
feat(SARIF): ContextRegion is now a pointer, can be omitted. In checkmarxExecuteScan: threadflows now added, only first location saved (#3844)

xgoffin 2022-06-22 08:54:24 +02:00 committed by GitHub
parent 810d197665
commit c35d85fecc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 17 deletions


@ -210,6 +210,9 @@ func Parse(sys System, data []byte, scanID int) (format.SARIF, error) {
msg.Text = cxxml.Query[i].Name
}
//Locations
codeflow := *new(format.CodeFlow)
threadflow := *new(format.ThreadFlow)
locationSaved := false
for k := 0; k < len(cxxml.Query[i].Result[j].Path.PathNode); k++ {
loc := *new(format.Location)
loc.PhysicalLocation.ArtifactLocation.URI = cxxml.Query[i].Result[j].FileName
@ -219,7 +222,10 @@ func Parse(sys System, data []byte, scanID int) (format.SARIF, error) {
snip := new(format.SnippetSarif)
snip.Text = cxxml.Query[i].Result[j].Path.PathNode[k].Snippet.Line.Code
loc.PhysicalLocation.Region.Snippet = snip
result.Locations = append(result.Locations, loc)
if !locationSaved { // To avoid overloading log file, we only save the 1st location, or source, as in the webview
result.Locations = append(result.Locations, loc)
locationSaved = true
}
//Related Locations
relatedLocation := *new(format.RelatedLocation)
@ -231,7 +237,19 @@ func Parse(sys System, data []byte, scanID int) (format.SARIF, error) {
relatedLocation.PhysicalLocation.Region.StartColumn = cxxml.Query[i].Result[j].Path.PathNode[k].Column
result.RelatedLocations = append(result.RelatedLocations, relatedLocation)
threadFlowLocation := *new(format.Locations)
tfloc := new(format.Location)
tfloc.PhysicalLocation.ArtifactLocation.URI = cxxml.Query[i].Result[j].FileName
tfloc.PhysicalLocation.Region.StartLine = cxxml.Query[i].Result[j].Path.PathNode[k].Line
tfloc.PhysicalLocation.Region.EndLine = cxxml.Query[i].Result[j].Path.PathNode[k].Line
tfloc.PhysicalLocation.Region.StartColumn = cxxml.Query[i].Result[j].Path.PathNode[k].Column
tfloc.PhysicalLocation.Region.Snippet = snip
threadFlowLocation.Location = tfloc
threadflow.Locations = append(threadflow.Locations, threadFlowLocation)
}
codeflow.ThreadFlows = append(codeflow.ThreadFlows, threadflow)
result.CodeFlows = append(result.CodeFlows, codeflow)
result.PartialFingerprints.CheckmarxSimilarityID = cxxml.Query[i].Result[j].Path.SimilarityID
result.PartialFingerprints.PrimaryLocationLineHash = cxxml.Query[i].Result[j].Path.SimilarityID
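Review bot: The two appends after the PathNode loop (`codeflow.ThreadFlows = append(...)`, `result.CodeFlows = append(...)`) run unconditionally, so a result whose `Path.PathNode` is empty emits a codeFlow holding a threadFlow with no locations; SARIF 2.1.0 requires `threadFlow.locations` to carry at least one element, and strict consumers may reject such a file. Wrap both appends in `if len(threadflow.Locations) > 0 { … }` so an empty path produces no codeFlow at all; whether the Checkmarx XML can actually deliver an empty path is not visible here. Separately, `tfloc` re-sets the URI, StartLine, EndLine, StartColumn and Snippet that `loc` appears to receive a few lines earlier (part of that code falls between the first two hunks and is not shown); if they match, `threadFlowLocation.Location = &loc` would replace the seven lines, since `loc` is declared fresh inside the loop body and is only copied into `result.Locations`. Parse begins before the first hunk and continues past the last.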


@ -51,7 +51,7 @@ type Location struct {
type PhysicalLocation struct {
ArtifactLocation ArtifactLocation `json:"artifactLocation"`
Region Region `json:"region"`
ContextRegion ContextRegion `json:"contextRegion"`
ContextRegion *ContextRegion `json:"contextRegion,omitempty"`
LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
}
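Review bot: The `ContextRegion *ContextRegion` line makes absence representable, but the struct carries no comment saying so, and every producer now has to nil-check before dereferencing; the fortify hunks in this commit do, and the checkmarx hunks shown here do not touch the field. I would document the contract on the field: `// ContextRegion is optional; leave it nil when the producer has no surrounding snippet so it is omitted from the JSON.` Note that `omitempty` on a pointer only drops a nil pointer — a non-nil pointer to a zero `ContextRegion` still serializes as `"contextRegion": {}`, so producers should allocate it only once they have data to put in it, which is what the fortify hunks do. The Location definition named in the hunk header starts above this hunk.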


@ -22,14 +22,14 @@ import (
// FVDL This struct encapsulates everyting in the FVDL document
type FVDL struct {
XMLName xml.Name `xml:"FVDL"`
Xmlns string `xml:"xmlns,attr"`
XmlnsXsi string `xml:"xsi,attr"`
Version string `xml:"version,attr"`
XsiType string `xml:"type,attr"`
Created CreatedTS
Uuid UUID
Build Build
XMLName xml.Name `xml:"FVDL"`
Xmlns string `xml:"xmlns,attr"`
XmlnsXsi string `xml:"xsi,attr"`
Version string `xml:"version,attr"`
XsiType string `xml:"type,attr"`
Created CreatedTS `xml:"CreatedTS"`
Uuid UUID `xml:"UUID"`
Build Build `xml:"Build"`
Vulnerabilities Vulnerabilities `xml:"Vulnerabilities"`
ContextPool ContextPool `xml:"ContextPool"`
UnifiedNodePool UnifiedNodePool `xml:"UnifiedNodePool"`
@ -99,6 +99,7 @@ type Vulnerabilities struct {
Vulnerability []Vulnerability `xml:"Vulnerability"`
}
// Vulnerability
type Vulnerability struct {
XMLName xml.Name `xml:"Vulnerability"`
ClassInfo ClassInfo `xml:"ClassInfo"`
@ -134,10 +135,10 @@ type AnalysisInfo struct { //Note that this is directly the "Unified" object
// Context
type Context struct {
XMLName xml.Name `xml:"Context"`
ContextId string `xml:"id,attr,omitempty"`
Function Function
FDSL FunctionDeclarationSourceLocation
XMLName xml.Name `xml:"Context"`
ContextId string `xml:"id,attr,omitempty"`
Function Function `xml:"Function"`
FDSL FunctionDeclarationSourceLocation `xml:"FunctionDeclarationSourceLocation"`
}
// Function
@ -651,6 +652,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
targetSnippetId := fvdl.Vulnerabilities.Vulnerability[i].AnalysisInfo.Trace[k].Primary.Entry[l].Node.SourceLocation.Snippet
for j := 0; j < len(fvdl.Snippets); j++ {
if fvdl.Snippets[j].SnippetId == targetSnippetId {
tfloc.PhysicalLocation.ContextRegion = new(format.ContextRegion)
tfloc.PhysicalLocation.ContextRegion.StartLine = fvdl.Snippets[j].StartLine
tfloc.PhysicalLocation.ContextRegion.EndLine = fvdl.Snippets[j].EndLine
snippetSarif := new(format.SnippetSarif)
@ -672,7 +674,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
// Handle snippet
snippetTarget := handleSnippet(fvdl.Vulnerabilities.Vulnerability[i].AnalysisInfo.Trace[k].Primary.Entry[l].Node.Action.Type, fvdl.Vulnerabilities.Vulnerability[i].AnalysisInfo.Trace[k].Primary.Entry[l].Node.Action.ActionData)
if tfloc.PhysicalLocation.ContextRegion.Snippet != nil {
if tfloc.PhysicalLocation.ContextRegion != nil && tfloc.PhysicalLocation.ContextRegion.Snippet != nil {
physLocationSnippetLines := strings.Split(tfloc.PhysicalLocation.ContextRegion.Snippet.Text, "\n")
snippetText := ""
for j := 0; j < len(physLocationSnippetLines); j++ {
@ -690,7 +692,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
tfloc.PhysicalLocation.Region.Snippet = snippetSarif
}
} else {
if tfloc.PhysicalLocation.ContextRegion.Snippet != nil {
if tfloc.PhysicalLocation.ContextRegion != nil && tfloc.PhysicalLocation.ContextRegion.Snippet != nil {
snippetSarif := new(format.SnippetSarif)
snippetSarif.Text = tfloc.PhysicalLocation.ContextRegion.Snippet.Text
tfloc.PhysicalLocation.Region.Snippet = snippetSarif
@ -734,6 +736,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
targetSnippetId := fvdl.Vulnerabilities.Vulnerability[i].AnalysisInfo.Trace[k].Primary.Entry[l].Node.Reason.Trace.Primary.Entry[0].Node.SourceLocation.Snippet
for j := 0; j < len(fvdl.Snippets); j++ {
if fvdl.Snippets[j].SnippetId == targetSnippetId {
nintfloc.PhysicalLocation.ContextRegion = new(format.ContextRegion)
nintfloc.PhysicalLocation.ContextRegion.StartLine = fvdl.Snippets[j].StartLine
nintfloc.PhysicalLocation.ContextRegion.EndLine = fvdl.Snippets[j].EndLine
snippetSarif := new(format.SnippetSarif)
@ -1080,6 +1083,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
targetSnippetId := fvdl.UnifiedNodePool.Node[i].SourceLocation.Snippet
for j := 0; j < len(fvdl.Snippets); j++ {
if fvdl.Snippets[j].SnippetId == targetSnippetId {
loc.PhysicalLocation.ContextRegion = new(format.ContextRegion)
loc.PhysicalLocation.ContextRegion.StartLine = fvdl.Snippets[j].StartLine
loc.PhysicalLocation.ContextRegion.EndLine = fvdl.Snippets[j].EndLine
snippetSarif := new(format.SnippetSarif)
@ -1094,7 +1098,7 @@ func Parse(sys System, project *models.Project, projectVersion *models.ProjectVe
// Handle snippet
snippetTarget := handleSnippet(fvdl.UnifiedNodePool.Node[i].Action.Type, fvdl.UnifiedNodePool.Node[i].Action.ActionData)
if loc.PhysicalLocation.ContextRegion.Snippet != nil {
if loc.PhysicalLocation.ContextRegion != nil && loc.PhysicalLocation.ContextRegion.Snippet != nil {
physLocationSnippetLines := strings.Split(loc.PhysicalLocation.ContextRegion.Snippet.Text, "\n")
snippetText := ""
for j := 0; j < len(physLocationSnippetLines); j++ {