Snyk SBOM

components/scanners/snyk-sbom/README.md

@@ -0,0 +1,17 @@
+# Snyk-SBOM
+
+This component implements a [scanner](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that uses the command `snyk sbom` to generate an sbom for any tech snyk supports and send it to a waiting Dependency Track.
+This component does not do any other processing at this time.
+
+## Parser Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component) as well
+as the following:
+
+| Environment Variable     | Type   | Required | Default    | Description                                             |
+|--------------------------|--------|----------|------------|---------------------------------------------------------|
+| RAW\_OUT\_FILE\_PATH  | string | yes      | -          | The path where to find the snyk sarif report   |

components/scanners/snyk-sbom/cmd/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/new-components/scanners/snyk/internal/transformer"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("semgrep"))
+
+	ocsfTransformer, err := transformer.New()
+	if err != nil {
+		return errors.Errorf("could not create transformer: %w", err)
+	}
+
+	if err := component.RunScanner(ctx, ocsfTransformer, opts...); err != nil {
+		return errors.Errorf("could not run scanner: %w", err)
+	}
+
+	return nil
+}

components/scanners/snyk-sbom/component.yaml

@@ -0,0 +1,55 @@
+name: snyk-sbom
+description: "Runs `snyk sbom` then uploads findings to Dependency-Track"
+type: scanner
+parameters:
+  - name: snyk_token
+    type: string
+    value: ""
+  - name: dependency_track_api_key
+    type: string
+    value: ""
+  - name: dependency_track_api_url
+    type: string
+    value: ""
+  - name: dependency_track_project_name   
+    type: string
+    value: ""
+  - name: dependency_track_project_uuid
+    type: string
+    value: ""
+  - name: dependency_track_project_version
+    type: string
+    value: ""
+  - name: http_proxy
+    type: string
+    value: ""
+  - name: https_proxy
+    type: string
+    value: ""
+steps:
+  - name: run-snyk-sbom
+    image: components/scanners/snyk-sbom/scanner
+    env_vars:
+      HTTP_PROXY: "{{.parameters.http_proxy}}"
+      HTTPS_PROXY: "{{.parameters.https_proxy}}"
+      SNYK_INTEGRATION_VERSION: docker
+      SNYK_INTEGRATION_NAME: smithy
+      SNYK_TOKEN: "{{.parameters.snyk_token}}"
+    executable: /bin/snyk
+    args:
+      - sbom
+      - --prune-repeated-subdependencies 
+      - --format=cyclonedx1.4+json
+      - --all-projects
+      - --json-file-output={{scratchWorkspace}}/snyk-sbom.out
+      - "{{sourceCodeWorkspace}}/"
+  - name: upload-sbom-to-dependency-track
+    image: "components/scanners/snyk-sbom"
+    executable: /bin/app
+    env_vars:
+      RAW_OUT_FILE_PATH: "{{scratchWorkspace}}/snyk-sbom.out"
+      DEPENDENCY_TRACK_API_KEY: "{{.parameters.dependency_track_api_key}}"
+      DEPENDENCY_TRACK_API_URL: "{{.parameters.dependency_track_api_url}}"
+      DEPENDENCY_TRACK_PROJECT_NAME: "{{.parameters.dependency_track_project_name}}"
+      DEPENDENCY_TRACK_PROJECT_UUID: "{{.parameters.dependency_track_project_uuid}}"
+      DEPENDENCY_TRACK_PROJECT_VERSION: "{{.parameters.dependency_track_project_version}}"

components/scanners/snyk-sbom/go.mod

@@ -0,0 +1,71 @@
+module github.com/smithy-security/smithy/new-components/scanners/snyk
+
+go 1.23.3
+
+require (
+	github.com/DependencyTrack/client-go v0.16.0
+	github.com/go-errors/errors v1.5.1
+	github.com/jonboulle/clockwork v0.5.0
+	github.com/smithy-security/pkg/env v0.0.1
+	github.com/smithy-security/smithy/sdk v0.0.11-alpha
+	github.com/stretchr/testify v1.10.0
+	google.golang.org/protobuf v1.36.6
+)
+
+require (
+	ariga.io/atlas v0.32.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/abice/go-enum v0.6.1 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/go-openapi/inflect v0.21.2 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.4 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.27 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/sqlc-dev/sqlc v1.28.0 // indirect
+	github.com/urfave/cli/v2 v2.27.6 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
+	github.com/zclconf/go-cty-yaml v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
+	go.uber.org/mock v0.5.1 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250407143221-ac9807e6c755 // indirect
+	google.golang.org/grpc v1.71.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)