first commit

Author: bmarsh9

.gitignore

@@ -0,0 +1,54 @@
+app/lib/dependency_scan/odc-reports/*
+app/lib/gitleaks/results/*
+app/clone_output/*
+app/keys/*
+
+# py ext
+*.pyc
+
+# C extensions
+*.so
+
+# Packages
+*.egg
+*.egg-info
+dist
+build
+eggs
+parts
+bin
+var
+sdist
+develop-eggs
+.installed.cfg
+__pycache__
+.DS_Store
+
+# logs
+pip-log.txt
+*.log
+
+# Unit test / coverage reports
+.coverage
+.tox
+nosetests.xml
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject
+
+# SQLite databases
+*.sqlite
+
+# Virtual environment
+venv
+
+# Code Editor
+.vscode
+
+# Temp folder
+tmp

Dockerfile

@@ -0,0 +1,24 @@
+# install base
+#FROM ubuntu
+FROM python:3.6-slim-buster
+
+# update the operating system:
+RUN apt-get update \
+ && apt-get install -y bzip2 xz-utils zlib1g libxml2-dev libxslt1-dev libgomp1 python3-pip libpq-dev nano net-tools sudo git dos2unix\
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# copy the folder to the container:
+ADD . /scan7
+
+# Define working directory:
+WORKDIR /scan7
+
+# Install the requirements
+RUN pip3 install -r /scan7/requirements.txt
+
+# expose tcp port 5000
+#EXPOSE 5000
+
+# default command: run the web server
+CMD ["/bin/bash","run.sh"]

LICENSE

@@ -0,0 +1,25 @@
+### Scan7  
+
+#### The Problem  
+There is not a great solution in the Open-Source community for performing license, vulnerability and secret detection in a single platform. You end up having to resort to a bunch of shell scripts or purchasing a commercial tool.
+
+#### What does it do?  
+Scans private/public code repositories for license, vulnerability and secrets data. Track data overtime in the web console and is ideal for security teams.
+
+#### What is the perfect use case?  
+The current design is ideal for a Security Assurance team that wishes to run out-of-band scans against their company repo's to track licenses, vulnerabilities and secrets at a code level.
+
+#### Limitations?  
++ Not ideal to be placed in the CI/CD flow. There is not a API to start/stop commands but that is on the roadmap  
++ Not ideal if you need quick and fast results
+
+#### Roadmap  
++ Support for CI/CD  
++ Customization for the different scan types  
++ Dockerize everything
+
+#### Credits  
+Scan7 utilizes the following Open-Source tools to perform the scanning functionality:  
++ Scancode (https://github.com/nexB/scancode-toolkit)  
++ Gitleaks (https://github.com/zricethezav/gitleaks)  
++ OWASP Dependency Check (https://jeremylong.github.io/DependencyCheck/) 

README.md

@@ -0,0 +1,103 @@
+from flask import Flask,request,render_template,jsonify
+from flask_sqlalchemy import SQLAlchemy
+from flask_user import UserManager
+from flask_migrate import Migrate, MigrateCommand
+from app.utils.flask_logs import LogSetup
+from config import config
+from apscheduler.schedulers.background import BackgroundScheduler
+
+db = SQLAlchemy()
+logs = LogSetup()
+migrate = Migrate()
+
+import app.jobs as schjobs
+
+def create_app(config_name="default"):
+    app = Flask(__name__)
+    app.config.from_object(config[config_name])
+    config[config_name].init_app(app)
+
+    db.init_app(app)
+    logs.init_app(app)
+
+    from app.models import User,UserInvitation
+    app.user_manager = UserManager(app, db, User,UserInvitationClass=UserInvitation)
+    app.db_manager = app.user_manager.db_manager
+
+    from app.main import main as main_blueprint
+    app.register_blueprint(main_blueprint)
+
+    from app.api_v1 import api as api_v1_blueprint
+    app.register_blueprint(api_v1_blueprint, url_prefix='/api/v1')
+
+    # Add all models
+    all_models = {}
+    classes, models, table_names = [], [], []
+    for clazz in db.Model._decl_class_registry.values():
+        try:
+            table_names.append(clazz.__tablename__)
+            classes.append(clazz)
+        except:
+            pass
+    for table in db.metadata.tables.items():
+        if table[0] in table_names:
+            all_models[table[0]] = classes[table_names.index(table[0])]
+            models.append(classes[table_names.index(table[0])])
+    app.models = all_models
+
+    # Setup Flask-Migrate
+    migrate.init_app(app, db)
+
+    from app.models import Tasks
+
+    def background_daemon():
+        with app.app_context(),app.test_request_context():
+            for task in Tasks().ready_to_run():
+                if app.config["JOB_DEBUG"]:
+                    task.add_log("Executing job: {}".format(task.name),namespace="jobs",meta={"module":task.module})
+                task.was_executed()
+                args = task.args or {}
+                result = getattr(schjobs,task.module)(task,**args)
+                if result:
+                    task.healthy = True
+                else:
+                    task.healthy = False
+                db.session.commit()
+
+    scheduler = BackgroundScheduler()
+    scheduler.add_job(background_daemon, 'interval', seconds=15, misfire_grace_time=3600)
+    scheduler.start()
+
+    @app.errorhandler(404)
+    def not_found(e):
+        return render_template("errors/404.html"),404
+
+    @app.errorhandler(500)
+    def internal_error(e):
+        return render_template("errors/500.html"),500
+
+    @app.errorhandler(401)
+    def unauthorized(e):
+        if 'Authorization' in request.headers:
+            return jsonify({"message":"unauthorized"}),401
+        return "bad"
+
+    @app.errorhandler(400)
+    def malformed(e):
+        if 'Authorization' in request.headers:
+            return jsonify({"message":"malformed request"}),400
+        return "bad"
+
+    @app.errorhandler(403)
+    def forbidden(e):
+        if 'Authorization' in request.headers:
+            return jsonify({"message":"forbidden"}),403
+        return "bad"
+
+    '''
+    @app.before_request
+    def before_request():
+        pass
+    '''
+
+    return app

