Undetermined reason for undetermined contextual analysis status

formats/sarifutils/sarifutils.go

@@ -234,6 +234,21 @@ func GetRuleFullDescription(rule *sarif.ReportingDescriptor) string {
 	return ""
 }
 
+func GetRuleProperty(key string, rule *sarif.ReportingDescriptor) string {
+	if rule != nil && rule.Properties != nil && rule.Properties[key] != nil {
+		prop, ok := rule.Properties[key].(string)
+		if !ok {
+			return ""
+		}
+		return prop
+	}
+	return ""
+}
+
+func GetRuleUndeterminedReason(rule *sarif.ReportingDescriptor) string {
+	return GetRuleProperty("undetermined_reason", rule)
+}
+
 func GetRunRules(run *sarif.Run) []*sarif.ReportingDescriptor {
 	if run != nil && run.Tool.Driver != nil {
 		return run.Tool.Driver.Rules

formats/sarifutils/test_sarifutils.go

@@ -13,14 +13,16 @@ func CreateRunWithDummyResults(results ...*sarif.Result) *sarif.Run {
 	return run
 }
 
-func CreateRunWithDummyResultAndRuleProperties(property, value string, result *sarif.Result) *sarif.Run {
+func CreateRunWithDummyResultAndRuleMultipleProperties(result *sarif.Result, properties, values []string) *sarif.Run {
 	run := sarif.NewRunWithInformationURI("", "")
 	if result.RuleID != nil {
 		run.AddRule(*result.RuleID)
 	}
 	run.AddResult(result)
-	run.Tool.Driver.Rules[0].Properties = make(sarif.Properties)
-	run.Tool.Driver.Rules[0].Properties[property] = value
+	run.Tool.Driver.Rules[0].Properties = make(sarif.Properties, len(properties))
+	for index, _ := range properties {
+		run.Tool.Driver.Rules[0].Properties[properties[index]] = values[index]
+	}
 	return run
 }
 

formats/simplejsonapi.go

@@ -96,6 +96,7 @@ type CveRow struct {
 type Applicability struct {
 	Status             string     `json:"status"`
 	ScannerDescription string     `json:"scannerDescription,omitempty"`
+	UndeterminedReason string     `json:"undeterminedReason,omitempty"`
 	Evidence           []Evidence `json:"evidence,omitempty"`
 }
 

utils/resultstable.go

@@ -937,6 +937,7 @@ func getCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 		if rule, _ := applicabilityRun.GetRuleById(jasutils.CveToApplicabilityRuleId(cveId)); rule != nil {
 			applicability.ScannerDescription = sarifutils.GetRuleFullDescription(rule)
 			status := getApplicabilityStatusFromRule(rule)
+			applicability.UndeterminedReason = sarifutils.GetRuleUndeterminedReason(rule)
 			if status != "" {
 				applicabilityStatuses = append(applicabilityStatuses, status)
 			}

utils/resultstable_test.go

@@ -682,9 +682,9 @@ func TestGetApplicableCveValue(t *testing.T) {
 			name: "new scan statuses - applicable wins all statuses",
 			scanResults: &ExtendedScanResults{
 				ApplicabilityScanResults: []*sarif.Run{
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "applicable", sarifutils.CreateDummyPassingResult("applic_testCve1")),
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_applicable", sarifutils.CreateDummyPassingResult("applic_testCve2")),
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve3")),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"applicable"}),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve3"), []string{"applicability"}, []string{"not_covered"}),
 				},
 				EntitledForJas: true},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
@@ -698,8 +698,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 			name: "new scan statuses - not covered wins not applicable",
 			scanResults: &ExtendedScanResults{
 				ApplicabilityScanResults: []*sarif.Run{
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve1")),
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_applicable", sarifutils.CreateDummyPassingResult("applic_testCve2")),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}),
 				},
 				EntitledForJas: true},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
@@ -712,8 +712,8 @@ func TestGetApplicableCveValue(t *testing.T) {
 			name: "new scan statuses - undetermined wins not covered",
 			scanResults: &ExtendedScanResults{
 				ApplicabilityScanResults: []*sarif.Run{
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "not_covered", sarifutils.CreateDummyPassingResult("applic_testCve1")),
-					sarifutils.CreateRunWithDummyResultAndRuleProperties("applicability", "undetermined", sarifutils.CreateDummyPassingResult("applic_testCve2")),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}),
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"undetermined"}),
 				},
 				EntitledForJas: true},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
@@ -722,6 +722,19 @@ func TestGetApplicableCveValue(t *testing.T) {
 				{Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String()}},
 			},
 		},
+		{
+			name: "undetermined with undetermined reason",
+			scanResults: &ExtendedScanResults{
+				ApplicabilityScanResults: []*sarif.Run{
+					sarifutils.CreateRunWithDummyResultAndRuleMultipleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability", "undetermined_reason"}, []string{"undetermined", "however"}),
+				},
+				EntitledForJas: true},
+			cves:           []services.Cve{{Id: "testCve2"}},
+			expectedResult: jasutils.ApplicabilityUndetermined,
+			expectedCves: []formats.CveRow{
+				{Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String(), UndeterminedReason: "however"}},
+			},
+		},
 	}
 
 	for _, testCase := range testCases {