
feat(sarif): logging improvements (#3727)

* fix(fortifyExecuteScan): check audit data length in all cases

* fix(fortifyExecuteScan): check audit data length in all cases

* feat(SARIF): logging improvements in debug mode

* fix(logging): readability

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
xgoffin 2022-04-26 12:34:54 +02:00 committed by GitHub
parent 2740f00134
commit 0696db5e0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 13 additions and 2 deletions


@ -115,6 +115,7 @@ type Line struct {
// ConvertCxxmlToSarif is the entrypoint for the Parse function
func ConvertCxxmlToSarif(xmlReportName string) (format.SARIF, error) {
var sarif format.SARIF
log.Entry().Debug("Reading audit file.")
data, err := ioutil.ReadFile(xmlReportName)
if err != nil {
return sarif, err
@ -155,6 +156,7 @@ func Parse(data []byte) (format.SARIF, error) {
//CxXML files contain a CxXMLResults > Query object, which represents a broken rule or type of vuln
//This Query object contains a list of Result objects, each representing an occurence
//Each Result object contains a ResultPath, which represents the exact location of the occurence (the "Snippet")
log.Entry().Debug("[SARIF] Now handling results.")
for i := 0; i < len(cxxml.Query); i++ {
//add cweid to array
cweIdsForTaxonomies[cxxml.Query[i].CweID] = cweCounter
@ -263,6 +265,7 @@ func Parse(data []byte) (format.SARIF, error) {
}
// Handle driver object
log.Entry().Debug("[SARIF] Now handling driver object.")
tool := *new(format.Tool)
tool.Driver = *new(format.Driver)
tool.Driver.Name = "Checkmarx SCA"
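Review bot: The new `log.Entry().Debug("Reading audit file.")` in ConvertCxxmlToSarif omits the path it is about to read and is the only new message in this section without the `[SARIF]` prefix, so when the `ioutil.ReadFile` on the next line fails the trace does not say which file was involved. Suggest `log.Entry().Debugf("[SARIF] Reading audit file %s.", xmlReportName)`. The `return sarif, err` after it also passes the error up without the path; wrapping it (e.g. `errors.Wrapf(err, "reading audit file %s", xmlReportName)`, assuming the pkg/errors package used by the writer elsewhere on this page is imported here) would give the caller the same context. Parse and the driver-handling code continue outside the hunks.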


@ -204,6 +204,7 @@ func WriteSarif(sarif format.SARIF) ([]piperutils.Path, error) {
bufEncoder.SetIndent("", " ")
//encode to buffer
bufEncoder.Encode(sarif)
log.Entry().Info("Writing file to disk: ", sarifReportPath)
if err := utils.FileWrite(sarifReportPath, buffer.Bytes(), 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write Checkmarx SARIF report")
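Review bot: The new `log.Entry().Info("Writing file to disk: ", sarifReportPath)` reports the write regardless of whether the `bufEncoder.Encode(sarif)` on the preceding line succeeded; that call's error is discarded, so an encoding failure would be logged as a normal write and an empty or truncated buffer would be written as the report. Consider checking it before logging: `if err := bufEncoder.Encode(sarif); err != nil { return reportPaths, errors.Wrap(err, "failed to encode Checkmarx SARIF report") }`. Minor style point: `Infof("Writing file to disk: %s", sarifReportPath)` makes the formatting explicit instead of relying on Sprint-style joining of the two arguments. WriteSarif starts and ends outside the hunk.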


@ -519,6 +519,7 @@ func ConvertFprToSarif(sys System, project *models.Project, projectVersion *mode
return sarif, err
}
log.Entry().Debug("Reading audit file.")
data, err := ioutil.ReadFile(filepath.Join(tmpFolder, "audit.fvdl"))
if err != nil {
return sarif, err
@ -572,6 +573,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
sarif.Runs = append(sarif.Runs, fortifyRun)
// Handle results/vulnerabilities
log.Entry().Debug("[SARIF] Now handling results.")
for i := 0; i < len(fvdl.Vulnerabilities.Vulnerability); i++ {
result := *new(format.Results)
result.RuleID = fvdl.Vulnerabilities.Vulnerability[i].ClassInfo.ClassID
@ -748,6 +750,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
}
//handle the tool object
log.Entry().Debug("[SARIF] Now handling driver object.")
tool := *new(format.Tool)
tool.Driver = *new(format.Driver)
tool.Driver.Name = "MicroFocus Fortify SCA"
@ -884,6 +887,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
sarif.Runs[0].Tool = tool
//handle invocations object
log.Entry().Debug("[SARIF] Now handling invocation.")
invocation := *new(format.Invocations)
for i := 0; i < len(fvdl.EngineData.Properties); i++ { //i selects the properties type
if fvdl.EngineData.Properties[i].PropertiesType == "Fortify" { // This is the correct type, now iterate on props
@ -917,6 +921,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
sarif.Runs[0].OriginalUriBaseIds = oubi
//handle artifacts
log.Entry().Debug("[SARIF] Now handling artifacts.")
for i := 0; i < len(fvdl.Build.SourceFiles); i++ { //i iterates on source files
artifact := *new(format.Artifact)
artifact.Location.Uri = fvdl.Build.SourceFiles[i].Name
@ -938,6 +943,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
sarif.Runs[0].AutomationDetails.Id = fvdl.Build.BuildID
//handle threadFlowLocations
log.Entry().Debug("[SARIF] Now handling threadFlowLocations.")
threadFlowLocationsObject := []format.Locations{}
//prepare a check object
for i := 0; i < len(fvdl.UnifiedNodePool.Node); i++ {
@ -1073,7 +1079,7 @@ func integrateAuditData(ruleProp *format.SarifProperties, issueInstanceID string
}
if len(data) != 1 { //issueInstanceID is supposedly unique so len(data) = 1
//log.Entry().Error("not exactly 1 issue found, found " + fmt.Sprint(len(data)))
return errors.New("not exactly 1 issue found, found " + fmt.Sprint(len(data)))
return errors.New("not exactly 1 issue found for instance ID " + issueInstanceID + ", found " + fmt.Sprint(len(data)))
}
ruleProp.Audited = data[0].Audited
ruleProp.ToolSeverity = *data[0].Friority
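Review bot: The rewritten error in integrateAuditData builds its message by string concatenation around fmt.Sprint; `return fmt.Errorf("not exactly 1 issue found for instance ID %s, found %d", issueInstanceID, len(data))` is the idiomatic form, and now that the instance ID is carried in the error the commented-out `log.Entry().Error(...)` line just above it serves no purpose and can be dropped. The commit message speaks of checking the audit data length "in all cases", but within this hunk only the message text changes and the `len(data) != 1` guard is unchanged context, so that part of the description may refer to code outside what is shown here. integrateAuditData begins before and ends after the hunk.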


@ -491,7 +491,7 @@ func TestIntegrateAuditData(t *testing.T) {
project := models.Project{}
projectVersion := models.ProjectVersion{ID: 11037}
err := integrateAuditData(&ruleProp, "DUMMYDUMMYDUMMY", sys, &project, &projectVersion, nil, filterSet, false)
assert.Error(t, err, "not exactly 1 issue found, found 0")
assert.Error(t, err, "not exactly 1 issue found for instance ID 11037, found 0")
})
t.Run("Successful lookup in oneRequestPerInstance mode", func(t *testing.T) {
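Review bot: The updated expectation in TestIntegrateAuditData does not match the call above it: integrateAuditData is invoked with issueInstanceID `"DUMMYDUMMYDUMMY"`, while the string names 11037, which is the projectVersion ID, so the message the function would produce is `not exactly 1 issue found for instance ID DUMMYDUMMYDUMMY, found 0`. The mismatch goes unnoticed because `assert.Error(t, err, msg)` only checks that err is non-nil and treats the third argument as a failure message rather than an expected value (assuming this is testify's assert package). Replace the line with `assert.EqualError(t, err, "not exactly 1 issue found for instance ID DUMMYDUMMYDUMMY, found 0")` so the new wording is actually verified. The enclosing test function starts before the hunk.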


@ -154,6 +154,7 @@ func WriteSarif(sarif format.SARIF) ([]piperutils.Path, error) {
bufEncoder.SetIndent("", " ")
//encode to buffer
bufEncoder.Encode(sarif)
log.Entry().Info("Writing file to disk: ", sarifReportPath)
if err := utils.FileWrite(sarifReportPath, buffer.Bytes(), 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write fortify SARIF report")
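Review bot: As in the Checkmarx writer, the new `log.Entry().Info("Writing file to disk: ", sarifReportPath)` follows an unchecked `bufEncoder.Encode(sarif)`, so an encoding failure would be logged as a successful write and the resulting empty or partial buffer would be written as the Fortify report. Suggest `if err := bufEncoder.Encode(sarif); err != nil { return reportPaths, errors.Wrap(err, "failed to encode fortify SARIF report") }` ahead of the log line, and `Infof("Writing file to disk: %s", sarifReportPath)` for explicit formatting. WriteSarif starts and ends outside the hunk.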