sap-jenkins-library/pkg/checkmarxone/cxjson_to_sarif.go

package checkmarxOne

import (
	"fmt"
	"strings"
	"time"

	"github.com/SAP/jenkins-library/pkg/format"
	"github.com/SAP/jenkins-library/pkg/log"
	"github.com/SAP/jenkins-library/pkg/piperutils"
)

// ConvertCxJSONToSarif is the entrypoint for the Parse function
func ConvertCxJSONToSarif(sys System, serverURL string, scanResults *[]ScanResult, scanMeta *ScanMetadata, scan *Scan) (format.SARIF, error) {
	// Process sarif
	start := time.Now()

	var sarif format.SARIF
	sarif.Schema = "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"
	sarif.Version = "2.1.0"
	var checkmarxRun format.Runs
	checkmarxRun.ColumnKind = "utf16CodeUnits"
	sarif.Runs = append(sarif.Runs, checkmarxRun)
	rulesArray := []format.SarifRule{}

	baseURL := serverURL + "/results/" + scanMeta.ScanID + "/" + scanMeta.ProjectID

	cweIdsForTaxonomies := make(map[int]int) //use a map to avoid duplicates
	cweCounter := 0
	//maxretries := 5

	//JSON contains a ScanResultData > Query object, which represents a broken rule or type of vuln
	//This Query object contains a list of Result objects, each representing an occurence
	//Each Result object contains a ResultPath, which represents the exact location of the occurence (the "Snippet")
	log.Entry().Debug("[SARIF] Now handling results.")

	for _, r := range *scanResults {
		_, haskey := cweIdsForTaxonomies[r.VulnerabilityDetails.CweId]

		if !haskey {
			cweIdsForTaxonomies[r.VulnerabilityDetails.CweId] = cweCounter
			cweCounter++
		}

		simidString := fmt.Sprintf("%d", r.SimilarityID)

		var apiDescription string
		result := *new(format.Results)

		//General
		result.RuleID = fmt.Sprintf("checkmarxOne-%v/%d", r.Data.LanguageName, r.Data.QueryID)
		result.RuleIndex = cweIdsForTaxonomies[r.VulnerabilityDetails.CweId]
		result.Level = "none"
		msg := new(format.Message)
		if apiDescription != "" {
			msg.Text = apiDescription
		} else {
			msg.Text = r.Data.QueryName
		}
		result.Message = msg

		//Locations
		codeflow := *new(format.CodeFlow)
		threadflow := *new(format.ThreadFlow)
		locationSaved := false
		for k := 0; k < len(r.Data.Nodes); k++ {
			loc := *new(format.Location)
			loc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName
			loc.PhysicalLocation.Region.StartLine = r.Data.Nodes[k].Line
			loc.PhysicalLocation.Region.EndLine = r.Data.Nodes[k].Line
			loc.PhysicalLocation.Region.StartColumn = r.Data.Nodes[k].Column
			snip := new(format.SnippetSarif)
			snip.Text = r.Data.Nodes[k].Name
			loc.PhysicalLocation.Region.Snippet = snip
			if !locationSaved { // To avoid overloading log file, we only save the 1st location, or source, as in the webview
				result.Locations = append(result.Locations, loc)
				locationSaved = true
			}

			//Related Locations
			relatedLocation := *new(format.RelatedLocation)
			relatedLocation.ID = k + 1
			relatedLocation.PhysicalLocation = *new(format.RelatedPhysicalLocation)
			relatedLocation.PhysicalLocation.ArtifactLocation = loc.PhysicalLocation.ArtifactLocation
			relatedLocation.PhysicalLocation.Region = *new(format.RelatedRegion)
			relatedLocation.PhysicalLocation.Region.StartLine = loc.PhysicalLocation.Region.StartLine
			relatedLocation.PhysicalLocation.Region.StartColumn = r.Data.Nodes[k].Column
			result.RelatedLocations = append(result.RelatedLocations, relatedLocation)

			threadFlowLocation := *new(format.Locations)
			tfloc := new(format.Location)
			tfloc.PhysicalLocation.ArtifactLocation.URI = r.Data.Nodes[0].FileName
			tfloc.PhysicalLocation.Region.StartLine = r.Data.Nodes[k].Line
			tfloc.PhysicalLocation.Region.EndLine = r.Data.Nodes[k].Line
			tfloc.PhysicalLocation.Region.StartColumn = r.Data.Nodes[k].Column
			tfloc.PhysicalLocation.Region.Snippet = snip
			threadFlowLocation.Location = tfloc
			threadflow.Locations = append(threadflow.Locations, threadFlowLocation)

