Add new unified fields to Mend and Blackduck SARIF (#4611)

* Add new unified fields to Mend and Blackduck SARIF * fmt project --------- Co-authored-by: Dmitrii Pavlukhin <dmitrii.pavlukhin@sap.com>
2025-11-06 09:09:19 +02:00 · 2023-10-17 11:48:52 +02:00
parent 3761a9f68a
commit 49f4c81344
7 changed files with 80 additions and 56 deletions
--- a/pkg/blackduck/blackduck.go
+++ b/pkg/blackduck/blackduck.go
@@ -143,6 +143,7 @@ type VulnerabilityWithRemediation struct {
 	ExploitabilitySubscore float32 `json:"exploitabilitySubscore,omitempty"`
 	ImpactSubscore         float32 `json:"impactSubscore,omitempty"`
 	RelatedVulnerability   string  `json:"relatedVulnerability,omitempty"`
+	RemidiatedBy           string  `json:"remediationCreatedBy,omitempty"`
 }

 // Title returns the issue title representation of the contents
--- a/pkg/blackduck/reporting.go
+++ b/pkg/blackduck/reporting.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"runtime"
+	"strings"

 	"github.com/SAP/jenkins-library/pkg/format"
 	"github.com/SAP/jenkins-library/pkg/log"
@@ -70,12 +71,17 @@ func CreateSarifResultFile(vulns *Vulnerabilities, projectName, projectVersion,
 					PackageURLPlusCVEHash: base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", v.Component.ToPackageUrl().ToString(), v.CweID))),
 				},
 				Properties: &format.SarifProperties{
-					Audited:           isAudited,
-					ToolSeverity:      v.Severity,
-					ToolSeverityIndex: severityIndex[v.Severity],
-					ToolAuditMessage:  v.VulnerabilityWithRemediation.RemediationComment,
-					ToolState:         v.RemediationStatus,
-					UnifiedAuditState: unifiedStatusValue,
+					Audited:               isAudited,
+					ToolSeverity:          v.Severity,
+					ToolSeverityIndex:     severityIndex[v.Severity],
+					ToolState:             v.RemediationStatus,
+					ToolAuditMessage:      v.VulnerabilityWithRemediation.RemediationComment,
+					UnifiedAuditState:     unifiedStatusValue,
+					UnifiedSeverity:       strings.ToLower(v.Severity),
+					UnifiedCriticality:    v.BaseScore,
+					UnifiedAuditUser:      v.VulnerabilityWithRemediation.RemidiatedBy,
+					AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+					AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
 				},
 			}

--- a/pkg/blackduck/reporting_test.go
+++ b/pkg/blackduck/reporting_test.go
@@ -32,6 +32,7 @@ func TestCreateSarifResultFile(t *testing.T) {
 				BaseScore:         9.8, OverallScore: 10,
 				RemediationStatus:  "IGNORED",
 				RemediationComment: "CWE-45456543 Auto-remediated: CWE-45456543 is related to CVE-1, but the CWE team has determined that this component version is not affected.",
+				RemidiatedBy:       "technical_user",
 			},
 		},
 		{
@@ -60,6 +61,7 @@ func TestCreateSarifResultFile(t *testing.T) {
 				Description:       "Some vulnerability that can be exploited by turning it upside down.",
 				BaseScore:         6.5,
 				OverallScore:      7,
+				RemediationStatus: "IGNORED",
 			},
 		},
 		{
@@ -110,6 +112,13 @@ func TestCreateSarifResultFile(t *testing.T) {
 	// Test correctness of audit information
 	assert.Equal(t, true, sarif.Runs[0].Results[0].Properties.Audited)
 	assert.Equal(t, "IGNORED", sarif.Runs[0].Results[0].Properties.ToolState)
+	assert.Equal(t, alerts[0].BaseScore, sarif.Runs[0].Results[0].Properties.UnifiedCriticality)
+	assert.Equal(t, "critical", sarif.Runs[0].Results[0].Properties.UnifiedSeverity)
+	assert.Equal(t, "new", sarif.Runs[0].Results[1].Properties.UnifiedAuditState)
+	assert.Equal(t, "notRelevant", sarif.Runs[0].Results[0].Properties.UnifiedAuditState)
+	assert.Equal(t, "technical_user", sarif.Runs[0].Results[0].Properties.UnifiedAuditUser)
+	assert.Equal(t, format.AUDIT_REQUIREMENT_GROUP_1_DESC, sarif.Runs[0].Results[0].Properties.AuditRequirement)
+	assert.Equal(t, format.AUDIT_REQUIREMENT_GROUP_1_INDEX, sarif.Runs[0].Results[0].Properties.AuditRequirementIndex)
 	assert.Equal(t,
 		"CWE-45456543 Auto-remediated: CWE-45456543 is related to CVE-1, but the CWE team has determined that this component version is not affected.",
 		sarif.Runs[0].Results[0].Properties.ToolAuditMessage,
--- a/pkg/format/sarif.go
+++ b/pkg/format/sarif.go
@@ -96,17 +96,20 @@ type PartialFingerprints struct {
 // SarifProperties adding additional information/context to the finding
 type SarifProperties struct {
 	// common
-	RuleGUID              string `json:"ruleGUID,omitempty"`
-	InstanceID            string `json:"instanceID,omitempty"`
-	Audited               bool   `json:"audited"`
-	ToolSeverity          string `json:"toolSeverity"`
-	ToolSeverityIndex     int    `json:"toolSeverityIndex"`
-	ToolState             string `json:"toolState"`
-	ToolStateIndex        int    `json:"toolStateIndex"`
-	ToolAuditMessage      string `json:"toolAuditMessage"`
-	UnifiedAuditState     string `json:"unifiedAuditState"`
-	AuditRequirement      string `json:"auditRequirement"`
-	AuditRequirementIndex int    `json:"auditRequirementIndex"`
+	RuleGUID              string  `json:"ruleGUID,omitempty"`
+	InstanceID            string  `json:"instanceID,omitempty"`
+	Audited               bool    `json:"audited"`
+	ToolSeverity          string  `json:"toolSeverity"`
+	ToolSeverityIndex     int     `json:"toolSeverityIndex"`
+	ToolState             string  `json:"toolState"`
+	ToolStateIndex        int     `json:"toolStateIndex"`
+	ToolAuditMessage      string  `json:"toolAuditMessage"`
+	UnifiedAuditState     string  `json:"unifiedAuditState,omitempty"`
+	UnifiedSeverity       string  `json:"unifiedSeverity,omitempty"`
+	UnifiedCriticality    float32 `json:"unifiedCriticality,omitempty"`
+	UnifiedAuditUser      string  `json:"unifiedAuditUser,omitempty"`
+	AuditRequirement      string  `json:"auditRequirement"`
+	AuditRequirementIndex int     `json:"auditRequirementIndex"`

