Opencre enrichers

components/enrichers/opencre/.env

@@ -0,0 +1,7 @@
+# This is for local setup only.
+SMITHY_INSTANCE_ID=8d719c1c-c569-4078-87b3-4951bd4012ee
+SMITHY_LOG_LEVEL=debug
+SMITHY_STORE_TYPE=postgresql
+SMITHY_REMOTE_STORE_POSTGRES_DSN="postgresql://smithy:smithy1234@findings-db:5432/findings-db?sslmode=disable&connect_timeout=10"
+CUSTOM_ANNOTATION_NAME=reachability
+CUSTOM_ANNOTATION_VALUES={"foo":"bar"}

components/enrichers/opencre/README.md

@@ -0,0 +1,18 @@
+# custom-annotation
+
+This component implements an [enricher](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+that adds a custom json annotation to the fetched vulnerability findings
+associated with the workflow.
+
+## Environment variables
+
+The component uses environment variables for configuration.
+
+It requires the component
+environment variables defined [here](https://github.com/smithy-security/smithy/blob/main/sdk/README.md#component)
+as well as the following:
+
+| Environment Variable       | Type   | Required | Default | Description                                                             |
+|----------------------------|--------|----------|---------|-------------------------------------------------------------------------|
+| CUSTOM\_ANNOTATION\_NAME     | string | yes      | -       | The name of the annotation to be added.                                 |
+| CUSTOM\_ANNOTATION\_VALUES   | string | no       | {}      | Json annotations to be added as annotation. For example '{"foo":"bar"}' |

components/enrichers/opencre/cmd/main.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/components/enrichers/opencre/internal/opencre"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("opencre-enricher"))
+
+	client := opencre.NewOpenCREClient()
+	annotator, err := opencre.NewCREEnricher(client)
+	if err != nil {
+		return errors.Errorf("error creating opencre annotator: %w", err)
+	}
+
+	if err := component.RunEnricher(ctx, annotator, opts...); err != nil {
+		return errors.Errorf("error enriching with opencre annotation: %w", err)
+	}
+
+	return nil
+}

components/enrichers/opencre/component.yaml

@@ -0,0 +1,7 @@
+name: opencre
+description: "Adds a cre enrichment to the passed findings"
+type: enricher
+steps:
+  - name: cre-enrichment
+    image: components/enrichers/opencre
+    executable: /bin/app

components/enrichers/opencre/go.mod

@@ -0,0 +1,57 @@
+module github.com/smithy-security/smithy/components/enrichers/opencre
+
+go 1.23.7
+
+require github.com/smithy-security/smithy/sdk v0.0.14-alpha
+
+require (
+	ariga.io/atlas v0.29.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/abice/go-enum v0.6.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/bmatcuk/doublestar v1.3.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-openapi/inflect v0.19.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.18.1 // indirect
+	github.com/huandu/xstrings v1.3.3 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.6.0 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/labstack/gommon v0.4.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/smithy-security/pkg/env v0.0.1 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/sqlc-dev/sqlc v1.27.0 // indirect
+	github.com/urfave/cli/v2 v2.26.0 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/tools/cmd/cover v0.1.0-deprecated // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+)