From 23f426c4fee6f22f9c00d9eb5000507e0064e192 Mon Sep 17 00:00:00 2001 From: Levan Giguashvili Date: Thu, 7 Dec 2017 10:48:09 +0200 Subject: [PATCH] feat: add docker files for CLI and update README --- README.md | 128 ++++++++++++++++- docker/Dockerfile.gradle-2.8 | 43 ++++++ docker/Dockerfile.maven-3.5.2 | 42 ++++++ docker/Dockerfile.npm_ruby | 25 ++++ docker/Dockerfile.sbt-0.13.16 | 47 ++++++ docker/docker-entrypoint.sh | 68 +++++++++ docker/snyk_report.css | 263 ++++++++++++++++++++++++++++++++++ 7 files changed, 611 insertions(+), 5 deletions(-) create mode 100644 docker/Dockerfile.gradle-2.8 create mode 100644 docker/Dockerfile.maven-3.5.2 create mode 100644 docker/Dockerfile.npm_ruby create mode 100644 docker/Dockerfile.sbt-0.13.16 create mode 100755 docker/docker-entrypoint.sh create mode 100644 docker/snyk_report.css diff --git a/README.md b/README.md index 84dcbe6b27..36625375db 100644 --- a/README.md +++ b/README.md @@ -10,13 +10,21 @@ Snyk helps you find, fix and monitor for known vulnerabilities in Node.js npm, R [Full documentation is available on snyk.io](https://snyk.io/docs/using-snyk/?utm_campaign=docs&utm_medium=github&utm_source=full_docs) +## Table Of Contents: + +- [Installation](#installation) +- [CLI](#cli) +- [Features](#features) +- [Build](#build) +- [Docker](#docker) +- [Badge](#badge) ## Installation 1. Install the Snyk utility using `npm install -g snyk`. 2. Once installed you will need to authenticate with your Snyk account: `snyk auth` -For more detail on how to authenticate take a look at the [CLI authentication](https://snyk.io/docs/using-snyk#authentication?utm_campaign=docs&utm_medium=github&utm_source=CLI_authentication) section of the Snyk documentation. +For more detail on how to authenticate take a look at the [CLI authentication](https://snyk.io/docs/using-snyk#authentication?utm_campaign=docs&utm_medium=github&utm_source=CLI_authentication) section of the Snyk documentation. ## CLI @@ -24,16 +32,16 @@ For more detail on how to authenticate take a look at the [CLI authentication](h snyk [options] [command] [package] ``` -Run `snyk --help` to get a quick overview of all commands or for full details on the CLI read the snyk.io [CLI docs](https://snyk.io/docs/using-snyk?utm_campaign=docs&utm_medium=github&utm_source=cli). +Run `snyk --help` to get a quick overview of all commands or for full details on the CLI read the snyk.io [CLI docs](https://snyk.io/docs/using-snyk?utm_campaign=docs&utm_medium=github&utm_source=cli). The package argument is optional. If no package is given, Snyk will run the command against the current working directory allowing you test you non-public applications. ## Features - **Find** known vulnerabilities by running `snyk test` on a project either as a one off or as part of your CI process. -- **Fix** vulnerabilities using `snyk wizard` and `snyk protect`. - - `snyk wizard` walks you through finding and fixing know vulnerabilities in your project. Remidiation options include configuring your policy file to update, auto patch and ignore vulnerabilities. (npm only) - - `snyk protect` your code from vulnerabilities by applying patches and optionally suppressing specific vulnerabilities. +- **Fix** vulnerabilities using `snyk wizard` and `snyk protect`. + - `snyk wizard` walks you through finding and fixing know vulnerabilities in your project. Remediation options include configuring your policy file to update, auto patch and ignore vulnerabilities. (npm only) + - `snyk protect` your code from vulnerabilities by applying patches and