feat: include suppressions in sarif output

snyk · May 4, 2023 · 87b573b · 87b573b
1 parent 9ba5ecc
commit 87b573b
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 31 deletions.
diff --git a/src/lib/plugins/sast/analysis.ts b/src/lib/plugins/sast/analysis.ts
@@ -149,24 +149,9 @@ async function getCodeAnalysis(
     result.analysisResults.sarif,
   );
 
-  // Filter ignored issues when using report
-  if (options.report) {
-    result.analysisResults.sarif = filterIgnoredIssues(
-      result.analysisResults.sarif,
-    );
-  }
-
   return result as CodeAnalysisResults;
 }
 
-function filterIgnoredIssues(codeAnalysis: Log): Log {
-  const results = codeAnalysis.runs[0].results;
-  codeAnalysis.runs[0].results = results?.filter(
-    (rule) => (rule.suppressions?.length ?? 0) === 0,
-  );
-  return codeAnalysis;
-}
-
 function severityToAnalysisSeverity(severity: SEVERITY): AnalysisSeverity {
   if (severity === SEVERITY.CRITICAL) {
     throw new FeatureNotSupportedBySnykCodeError(SEVERITY.CRITICAL);

diff --git a/src/lib/plugins/sast/format/output-format.ts b/src/lib/plugins/sast/format/output-format.ts
@@ -10,16 +10,27 @@ import { CodeTestResults } from '../types';
 
 const debug = Debug('code-output');
 
-export function getCodeDisplayedOutput(
-  testResults: CodeTestResults,
-  meta: string,
-  prefix: string,
-): string {
+function filterIgnoredIssues(analysisResults: Sarif.Result[]): Sarif.Result[] {
+  return analysisResults.filter(
+    (rule) => (rule.suppressions?.length ?? 0) === 0,
+  );
+}
+
+export function getCodeDisplayedOutput(args: {
+  testResults: CodeTestResults;
+  meta: string;
+  prefix: string;
+  shouldFilterIgnored: boolean;
+}): string {
   let issues: { [index: string]: string[] } = {};
 
-  const sarif = testResults.analysisResults.sarif;
+  const sarif = args.testResults.analysisResults.sarif;
   if (sarif.runs[0].results) {
-    const results: Sarif.Result[] = sarif.runs[0].results;
+    // Filter ignored issues (suppressions) from the sarif to display in the cli output
+    // The sarif will remain unchanged and contain the suppressions
+    const results: Sarif.Result[] = args.shouldFilterIgnored
+      ? filterIgnoredIssues(sarif.runs[0].results)
+      : sarif.runs[0].results;
 
     const rulesMap: {
       [ruleId: string]: Sarif.ReportingDescriptor;
@@ -34,21 +45,21 @@ export function getCodeDisplayedOutput(
   const codeIssueSummary = getCodeIssuesSummary(issues);
 
   let summary =
-    prefix +
+    args.prefix +
     issuesText +
     '\n' +
     summaryOKText +
     '\n\n' +
-    meta +
+    args.meta +
     '\n\n' +
     chalk.bold('Summary:') +
     '\n\n' +
     codeIssueSummary +
     '\n\n';
 
-  if (testResults.reportResults) {
+  if (args.testResults.reportResults) {
     summary +=
-      getCodeReportDisplayedOutput(testResults.reportResults.reportUrl) +
+      getCodeReportDisplayedOutput(args.testResults.reportResults.reportUrl) +
       '\n\n';
   }
 

diff --git a/src/lib/plugins/sast/index.ts b/src/lib/plugins/sast/index.ts
@@ -12,6 +12,7 @@ import { EcosystemPlugin } from '../../ecosystems/types';
 import { FailedToRunTestError, NoSupportedSastFiles } from '../../errors';
 import { jsonStringifyLargeObject } from '../../json';
 import * as analytics from '../../analytics';
+import * as cloneDeep from 'lodash.clonedeep';
 
 const debug = debugLib('snyk-code');
 
@@ -44,7 +45,8 @@ export const codePlugin: EcosystemPlugin = {
         throw new NoSupportedSastFiles();
       }
 
-      const sarifTypedResult = testResults?.analysisResults?.sarif;
+      // cloneDeep is used so the sarif is not changed when using the testResults getting the displayed output
+      const sarifTypedResult = cloneDeep(testResults?.analysisResults?.sarif);
 
       const numOfIssues = sarifTypedResult.runs?.[0].results?.length || 0;
       analytics.add('sast-issues-found', numOfIssues);
@@ -54,7 +56,13 @@ export const codePlugin: EcosystemPlugin = {
       }
       const meta = getMeta({ ...options, org: newOrg }, path);
       const prefix = getPrefix(path);
-      let readableResult = getCodeDisplayedOutput(testResults, meta, prefix);
+      let readableResult = getCodeDisplayedOutput({
+        testResults,
+        meta,
+        prefix,
+        shouldFilterIgnored: options['report'] ?? false,
+      });
+
       if (numOfIssues > 0 && options['no-markdown']) {
         sarifTypedResult.runs?.[0].results?.forEach(({ message }) => {
           delete message.markdown;

diff --git a/test/jest/unit/snyk-code/snyk-code-test.spec.ts b/test/jest/unit/snyk-code/snyk-code-test.spec.ts
@@ -386,7 +386,7 @@ describe('Test snyk code', () => {
     }
   });
 
-  it('should create sarif result with ignored issues omitted', async () => {
+  it('should create sarif result displaying suppression in all issues (including ignored)', async () => {
     const sastSettings = {
       sastEnabled: true,
       localCodeEngine: { url: '', allowCloudUpload: true, enabled: false },
@@ -432,10 +432,10 @@ describe('Test snyk code', () => {
 
     expect(sarifWithoutIgnores.length).toBeGreaterThan(0);
     expect(sarifWithIgnores.length).toBeGreaterThan(0);
-    expect(sarifWithIgnores.length).toBeLessThan(sarifWithoutIgnores.length);
+    expect(sarifWithIgnores.length).toBe(sarifWithoutIgnores.length);
 
     sarifWithIgnores.forEach((result) => {
-      expect(result.suppressions?.length ?? 0).toEqual(0);
+      expect(result.suppressions?.length ?? 0).not.toBeLessThan(0);
     });
   });