Skip to content

Commit

Permalink
version 1.0.0
Browse files Browse the repository at this point in the history
  • Loading branch information
@cosdon
cosdon committed Apr 12, 2023
0 parents commit 5beabf3
Show file tree
Hide file tree
Showing 276 changed files with 65,906 additions and 0 deletions.
145 changes: 145 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,145 @@
name: Build and package the NowSecure Platform CLI
on:
push:
branches:
- main
tags:
- 'v[0-9]+.[0-9]+.[0-9]+*'
pull_request:
branches:
- main
workflow_dispatch: {}

jobs:
build-on-ubuntu:
name: Build .deb files for arm & intel
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Get Git History
run: git fetch --unshallow --filter=blob:none --tags --force
- name: Set Version
id: set-version
run: |
TAG_REGEX="^refs/tags/(v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
else
echo "version=$(git describe --tags --long --match 'v*')" >> $GITHUB_OUTPUT
fi
- uses: actions/setup-node@v3
with:
node-version: '16'
- run: |
CLI_VERSION=${{ steps.set-version.outputs.version }} node cli/.ci/set-package-vars.js
CI_CD_BUILD=1 cli/.ci/package.sh
- name: Archive artifacts
uses: actions/upload-artifact@v3
with:
name: Linux
path: |
cli/dist/deb
build-on-macos:
name: Build, sign and notarize .pkg files for Mac
runs-on: macos-12
steps:
- uses: actions/checkout@v3
- name: Get Git History
run: git fetch --unshallow --filter=blob:none --tags --force
- name: Set Version
id: set-version
run: |
TAG_REGEX="^refs/tags/(v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
else
echo "version=$(git describe --tags --long --match 'v*')" >> $GITHUB_OUTPUT
fi
- uses: actions/setup-node@v3
with:
node-version: '16'
- name: Install the Apple certificate and provisioning profile
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Build, sign, and notarize the installer packages
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
APPLEID_PASSWORD: ${{ secrets.APPLEID_PASSWORD }}
APPLEID: ${{ secrets.APPLEID }}
APPLEID_TEAM: ${{ secrets.APPLEID_TEAM }}
SIGNING_ID: ${{ secrets.SIGNING_ID }}

# Note: oclif requires the env var OSX_KEYCHAIN to know where the keychain is
run: |
CLI_VERSION=${{ steps.set-version.outputs.version }} node cli/.ci/set-package-vars.js
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $OSX_KEYCHAIN
OSX_KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db CI_CD_BUILD=1 cli/.ci/package.sh
node cli/.ci/notarize.js cli/dist/macos/*.pkg
spctl --assess -vv --type install cli/dist/macos/*.pkg
- name: Clean up keychain
if: ${{ always() }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
- name: Archive Artifacts
uses: actions/upload-artifact@v3
with:
name: MacOS
path: |
cli/dist/macos
release:
needs:
- build-on-ubuntu
- build-on-macos
runs-on: ubuntu-22.04
steps:
- name: Check Tag
id: check-tag
run: |
TAG_REGEX="^refs/tags/(v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)(\\-[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?(\\+[0-9A-Za-z-]+(\\.[0-9A-Za-z-]+)*)?)$"
if [[ ${{ github.ref }} =~ $TAG_REGEX ]]; then
echo "version=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
echo "release=true" >> $GITHUB_OUTPUT
else
echo "release=false" >> $GITHUB_OUTPUT
fi
- name: Download Release Artifacts
if: ${{ steps.check-tag.outputs.release == 'true' }}
uses: actions/download-artifact@v3
with:
path: artifacts

- name: Create Release
if: ${{ steps.check-tag.outputs.release == 'true' }}
uses: ncipollo/[email protected]
with:
artifacts: "artifacts/Linux/*.deb,artifacts/MacOS/*.pkg"
tag: ${{ steps.check-tag.outputs.version }}



2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
**/node_modules
lib/graphql.schema.json
188 changes: 188 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,188 @@
# NowSecure CLI

## Overview

The NowSecure CLI is a tool that allows users to interact with the NowSecure Platform. It is a command line interface that allows users to perform a variety of tasks, including:

* Uploading Applications to NowSecure Platform.
* Accessing assessment data.
* Managing your NowSecure Organization including sending invitations.