optionally suppressing specific vulnerabilities. - **Alert** `snyk monitor` records the state of dependencies and any vulnerabilities on snyk.io so you can be alerted when new vulnerabilities or updates/patches are disclosed that affect your repositories. - **Prevent** new vulnerable dependencies from being added to your project by running `snyk test` as part of your CI to fail tests when vulnerable Node.js or Ruby dependencies are added. @@ -48,6 +56,114 @@ This will create a `dist` directory with the minimal lodash file. When using the package via npm, the build is not needed as the `dist` directory is already included in the npm package. +## Docker + +Snyk is also provided as a set of Docker images thatcarry the runtime environment of each package manager. For example the npm image will carry all of the needed setup to run `npm install` on the currently running container. Currently there are images for npm, Ruby, Maven, Gradle and SBT. + +The images can perform `snyk test` by default on the specified project which is mounted to the container as a read/write volume and `snyk monitor` when the `MONITOR` environment variable is set when running the docker container. When running `snyk monitor` with the `GENERATE_REPORT` environment variable set an html file called `snyk-report.html` and a CSS file called `snyk-report.css` will be generated. The image also writes a file called `snyk-res.json` for internal use and `snyk-error.log` for errors that we can look at if something goes wrong. + + +The following environment variables can be used when running the container on docker: + +- `SNYK_TOKEN` - Snyk API token, obtained from [https://snyk.io/account](https://snyk.io/account). +- `USER_ID` - [OPTIONAL] Current user ID on the host machine. If not provided will take the user ID of the currently running user inside the container. This is used for CI builds such as Jenkins where we are running with a non-privileged user and want to allow the user to access the mounted project folder. +- `MONITOR` - [OPTIONAL] If set, tells the image that we want to run `snyk monitor` after running `snyk test`. +- `TARGET_FILE_DIR` - [OPTIONAL] If set, this will cd to the directory inside the mounted project dir to run snyk inside it. +- `GENERATE_REPORT` - [OPTIONAL] if set, this will generate the HTML report with a summary of the vulnerabilities detected by snyk. + +Docker images are tagged according to the package manager runtime they include the package manager version and snyk version. +The general format of tags is [snyk-version]-[package-manager]-[package-manager-version] or [package-manager]-[package-manager-version] if we want to use the latest version of snyk. Please see available tags to see the available options. + +[snyk-version] - The version of snyk that is installed in the image, if version is omitted it will use the latest version. +[package-manager] - One of the available package managers (e.g: mvn, gradle, etc...). +[package-manager-version] - The version of the package manager that is installed inside the image. + +### NodeJS + + +We will need to mount the project root folder when running the image so that Snyk can access the code within the container. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Please see the following examples on how to run Snyk inside docker: + +This is an example of running `snyk test` and `snyk monitor` in the image with Snyk latest version + +``` +docker run -it + -e "SNYK_TOKEN=" + -e "USER_ID=1234" + -e "MONITOR=true" + -e "TARGET_FILE=package.json" + -v ":/project" + snyk/snyk-cli:npm test --org=my-org-name +``` + +### RubyGems + +We will need to mount the project root folder when running the image so that Snyk can access the code within the container. