fix: add project-id and monitor-id to analytics

Author: aarlaud

pkg/analytics/instrumentation_collector.go

@@ -38,6 +38,8 @@ type InstrumentationCollector interface {
 	SetStatus(s Status)
 	SetTestSummary(s json_schemas.TestSummary)
 	SetTargetId(t string) // maybe use package-url library and types
+	SetProjectId(projectId string)
+	SetMonitorId(monitorId string)
 	AddError(err error)
 	AddExtension(key string, value interface{})
 }
@@ -62,6 +64,8 @@ type instrumentationCollectorImpl struct {
 	status              Status
 	testSummary         json_schemas.TestSummary
 	targetId            string
+	projectId           string
+	monitorId           string
 	instrumentationErr  []error
 	extension           map[string]interface{}
 }
@@ -129,6 +133,14 @@ func (ic *instrumentationCollectorImpl) SetTargetId(t string) {
 	ic.targetId = t
 }
 
+func (ic *instrumentationCollectorImpl) SetProjectId(id string) {
+	ic.projectId = id
+}
+
+func (ic *instrumentationCollectorImpl) SetMonitorId(id string) {
+	ic.monitorId = id
+}
+
 func (ic *instrumentationCollectorImpl) AddError(err error) {
 	ic.instrumentationErr = append(ic.instrumentationErr, err)
 }
@@ -219,6 +231,21 @@ func (ic *instrumentationCollectorImpl) getV2Attributes() api.AnalyticsAttribute
 
 func (ic *instrumentationCollectorImpl) getV2Interaction() api.Interaction {
 	stage := toInteractionStage(ic.stage)
+
+	if len(ic.projectId) > 0 {
+		if ic.extension == nil {
+			ic.extension = make(map[string]interface{})
+		}
+		ic.extension["project_id"] = ic.projectId
+	}
+
+	if len(ic.monitorId) > 0 {
+		if ic.extension == nil {
+			ic.extension = make(map[string]interface{})
+		}
+		ic.extension["monitor_id"] = ic.monitorId
+	}
+
 	return api.Interaction{
 		Categories:  &ic.category,
 		Errors:      toInteractionErrors(ic.instrumentationErr),

pkg/analytics/instrumentation_collector_test.go

@@ -256,6 +256,34 @@ func Test_InstrumentationCollector(t *testing.T) {
 		actualCategory := ic.GetCategory()
 		assert.Equal(t, mockCategory, actualCategory)
 	})
+
+	t.Run("it should add project id to extension", func(t *testing.T) {
+		ic := setupBaseCollector(t)
+		expectedV2InstrumentationObject := buildExpectedBaseObject(t)
+
+		mockProjectId := "123e4567-e89b-12d3-a456-426614174000"
+		mockMonitorId := "89674498-4fcc-4af3-9a80-0582a74614d5"
+		ic.SetProjectId(mockProjectId)
+		ic.SetMonitorId(mockMonitorId)
+
+		mockExtension := map[string]interface{}{
+			"strings":    "hello world",
+			"project_id": mockProjectId,
+			"monitor_id": mockMonitorId,
+		}
+
+		expectedV2InstrumentationObject.Data.Attributes.Interaction.Extension = &mockExtension
+
+		actualV2InstrumentationObject, err := GetV2InstrumentationObject(ic)
+		assert.NoError(t, err)
+
+		expectedV2InstrumentationJson, err := json.Marshal(expectedV2InstrumentationObject)
+		assert.NoError(t, err)
+		actualV2InstrumentationJson, err := json.Marshal(actualV2InstrumentationObject)
+		assert.NoError(t, err)
+
+		assert.JSONEq(t, string(expectedV2InstrumentationJson), string(actualV2InstrumentationJson))
+	})
 }
 
 func setupBaseCollector(t *testing.T) InstrumentationCollector {

pkg/instrumentation/get-project-id.go

@@ -0,0 +1,20 @@
+package instrumentation
+
+import (
+	"regexp"
+)
+
+func GetProjectIdAndMonitorIdFromText(text string) (string, string, error) {
+	// Pattern: /org/{org-slug}/project/{project-uuid}/history/{history--uuidd}
+	re := regexp.MustCompile(`/org/[^/]+/project/([0-9a-fA-F-]{36})/history/([0-9a-fA-F-]{36})`)
+	matches := re.FindStringSubmatch(text)
+
+	if len(matches) < 3 {
+		return "", "", nil
+	}
+
+	projectUuid := matches[1]
+	historyUuid := matches[2]
+
+	return projectUuid, historyUuid, nil
+}