app/__init__.py

@@ -0,0 +1,3 @@
+from flask import Blueprint
+api = Blueprint('api', __name__)
+from . import views,search,graphs

app/api_v1/__init__.py

@@ -0,0 +1,59 @@
+from flask import jsonify, request, current_app
+from . import api
+from flask_user import current_user, login_required, roles_required, roles_accepted
+from app.utils.apex_constants import get_graph
+from app.utils.db_helper import DynamicQuery
+
+@api.route('/apex', methods = ['GET'])
+@login_required
+def get_apex_chart():
+    graph_type = request.args.get('type', None, type=str)
+    horizontal = request.args.get('horizontal', False, type=bool)
+    if not graph_type:
+        return jsonify({"message":"specify type of graph"})
+    result = DynamicQuery(
+        model=request.args.get('model', "file", type=str),
+        request_args=request.args,
+        qjson=request.get_json(silent=True)
+    )
+    response = result.generate()
+    if not response:
+        return jsonify({"message":"no data available"})
+
+    try:
+      if graph_type == "bar":
+        d = get_graph("multi_bar")
+        d["xaxis"]["categories"] = response["label"]
+        series = []
+        for point in response["data"]:
+            series.append(int(point))
+        d["series"] = [{"name":"Count","data":series}]
+        d["yaxis"]["title"]["text"] = "Count"
+        d["chart"]["height"] = "{}px".format(request.args.get('height', "250", type=str))
+        d["plotOptions"]["bar"]["horizontal"] = horizontal
+
+      if graph_type == "area":
+        d = get_graph("simple_line")
+        series = {"name":"Count","data":[]}
+        for point in response["data"]:
+            series["data"].append(int(point))
+        d["series"] = [series]
+        d["labels"] = [x.capitalize() for x in response["label"]]
+        d["chart"]["height"] = "{}px".format(request.args.get('height', "250", type=str))
+
+      elif graph_type == "donut":
+        d = get_graph("donut")
+        d["labels"] = [x.capitalize() for x in response["label"]]
+        series = []
+        for point in response["data"]:
+            series.append(int(point))
+        d["series"] = series
+        d["chart"]["height"] = "{}px".format(request.args.get('height', "250", type=str))
+
+      d["title"]["text"] = request.args.get('title', "Add title", type=str).capitalize()
+      d["theme"] = {"palette":"palette1"}
+      d.pop("colors",None)
+      return jsonify(d)
+    except Exception as e:
+        current_app.logger.warning("Exception caught while drawing graphs:{}".format(str(e)))
+    return jsonify({"message":"no data available"})

app/api_v1/graphs.py

@@ -0,0 +1,19 @@
+from flask import jsonify, request, current_app
+from . import api
+from flask_user import current_user, login_required, roles_required, roles_accepted
+from app.models import *
+from app.utils.db_helper import DynamicQuery
+
+@api.route("/search/<string:model>", methods=["GET"])
+@login_required
+def search_api(model):
+    '''
+    API for sqlalchemy database tables
+    '''
+    result = DynamicQuery(
+        model=model,
+        request_args=request.args,
+        qjson=request.get_json(silent=True)
+    )
+    response = result.generate()
+    return jsonify(response)

app/api_v1/search.py

@@ -0,0 +1,8 @@
+from flask import jsonify, request, current_app
+from . import api
+from flask_user import current_user, login_required, roles_required, roles_accepted
+
+@api.route('/health', methods=['GET'])
+@login_required
+def get_health():
+    return jsonify({"message":"ok"})

app/api_v1/views.py

@@ -0,0 +1,2 @@
+from .init_db import InitDbCommand
+