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Please see the following examples on how to run Snyk inside docker: + +This is an example of running `snyk test` and `snyk monitor` in the image with Snyk latest version + +``` +docker run -it + -e "SNYK_TOKEN=" + -e "USER_ID=1234" + -e "MONITOR=true" + -e "TARGET_FILE=Gemfile.lock" + -v ":/project" + snyk/snyk-cli:rubygems test --org=my-org-name +``` + +### Maven 3.5.2 + +We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Please see the following examples on how to run Snyk inside docker: + +This is an example of running `snyk test` and `snyk monitor` in the image with Snyk latest version + +``` +docker run -it + -e "SNYK_TOKEN=" + -e "USER_ID=1234" + -e "MONITOR=true" + -v ":/project" + -v "/home/user/.m2:/home/node/.m2" + -v "/home/user/.ivy2:/home/node/.ivy2" + snyk/snyk-cli:mvn-3.5.2 test --org=my-org-name +``` + +### SBT 0.13.16 + +We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Please see the following examples on how to run Snyk inside docker: + +dependency-tree module is required as a global module in version 0.8.2. Please see [this repo](https://github.com/jrudolph/sbt-dependency-graph/tree/v0.8.2) for installation instructions. + +This is an example of running `snyk test` and `snyk monitor` in the image with Snyk latest version + +``` +docker run -it + -e "SNYK_TOKEN=" + -e "USER_ID=1234" + -e "MONITOR=true" + -v ":/project" + -v "/home/user/.m2:/home/node/.m2" + -v "/home/user/.ivy2:/home/node/.ivy2" + snyk/snyk-cli:sbt-0.13.16 test --org=my-org-name +``` + +### Gradle 2.8 + +We will need to mount the project root folder when running the image so that Snyk can access the code within the container and mount the local .m2 and .ivy2 folders. The host project folder will be mounted to `/project` on the container and will be used to read the dependencies file and write results for CI builds. Please see the following examples on how to run Snyk inside docker: + +This is an example of running `snyk test` and `snyk monitor` in the image with Snyk latest version + +``` +docker run -it + -e "SNYK_TOKEN=" + -e "USER_ID=1234" + -e "MONITOR=true" + -v ":/project" + -v "/home/user/.m2:/home/node/.m2" + -v "/home/user/.ivy2:/home/node/.ivy2" + snyk/snyk-cli:gradle-2.8 test [args] +``` + ## Badge Once you’re vulnerability free, you can put a badge on your README showing your package has no known security holes. This will show your users you care about security, and tell them that they should care too. @@ -76,3 +192,5 @@ Markdown: [![Analytics](https://ga-beacon.appspot.com/UA-69111857-2/Snyk/snyk?pixel)](https://snyk.io/) + + diff --git a/docker/Dockerfile.gradle-2.8 b/docker/Dockerfile.gradle-2.8 new file mode 100644 index 0000000000..7189f84b34 --- /dev/null +++ b/docker/Dockerfile.gradle-2.8 @@ -0,0 +1,43 @@ +FROM node:8-slim + +MAINTAINER Snyk Ltd + +# Install Java 8 +RUN echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list +RUN echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list + +# Accept license non-iteractive +RUN echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections +RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 +RUN apt-get update +RUN apt-get install -y oracle-java8-installer oracle-java8-set-default + +#Install gradle +RUN curl -L https://services.gradle.org/distributions/gradle-2.8-bin.zip -o