 	// specific
 	InstanceSeverity      string `json:"instanceSeverity"`
--- a/pkg/whitesource/reporting.go
+++ b/pkg/whitesource/reporting.go
@@ -40,7 +40,7 @@ func CreateCustomVulnerabilityReport(productName string, scan *Scan, alerts *[]A
 			{Description: "Filtered project names", Details: strings.Join(projectNames, ", ")},
 		},
 		Overview: []reporting.OverviewRow{
-			{Description: "Total number of vulnerabilities", Details: fmt.Sprint(len((*alerts)))},
+			{Description: "Total number of vulnerabilities", Details: fmt.Sprint(len(*alerts))},
 			{Description: "Total number of high/critical vulnerabilities with CVSS score >= 7.0", Details: fmt.Sprint(severe)},
 		},
 		SuccessfulScan: severe == 0,
@@ -295,9 +295,13 @@ func getAuditInformation(alert Alert) *format.SarifProperties {
 	}

 	return &format.SarifProperties{
-		Audited:           isAudited,
-		ToolAuditMessage:  auditMessage,
-		UnifiedAuditState: unifiedAuditState,
+		Audited:               isAudited,
+		ToolAuditMessage:      auditMessage,
+		UnifiedAuditState:     unifiedAuditState,
+		AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+		AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
+		UnifiedSeverity:       alert.Vulnerability.CVSS3Severity,
+		UnifiedCriticality:    float32(alert.Vulnerability.CVSS3Score),
 	}
 }

--- a/pkg/whitesource/reporting_test.go
+++ b/pkg/whitesource/reporting_test.go
@@ -349,9 +349,11 @@ func TestGetAuditInformation(t *testing.T) {
 				Status: "OPEN",
 			},
 			expected: &format.SarifProperties{
-				Audited:           false,
-				ToolAuditMessage:  "",
-				UnifiedAuditState: "new",
+				Audited:               false,
+				ToolAuditMessage:      "",
+				UnifiedAuditState:     "new",
+				AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+				AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
 			},
 		},
 		{
@@ -359,11 +361,19 @@ func TestGetAuditInformation(t *testing.T) {
 			alert: Alert{
 				Status:   "IGNORE",
 				Comments: "Not relevant alert",
+				Vulnerability: Vulnerability{
+					CVSS3Score:    9.3,
+					CVSS3Severity: "critical",
+				},
 			},
 			expected: &format.SarifProperties{
-				Audited:           true,
-				ToolAuditMessage:  "Not relevant alert",
-				UnifiedAuditState: "notRelevant",
+				Audited:               true,
+				ToolAuditMessage:      "Not relevant alert",
+				UnifiedAuditState:     "notRelevant",
+				UnifiedSeverity:       "critical",
+				UnifiedCriticality:    9.3,
+				AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+				AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
 			},
 		},
 		{
@@ -373,13 +383,15 @@ func TestGetAuditInformation(t *testing.T) {
 				Comments: "Some comment",
 			},
 			expected: &format.SarifProperties{
-				Audited:           false,
-				ToolAuditMessage:  "",
-				UnifiedAuditState: "new",
+				Audited:               false,
+				ToolAuditMessage:      "",
+				UnifiedAuditState:     "new",
+				AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+				AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
 			},
 		},
 		{
-			name: "Audited alert",
+			name: "Not audited alert",
 			alert: Alert{
 				Assessment: &format.Assessment{
 					Status:   format.NotRelevant,
@@ -389,16 +401,18 @@ func TestGetAuditInformation(t *testing.T) {
 				Comments: "New alert",
 			},
 			expected: &format.SarifProperties{
-				Audited:           true,
-				ToolAuditMessage:  string(format.FixedByDevTeam),
-				UnifiedAuditState: "notRelevant",
+				Audited:               true,
+				ToolAuditMessage:      string(format.FixedByDevTeam),
+				UnifiedAuditState:     "notRelevant",
+				AuditRequirement:      format.AUDIT_REQUIREMENT_GROUP_1_DESC,
+				AuditRequirementIndex: format.AUDIT_REQUIREMENT_GROUP_1_INDEX,
 			},
 		},
 	}

 	for _, test := range tt {
 		t.Run(test.name, func(t *testing.T) {
-			assert.Equal(t, getAuditInformation(test.alert), test.expected)
+			assert.Equal(t, test.expected, getAuditInformation(test.alert))
 		})
 	}
 }