## User's Guide

### Getting Started

### Prerequisites

The following is needed to use the ns-cli:

* A valid NowSecure Platform account.
* A valid NowSecure Platform API token. Instructions on how to acquire this can be found in the NowSecure support center document [Creating an API Bearer Token in Platform](https://support.nowsecure.com/hc/en-us/articles/7499657262093-Creating-an-API-Bearer-Token-in-Platform)
* If you are using a single tenant deployment of NowSecure Platform, you will need to specify the URLs of your deployment during configuration. Please be sure to have the following URLs available:
* The URL of your NowSecure Platform REST API. This is the URL that you will use to access the NowSecure Platform API. This URL will be in the format of `lab-api.<tenant>.nowsecure.com`.
* The URL of your NowSecure Graph API. This is the URL that you will use to access the NowSecure Graph API. This URL will be in the format of `api.<tenant>.nowsecure.com`.
* The URL of your NowSecure Platform UI. This is the URL that you will use to access the NowSecure Platform UI. This URL will be in the format of `app.<tenant>.nowsecure.com`.

### Install

1. Get binary from [Releases](https://github.com/nowsecure/nowsecure-platform-cli/releases)
2. Right click the .pkg file and select `run`.

### Configure

1. After the `ns-cli` has been installed on your system, run `ns-cli configure` to configure the CLI with your NowSecure Platform Account.
2. The first prompt will ask you to enter the profile you are using. Hit enter to select the default profile of `default`.

**Note:** Most users will only need to use the default profile.
3. The next prompt will ask you to enter the Platform API token that you will be using. Paste this into the field provided and hit enter.
4. The next prompt will ask you to enter the Graphql endpoint for the NowSecure Platform. You can just hit enter if you are using the CLI to interact with the default production instance of NowSecure Platform. If you are using a single tenant deployment of NowSecure Platform, you will need to enter the URL of your Graphql endpoint. This URL will be in the format of `api.<tenant>.nowsecure.com`.
5. The next prompt will ask you to enter the REST endpoint for the NowSecure Platform. You can just hit enter if you are using the CLI to interact with the default production instance of NowSecure Platform. If you are using a single tenant deployment of NowSecure Platform, you will need to enter the URL of your REST endpoint. This URL will be in the format of `lab-api.<tenant>.nowsecure.com`.
6. The next prompt and final will ask you to enter the UI Server for the NowSecure platform. You can just hit enter if you are using the CLI to interact with the default production instance of NowSecure Platform. If you are using a single tenant deployment of NowSecure Platform, you will need to enter the URL of your UI Server. This URL will be in the format of `app.<tenant>.nowsecure.com`.

Once done, verify that the CLI functions as expected by running `ns-cli app list`. A listing of the apps in your platform account will be displayed. If desired, you can run `ns-cli app list --json` to return the results in json format. Example:

```bash
✗ ns-cli app list
REF TITLE PLATFORM PACKAGE GROUP
9fc8a97e-2044-11eb-80b5-snip "Business Suite" ios com.facebook.PageAdminApp "Auto Group"
952801a2-2a96-11eb-80b5-snip Disney+ android com.disney.disneyplus "Auto Group"
0f377a8a-2b51-11eb-b2b8-snip Strava ios com.strava.stravaride TriageGroup
dcf30d7a-2c16-11eb-80b5-snip Facebook ios com.facebook.Facebook "Cool Group"
9d691706-3181-11eb-80b5-snip Darksky ios com.jackadam.darksky "Auto Group"
```

### Usage

Running `ns-cli help` will provide a top level list of the options that are available via the CLI:

```
$ ns-cli help
VERSION
@nowsecure/cli/1.0.0-alpha.2 darwin-arm64 node-v16.19.1
USAGE
$ ns-cli [COMMAND]
TOPICS
app Commands to manipulate applications for analysis
assessment Commands to retrieve assessment data
organization Commands for the user's organization
plugins List installed plugins.
user Commands for users & accounts
COMMANDS
app Commands to manipulate applications for analysis
assessment Commands to retrieve assessment data
autocomplete display autocomplete installation instructions
configure
help Display help for ns-cli.
organization Commands for the user's organization
plugins List installed plugins.
user Commands for users & accounts
```
Options are as follows

#### app

App commands provide steps that can be used to manipulate application binaries for analysis. The following commands are available:

* **app archive** Allows you to Archive or Unarchive an application that has been uploaded to NowSecure Platform.
* **app config** Retrieve the analysis configuration for an application that has been uploaded to NowSecure Platform
* **app create** Create an app resource without a binary
* **app last-assessment**: Show the details and findings of an assessment based on platform (`ios` or `android`) and package name (`com.facebook.katana`). If the app exists in multiple groups, provide the group reference using the `-g` or `--group` option.
* **app list** List available applications in your platform account.
* **app process** Upload and analyze an application binary.
* **app update** Update the application's analysis configuration.
* **app upload** Upload an application binary.
* **app vulnerabilities** Show application vulnerabilities

You can use the `--help` option to get more details on each of the options above.


