2022-11-07 12:16:07 +02:00
|
|
|
package reporting
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"fmt"
|
|
|
|
"text/template"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/SAP/jenkins-library/pkg/orchestrator"
|
|
|
|
|
|
|
|
"golang.org/x/text/cases"
|
|
|
|
"golang.org/x/text/language"
|
|
|
|
)
|
|
|
|
|
|
|
|
// VulnerabilityReport represents metadata for a report on a vulnerability
|
|
|
|
type VulnerabilityReport struct {
|
2022-12-01 10:47:53 +02:00
|
|
|
ProjectName string
|
|
|
|
ProjectVersion string
|
|
|
|
BlackDuckProjectLink string
|
|
|
|
ArtifactID string
|
|
|
|
Branch string
|
|
|
|
CommitID string
|
|
|
|
Description string
|
|
|
|
DependencyType string
|
|
|
|
Footer string
|
|
|
|
Group string
|
|
|
|
PackageURL string
|
|
|
|
PipelineName string
|
|
|
|
PipelineLink string
|
|
|
|
PublishDate string
|
|
|
|
Resolution string
|
|
|
|
Score float64
|
|
|
|
Severity string
|
|
|
|
Version string
|
|
|
|
VulnerabilityLink string
|
|
|
|
VulnerabilityName string
|
|
|
|
Origin string
|
2022-11-07 12:16:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
const vulnerabilityMdTemplate string = `# {{title .Severity }} ({{ .Score }}) Vulnerability {{ .VulnerabilityName }} - {{ .ArtifactID }}
|
|
|
|
|
|
|
|
**Vulnerability link:** [{{ .VulnerabilityLink }}]({{ .VulnerabilityLink }})
|
|
|
|
|
2022-12-01 10:47:53 +02:00
|
|
|
{{if .Resolution -}}
|
2022-11-07 12:16:07 +02:00
|
|
|
## Fix
|
|
|
|
|
|
|
|
**{{ .Resolution }}**
|
2022-12-01 10:47:53 +02:00
|
|
|
{{- end}}
|
2022-11-07 12:16:07 +02:00
|
|
|
|
|
|
|
## Context
|
|
|
|
|
|
|
|
{{if .PipelineLink -}}
|
|
|
|
### Pipeline
|
|
|
|
|
|
|
|
Pipeline run: [{{ .PipelineName }}]({{ .PipelineLink }})
|
|
|
|
{{- end}}
|
|
|
|
|
|
|
|
### Detected in
|
|
|
|
|
2022-12-01 10:47:53 +02:00
|
|
|
**Project Version:** [{{ .ProjectName }} {{ .ProjectVersion }}]({{ .BlackDuckProjectLink }})
|
2022-11-07 12:16:07 +02:00
|
|
|
{{if .Branch}}**Branch:** {{ .Branch }}{{- end}}
|
|
|
|
{{if .CommitID}}**CommitId:** {{ .CommitID }}{{- end}}
|
|
|
|
{{if .Group}}**Group:** {{ .Group }}{{- end}}
|
2022-12-01 10:47:53 +02:00
|
|
|
{{if .PublishDate}}**Publishing date:** {{.PublishDate }}{{- end}}
|
|
|
|
|
|
|
|
{{if .ArtifactID}}**ArtifactId:** {{ .ArtifactID }}{{- end}}
|
2022-11-07 12:16:07 +02:00
|
|
|
{{if .Version}}**Version:** {{ .Version }}{{- end}}
|
2022-12-01 10:47:53 +02:00
|
|
|
{{if .Origin}}**Origin:** {{ .Origin }}{{- end}}
|
|
|
|
{{if .DependencyType}}**Dependency:** {{ .DependencyType }}{{- end}}
|
2022-11-07 12:16:07 +02:00
|
|
|
{{if .PackageURL}}**Package URL:** {{ .PackageURL }}{{- end}}
|
|
|
|
|
|
|
|
## Description
|
|
|
|
|
|
|
|
{{ .Description }}
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
{{.Footer}}
|
|
|
|
`
|
|
|
|
|
|
|
|
// ToMarkdown creates a vulnerability in markdown format which can be used in GitHub issues
|
|
|
|
func (v *VulnerabilityReport) ToMarkdown() ([]byte, error) {
|
|
|
|
funcMap := template.FuncMap{
|
|
|
|
"date": func(t time.Time) string {
|
|
|
|
return t.Format("2006-01-02")
|
|
|
|
},
|
|
|
|
"title": func(s string) string {
|
|
|
|
caser := cases.Title(language.AmericanEnglish)
|
|
|
|
return caser.String(s)
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// only fill with orchestrator information if orchestrator can be identified properly
|
|
|
|
if provider, err := orchestrator.NewOrchestratorSpecificConfigProvider(); err == nil {
|
|
|
|
// only add information if not yet provided
|
|
|
|
if len(v.CommitID) == 0 {
|
|
|
|
v.CommitID = provider.GetCommit()
|
|
|
|
}
|
|
|
|
if len(v.PipelineLink) == 0 {
|
|
|
|
v.PipelineLink = provider.GetJobURL()
|
|
|
|
v.PipelineName = provider.GetJobName()
|
|
|
|
}
|
2022-12-01 10:47:53 +02:00
|
|
|
|
|
|
|
if len(v.Branch) == 0 {
|
|
|
|
v.Branch = provider.GetBranch()
|
|
|
|
}
|
2022-11-07 12:16:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
md := []byte{}
|
|
|
|
tmpl, err := template.New("report").Funcs(funcMap).Parse(vulnerabilityMdTemplate)
|
|
|
|
if err != nil {
|
|
|
|
return md, fmt.Errorf("failed to create markdown issue template: %w", err)
|
|
|
|
}
|
|
|
|
buf := new(bytes.Buffer)
|
|
|
|
err = tmpl.Execute(buf, v)
|
|
|
|
if err != nil {
|
|
|
|
return md, fmt.Errorf("failed to execute markdown issue template: %w", err)
|
|
|
|
}
|
|
|
|
md = buf.Bytes()
|
|
|
|
return md, nil
|
|
|
|
}
|