Added --minimize option to scan command to reduce report size (#126)

* Fixes #125 by adding --minimize option to the scan command

* Make the example report match the most recent version

* Make pylint happy

* Fix minimize

.gitignore

@@ -21,7 +21,7 @@ iam-report-fake-000011112222.html
 iam-triage-fake-000011112222.csv
 #index.html
 iam-triage-fake.csv
-iam-results-example.json
+/iam-results-example.json
 iam-triage-example.csv
 iam-report-example.html
 iam-report-fake.html

CHANGELOG.md

@@ -3,13 +3,17 @@
 ## Unreleased
 * Docker
 
-## 0.2.3 (Unreleased)
+## 0.2.4 (Unreleased)
 * UI
-  * Credentials Exposure as a new finding (`#99`)
-  * Service Wildcard as a new finding (`#82`)
   * Inline Explanation of findings (`#115`)
   * Better formatting for Privilege Escalation findings (`#114`)
   * Exclusions config is in its own tab in the UI (`#107`)
+
+## 0.2.3 (2020-10-12)
+* `scan` command now has a `--minimize` option, which you can use to reduce your report size. The example report size was reduced from 3.9MB (ouch!) to 212KB. (Fixes #125)
+* UI
+  * Credentials Exposure as a new finding (`#99`)
+  * Service Wildcard as a new finding (`#82`)
 * Backend
   * Updated tests to include updated sample data
 

README.md

@@ -195,7 +195,7 @@ It will create an HTML report like [this](https://opensource.salesforce.com/clou
 
 It will also create a raw JSON data file:
 
