diff --git a/pkg/codeql/codeql.go b/pkg/codeql/codeql.go
index a365c9650..0f537b588 100644
--- a/pkg/codeql/codeql.go
+++ b/pkg/codeql/codeql.go
@@ -49,6 +49,8 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
 page := 1
 audited := 0
 totalAlerts := 0
+ optionalAudited := 0
+ totalOptionalAlerts := 0
 for page != 0 {
 alertOptions := github.AlertListOptions{
@@ -72,13 +74,31 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
 continue
 }
- if *alert.State == auditStateDismissed {
- audited += 1
- totalAlerts += 1
+ isSecurityIssue := false
+ for _, tag := range alert.Rule.Tags {
+ if tag == "security" {
+ isSecurityIssue = true
+ }
 }
- if *alert.State == auditStateOpen {
- totalAlerts += 1
+ if isSecurityIssue {
+ if *alert.State == auditStateDismissed {
+ audited += 1
+ totalAlerts += 1
+ }
+
+ if *alert.State == auditStateOpen {
+ totalAlerts += 1
+ }
+ } else {
+ if *alert.State == auditStateDismissed {
+ optionalAudited += 1
+ totalOptionalAlerts += 1
+ }
+
+ if *alert.State == auditStateOpen {
+ totalOptionalAlerts += 1
+ }
 }
 }
 }
@@ -88,7 +108,12 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
 Total: totalAlerts,
 Audited: audited,
 }
- codeqlScanning := []CodeqlFindings{auditAll}
+ optionalIssues := CodeqlFindings{
+ ClassificationName: "Optional",
+ Total: totalOptionalAlerts,
+ Audited: optionalAudited,
+ }
+ codeqlScanning := []CodeqlFindings{auditAll, optionalIssues}
 return codeqlScanning, nil
 }
diff --git a/pkg/codeql/codeql_test.go b/pkg/codeql/codeql_test.go
index 84b0ac40e..e056a5192 100644
--- a/pkg/codeql/codeql_test.go
+++ b/pkg/codeql/codeql_test.go
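Review bot: `for _, tag := range alert.Rule.Tags` dereferences `alert.Rule` with no nil check, so one alert returned without a rule object would panic the whole scan instead of merely misclassifying that alert; nothing in this hunk establishes that `Rule` is present, and the test mocks in this same commit confirm it is a pointer (`Rule: &github.Rule{...}`). Guard the lookup with `if alert.Rule != nil {` around the tag loop, and decide explicitly which bucket a rule-less alert belongs in — with the guard as the only change, the `else` branch would silently count it as Optional, which understates security findings if the API ever omits the rule. The loop can also `break` on the first `"security"` match. The enclosing function starts before this hunk and its pagination loop continues past it.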
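Review bot: The new `optionalIssues` entry is emitted under `ClassificationName: "Optional"` with nothing stating what makes a finding optional, so a reader of the report cannot tell this bucket apart from the first one without going back to the tag loop earlier in the function. Add a comment above the struct literal such as `// Optional: CodeQL alerts whose rule is not tagged "security"; reported separately from the security-tagged alerts so they do not affect the audit counts above.` The function body begins before this hunk.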
@@ -24,30 +24,36 @@ func (g *githubCodeqlScanningMock) ListAlertsForRepo(ctx context.Context, owner,
 testToolName := "Test"
 if repo == "testRepo1" {
- alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
- alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
- alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
- alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}})
+ alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
 response.NextPage = 0
 }
 if repo == "testRepo2" {
 if opts.Page == 1 {
 for i := 0; i < 50; i++ {
- alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
+ alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: 
[]string{"useless_code"}}})
 }
 for i := 0; i < 50; i++ {
- alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
 }
 response.NextPage = 2
 }
 if opts.Page == 2 {
 for i := 0; i < 10; i++ {
- alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
+ alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
 }
 for i := 0; i < 30; i++ {
- alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
+ alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
 }
 response.NextPage = 0
 }
@@ -72,7 +78,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
 codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
 assert.NoError(t, err)
 assert.NotEmpty(t, codeScanning)
- assert.Equal(t, 1, len(codeScanning))
+ assert.Equal(t, 2, len(codeScanning))
 assert.Equal(t, 3, codeScanning[0].Total)
 assert.Equal(t, 1, codeScanning[0].Audited)
 })
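Review bot: `assert.Equal(t, 2, len(codeScanning))` now admits the second entry, but neither this hunk nor the one at `@@ -83,7 +89,7` asserts `codeScanning[1].Total` or `codeScanning[1].Audited`, so the new optional counters could be wrong or swapped without any test failing. If alerts from tools other than CodeQL are skipped before the counting (the unchanged 3/1 and 140/80 expectations imply they are), the fixture leaves one dismissed `useless_code` CodeQL alert for testRepo1 and none for testRepo2, so add `assert.Equal(t, 1, codeScanning[1].Total)` and `assert.Equal(t, 1, codeScanning[1].Audited)` here and `0`/`0` in the second case; asserting `ClassificationName` on both entries would also pin the order callers rely on. The mock hunk above attaches every `useless_code` alert in testRepo2 to `testToolName`, so the optional path is never exercised with a non-zero count across pages; giving at least one of those alerts `codeqlToolName` would cover it.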
@@ -83,7 +89,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
 codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
 assert.NoError(t, err)
 assert.NotEmpty(t, codeScanning)
- assert.Equal(t, 1, len(codeScanning))
+ assert.Equal(t, 2, len(codeScanning))
 assert.Equal(t, 140, codeScanning[0].Total)
 assert.Equal(t, 80, codeScanning[0].Audited)
 })