		}
		codeflow.ThreadFlows = append(codeflow.ThreadFlows, threadflow)
		result.CodeFlows = append(result.CodeFlows, codeflow)

		result.PartialFingerprints.CheckmarxSimilarityID = simidString
		result.PartialFingerprints.PrimaryLocationLineHash = simidString

		//Properties
		props := new(format.SarifProperties)
		props.Audited = false
		props.CheckmarxSimilarityID = simidString
		props.InstanceID = r.ResultID // no more PathID in cx1
		props.ToolSeverity = r.Severity

		// classify into audit groups
		switch r.Severity {
		case "HIGH":
			props.AuditRequirement = format.AUDIT_REQUIREMENT_GROUP_1_DESC
			props.AuditRequirementIndex = format.AUDIT_REQUIREMENT_GROUP_1_INDEX
			props.ToolSeverityIndex = 3
			break
		case "MEDIUM":
			props.AuditRequirement = format.AUDIT_REQUIREMENT_GROUP_1_DESC
			props.AuditRequirementIndex = format.AUDIT_REQUIREMENT_GROUP_1_INDEX
			props.ToolSeverityIndex = 2
			break
		case "LOW":
			props.AuditRequirement = format.AUDIT_REQUIREMENT_GROUP_2_DESC
			props.AuditRequirementIndex = format.AUDIT_REQUIREMENT_GROUP_2_INDEX
			props.ToolSeverityIndex = 1
			break
		case "INFORMATION":
			props.AuditRequirement = format.AUDIT_REQUIREMENT_GROUP_3_DESC
			props.AuditRequirementIndex = format.AUDIT_REQUIREMENT_GROUP_3_INDEX
			props.ToolSeverityIndex = 0
			break
		}

		switch r.State {
		case "NOT_EXPLOITABLE":
			props.ToolState = "NOT_EXPLOITABLE"
			props.ToolStateIndex = 1
			props.Audited = true
			break
		case "CONFIRMED":
			props.ToolState = "CONFIRMED"
			props.ToolStateIndex = 2
			props.Audited = true
			break
		case "URGENT", "URGENT ":
			props.ToolState = "URGENT"
			props.ToolStateIndex = 3
			props.Audited = true
			break
		case "PROPOSED_NOT_EXPLOITABLE":
			props.ToolState = "PROPOSED_NOT_EXPLOITABLE"
			props.ToolStateIndex = 4
			props.Audited = true
			break
		default:
			props.ToolState = "TO_VERIFY" // Includes case 0
			props.ToolStateIndex = 0

			break
		}

		props.ToolAuditMessage = ""
		// currently disabled due to the extra load (one api call per finding)
		/*predicates, err := sys.GetResultsPredicates(r.SimilarityID, scanMeta.ProjectID)
		if err == nil {
			log.Entry().Infof("Retrieved %d results predicates", len(predicates))
			messageCandidates := []string{}
			for _, p := range predicates {
				messageCandidates = append([]string{strings.Trim(p.Comment, "\r\n")}, messageCandidates...) //Append in reverse order, trim to remove extra \r
			}
			log.Entry().Info(strings.Join(messageCandidates, "; "))
			props.ToolAuditMessage = strings.Join(messageCandidates, " \n ")
		} else {
			log.Entry().Warningf("Error while retrieving result predicates: %s", err)
		}*/

		props.RuleGUID = fmt.Sprintf("%d", r.Data.QueryID)
		props.UnifiedAuditState = ""
		result.Properties = props

		//Finalize
		sarif.Runs[0].Results = append(sarif.Runs[0].Results, result)

