From d5c433a9fc436d445a6dd3cc8c943180d00fee82 Mon Sep 17 00:00:00 2001
From: barv
Date: Sun, 25 Aug 2024 14:32:41 +0300
Subject: [PATCH 1/8] Undetermined reason for undetermined contextual analysis status
---
 formats/sarifutils/sarifutils.go | 15 +++++++++++++++
 formats/sarifutils/test_sarifutils.go | 13 +++++++++++++
 formats/simplejsonapi.go | 1 +
 utils/resultstable.go | 1 +
 utils/resultstable_test.go | 13 +++++++++++++
 5 files changed, 43 insertions(+)
diff --git a/formats/sarifutils/sarifutils.go b/formats/sarifutils/sarifutils.go
index e061c4ff..341dac4e 100644
--- a/formats/sarifutils/sarifutils.go
+++ b/formats/sarifutils/sarifutils.go
@@ -234,6 +234,21 @@ func GetRuleFullDescription(rule *sarif.ReportingDescriptor) string {
 return ""
 }
 
+func GetRuleProperty(key string, rule *sarif.ReportingDescriptor) string {
+ if rule != nil && rule.Properties != nil && rule.Properties[key] != nil {
+ prop, ok := rule.Properties[key].(string)
+ if !ok {
+ return ""
+ }
+ return prop
+ }
+ return ""
+}
+
+func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
+ return GetRuleProperty("undetermined_reason", rule)
+}
+
 func GetRunRules(run *sarif.Run) []*sarif.ReportingDescriptor {
 if run != nil && run.Tool.Driver != nil {
 return run.Tool.Driver.Rules
diff --git a/formats/sarifutils/test_sarifutils.go b/formats/sarifutils/test_sarifutils.go
index 2de6c19e..f797d0e2 100644
--- a/formats/sarifutils/test_sarifutils.go
+++ b/formats/sarifutils/test_sarifutils.go
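Review bot: `GetRuleProperty` looks `rule.Properties[key]` up twice and guards `rule.Properties != nil` although indexing a nil map simply yields nil, so the body reduces to `if rule == nil { return "" }` followed by `prop, _ := rule.Properties[key].(string)` and `return prop`, which returns "" for an absent key, a nil value and a non-string value exactly as the current code does. Both new functions are exported without a doc comment; suggest `// GetRuleProperty returns the string value of the rule property key, or "" when the rule is nil or the property is missing or not a string.` and `// GetRuleUndeterminedReason returns the rule's "undetermined_reason" property, or "" when it is not set.` The value is lifted straight out of the scan's SARIF, so the doc should make clear it is free text to be displayed rather than a status the caller can switch on.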
@@ -24,6 +24,19 @@ func CreateRunWithDummyResultAndRuleProperties(property, value string, result *s
 return run
 }
 
+func CreateRunWithDummyResultAndRuleMultipleProperties(result *sarif.Result, properties, values []string) *sarif.Run {
+ run := sarif.NewRunWithInformationURI("", "")
+ if result.RuleID != nil {
+ run.AddRule(*result.RuleID)
+ }
+ run.AddResult(result)
+ run.Tool.Driver.Rules[0].Properties = make(sarif.Properties, len(properties))
+ for index, _ := range properties {
+ run.Tool.Driver.Rules[0].Properties[properties[index]] = values[index]
+ }
+ return run
+}
+
 func CreateResultWithLocations(msg, ruleId, level string, locations ...*sarif.Location) *sarif.Result {
 return &sarif.Result{
 Message: *sarif.NewTextMessage(msg),
diff --git a/formats/simplejsonapi.go b/formats/simplejsonapi.go
index 26ec121b..31d2bbfe 100644
--- a/formats/simplejsonapi.go
+++ b/formats/simplejsonapi.go
@@ -96,6 +96,7 @@ type CveRow struct {
 type Applicability struct {
 Status string `json:"status"`
 ScannerDescription string `json:"scannerDescription,omitempty"`
+ UndeterminedReason string `json:"undeterminedReason,omitempty"`
 Evidence []Evidence `json:"evidence,omitempty"`
 }
 
diff --git a/utils/resultstable.go b/utils/resultstable.go
index 1ad6daae..23aeaa02 100644
--- a/utils/resultstable.go
+++ b/utils/resultstable.go
@@ -937,6 +937,7 @@ func getCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 if rule, _ := applicabilityRun.GetRuleById(jasutils.CveToApplicabilityRuleId(cveId)); rule != nil {
 applicability.ScannerDescription = sarifutils.GetRuleFullDescription(rule)
 status := getApplicabilityStatusFromRule(rule)
+ applicability.UndeterminedReason = sarifutils.GetRuleUndeterminedReason(rule)
 if status != "" {
 applicabilityStatuses = append(applicabilityStatuses, status)
 }
diff --git a/utils/resultstable_test.go b/utils/resultstable_test.go
index ea41591c..f40d2949 100644
--- a/utils/resultstable_test.go
+++ b/utils/resultstable_test.go
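Review bot: `for index, _ := range properties` should be `for i, key := range properties` with `run.Tool.Driver.Rules[0].Properties[key] = values[i]` — `gofmt -s` rewrites the blank second variable away, and the key lookup reads better than `properties[index]`. A `values` slice shorter than `properties` panics with an index out of range inside the loop (a later patch in this series adds a length guard), and a `result` without `RuleID` skips `AddRule` but still indexes `run.Tool.Driver.Rules[0]`, which then panics on the empty slice; for a fixture builder a `panic` with an explanatory message at the top of the function is kinder than either. The helper should also carry a short comment, e.g. `// CreateRunWithDummyResultAndRuleMultipleProperties builds a run holding result and sets properties[i] = values[i] on its single rule.`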
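Review bot: The new `UndeterminedReason` field has no comment saying where it comes from or when it is populated, and the neighbouring fields give no hint either. Suggest `// UndeterminedReason carries the scanner's explanation for an undetermined applicability status, taken from the rule's "undetermined_reason" property.` so consumers of the JSON know it is descriptive text rather than a code they can branch on.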
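Review bot: `applicability.UndeterminedReason` is assigned unconditionally for every matching rule, independent of `status`, so a reason is recorded even when the rule reports a non-undetermined status, and if this `if` sits inside a loop over `applicabilityScanResults` (as the `applicabilityRun` name and the `applicabilityStatuses` accumulation suggest) the last run's value wins, including an empty one overwriting a real reason. Suggest `if reason := sarifutils.GetRuleUndeterminedReason(rule); reason != "" { applicability.UndeterminedReason = reason }`, or set it only once the final status resolves to undetermined. The enclosing function starts outside the hunk; the same line is re-pointed at a different helper in patch 7 and patch 8 (their -937 hunks) without addressing this.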
@@ -722,6 +722,19 @@ func TestGetApplicableCveValue(t *testing.T) {
 {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String()}},
 },
 },
+ {
+ name: "undetermined with undetermined reason",
+ scanResults: &ExtendedScanResults{
+ ApplicabilityScanResults: []*sarif.Run{
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability", "undetermined_reason"}, []string{"undetermined", "however"}),
+ },
+ EntitledForJas: true},
+ cves: []services.Cve{{Id: "testCve2"}},
+ expectedResult: jasutils.ApplicabilityUndetermined,
+ expectedCves: []formats.CveRow{
+ {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String(), UndeterminedReason: "however"}},
+ },
+ },
 }

 for _, testCase := range testCases {
From 92ed481f354179904f4f2d8ff4e176410a290dcc Mon Sep 17 00:00:00 2001
From: barv
Date: Sun, 25 Aug 2024 14:39:47 +0300
Subject: [PATCH 2/8] Undetermined reason for undetermined contextual analysis status
---
 formats/sarifutils/test_sarifutils.go | 11 -----------
 utils/resultstable_test.go | 14 +++++++-------
 2 files changed, 7 insertions(+), 18 deletions(-)
diff --git a/formats/sarifutils/test_sarifutils.go b/formats/sarifutils/test_sarifutils.go
index f797d0e2..3c75dce6 100644
--- a/formats/sarifutils/test_sarifutils.go
+++ b/formats/sarifutils/test_sarifutils.go
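Review bot: The new case only covers the happy path where `undetermined_reason` accompanies an `undetermined` status; there is no case for a rule carrying a reason alongside a different status, nor for two runs where only one reports a reason, which is exactly where the unconditional assignment in `getCveApplicabilityField` would show. Adding those two table entries would pin down which behaviour is intended before the field reaches consumers. A value such as `"some reason"` would also read more naturally than `"however"` in the expectation.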
@@ -13,17 +13,6 @@ func CreateRunWithDummyResults(results ...*sarif.Result) *sarif.Run {
 return run
 }
 
-func CreateRunWithDummyResultAndRuleProperties(property, value string, result *sarif.Result) *sarif.Run {
- run := sarif.NewRunWithInformationURI("", "")
- if result.RuleID != nil {
- run.AddRule(*result.RuleID)
- }
- run.AddResult(result)
- run.Tool.Driver.Rules[0].Properties = make(sarif.Properties)
- run.Tool.Driver.Rules[0].Properties[property] = value
- return run
-}
-
 func CreateRunWithDummyResultAndRuleMultipleProperties(result *sarif.Result, properties, values []string) *sarif.Run {
 run := sarif.NewRunWithInformationURI("", "")
 if result.RuleID != nil {
diff --git a/utils/resultstable_test.go b/utils/resultstable_test.go
index f40d2949..eb183239 100644
--- a/utils/resultstable_test.go
+++ b/utils/resultstable_test.go
@@ -682,9 +682,9 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - applicable wins all statuses",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "applicable", sarifutils.CreateDummyPassingResult("applic_testCve1")),
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_applicable", sarifutils.CreateDummyPassingResult("applic_testCve2")),
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve3")),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"applicable"}),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve3"), []string{"applicability"}, []string{"not_covered"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
@@ -698,8 +698,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - not covered wins not applicable",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve1")),
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_applicable", sarifutils.CreateDummyPassingResult("applic_testCve2")),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
@@ -712,8 +712,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - undetermined wins not covered",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve1")),
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "undetermined", sarifutils.CreateDummyPassingResult("applic_testCve2")),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+ sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"undetermined"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
From 65631752c41ae0951c66eb6a3dbf9a97cfb9e030 Mon Sep 17 00:00:00 2001
From: barv
Date: Sun, 25 Aug 2024 16:46:19 +0300
Subject: [PATCH 3/8] Undetermined reason for undetermined contextual analysis status
---
 formats/sarifutils/test_sarifutils.go | 9 +++++++--
 utils/resultstable_test.go | 16 ++++++++--------
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/formats/sarifutils/test_sarifutils.go b/formats/sarifutils/test_sarifutils.go
index 3c75dce6..9ce9c127 100644
--- a/formats/sarifutils/test_sarifutils.go
+++ b/formats/sarifutils/test_sarifutils.go
@@ -1,6 +1,8 @@
 package sarifutils
 
-import "github.com/owenrumney/go-sarif/v2/sarif"
+import (
+ "github.com/owenrumney/go-sarif/v2/sarif"
+)

 func CreateRunWithDummyResults(results ...*sarif.Result) *sarif.Run {
 run := sarif.NewRunWithInformationURI("", "")
@@ -13,7 +15,10 @@ func CreateRunWithDummyResults(results ...*sarif.Result) *sarif.Run {
 return run
 }
 
-func CreateRunWithDummyResultAndRuleMultipleProperties(result *sarif.Result, properties, values []string) *sarif.Run {
+func CreateRunWithDummyResultAndRuleProperties(result *sarif.Result, properties, values []string) *sarif.Run {
+ if len(properties) != len(values) {
+ return nil
+ }
 run := sarif.NewRunWithInformationURI("", "")
 if result.RuleID != nil {
 run.AddRule(*result.RuleID)
diff --git a/utils/resultstable_test.go b/utils/resultstable_test.go
index eb183239..750d516f 100644
--- a/utils/resultstable_test.go
+++ b/utils/resultstable_test.go
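Review bot: Returning `nil` when `len(properties) != len(values)` turns a fixture mistake into a nil `*sarif.Run` that only blows up later when the test dereferences it, far from the call site; for a test-only builder `panic("CreateRunWithDummyResultAndRuleProperties: properties and values must have the same length")` fails loudly at the point of misuse. The guard also leaves the `run.Tool.Driver.Rules[0]` access further down the body (visible in patch 1's version of the helper) unprotected when `result.RuleID` is nil. As far as the visible hunks show, `utils/resultwriter_test.go` still calls the old three-argument `CreateRunWithDummyResultAndRuleProperties` until patch 4 updates it, so the test package does not compile at this commit or the previous one. The function body continues outside the hunk.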
@@ -682,9 +682,9 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - applicable wins all statuses",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"applicable"}),
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve3"), []string{"applicability"}, []string{"not_covered"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"applicable"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve3"), []string{"applicability"}, []string{"not_covered"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
@@ -698,8 +698,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - not covered wins not applicable",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
@@ -712,8 +712,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "new scan statuses - undetermined wins not covered",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"undetermined"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"undetermined"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
@@ -726,7 +726,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 name: "undetermined with undetermined reason",
 scanResults: &ExtendedScanResults{
 ApplicabilityScanResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability", "undetermined_reason"}, []string{"undetermined", "however"}),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability", "undetermined_reason"}, []string{"undetermined", "however"}),
 },
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve2"}},
From 7acda7f74dffc748f16a9aef9dce10d17b980dd3 Mon Sep 17 00:00:00 2001
From: barv
Date: Thu, 5 Sep 2024 10:57:17 +0300
Subject: [PATCH 4/8] undetermined text fixes
---
 utils/resultwriter_test.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/utils/resultwriter_test.go b/utils/resultwriter_test.go
index d009c777..a06c6ad9 100644
--- a/utils/resultwriter_test.go
+++ b/utils/resultwriter_test.go
@@ -674,7 +674,7 @@ func TestPatchRunsToPassIngestionRules(t *testing.T) {
 cmdResult: &Results{ResultType: DockerImage, ScaResults: []*ScaScanResult{{Name: "dockerImage:imageVersion"}}},
 subScan: ScaScan,
 input: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "applicable", sarifutils.CreateDummyResultWithPathAndLogicalLocation("sha256__f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "layer", "algorithm", "sha256").WithMessage(sarif.NewTextMessage("some-msg"))).
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyResultWithPathAndLogicalLocation("sha256__f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "layer", "algorithm", "sha256").WithMessage(sarif.NewTextMessage("some-msg")), []string{"applicability"}, []string{"applicable"}).
 WithInvocations([]*sarif.Invocation{
 sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation(wd)),
 },
@@ -684,10 +684,9 @@ func TestPatchRunsToPassIngestionRules(t *testing.T) {
 ),
 },
 expectedResults: []*sarif.Run{
- sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "applicable",
- sarifutils.CreateDummyResultWithFingerprint("some-msg\nImage: dockerImage:imageVersion\nLayer (sha256): f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "some-msg", jfrogFingerprintAlgorithmName, "9522c1d915eef55b4a0dc9e160bf5dc7",
- sarifutils.CreateDummyLocationWithPathAndLogicalLocation("sha256__f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "layer", "algorithm", "sha256"),
- ),
+ sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyResultWithFingerprint("some-msg\nImage: dockerImage:imageVersion\nLayer (sha256): f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "some-msg", jfrogFingerprintAlgorithmName, "9522c1d915eef55b4a0dc9e160bf5dc7",
+ sarifutils.CreateDummyLocationWithPathAndLogicalLocation("sha256__f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "f752cb05a39e65f231a3c47c2e08cbeac1c15e4daff0188cb129c12a3ea3049d", "layer", "algorithm", "sha256"),
+ ), []string{"applicability"}, []string{"applicable"},
 ).WithInvocations([]*sarif.Invocation{
 sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation(wd)),
 }),
From c65d3851e23a8169f751b59a2f5bdb34a91484ec Mon Sep 17 00:00:00 2001
From: barv
Date: Thu, 5 Sep 2024 10:58:45 +0300
Subject: [PATCH 5/8] undetermined text fixes
---
 formats/sarifutils/sarifutils.go | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/formats/sarifutils/sarifutils.go b/formats/sarifutils/sarifutils.go
index 42f47895..59ab672d 100644
--- a/formats/sarifutils/sarifutils.go
+++ b/formats/sarifutils/sarifutils.go
@@ -37,17 +37,6 @@ func NewPhysicalLocation(physicalPath string) *sarif.PhysicalLocation {
 }
 }
 
-func NewPhysicalLocationWithRegion(physicalPath string, startRow, endRow, startCol, endCol int) *sarif.PhysicalLocation {
- location := NewPhysicalLocation(physicalPath)
- location.Region = &sarif.Region{
- StartLine: &startRow,
- EndLine: &endRow,
- StartColumn: &startCol,
- EndColumn: &endCol,
- }
- return location
-}
-
 func NewLogicalLocation(name, kind string) *sarif.LogicalLocation {
 return &sarif.LogicalLocation{
 Name: &name,
From 58bb7397ba08c3c47e7b2a3f0de5210d8087ac8d Mon Sep 17 00:00:00 2001
From: barv
Date: Thu, 5 Sep 2024 11:42:50 +0300
Subject: [PATCH 6/8] undetermined text fixes
---
 formats/sarifutils/sarifutils.go | 35 --------------------------------
 1 file changed, 35 deletions(-)
diff --git a/formats/sarifutils/sarifutils.go b/formats/sarifutils/sarifutils.go
index 59ab672d..bd2f30a5 100644
--- a/formats/sarifutils/sarifutils.go
+++ b/formats/sarifutils/sarifutils.go
@@ -127,41 +127,6 @@ func SetRunToolName(toolName string, run *sarif.Run) {
 run.Tool.Driver.Name = toolName
 }
 
-func SetRunToolFullDescriptionText(txt string, run *sarif.Run) {
- if run.Tool.Driver == nil {
- run.Tool.Driver = &sarif.ToolComponent{}
- }
- if run.Tool.Driver.FullDescription == nil {
- run.Tool.Driver.FullDescription = sarif.NewMultiformatMessageString(txt)
- return
- }
- run.Tool.Driver.FullDescription.Text = &txt
-}
-
-func SetRunToolFullDescriptionMarkdown(markdown string, run *sarif.Run) {
- if run.Tool.Driver == nil {
- run.Tool.Driver = &sarif.ToolComponent{}
- }
- if run.Tool.Driver.FullDescription == nil {
- run.Tool.Driver.FullDescription = sarif.NewMarkdownMultiformatMessageString(markdown)
- }
- run.Tool.Driver.FullDescription.Markdown = &markdown
-}
-
-func GetRunToolFullDescriptionText(run *sarif.Run) string {
- if run.Tool.Driver != nil && run.Tool.Driver.FullDescription != nil && run.Tool.Driver.FullDescription.Text != nil {
- return *run.Tool.Driver.FullDescription.Text
- }
- return ""
-}
-
-func GetRunToolFullDescriptionMarkdown(run *sarif.Run) string {
- if run.Tool.Driver != nil && run.Tool.Driver.FullDescription != nil && run.Tool.Driver.FullDescription.Markdown != nil {
- return *run.Tool.Driver.FullDescription.Markdown
- }
- return ""
-}
-
 func GetRunToolName(run *sarif.Run) string {
 if run.Tool.Driver != nil {
 return run.Tool.Driver.Name
From a443a30dcbf88ff5df432591bfb5219233b63028 Mon Sep 17 00:00:00 2001
From: barv
Date: Thu, 5 Sep 2024 11:44:10 +0300
Subject: [PATCH 7/8] undetermined text fixes
---
 formats/sarifutils/sarifutils.go | 4 ++++
 utils/jasutils/jasutils.go | 6 ------
 utils/resultstable.go | 2 +-
 3 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/formats/sarifutils/sarifutils.go b/formats/sarifutils/sarifutils.go
index bd2f30a5..41b6d47d 100644
--- a/formats/sarifutils/sarifutils.go
+++ b/formats/sarifutils/sarifutils.go
@@ -109,6 +109,10 @@ func GetLogicalLocation(kind string, location *sarif.Location) *sarif.LogicalLoc
 return nil
 }
 
+func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
+ return GetRuleProperty("undetermined_reason", rule)
+}
+
 func GetLocationId(location *sarif.Location) string {
 return fmt.Sprintf("%s:%s:%d:%d:%d:%d",
 GetLocationFileName(location),
diff --git a/utils/jasutils/jasutils.go b/utils/jasutils/jasutils.go
index 47839e63..a9f83170 100644
--- a/utils/jasutils/jasutils.go
+++ b/utils/jasutils/jasutils.go
@@ -1,8 +1,6 @@
 package jasutils

 import (
- "github.com/jfrog/jfrog-cli-security/formats/sarifutils"
- "github.com/owenrumney/go-sarif/v2/sarif"
 "strings"

 "github.com/gookit/color"
@@ -90,7 +88,3 @@ func ConvertApplicableToScore(applicability string) int {
 }
 return -1
 }
-
-func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
- return sarifutils.GetRuleProperty("undetermined_reason", rule)
-}
diff --git a/utils/resultstable.go b/utils/resultstable.go
index 46ac0da3..ae77ab66 100644
--- a/utils/resultstable.go
+++ b/utils/resultstable.go
@@ -937,7 +937,7 @@ func getCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 if rule, _ := applicabilityRun.GetRuleById(jasutils.CveToApplicabilityRuleId(cveId)); rule != nil {
 applicability.ScannerDescription = sarifutils.GetRuleFullDescriptionText(rule)
 status := getApplicabilityStatusFromRule(rule)
- applicability.UndeterminedReason = jasutils.GetRuleUndeterminedReason(rule)
+ applicability.UndeterminedReason = sarifutils.GetRuleUndeterminedReason(rule)
 if status != "" {
 applicabilityStatuses = append(applicabilityStatuses, status)
 }
From 61962a31c72c56ad9458b9ea1513e6a521d4853a Mon Sep 17 00:00:00 2001
From: barv
Date: Thu, 5 Sep 2024 14:50:33 +0300
Subject: [PATCH 8/8] undetermined text fixes
---
 formats/sarifutils/sarifutils.go | 50 +++++++++++++++++++++++++++++---
 utils/resultstable.go | 6 +++-
 2 files changed, 51 insertions(+), 5 deletions(-)
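Review bot: `"undetermined_reason"` is now spelled out in three places across the series (here, in the `jasutils.go` hunk below that this patch removes, and again in `utils/resultstable.go` in patch 8); a constant beside `GetRuleProperty`, e.g. `const UndeterminedReasonPropertyKey = "undetermined_reason"`, keeps the key in one place and lets the fixtures in `resultstable_test.go` reference it instead of repeating the literal. The exported function is still undocumented; `// GetRuleUndeterminedReason returns the rule's undetermined_reason property, or "" when it is absent.` would do. The import removal in `jasutils.go` reads as if the helper was moved out of jasutils to break an import cycle with sarifutils — worth a sentence in the commit message, since the subject line "undetermined text fixes" does not say so.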
diff --git a/formats/sarifutils/sarifutils.go b/formats/sarifutils/sarifutils.go
index 41b6d47d..42f47895 100644
--- a/formats/sarifutils/sarifutils.go
+++ b/formats/sarifutils/sarifutils.go
@@ -37,6 +37,17 @@ func NewPhysicalLocation(physicalPath string) *sarif.PhysicalLocation {
 }
 }
 
+func NewPhysicalLocationWithRegion(physicalPath string, startRow, endRow, startCol, endCol int) *sarif.PhysicalLocation {
+ location := NewPhysicalLocation(physicalPath)
+ location.Region = &sarif.Region{
+ StartLine: &startRow,
+ EndLine: &endRow,
+ StartColumn: &startCol,
+ EndColumn: &endCol,
+ }
+ return location
+}
+
 func NewLogicalLocation(name, kind string) *sarif.LogicalLocation {
 return &sarif.LogicalLocation{
 Name: &name,
@@ -109,10 +120,6 @@ func GetLogicalLocation(kind string, location *sarif.Location) *sarif.LogicalLoc
 return nil
 }
 
-func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
- return GetRuleProperty("undetermined_reason", rule)
-}
-
 func GetLocationId(location *sarif.Location) string {
 return fmt.Sprintf("%s:%s:%d:%d:%d:%d",
 GetLocationFileName(location),
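Review bot: This hunk re-adds `NewPhysicalLocationWithRegion` verbatim as patch 5 removed it, and the -131 hunk on the next line re-adds the four `FullDescription` helpers that patch 6 deleted; the `index` lines show the file ending the series at the same blob it had before patch 5 (42f47895 on both), so patches 5 through 8 are a net no-op on `sarifutils.go`. Squashing the series would spare reviewers and `git blame` the delete-then-restore. If the restore stands, the function still lacks a doc comment, e.g. `// NewPhysicalLocationWithRegion returns a physical location for physicalPath whose region spans startRow:startCol to endR
ow:endCol.`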
@@ -131,6 +138,41 @@ func SetRunToolName(toolName string, run *sarif.Run) {
 run.Tool.Driver.Name = toolName
 }
 
+func SetRunToolFullDescriptionText(txt string, run *sarif.Run) {
+ if run.Tool.Driver == nil {
+ run.Tool.Driver = &sarif.ToolComponent{}
+ }
+ if run.Tool.Driver.FullDescription == nil {
+ run.Tool.Driver.FullDescription = sarif.NewMultiformatMessageString(txt)
+ return
+ }
+ run.Tool.Driver.FullDescription.Text = &txt
+}
+
+func SetRunToolFullDescriptionMarkdown(markdown string, run *sarif.Run) {
+ if run.Tool.Driver == nil {
+ run.Tool.Driver = &sarif.ToolComponent{}
+ }
+ if run.Tool.Driver.FullDescription == nil {
+ run.Tool.Driver.FullDescription = sarif.NewMarkdownMultiformatMessageString(markdown)
+ }
+ run.Tool.Driver.FullDescription.Markdown = &markdown
+}
+
+func GetRunToolFullDescriptionText(run *sarif.Run) string {
+ if run.Tool.Driver != nil && run.Tool.Driver.FullDescription != nil && run.Tool.Driver.FullDescription.Text != nil {
+ return *run.Tool.Driver.FullDescription.Text
+ }
+ return ""
+}
+
+func GetRunToolFullDescriptionMarkdown(run *sarif.Run) string {
+ if run.Tool.Driver != nil && run.Tool.Driver.FullDescription != nil && run.Tool.Driver.FullDescription.Markdown != nil {
+ return *run.Tool.Driver.FullDescription.Markdown
+ }
+ return ""
+}
+
 func GetRunToolName(run *sarif.Run) string {
 if run.Tool.Driver != nil {
 return run.Tool.Driver.Name
diff --git a/utils/resultstable.go b/utils/resultstable.go
index ae77ab66..9594140f 100644
--- a/utils/resultstable.go
+++ b/utils/resultstable.go
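Review bot: `SetRunToolFullDescriptionMarkdown` is asymmetric with `SetRunToolFullDescriptionText`: when `FullDescription` is nil it builds one via `sarif.NewMarkdownMultiformatMessageString(markdown)` and then falls through to assign `Markdown = &markdown` a second time, whereas the Text variant returns right after constructing. Presumably the constructor already sets the field, so either add the `return` for symmetry or drop the constructor branch; as written a reader has to consult the go-sarif constructor to know the second store is redundant. All four restored helpers are exported without doc comments; one line each stating that the setter creates `Driver`/`FullDescription` on demand and that the getters return "" when any link in the chain is nil would cover them.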
@@ -937,7 +937,7 @@ func getCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 if rule, _ := applicabilityRun.GetRuleById(jasutils.CveToApplicabilityRuleId(cveId)); rule != nil {
 applicability.ScannerDescription = sarifutils.GetRuleFullDescriptionText(rule)
 status := getApplicabilityStatusFromRule(rule)
- applicability.UndeterminedReason = sarifutils.GetRuleUndeterminedReason(rule)
+ applicability.UndeterminedReason = GetRuleUndeterminedReason(rule)
 if status != "" {
 applicabilityStatuses = append(applicabilityStatuses, status)
 }
@@ -1026,6 +1026,10 @@ func extractDependencyNameFromComponent(key string, techIdentifier string) (depe
 return
 }
 
+func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
+ return sarifutils.GetRuleProperty("undetermined_reason", rule)
+}
+
 func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.ApplicabilityStatus {
 if rule.Properties["applicability"] != nil {
 status, ok := rule.Properties["applicability"].(string)
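Review bot: `GetRuleUndeterminedReason` is exported from package utils although the only visible caller is `getCveApplicabilityField` in this file (the -937 hunk above); an unexported `getRuleUndeterminedReason` beside `getApplicabilityStatusFromRule` matches the file's naming and avoids adding a one-line wrapper to the package API after the same name has already been exported from sarifutils and jasutils earlier in the series. `getApplicabilityStatusFromRule` still reads `rule.Properties["applicability"]` directly with a nil check followed by a second lookup for the type assertion, while the new helper goes through `sarifutils.GetRuleProperty`; routing both through `sarifutils.GetRuleProperty("applicability", rule)` would make the two rule-property reads consistent. `getApplicabilityStatusFromRule` continues outside the hunk.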