().Err(err).Msg("Failed to authenticate")
 		return nil
 	}
 
-	orgID, err := SnykOrgID(auth)
+	orgID, err := SnykOrgID(cfg, auth)
 	if err != nil {
 		logger.Error().Err(err).Msg("Failed to infer preferred Snyk organization")
 		return nil
@@ -105,9 +105,9 @@ func enrichCycloneDX(bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
 				return
 			}
 			for _, enrichFunc := range cdxEnrichers {
-				enrichFunc(component, &purl)
+				enrichFunc(cfg, component, &purl)
 			}
-			resp, err := GetPackageVulnerabilities(&purl, auth, orgID)
+			resp, err := GetPackageVulnerabilities(cfg, &purl, auth, orgID)
 			if err != nil {
 				l.Err(err).
 					Str("purl", purl.ToString()).
@@ -206,7 +206,7 @@ func enrichCycloneDX(bom *cdx.BOM, logger *zerolog.Logger) *cdx.BOM {
 					for _, sev := range *issue.Attributes.Severities {
 						source := cdx.Source{
 							Name: "Snyk",
-							URL:  "https://security.snyk.io",
+							URL:  snykVulnerabilityDBWebURL,
 						}
 						if sev.Score != nil {
 							score := float64(*sev.Score)

@@ -32,19 +32,15 @@ import (
 	"github.com/snyk/parlay/snyk/issues"
 )
 
-const (
-	snykVulnerabilityDB_URI = "https://security.snyk.io"
-)
-
-type spdxEnricher = func(*spdx_2_3.Package, *packageurl.PackageURL)
+type spdxEnricher = func(*Config, *spdx_2_3.Package, *packageurl.PackageURL)
 
 var spdxEnrichers = []spdxEnricher{
 	enrichSPDXSnykAdvisorData,
 	enrichSPDXSnykVulnerabilityDBData,
 }
 
-func enrichSPDXSnykAdvisorData(component *spdx_2_3.Package, purl *packageurl.PackageURL) {
-	url := SnykAdvisorURL(purl)
+func enrichSPDXSnykAdvisorData(cfg *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
+	url := SnykAdvisorURL(cfg, purl)
 	if url != "" {
 		ext := &spdx_2_3.PackageExternalReference{
 			Locator:            url,
@@ -60,8 +56,8 @@ func enrichSPDXSnykAdvisorData(component *spdx_2_3.Package, purl *packageurl.Pac
 	}
 }
 
-func enrichSPDXSnykVulnerabilityDBData(component *spdx_2_3.Package, purl *packageurl.PackageURL) {
-	url := SnykVulnURL(purl)
+func enrichSPDXSnykVulnerabilityDBData(cfg *Config, component *spdx_2_3.Package, purl *packageurl.PackageURL) {
+	url := SnykVulnURL(cfg, purl)
 	if url != "" {
 		ext := &spdx_2_3.PackageExternalReference{
 			Locator:            url,
@@ -77,16 +73,16 @@ func enrichSPDXSnykVulnerabilityDBData(component *spdx_2_3.Package, purl *packag
 	}
 }
 
-func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
-	auth, err := AuthFromToken(APIToken())
+func enrichSPDX(cfg *Config, bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
+	auth, err := AuthFromToken(cfg.APIToken)
 	if err != nil {
 		logger.Fatal().
 			Err(err).
 			Msg("Failed to authenticate")
 		return nil
 	}
 
-	orgID, err := SnykOrgID(auth)
+	orgID, err := SnykOrgID(cfg, auth)
 	if err != nil {
 		logger.Fatal().
 			Err(err).
@@ -114,9 +110,9 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
 				return
 			}
 			for _, enrichFn := range spdxEnrichers {
-				enrichFn(pkg, purl)
+				enrichFn(cfg, pkg, purl)
 			}
-			resp, err := GetPackageVulnerabilities(purl, auth, orgID)
+			resp, err := GetPackageVulnerabilities(cfg, purl, auth, orgID)
 			if err != nil {
 				l.Err(err).
 					Str("purl", purl.ToString()).
@@ -154,9 +150,8 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) *spdx.Document {
 				RefType:  spdx.SecurityAdvisory,
 				Locator: fmt.Sprintf(
 					"%s/vuln/%s",
-					snykVulnerabilityDB_URI,
-					url.PathEscape(*issue.Id),
-				),
+					snykVulnerabilityDBWebURL,
+					url.PathEscape(*issue.Id)),
 			}
 
 			if issue.Attributes.Title != nil {