pkg/instrumentation/get-project-id_test.go

@@ -0,0 +1,169 @@
+package instrumentation
+
+import "testing"
+
+func Test_GetProjectIdAndMonitorIdFromMonitorUrl(t *testing.T) {
+	text := `Testing /home/antoine/Documents/SnykSB/goof ...
+
+Open Issues
+
+ ✗ [LOW] Use of Hardcoded Credentials
+   Finding ID: 56fdeb92-25b8-4e4a-a062-fd1b6a68e346
+   Path: typeorm-db.js, line 11
+   Info: Do not hardcode credentials in code. Found hardcoded credential used in typeorm.createConnection.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: 4d0edc8e-b007-4fbd-96ad-5f8439152c7a
+   Path: tests/authentication.component.spec.js, line 48
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: 3d75a56b-9732-4d84-8348-1d5b8c3ebc2b
+   Path: tests/authentication.component.spec.js, line 48
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: 3ff041bb-45bd-4f13-b08b-ed5fb56cdb4e
+   Path: tests/authentication.component.spec.js, line 35
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: 0afb365f-5b54-4630-beea-b987bd8c7560
+   Path: tests/authentication.component.spec.js, line 35
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [LOW] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+   Finding ID: 0862b4f4-2d1d-4014-934c-6175c8bc3115
+   Path: app.js, line 45
+   Info: Cookie misses the Secure attribute (it is false by default). Set it to true to protect the cookie from man-in-the-middle attacks.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: 1ba6abc7-31a1-4768-a6e4-84d76aa1aa1b
+   Path: tests/authentication.component.spec.js, line 24
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [LOW] Use of Hardcoded Passwords
+   Finding ID: bbfea606-d013-42e3-b26c-07985f5eae6a
+   Path: tests/authentication.component.spec.js, line 24
+   Info: Do not hardcode passwords in code. Found hardcoded password used in changePassword.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: 6f5840f0-b4d1-41bf-9047-ba8698ad5314
+   Path: routes/index.js, line 75
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: df6bf797-fb70-4107-b9ff-aca8c30b7115
+   Path: routes/index.js, line 241
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Use of Hardcoded Passwords
+   Finding ID: 09fa8eb9-117f-42a6-90fb-24eaadd60fbf
+   Path: typeorm-db.js, line 12
+   Info: Do not hardcode passwords in code. Found hardcoded password used in typeorm.createConnection.
+
+ ✗ [MEDIUM] Cleartext Transmission - HTTP Instead of HTTPS
+   Finding ID: e5a806b4-30d1-47ec-8bd3-13d11e5e7f0b
+   Path: app.js, line 86
+   Info: http.createServer uses HTTP which is an insecure protocol and should not be used in code due to cleartext transmission of information. Data in cleartext in a communication channel can be sniffed by unauthorized actors. Consider using the https module instead.
+
+ ✗ [MEDIUM] Use of Hardcoded Passwords
+   Finding ID: 1cecd1d1-2097-4a3a-904f-baa188c00468
+   Path: mongoose-db.js, line 52
+   Info: Do not hardcode passwords in code. Found hardcoded password used in password.
+
+ ✗ [MEDIUM] Cross-Site Request Forgery (CSRF)
+   Finding ID: 25c696b5-6ab0-4cbb-ae06-44c3b696e7f0
+   Path: app.js, line 28
+   Info: CSRF protection is disabled for your Express app. This allows the attackers to execute requests on a user's behalf.
+
+ ✗ [MEDIUM] Open Redirect
+   Finding ID: 353708b0-064f-4af9-95f7-ea9c246f8ee2
+   Path: routes/index.js, line 61
+   Info: Unsanitized input from the HTTP request body flows into redirect, where it is used as input for request redirection. This may result in an Open Redirect vulnerability.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: 303714ee-79e3-4cfa-96e8-d1a237476701
+   Path: routes/index.js, line 152
+   Info: Expensive operation (a system command execution) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: d64d17f7-6441-43c9-82a1-c6d8dfa6f145
+   Path: routes/index.js, line 298
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: 6f75850c-a2fa-4550-baab-76b8b4cccb14
+   Path: routes/index.js, line 67
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Information Exposure - X-Powered-By Header
+   Finding ID: 02e7cd17-b381-46dd-9909-9722ffe036c2
+   Path: app.js, line 28
+   Info: Disable X-Powered-By header for your Express app (consider using Helmet middleware), because it exposes information about the used framework to potential attackers.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: e746b22c-83e0-489c-a1fa-8e60a0b19079
+   Path: routes/index.js, line 82
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [MEDIUM] Allocation of Resources Without Limits or Throttling
+   Finding ID: 477afacb-d530-4119-ad55-c9513f1ef49f
+   Path: routes/index.js, line 89
+   Info: Expensive operation (a file system operation) is performed by an endpoint handler which does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.
+
+ ✗ [HIGH] Hardcoded Non-Cryptographic Secret
+   Finding ID: 746d0c10-032e-47f1-83d0-147d4d5107a7
+   Path: app.js, line 83
+   Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.
+
+ ✗ [HIGH] Hardcoded Non-Cryptographic Secret
+   Finding ID: 709d9187-8a5d-4109-836a-0951c4ec6b32
+   Path: app.js, line 42
+   Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in express-session.
+
+ ✗ [HIGH] NoSQL Injection
+   Finding ID: 24f3f971-1729-4201-98a3-79a736ca7f52
+   Path: routes/index.js, line 39
+   Info: Unsanitized input from the HTTP request body flows into find, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
+
+
+
+╭─────────────────────────────────────────────────────────────╮
+│ Test Summary                                                │
+│                                                             │
+│   Organization:      antoine-playground                     │
+│   Test type:         Static code analysis                   │
+│   Project path:      /home/antoine/Documents/SnykSB/goof    │
+│                                                             │
+│   Total issues:   24                                        │
+│   Ignored issues: 0 [ 0 HIGH  0 MEDIUM  0 LOW ]             │
+│   Open issues:    24 [ 3 HIGH  13 MEDIUM  8 LOW ]           │
+╰─────────────────────────────────────────────────────────────╯
+
+Report
+
+  Your test results are available at:
+  https://app.snyk.io/org/antoine-playground/project/1f94159a-ba57-4447-a2e8-4611a9509794/history/36cca17a-44c0-496d-824b-091a641306c3
+    
+💡 Tip
+
+   To view ignored issues, use the --include-ignores option.
+`
+
+	projectID, monitorID, err := GetProjectIdAndMonitorIdFromText(text)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	expectedProjectID := "1f94159a-ba57-4447-a2e8-4611a9509794"
+	expectedMonitorID := "36cca17a-44c0-496d-824b-091a641306c3"
+
+	if projectID != expectedProjectID {
+		t.Errorf("projectID mismatch: got %q, want %q", projectID, expectedProjectID)
+	}
+
+	if monitorID != expectedMonitorID {
+		t.Errorf("monitorID mismatch: got %q, want %q", monitorID, expectedMonitorID)
+	}
+}

