SARIF output support #573
SARIF output support #573
Conversation
| @@ -152,17 +153,12 @@ def audit_result(violations) | |||
| } | |||
| end | |||
|
|
|||
| def fatal_violation(message) | |||
There was a problem hiding this comment.
This was moved to a class method in Violation
| violation(logical_resource_ids) | ||
| end | ||
|
|
||
| def violation(logical_resource_ids, line_numbers = nil) |
There was a problem hiding this comment.
Allow rule implementation classes to generate violation objects without needing to run audit. This is useful for unit testing and other locations
|
Open Questions
|
Take a look here. There actually isn't a right or wrong answer here. The main thing is people can go and see more information about the rules ran. At a minimum, it should have the rules where is a result. In a perfect world, all rules would be great, but it can just be with results.
do you mean how to structure to location format so it shows the line path within the GUI? |
|
Nice work @arothian 💯 This is actually super close to being done 👍 I just tested it and the only problem I am seeing is: This data should be structured like this: I see it is working in some situations, for example: However, for quite a few others I am seeing: The problem here is the |
|
It looks like it may be rule specific 🤔
|
|
@NickLiffen Are you using I'll see if we can get a line number that matches back to the pre-transformed resource; otherwise, I can likely drop off the line number entirely for those results. |
|
@arothian you are indeed correct, this is using SAM, so they are It would be amazing if you could grab the line number before pre-transformed resources. Worst comes to worst (not saying we should do this) we see a lot of companies putting line |
|
Alright, I've added some protection to this so that it will default to line I'll open a separate PR around the issue with -1 line numbers for SAM resources, as it's not directly related to SARIF support here. |
|
@arothian this is good to ship 💯 (IMO) |
| { | ||
| name: 'cfn_nag', | ||
| informationUri: 'https://github.com/stelligent/cfn_nag', | ||
| semanticVersion: Gem.loaded_specs['cfn-nag'].version.to_s, |
There was a problem hiding this comment.
Looks like we need to do checks for when this is nil or using .& format because rake:test-all is coming back with failures in these cases:
Failures:
1) SarifResults#driver with four rules should contain name, informationUri, semanticVersion and rules attributes
Failure/Error: semanticVersion: Gem.loaded_specs['cfn-nag'].version.to_s,
NoMethodError:
undefined method `version' for nil:NilClass
# ./lib/cfn-nag/result_view/sarif_results.rb:38:in `driver'
# ./spec/result_view/sarif_results_spec.rb:36:in `block (4 levels) in <top (required)>'
2) SarifResults#driver with four rules should contain a driver with four rules
Failure/Error: semanticVersion: Gem.loaded_specs['cfn-nag'].version.to_s,
NoMethodError:
undefined method `version' for nil:NilClass
# ./lib/cfn-nag/result_view/sarif_results.rb:38:in `driver'
# ./spec/result_view/sarif_results_spec.rb:44:in `block (4 levels) in <top (required)>'
3) SarifResults#driver with four rules should contain a rule with id, name, fullDescription
Failure/Error: semanticVersion: Gem.loaded_specs['cfn-nag'].version.to_s,
NoMethodError:
undefined method `version' for nil:NilClass
# ./lib/cfn-nag/result_view/sarif_results.rb:38:in `driver'
# ./spec/result_view/sarif_results_spec.rb:50:in `block (4 levels) in <top (required)>'
Finished in 12.88 seconds (files took 11.49 seconds to load)
871 examples, 3 failures
Failed examples:
rspec ./spec/result_view/sarif_results_spec.rb:35 # SarifResults#driver with four rules should contain name, informationUri, semanticVersion and rules attributes
rspec ./spec/result_view/sarif_results_spec.rb:43 # SarifResults#driver with four rules should contain a driver with four rules
rspec ./spec/result_view/sarif_results_spec.rb:49 # SarifResults#driver with four rules should contain a rule with id, name, fullDescription
There was a problem hiding this comment.
@thegonch Addressed by setting up a version.rb file and updating several code references to use that instead.
- Pass rule definitions to result formatters - Add names to rule definitions/violations
arothian
force-pushed
the
sarif_support
branch
from
447871a
to
e1cb0fc
Compare
There was a problem hiding this comment.
Good fixes, however, during local testing, the end to end test fails on the version_spec test as it expects the hardcoded version 0.0.01 to be in use.
begin end-to-end tests...
Run options: include {:end_to_end=>true}
..F....1
.F......F..
Failures:
1) cfn_nag --version when ensuring the local gem is installed equals 0.0.01
Failure/Error:
expect { system %( cfn_nag --version ) }
.to output(a_string_matching('0.0.01'))
.to_stdout_from_any_process
expected block to output a string matching "0.0.01" to stdout, but output "0.0.0\n"
Diff:
@@ -1,2 +1,2 @@
-(a string matching "0.0.01")
+0.0.0
# ./spec/end_to_end/cfn_nag/version_spec.rb:6:in `block (3 levels) in <top (required)>'
2) cfn_nag_rules --version when ensuring the local gem is installed equals 0.0.01
Failure/Error:
expect { system %( cfn_nag_rules --version ) }
.to output(a_string_matching('0.0.01'))
.to_stdout_from_any_process
expected block to output a string matching "0.0.01" to stdout, but output "0.0.0\n"
Diff:
@@ -1,2 +1,2 @@
-(a string matching "0.0.01")
+0.0.0
# ./spec/end_to_end/cfn_nag_rules/version_spec.rb:6:in `block (3 levels) in <top (required)>'
3) cfn_nag_scan --version when ensuring the local gem is installed equals 0.0.01
Failure/Error:
expect { system %( cfn_nag_scan --version ) }
.to output(a_string_matching('0.0.01'))
.to_stdout_from_any_process
expected block to output a string matching "0.0.01" to stdout, but output "0.0.0\n"
Diff:
@@ -1,2 +1,2 @@
-(a string matching "0.0.01")
+0.0.0
# ./spec/end_to_end/cfn_nag_scan/version_spec.rb:6:in `block (3 levels) in <top (required)>'
Finished in 19.08 seconds (files took 7.03 seconds to load)
18 examples, 3 failures
Failed examples:
rspec ./spec/end_to_end/cfn_nag/version_spec.rb:5 # cfn_nag --version when ensuring the local gem is installed equals 0.0.01
rspec ./spec/end_to_end/cfn_nag_rules/version_spec.rb:5 # cfn_nag_rules --version when ensuring the local gem is installed equals 0.0.01
rspec ./spec/end_to_end/cfn_nag_scan/version_spec.rb:5 # cfn_nag_scan --version when ensuring the local gem is installed equals 0.0.01
Update version spec to reflect the version.rb values
Adds support for output results in SARIF format #568