gradle-2.8-bin.zip && \ + apt-get install -y unzip && \ + unzip gradle-2.8-bin.zip -d /home/node/ + +# Install snyk cli +RUN npm install --global snyk snyk-to-html && \ + apt-get update && \ + apt-get install jq + +ENV GRADLE_HOME=/home/node/gradle-2.8 +ENV PATH=$PATH:$GRADLE_HOME/bin + +RUN chmod -R a+wrx /home/node +WORKDIR /home/node +ENV HOME /home/node +ENV M2 /home/node/.m2 + +# The path at which the project is mounted (-v runtime arg) +ENV PROJECT_PATH /project + +ADD docker-entrypoint.sh . +ADD snyk_report.css . + +ENTRYPOINT ["./docker-entrypoint.sh"] + +# Default command is `snyk test` +# Override with `docker run ... snyk/snyk-cli ` +CMD ["test"] diff --git a/docker/Dockerfile.maven-3.5.2 b/docker/Dockerfile.maven-3.5.2 new file mode 100644 index 0000000000..3cfadda6f6 --- /dev/null +++ b/docker/Dockerfile.maven-3.5.2 @@ -0,0 +1,42 @@ +FROM node:8-slim + +MAINTAINER Snyk Ltd + +# Install Java 8 +RUN echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list +RUN echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list + +# Accept license non-iteractive +RUN echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections +RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 +RUN apt-get update +RUN apt-get install -y oracle-java8-installer oracle-java8-set-default + +#Install maven +RUN wget http://www-eu.apache.org/dist/maven/maven-3/3.5.2/binaries/apache-maven-3.5.2-bin.tar.gz +RUN tar -xvzf apache-maven-3.5.2-bin.tar.gz +RUN rm -f apache-maven-3.5.2-bin.tar.gz + +# Install snyk cli +RUN npm install --global snyk snyk-to-html && \ + apt-get update && \ + apt-get install jq + +RUN chmod -R a+wrx /home/node +WORKDIR /home/node +ENV HOME /home/node +ENV M2 /home/node/.m2 +ENV PATH /apache-maven-3.5.2/bin:$PATH + +# The path at which the project is mounted (-v runtime arg) +ENV PROJECT_PATH /project + +ADD docker-entrypoint.sh . +ADD snyk_report.css . + +ENTRYPOINT ["./docker-entrypoint.sh"] + +# Default command is `snyk test` +# Override with `docker run ... snyk/snyk-cli ` +CMD ["test"] + diff --git a/docker/Dockerfile.npm_ruby b/docker/Dockerfile.npm_ruby new file mode 100644 index 0000000000..a6695c00dd --- /dev/null +++ b/docker/Dockerfile.npm_ruby @@ -0,0 +1,25 @@ +FROM node:8-slim + +MAINTAINER Snyk Ltd + +# Install snyk cli +RUN npm install --global snyk snyk-to-html && \ + apt-get update && \ + apt-get install jq + +RUN chmod -R a+wrx /home/node +WORKDIR /home/node +ENV HOME /home/node + +# The path at which the project is mounted (-v runtime arg) +ENV PROJECT_PATH /project + +ADD docker-entrypoint.sh . +ADD snyk_report.css . + +ENTRYPOINT ["./docker-entrypoint.sh"] + +# Default command is `snyk test` +# Override with `docker run ... snyk/snyk-cli ` +CMD ["test"] + diff --git a/docker/Dockerfile.sbt-0.13.16 b/docker/Dockerfile.sbt-0.13.16 new file mode 100644 index 0000000000..77d95a05aa --- /dev/null +++ b/docker/Dockerfile.sbt-0.13.16 @@ -0,0 +1,47 @@ +FROM node:8-slim + +MAINTAINER Snyk Ltd + +# Install Java 8 +RUN echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list +RUN echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list + +# Accept license non-iteractive +RUN echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections +RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 +RUN apt-get update +RUN apt-get install -y oracle-java8-installer oracle-java8-set-default + +#Install sbt +RUN echo "deb https://dl.bintray.com/sbt/debian /" | tee -a /etc/apt/sources.list.d/sbt.list && \ + apt-get install apt-transport-https && \ + curl -L -o sbt.deb