-* `default-iam-results.json`: This contains the raw JSON output of the report. You can use this data file for operating on the scan results for various purposes. For example, you could write a Python script that parses this data and opens up automated JIRA issues or Salesforce Work Items. An example entry is shown below. The full example can be viewed at [examples/output/example-authz-details-results.json](examples/files/iam-results-example.json)
+* `default-iam-results.json`: This contains the raw JSON output of the report. You can use this data file for operating on the scan results for various purposes. For example, you could write a Python script that parses this data and opens up automated JIRA issues or Salesforce Work Items. An example entry is shown below. The full example can be viewed at [examples/files/iam-results-example.json](examples/files/iam-results-example.json)
 
 ```json
 {

cloudsplaining/bin/version.py

@@ -1,2 +1,2 @@
 # pylint: disable=missing-module-docstring
-__version__ = "0.2.2"
+__version__ = "0.2.3"

cloudsplaining/command/scan.py

@@ -58,10 +58,17 @@
     help="Don't open the HTML report in the web browser after creating. "
     "This helps when running the report in automation.",
 )
+@click.option(
+    "--minimize",
+    required=False,
+    default=False,
+    is_flag=True,
+    help="Reduce the size of the HTML Report by pulling the Cloudsplaining Javascript code over the internet."
+)
 @click_log.simple_verbosity_option()
 # pylint: disable=redefined-builtin
 def scan(
-    input_file, exclusions_file, output, skip_open_report
+    input_file, exclusions_file, output, skip_open_report, minimize
 ):  # pragma: no cover
     """
     Given the path to account authorization details files and the exclusions config file, scan all inline and
@@ -84,7 +91,8 @@ def scan(
             contents = f.read()
             account_authorization_details_cfg = json.loads(contents)
         rendered_html_report = scan_account_authorization_details(
-            account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True
+            account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True,
+            minimize=minimize
         )
         html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
         logger.info("Saving the report to %s", html_output_file)
@@ -116,7 +124,8 @@ def scan(
             account_name = Path(file).stem
             # Scan the Account Authorization Details config
             rendered_html_report = scan_account_authorization_details(
-                account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True
+                account_authorization_details_cfg, exclusions, account_name, output, write_data_files=True,
+                minimize=minimize
             )
             html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
             logger.info("Saving the report to %s", html_output_file)
@@ -136,7 +145,8 @@ def scan(
 
 
 def scan_account_authorization_details(
-    account_authorization_details_cfg, exclusions, account_name="default", output_directory=os.getcwd(), write_data_files=False
+    account_authorization_details_cfg, exclusions, account_name="default", output_directory=os.getcwd(),
+    write_data_files=False, minimize=False
 ):  # pragma: no cover
     """
     Given the path to account authorization details files and the exclusions config file, scan all inline and
@@ -162,6 +172,7 @@ def scan_account_authorization_details(
         account_id=account_id,
         account_name=account_name,
         results=results,
+        minimize=minimize
     )
     rendered_report = html_report.get_html_report()
 

cloudsplaining/output/report.py

@@ -10,17 +10,42 @@
 
 class HTMLReport:
     """Inject the JS files and report results into the final HTML report"""
-    def __init__(self, account_id, account_name, results):
+    def __init__(self, account_id, account_name, results, minimize=False):
         self.account_name = account_name
         self.account_id = account_id
         self.report_generated_time = datetime.datetime.now().strftime("%Y-%m-%d")
-
+        self.minimize = minimize
         self.results = f"var iam_data = {json.dumps(results)}"
-        with open(app_bundle_path, "r") as f:
-            self.app_bundle = f.read()
-        vendor_bundle_path = get_vendor_bundle_path()
-        with open(vendor_bundle_path, "r") as f:
-            self.vendor_bundle = f.read()
+
+    @property
+    def app_bundle(self):
+        """The Cloudsplaining Javascript application code should be loaded either from the CDN or locally,
+        depending on if the user specified the --minimize option"""
+        if self.minimize:
+            js_url = f"https://cdn.jsdelivr.net/gh/salesforce/cloudsplaining@{__version__}/cloudsplaining/output/dist/js/index.js"
+            bundle = f"<script type=\"text/javascript\" src=\"{js_url}\"></script>"
+            return bundle
+        else:
+            with open(app_bundle_path, "r") as f:
+                bundle_content = f.read()
+            bundle = f"<script type=\"text/javascript\">\n{bundle_content}\n</script>"
+            return bundle
+
+    @property
+    def vendor_bundle(self):
+        """The Javascript vendor bundle should be loaded either from the CDN or locally,
+        depending on if the user specified the --minimize option"""
+
+        if self.minimize:
+            js_url = f"https://cdn.jsdelivr.net/gh/salesforce/cloudsplaining@{__version__}/cloudsplaining/output/dist/js/chunk-vendors.js"
+            bundle = f"<script type=\"text/javascript\" src=\"{js_url}\"></script>"
+            return bundle
+        else:
+            vendor_bundle_path = get_vendor_bundle_path()
+            with open(vendor_bundle_path, "r") as f:
+                bundle_content = f.read()
+            bundle = f"<script type=\"text/javascript\">\n{bundle_content}\n</script>"
+            return bundle
 
     def get_html_report(self):
         """Returns the rendered HTML report"""

cloudsplaining/output/template.html

@@ -3,6 +3,7 @@
 <head>
     <meta charset="utf-8">
     <meta content="IE=edge" http-equiv="X-UA-Compatible">
+    <meta http-equiv="X-Content-Type-Options" content="nosniff"/>
     <meta content="width=device-width,initial-scale=1.0" name="viewport">
     <title>Cloudsplaining report</title>
     <!-- Load required Bootstrap and BootstrapVue CSS -->
@@ -43,12 +44,10 @@
     console.log(`iam data keys: ${Object.keys(iam_data)}`);
 
 </script>
-<script>
-    {{ t.vendor_bundle_js }}
-</script>
-<script>
-    {{ t.app_bundle_js }}
-</script>
+
+{{ t.vendor_bundle_js }}
+
+{{ t.app_bundle_js }}
 
 </body>
 <!--  Bootstrap-->