		//handle the rules array
		rule := *new(format.SarifRule)

		rule.ID = fmt.Sprintf("checkmarxOne-%v/%d", r.Data.LanguageName, r.Data.QueryID)
		words := strings.Split(r.Data.QueryName, "_")
		for w := 0; w < len(words); w++ {
			words[w] = piperutils.Title(strings.ToLower(words[w]))
		}
		rule.Name = strings.Join(words, "")

		rule.HelpURI = fmt.Sprintf("%v/sast/description/%v/%v", baseURL, r.VulnerabilityDetails.CweId, r.Data.QueryID)
		rule.Help = new(format.Help)
		rule.Help.Text = rule.HelpURI
		rule.ShortDescription = new(format.Message)
		rule.ShortDescription.Text = r.Data.QueryName
		rule.Properties = new(format.SarifRuleProperties)

		if len(r.VulnerabilityDetails.Compliances) > 0 {
			rule.FullDescription = new(format.Message)
			rule.FullDescription.Text = strings.Join(r.VulnerabilityDetails.Compliances[:], ";")

			for cat := 0; cat < len(r.VulnerabilityDetails.Compliances); cat++ {
				rule.Properties.Tags = append(rule.Properties.Tags, r.VulnerabilityDetails.Compliances[cat])
			}
		}
		switch r.Severity {
		case "INFORMATION":
			rule.Properties.SecuritySeverity = "0.0"
		case "LOW":
			rule.Properties.SecuritySeverity = "2.0"
		case "MEDIUM":
			rule.Properties.SecuritySeverity = "5.0"
		case "HIGH":
			rule.Properties.SecuritySeverity = "7.0"
		default:
			rule.Properties.SecuritySeverity = "10.0"
		}

		if r.VulnerabilityDetails.CweId != 0 {
			rule.Properties.Tags = append(rule.Properties.Tags, fmt.Sprintf("external/cwe/cwe-%d", r.VulnerabilityDetails.CweId))
		}
		rulesArray = append(rulesArray, rule)
	}

	// Handle driver object
	log.Entry().Debug("[SARIF] Now handling driver object.")
	tool := *new(format.Tool)
	tool.Driver = *new(format.Driver)
	tool.Driver.Name = "CheckmarxOne SCA"

	// TODO: a way to fetch/store the version
	tool.Driver.Version = "1" //strings.Split(cxxml.CheckmarxVersion, "V ")
	tool.Driver.InformationUri = "https://checkmarx.com/resource/documents/en/34965-68571-viewing-results.html"
	tool.Driver.Rules = rulesArray
	sarif.Runs[0].Tool = tool

	//handle automationDetails
	sarif.Runs[0].AutomationDetails = &format.AutomationDetails{Id: fmt.Sprintf("%v/sast", baseURL)} // Use deeplink to pass a maximum of information

	//handle taxonomies
	//Only one exists apparently: CWE. It is fixed
	taxonomy := *new(format.Taxonomies)
	taxonomy.Name = "CWE"
	taxonomy.Organization = "MITRE"
	taxonomy.ShortDescription.Text = "The MITRE Common Weakness Enumeration"
	for key := range cweIdsForTaxonomies {
		taxa := *new(format.Taxa)
		taxa.Id = fmt.Sprintf("%d", key)
		taxonomy.Taxa = append(taxonomy.Taxa, taxa)
	}
	sarif.Runs[0].Taxonomies = append(sarif.Runs[0].Taxonomies, taxonomy)

	// Add a conversion object to highlight this isn't native SARIF
	conversion := new(format.Conversion)
	conversion.Tool.Driver.Name = "Piper CheckmarxOne JSON to SARIF converter"
	conversion.Tool.Driver.InformationUri = "https://github.com/SAP/jenkins-library"
	conversion.Invocation.ExecutionSuccessful = true
	conversion.Invocation.StartTimeUtc = fmt.Sprintf("%s", start.Format("2006-01-02T15:04:05.000Z")) // "YYYY-MM-DDThh:mm:ss.sZ" on 2006-01-02 15:04:05
	conversion.Invocation.Account = scan.Initiator
	sarif.Runs[0].Conversion = conversion

	return sarif, nil
}

func getQuery(queries []Query, queryID uint64) *Query {
	for id := range queries {
		if queries[id].QueryID == queryID {
			return &queries[id]
		}
	}
	return nil
}