fix(codeqlExecuteScan): changed audit report format (#4474)

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
2024-12-12 10:55:20 +02:00 · 2023-07-19 15:46:05 +02:00 · 2023-07-19 15:46:05 +02:00 · e117067a66
commit e117067a66
parent b703995917
4 changed files with 33 additions and 23 deletions
--- a/cmd/codeqlExecuteScan.go
+++ b/cmd/codeqlExecuteScan.go
@ -340,10 +340,12 @@ func runCodeqlExecuteScan(config *codeqlExecuteScanOptions, telemetryData *telem
 		reports = append(reports, paths...)

 		if config.CheckForCompliance {
-			unaudited := scanResults.Total - scanResults.Audited
-			if unaudited > config.VulnerabilityThresholdTotal {
-				msg := fmt.Sprintf("Your repository %v with ref %v is not compliant. Total unaudited issues are %v which is greater than the VulnerabilityThresholdTotal count %v", repoUrl, repoInfo.ref, unaudited, config.VulnerabilityThresholdTotal)
-				return reports, errors.Errorf(msg)
+			for _, scanResult := range scanResults {
+				unaudited := scanResult.Total - scanResult.Audited
+				if unaudited > config.VulnerabilityThresholdTotal {
+					msg := fmt.Sprintf("Your repository %v with ref %v is not compliant. Total unaudited issues are %v which is greater than the VulnerabilityThresholdTotal count %v", repoUrl, repoInfo.ref, unaudited, config.VulnerabilityThresholdTotal)
+					return reports, errors.Errorf(msg)
+				}
 			}
 		}
 	}
--- a/pkg/codeql/codeql.go
+++ b/pkg/codeql/codeql.go
@ -33,17 +33,17 @@ type CodeqlScanAuditInstance struct {
 	alertListoptions github.AlertListOptions
 }

-func (codeqlScanAudit *CodeqlScanAuditInstance) GetVulnerabilities(analyzedRef string) (CodeqlScanning, error) {
+func (codeqlScanAudit *CodeqlScanAuditInstance) GetVulnerabilities(analyzedRef string) ([]CodeqlFindings, error) {
 	apiUrl := getApiUrl(codeqlScanAudit.serverUrl)
 	ctx, client, err := sapgithub.NewClient(codeqlScanAudit.token, apiUrl, "", codeqlScanAudit.trustedCerts)
 	if err != nil {
-		return CodeqlScanning{}, err
+		return []CodeqlFindings{}, err
 	}

 	return getVulnerabilitiesFromClient(ctx, client.CodeScanning, analyzedRef, codeqlScanAudit)
 }

-func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeqlScanningService, analyzedRef string, codeqlScanAudit *CodeqlScanAuditInstance) (CodeqlScanning, error) {
+func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeqlScanningService, analyzedRef string, codeqlScanAudit *CodeqlScanAuditInstance) ([]CodeqlFindings, error) {
 	page := 1
 	audited := 0
 	totalAlerts := 0
@ -60,7 +60,7 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql

 		alerts, response, err := codeScanning.ListAlertsForRepo(ctx, codeqlScanAudit.owner, codeqlScanAudit.repository, &alertOptions)
 		if err != nil {
-			return CodeqlScanning{}, err
+			return []CodeqlFindings{}, err
 		}

 		page = response.NextPage
@ -81,9 +81,12 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
 		}
 	}

-	codeqlScanning := CodeqlScanning{}
-	codeqlScanning.Total = totalAlerts
-	codeqlScanning.Audited = audited
+	auditAll := CodeqlFindings{
+		ClassificationName: "Audit All",
+		Total:              totalAlerts,
+		Audited:            audited,
+	}
+	codeqlScanning := []CodeqlFindings{auditAll}

 	return codeqlScanning, nil
 }
--- a/pkg/codeql/codeql_test.go
+++ b/pkg/codeql/codeql_test.go
@ -71,8 +71,10 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
 		codeqlScanAuditInstance := NewCodeqlScanAuditInstance("", "", "testRepo1", "", []string{})
 		codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
 		assert.NoError(t, err)
-		assert.Equal(t, 3, codeScanning.Total)
-		assert.Equal(t, 1, codeScanning.Audited)
+		assert.NotEmpty(t, codeScanning)
+		assert.Equal(t, 1, len(codeScanning))
+		assert.Equal(t, 3, codeScanning[0].Total)
+		assert.Equal(t, 1, codeScanning[0].Audited)
 	})

 	t.Run("Success with pagination results", func(t *testing.T) {
@ -80,8 +82,10 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
 		codeqlScanAuditInstance := NewCodeqlScanAuditInstance("", "", "testRepo2", "", []string{})
 		codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
 		assert.NoError(t, err)
-		assert.Equal(t, 140, codeScanning.Total)
-		assert.Equal(t, 80, codeScanning.Audited)
+		assert.NotEmpty(t, codeScanning)
+		assert.Equal(t, 1, len(codeScanning))
+		assert.Equal(t, 140, codeScanning[0].Total)
+		assert.Equal(t, 80, codeScanning[0].Audited)
 	})

 	t.Run("Error", func(t *testing.T) {
--- a/pkg/codeql/reporting.go
+++ b/pkg/codeql/reporting.go
@ -10,16 +10,17 @@ import (
 )

 type CodeqlAudit struct {
-	ToolName               string         `json:"toolName"`
-	RepositoryUrl          string         `json:"repositoryUrl"`
-	RepositoryReferenceUrl string         `json:"repositoryReferenceUrl"` //URL of PR or Branch where scan was performed
-	CodeScanningLink       string         `json:"codeScanningLink"`
-	ScanResults            CodeqlScanning `json:"scanResults"`
+	ToolName               string           `json:"toolName"`
+	RepositoryUrl          string           `json:"repositoryUrl"`
+	RepositoryReferenceUrl string           `json:"repositoryReferenceUrl"` //URL of PR or Branch where scan was performed
+	CodeScanningLink       string           `json:"codeScanningLink"`
+	ScanResults            []CodeqlFindings `json:"findings"`
 }

-type CodeqlScanning struct {
-	Total   int `json:"total"`
-	Audited int `json:"audited"`
+type CodeqlFindings struct {
+	ClassificationName string `json:"classificationName"`
+	Total              int    `json:"total"`
+	Audited            int    `json:"audited"`
 }

 func WriteJSONReport(jsonReport CodeqlAudit, modulePath string) ([]piperutils.Path, error) {