http://dl.bintray.com/sbt/debian/sbt-0.13.16.deb && \ + dpkg -i sbt.deb + +RUN echo "docker-user ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers && \ + mkdir -p /home/node/.sbt/0.13/plugins && \ + echo "addSbtPlugin(\"net.virtual-void\" % \"sbt-dependency-graph\" % \"0.8.2\")" >> /home/node/.sbt/0.13/plugins/build.sbt && \ + echo "net.virtualvoid.sbt.graph.DependencyGraphSettings.graphSettings" >> /home/node/.sbt/0.13/user.sbt && \ + echo "-sbt-version 0.13.16" >> /etc/sbt/sbtopts + +# Install snyk cli +RUN npm install --global snyk snyk-to-html && \ + apt-get update && \ + apt-get install -y jq + +RUN chmod -R a+wrx /home/node +WORKDIR /home/node +ENV HOME /home/node +ENV M2 /home/node/.m2 + +# The path at which the project is mounted (-v runtime arg) +ENV PROJECT_PATH /project + +ADD docker-entrypoint.sh . +ADD snyk_report.css . + +ENTRYPOINT ["./docker-entrypoint.sh"] + +# Default command is `snyk test` +# Override with `docker run ... snyk/snyk-cli ` +CMD ["test"] diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh new file mode 100755 index 0000000000..a3b78b7286 --- /dev/null +++ b/docker/docker-entrypoint.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +OUTPUT_FILE=snyk-result.json +ERROR_FILE=snyk-error.log +HTML_FILE=snyk_report.html +SNYK_COMMAND="$1" +SNYK_PARAMS="${@:2}" + +if [ -z $USER_ID ]; then + USER_ID=`id -u` +fi + +if [ $USER_ID -ne 0 ]; then + useradd -m -o -u $USER_ID -d /home/node docker-user 2>/dev/null +fi + +runCmdAsDockerUser () { + if [ $USER_ID -ne 0 ]; then + su docker-user -m -c "$1; status=$?" + else + bash -c "$1; status=$?" + fi + + return $status +} + +exitWithMsg () { + echo "Failed to run the process ..." + + if [ -f $1 ]; then + cat "$1" + else + echo "$1" + fi + + exit $2 +} + +if [ -z $SNYK_TOKEN ]; then + exitWithMsg "Missing \$SNYK_TOKEN" 1 +fi + +cd "$PROJECT_PATH/$TARGET_FILE_DIR" + +runCmdAsDockerUser "PATH=$PATH snyk $SNYK_COMMAND $SNYK_PARAMS --json > $OUTPUT_FILE 2>$ERROR_FILE" + +RC=$? + +if [ $RC -ne "0" ] && [ $RC -ne "1" ]; then + exitWithMsg "$OUTPUT_FILE" $RC +fi + +if [ ! -z $MONITOR ]; then + runCmdAsDockerUser "PATH=$PATH snyk monitor $SNYK_PARAMS" +fi + +if [ ! -z $GENERATE_REPORT ]; then + runCmdAsDockerUser "cat $OUTPUT_FILE | jq '.vulnerabilities|= map(. + {severity_numeric: (if(.severity) == \"high\" then 1 else (if(.severity) == \"medium\" then 2 else (if(.severity) == \"low\" then 3 else 4 end) end) end)}) |.vulnerabilities |= sort_by(.severity_numeric) | del(.vulnerabilities[].severity_numeric)' | snyk-to-html | sed 's/<\/head>/ <\/head>/' > $HTML_FILE" + runCmdAsDockerUser "cat /home/node/snyk_report.css > snyk_report.css" +fi + +if [ $RC -ne "0" ]; then + exitWithMsg "$OUTPUT_FILE" $RC +fi + +cat $OUTPUT_FILE + +exit $RC diff --git a/docker/snyk_report.css b/docker/snyk_report.css new file mode 100644 index 0000000000..86202f197f --- /dev/null +++ b/docker/snyk_report.css @@ -0,0 +1,263 @@ +body { + -moz-font-feature-settings: "pnum"; + -webkit-font-feature-settings: "pnum"; + font-variant-numeric: proportional-nums; + display: flex; + flex-direction: column; + font-feature-settings: "pnum"; + font-size: 100%; + line-height: 1.5; + min-height: 100vh; + -webkit-text-size-adjust: 100%; + margin: 0; + padding: 0; + background-color: #F5F5F5; + font-family: 'Arial', 'Helvetica', Calibri, sans-serif; +} + +h1, +h2, +h3, +h4, +h5, +h6 { + font-weight: 500; +} + +a, +a:link, +a:visited { + border-bottom: 1px solid #4b45a9; + text-decoration: none; + color: #4b45a9; +} + +a:hover, +a:focus, +a:active { + border-bottom: 2px