pkg/local_workflows/output_workflow.go

@@ -9,6 +9,7 @@ import (
 
 	iUtils "github.com/snyk/go-application-framework/internal/utils"
 	"github.com/snyk/go-application-framework/pkg/configuration"
+	"github.com/snyk/go-application-framework/pkg/instrumentation"
 	"github.com/snyk/go-application-framework/pkg/local_workflows/content_type"
 	"github.com/snyk/go-application-framework/pkg/local_workflows/output_workflow"
 	"github.com/snyk/go-application-framework/pkg/workflow"
@@ -42,6 +43,32 @@ func outputWorkflowEntryPoint(invocation workflow.InvocationContext, input []wor
 	config := invocation.GetConfiguration()
 	debugLogger := invocation.GetEnhancedLogger()
 
+	for i := range input {
+		if input[i].GetContentType() != content_type.LOCAL_FINDING_MODEL && input[i].GetContentType() != "text/hidden" {
+			continue
+		}
+		outputText := string(input[i].GetPayload().([]byte))
+
+		analytics := invocation.GetAnalytics()
+		projectID, monitorID, err := instrumentation.GetProjectIdAndMonitorIdFromText(outputText)
+		if err != nil {
+			debugLogger.Printf("Error parsing monitor URL: %v", err)
+			continue
+		}
+
+		if projectID != "" {
+			analytics.GetInstrumentation().SetProjectId(projectID)
+		}
+		if monitorID != "" {
+			analytics.GetInstrumentation().SetMonitorId(monitorID)
+		}
+
+		if input[i].GetContentType() == "text/hidden" {
+			input[i].SetPayload([]byte{})
+		}
+		break
+	}
+
 	// Handle UFM models, if none found, continue with the rest
 	input, err := output_workflow.HandleContentTypeUnifiedModel(input, invocation, outputDestination)
 	if err != nil {