#### assessment

Assessment commands are used to interact with assessments created in in NowSecure Platform. The following commands are available:

* **assessment cancel** Cancel a running assessment
* **assessment github-snapshot** Create a SARIF report from an assessment
* **assessment list** List assessments in your NowSecure Platform account
* **assessment raw** Get the raw data for an assessment
* **assessment sarif** Create a SARIF report from an assessment
* **assessment show** Show the details and findings of an assessment
* **assessment start** Start an assessment

You can use the `--help` option to get more details on each of the options above.

#### autocomplete

Running `ns-cli autocomplete` will provide details on how to integrate the ns-cli into your `.zshrc` to perform autocomplete actions.

#### configure

Configure is described above in the [Configure](#configure) section.

#### help

Help provides help for the ns-cli.

#### organization

Organization commands provide steps that can be used to manipulate an organization within NowSecure Platform. The following commands are available:

* **organization groups** Returns the groups that have been configured in an NowSecure Platform organization.
* **organization invitations** List invitations that have been created within your NowSecure Platform organization.
* **organization invite** Create an invitiation to add someone to your NowSecure Platform organization.
* **organization revoke-invitation** Revoke an invitation that has been created in your NowSecure Platform organization.
* **organization users** List the users that exist in your NowSecure Platform organization.

You can use the `--help` option to get more details on each of the options above.

#### plugins

The Plugins options will list plugins that have been added to the ns-cli.

#### user

User commands provide steps that can be used to manipulate users within NowSecure Platform. The following commands are available:

* **user account** Get the user details from NowSecure Platform for the user account that was used to create the token that the ns-cli has been configured to use.
* **user groups** Get the group membership from NowSecure Platform for the user account that was used to create the token that the ns-cli has been configured

You can use the `--help` option to get more details on each of the options above.



## Developer's Guide

This is a Monorepo containing the following items.
- The [NowSecure Sarif Conversion Module](./sarif/README.md)
- The [NowSecure GitHub Snapshot Module](./github-snapshot/README.md)
- The [NowSecure REST and GQL API Library](./lib/README.md)
- The [NowSecure CLI](./cli/README.md)

## Building

> Ensure you are using Node >= 16 and have `yarn` installed before proceeding.
If you are looking to build a specific library or tool, see
[Building specific tools](#building-specific-tools).

Run the following to build everything:
```sh
yarn run build
```

Run the following to clean up all build artifacts:
```sh
yarn run clean
```

### Building specific tools

| Tool | Build Command | Clean Command |
|:--|:--|:--|
| [NowSecure REST and GQL API Library](./lib/README.md) | `yarn run build:lib` | `yarn run clean:lib` |
| [NowSecure Sarif Conversion Module](./sarif/README.md) | `yarn run build:sarif` | `yarn run clean:sarif` |
| [NowSecure GitHub Snapshot Module](./github-snapshot/README.md) | `yarn run build:github-snapshot` | `yarn run clean:github-snapshot` |
| [NowSecure CLI](./cli/README.md) | `yarn run build:cli` | `yarn run clean:cli` |

52 changes: 52 additions & 0 deletions cli/.ci/notarize.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#!/usr/bin/env node

const fs = require("fs");
const path = require("path");
const { notarize } = require("@electron/notarize");

const APPLEID = process.env.APPLEID;
const APPLEID_TEAM = process.env.APPLEID_TEAM;
const APPLEID_PASSWORD = process.env.APPLEID_PASSWORD;

async function processOne(fileName) {
const fullPath = path.normalize(path.resolve(fileName));
console.log(`Notarizing ${fullPath}`);
await notarize({
tool: "notarytool",
appPath: fullPath,
appleId: APPLEID,
appleIdPassword: APPLEID_PASSWORD,
teamId: APPLEID_TEAM,
});
console.log(`${fullPath} completed`);
}

async function processAll() {
const files = process.argv.slice(2);

if (!APPLEID) {
console.log("No Apple ID specified, skipping");
return;
}

if (!(APPLEID_PASSWORD && APPLEID_TEAM)) {
console.error("APPLEID_PASSWORD and APPLEID_TEAM are required");
process.exit(1);
}

const promises = [];
for (const file of files) {
const stat = fs.statSync(file);
if (stat.isFile()) {
promises.push(processOne(file));
}
}

if (promises.length === 0) {
console.log("No files found");
} else {
await Promise.all(promises);
}
}

Promise.resolve().then(processAll);
Loading

0 comments on commit 5beabf3

Please sign in to comment.