doddi/vuln-lsp

Vulnerability Language Server Protocol

This is a simple language server that surfaces vulnerability data from Sonatype products (OssIndex and Lifecycle) for the dependencies declared in a project manifest.

Once built, ensure that the vuln-lsp binary is in your $PATH.

Parameters

Backend Service

The LSP can fetch data from one of three backends: a dummy backend, OssIndex, or Sonatype Lifecycle. OssIndex is the default.

Logging

To enable logging, add the parameter --log-level=<level> to the command line arguments, where <level> is one of the following:

  • error
  • warn
  • info
  • debug
  • trace

Transitive dependency scanning

By default the LSP only scans the direct dependencies found in the project. For a more thorough scan, run the LSP with the -i flag to also include all known transitive dependencies. This feature is currently experimental.

Tracing

Tracing can be enabled to write either to a file or to OpenTelemetry. The LSP has to be built with the logging-file or the logging-otel feature, respectively.

Limitations

At the moment the metadata scanning is basic: anything beyond a typical pom.xml will fail to detect artifacts correctly. In particular, versions declared in a <dependencyManagement> section are not resolved yet, so dependencies that rely on it are missed.
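As an added example (not vuln-lsp's own code), the following Python script shows what a pom.xml scanner has to do to cover the cases the limitation above describes: it resolves direct dependencies whose version comes from <dependencyManagement> or from a ${property} placeholder, looks each resolved coordinate up in a vulnerability table, and emits LSP-style diagnostics pointing at the offending <artifactId> line. A dependency whose version cannot be resolved at all gets a warning instead of being silently dropped. SAMPLE_POM and VULN_TABLE are constructed for the example; VULN_TABLE with its placeholder advisory ids stands in for the OssIndex / Lifecycle backend.

```python
"""Added example, not part of vuln-lsp: resolve direct Maven dependencies
(including <dependencyManagement> and ${property} versions), match them
against a constructed vulnerability table and build LSP diagnostics."""
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml: one property-versioned, one managed, one unversioned dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <parser.version>1.2.0</parser.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>transport</artifactId>
        <version>3.0.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>legacy-parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>transport</artifactId>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>unversioned</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories keyed by (groupId, artifactId, version); ids are placeholders.
VULN_TABLE = {
    ("com.example", "legacy-parser", "1.2.0"): ["EXAMPLE-0001: XML external entity expansion"],
    ("com.example", "transport", "3.0.1"): ["EXAMPLE-0002: TLS hostname check bypass"],
}


def _text(el, tag):
    child = el.find(NS + tag)
    return child.text.strip() if child is not None and child.text else None


def _resolve(version, props):
    """Expand ${name} placeholders from <properties>; unknown names are left as-is."""
    if version is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)


def _artifact_lines(pom_text):
    """0-based line of each <artifactId> outside <dependencyManagement>.
    ElementTree keeps no source positions, so this is a second, textual pass."""
    found, in_mgmt = {}, False
    for i, line in enumerate(pom_text.splitlines()):
        s = line.strip()
        if s == "<dependencyManagement>":
            in_mgmt = True
        elif s == "</dependencyManagement>":
            in_mgmt = False
        elif not in_mgmt:
            m = re.fullmatch(r"<artifactId>(.+?)</artifactId>", s)
            if m and m.group(1) not in found:
                found[m.group(1)] = i
    return found


def scan_pom(pom_text, vuln_table):
    """Return (resolved direct dependencies, LSP diagnostics) for a pom.xml string."""
    root = ET.fromstring(pom_text)
    props = {p.tag[len(NS):]: (p.text or "").strip() for p in root.findall(NS + "properties/*")}
    managed = {}
    for d in root.findall(f"{NS}dependencyManagement/{NS}dependencies/{NS}dependency"):
        managed[(_text(d, "groupId"), _text(d, "artifactId"))] = _text(d, "version")
    lines, where = pom_text.splitlines(), _artifact_lines(pom_text)
    deps, diags = [], []
    for d in root.findall(f"{NS}dependencies/{NS}dependency"):
        g, a = _text(d, "groupId"), _text(d, "artifactId")
        # Explicit version wins; otherwise fall back to the managed version; then expand properties.
        v = _resolve(_text(d, "version") or managed.get((g, a)), props)
        deps.append((g, a, v))
        line = where.get(a, 0)
        rng = {"start": {"line": line, "character": 0},
               "end": {"line": line, "character": len(lines[line])}}
        if v is None or "${" in v:
            # Failure mode: no version anywhere, or a placeholder that could not be expanded.
            diags.append({"range": rng, "severity": 2, "source": "vuln-lsp-example",
                          "message": f"{g}:{a}: version could not be resolved"})
            continue
        for advisory in vuln_table.get((g, a, v), []):   # severity 1 = Error in LSP
            diags.append({"range": rng, "severity": 1, "source": "vuln-lsp-example",
                          "message": f"{g}:{a}:{v} {advisory}"})
    return deps, diags
```

Running scan_pom(SAMPLE_POM, VULN_TABLE) yields errors on the legacy-parser and transport lines and a warning on the unversioned one; the same shape is what an editor receives in textDocument/publishDiagnostics.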

Editors

Neovim

To enable the lsp for neovim, add the following to your init.lua:

vim.api.nvim_create_autocmd("BufEnter", {
  -- only the manifests vuln-lsp understands
  pattern = { "pom.xml", "Cargo.toml" },
  callback = function()
    vim.lsp.start({
      name = "vuln-lsp",
      -- the binary must be on $PATH; add "-i" here to scan transitive dependencies
      cmd = { "vuln-lsp" },
      -- project root is the directory that holds the manifest (vim.fs.root needs Neovim 0.10+)
      root_dir = vim.fs.root(0, { "pom.xml", "Cargo.toml" }),
    })
  end,
})

This will start the lsp when you open either a pom.xml or Cargo.toml file.
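The editor configuration above hides the actual exchange with the server. As an added example (not part of vuln-lsp), the following Python script performs the same steps from the command line so the server can be exercised without an editor: it frames JSON-RPC messages with the Content-Length header the LSP base protocol requires, sends initialize, initialized and textDocument/didOpen for a manifest, and collects the textDocument/publishDiagnostics notifications that come back. The command line used for the real server (vuln-lsp -i --log-level=debug) takes its flags from this README; the server output in CONSTRUCTED_STREAM is made up for the example and is not captured from vuln-lsp.

```python
"""Added example, not part of vuln-lsp: drive an LSP server over stdio
(standard LSP framing and handshake) and collect published diagnostics."""
import json
import os
import select
import subprocess
import sys
import time


def encode(msg):
    """Frame one JSON-RPC message the way LSP expects it on the wire."""
    body = json.dumps(msg).encode("utf-8")
    return b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body


def decode_one(buf):
    """Return (message, remaining bytes) for the first complete frame in buf,
    or (None, buf) if no complete frame is available yet."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None, buf
    length = None
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("LSP frame without Content-Length header")
    if len(rest) < length:
        return None, buf
    return json.loads(rest[:length].decode("utf-8")), rest[length:]


def decode_all(buf):
    """Split a byte stream into the complete messages it contains."""
    msgs = []
    while True:
        msg, buf = decode_one(buf)
        if msg is None:
            return msgs
        msgs.append(msg)


def handshake(root_uri, doc_uri, text, language_id):
    """Client side of the exchange: initialize, initialized, didOpen."""
    return [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"processId": os.getpid(), "rootUri": root_uri, "capabilities": {}}},
        {"jsonrpc": "2.0", "method": "initialized", "params": {}},
        {"jsonrpc": "2.0", "method": "textDocument/didOpen",
         "params": {"textDocument": {"uri": doc_uri, "languageId": language_id,
                                     "version": 1, "text": text}}},
    ]


def diagnostics_for(msgs, doc_uri):
    """Diagnostics the server published for doc_uri (other notifications are ignored)."""
    found = []
    for m in msgs:
        if m.get("method") == "textDocument/publishDiagnostics" and m["params"]["uri"] == doc_uri:
            found.extend(m["params"]["diagnostics"])
    return found


# Constructed server output: a log notification followed by one publishDiagnostics.
CONSTRUCTED_STREAM = encode({"jsonrpc": "2.0", "method": "window/logMessage",
                             "params": {"type": 3, "message": "scan complete"}}) + encode(
    {"jsonrpc": "2.0", "method": "textDocument/publishDiagnostics",
     "params": {"uri": "file:///tmp/demo/pom.xml",
                "diagnostics": [{"range": {"start": {"line": 16, "character": 0},
                                           "end": {"line": 16, "character": 44}},
                                 "severity": 1,
                                 "message": "com.example:legacy-parser:1.2.0 EXAMPLE-0001"}]}})


def run_against_binary(path, cmd=("vuln-lsp", "-i", "--log-level=debug"), wait=5.0):
    """Spawn the real server, send the handshake for `path` and return what it
    publishes for that document within `wait` seconds (POSIX only: select on a pipe)."""
    uri = "file://" + os.path.abspath(path)
    root_uri = "file://" + os.path.dirname(os.path.abspath(path))
    lang = "xml" if path.endswith("pom.xml") else "toml"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    proc.stdin.write(b"".join(encode(m) for m in handshake(root_uri, uri, text, lang)))
    proc.stdin.flush()
    buf, deadline = b"", time.time() + wait
    while time.time() < deadline and not diagnostics_for(decode_all(buf), uri):
        ready, _, _ = select.select([proc.stdout], [], [], max(0.0, deadline - time.time()))
        chunk = os.read(proc.stdout.fileno(), 65536) if ready else b""
        if not chunk:          # timeout, or the server exited
            break
        buf += chunk
    proc.kill()
    return diagnostics_for(decode_all(buf), uri)


if __name__ == "__main__":
    print(json.dumps(run_against_binary(sys.argv[1]), indent=2))
```

Invoked as `python3 lsp_probe.py path/to/pom.xml` (the file name is an assumption) it prints the diagnostics as JSON, which is a quick way to confirm that the backend, the -i flag or a log level behaves as expected before wiring the server into an editor.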

Vscode

To build:

cd clients/vscode
npm install

To debug the lsp in vscode, first create a launch.json file in .vscode/ with the following contents:

{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "extensionHost",
      "request": "launch",
      "name": "Debug LSP Extension",
      "runtimeExecutable": "${execPath}",
      "env": {
        "RUST_LOG": "debug"
      },
      "args": [
        "--extensionDevelopmentPath=${workspaceFolder}/clients/vscode",
        "--disable-extensions",
        "${workspaceFolder}"
      ]
    }
  ]
}

Run the debugger and, in the extension development host it launches, open a pom.xml or Cargo.toml file to test the LSP.

Intellij

Features

  • Direct dependency scanning
  • Optionally scan transitive dependencies
  • Tracing support with OpenTelemetry
  • Basic Maven support
  • Basic Cargo support