solid #4b45a9; +} + +hr { + border: none; + margin: 1em 0; + border-top: 1px solid #c5c5c5; +} + +ul { + padding: 0 1em; + margin: 1em 0; +} + +code { + background-color: #EEE; + color: #333; + padding: 0.25em 0.5em; + border-radius: 0.25em; +} + +pre { + background-color: #333; + font-family: monospace; + padding: 0.5em 1em 0.75em; + border-radius: 0.25em; + font-size: 14px; +} + +pre code { + padding: 0; + background-color: transparent; + color: #fff; +} + +a code { + border-radius: .125rem .125rem 0 0; + padding-bottom: 0; + color: #4b45a9; +} + +a[href^="http://"]:after, +a[href^="https://"]:after { + background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); + background-repeat: no-repeat; + background-size: .75rem; + content: ""; + display: inline-block; + height: .75rem; + margin-left: .25rem; + width: .75rem; +} + + +/* Layout */ + +[class*=layout-container] { + margin: 0 auto; + max-width: 71.25em; + padding: 1.9em 1.3em; + position: relative; +} +.layout-container--short { + padding-top: 0; + padding-bottom: 0; +} + +.layout-container--short:after { + display: block; + content: ""; + clear: both; +} + +/* Header */ + +.header { + padding-bottom: 1px; +} + +.project__header { + background-color: #4C4A73; + color: #fff; + margin-bottom: -1px; + padding-top: 1em; + padding-bottom: 0.25em; + border-bottom: 2px solid #BBB; +} + +.project__header__title { + overflow-wrap: break-word; + word-wrap: break-word; + word-break: break-all; + margin-bottom: .1em; + margin-top: 0; + float: left; +} + +.timestamp { + float: right; + clear: none; + margin-bottom: 0; +} + +.meta-counts { + clear: both; + display: block; + flex-wrap: wrap; + justify-content: space-between; + margin: 0 0 1.5em; + color: #fff; + clear: both; + font-size: 1.1em; +} + +.meta-count { + display: block; + flex-basis: 100%; + margin: 0 1em 1em 0; + float: left; + padding-right: 1em; + border-right: 2px solid #fff; +} + +.meta-count:last-child { + border-right: 0; + padding-right: 0; + margin-right: 0; +} + +/* Card */ + +.card { + background-color: #fff; + border: 1px solid #c5c5c5; + border-radius: .25rem; + margin: 0 0 2em 0; + position: relative; + min-height: 40px; + padding: 1.5em; +} + +.card .label { + background-color: #767676; + border: 2px solid #767676; + color: white; + padding: 0.25rem 0.75rem; + font-size: 0.875rem; + text-transform: uppercase; + display: inline-block; + margin: 0; + border-radius: 0.25rem; +} + +.card .label__text { + vertical-align: text-top; +} + +.card .label--high { + background-color: #B51B72; + border-color: #B51B72; +} + +.card .label--medium { + background-color: #E29022; + border-color: #E29022; +} + +.card .label--low { + background-color: #222049; + border-color: #222049; +} + +.card .card.severity--low { + border-color: #222049; +} + +.card .card.severity--medium { + border-color: #E29022; +} + +.card .card.severity--high { + border-color: #B51B72; +} + +.card--vuln { + padding-top: 4em; + max-width: 48.75em; +} + +.card--vuln .label { + left: 0; + position: absolute; + top: 1.1em; + padding-left: 1.9em; + padding-right: 1.9em; + border-radius: 0 0.25rem 0.25rem 0; +} + +.card--vuln .card__section h2 { + font-size: 22px; + margin-bottom: 0.5em; +} + +.card--vuln .card__section p { + margin: 0 0 0.5em 0; +} + +.card--vuln .card__meta { + padding: 0 0 0 1em; + margin: 0; + font-size: 1.1em; +} + +.card .card__meta__paths { + font-size: 0.9em; +} + +.card--vuln .card__title { + font-size: 28px; + margin-top: 0; +} + +.card--vuln .card__cta p { + margin: 0; + text-align: right; +}