
Fix(detectExecuteScan): rework struct methods to meet interface requirements (#4048)

* Fixed struct methods to meet interface requirements

* Fix test and ruleID

* Small adjustments

* Readability of code

* Added testcases

* Code rework

* Fix fmt

* Mod

* Fix taxonomy

* Fix ruleIndex

* Fix taxonomies

* Fix format

* Remove name

* Fix Fortify and Checkmarx SARIF

* Fix fmt, address comments

* Addressing comments

* Fix fmt
Sven Merk
2022-10-10 10:06:20 +02:00
committed by GitHub
parent db5351f4d3
commit e8ba1b043d
9 changed files with 225 additions and 129 deletions


@@ -568,29 +568,41 @@ func postScanChecksAndReporting(ctx context.Context, config detectExecuteScanOpt
func getVulnsAndComponents(config detectExecuteScanOptions, influx *detectExecuteScanInflux, sys *blackduckSystem) (*bd.Vulnerabilities, *bd.Components, error) {
detectVersionName := getVersionName(config)
vulns, err := sys.Client.GetVulnerabilities(config.ProjectName, detectVersionName)
components, err := sys.Client.GetComponents(config.ProjectName, detectVersionName)
if err != nil {
return nil, nil, err
}
// create component lookup map to interconnect vulnerability and component
keyFormat := "%v/%v"
componentLookup := map[string]*bd.Component{}
for _, comp := range components.Items {
componentLookup[fmt.Sprintf(keyFormat, comp.Name, comp.Version)] = &comp
}
vulns, err := sys.Client.GetVulnerabilities(config.ProjectName, detectVersionName)
if err != nil {
return nil, components, err
}
majorVulns := 0
activeVulns := 0
for _, vuln := range vulns.Items {
for index, vuln := range vulns.Items {
if isActiveVulnerability(vuln) {
activeVulns++
if isMajorVulnerability(vuln) {
majorVulns++
}
}
component := componentLookup[fmt.Sprintf(keyFormat, vuln.Name, vuln.Version)]
if component != nil && len(component.Name) > 0 {
vulns.Items[index].Component = component
} else {
vulns.Items[index].Component = &bd.Component{Name: vuln.Name, Version: vuln.Version}
}
}
influx.detect_data.fields.vulnerabilities = activeVulns
influx.detect_data.fields.major_vulnerabilities = majorVulns
influx.detect_data.fields.minor_vulnerabilities = activeVulns - majorVulns
components, err := sys.Client.GetComponents(config.ProjectName, detectVersionName)
if err != nil {
return vulns, nil, err
}
influx.detect_data.fields.components = components.TotalCount
return vulns, components, nil
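Review bot: The lookup map is filled with `componentLookup[fmt.Sprintf(keyFormat, comp.Name, comp.Version)] = &comp`, the address of the range variable; unless the module's go directive is 1.22 or newer, every entry points at the same variable, which holds the last component once the loop ends, so every vulnerability with a match would be wired to that last component. Take the address of the slice element instead: `for i := range components.Items {` / `comp := &components.Items[i]` / `componentLookup[fmt.Sprintf(keyFormat, comp.Name, comp.Version)] = comp`. The new TestGetVulnsAndComponents takes `&c` of its own range variable and compares with deep equality, so it cannot detect this. The closing brace of getVulnsAndComponents lies outside the hunk.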


@@ -130,7 +130,7 @@ const (
]
}`
componentsContent = `{
"totalCount": 2,
"totalCount": 3,
"items" : [
{
"componentName": "Spring Framework",
@@ -140,15 +140,19 @@ const (
"componentName": "Apache Tomcat",
"componentVersionName": "9.0.52",
"policyStatus": "IN_VIOLATION"
}, {
"componentName": "Apache Log4j",
"componentVersionName": "4.5.16",
"policyStatus": "UNKNOWN"
}
]
}`
vulnerabilitiesContent = `{
"totalCount": 1,
"totalCount": 3,
"items": [
{
"componentName": "Spring Framework",
"componentVersionName": "5.3.2",
"componentVersionName": "5.3.9",
"vulnerabilityWithRemediation" : {
"vulnerabilityName" : "BDSA-2019-2021",
"baseScore" : 7.5,
@@ -157,6 +161,28 @@ const (
"remediationStatus" : "IGNORED",
"description" : "description"
}
}, {
"componentName": "Apache Log4j",
"componentVersionName": "4.5.16",
"vulnerabilityWithRemediation" : {
"vulnerabilityName" : "BDSA-2020-4711",
"baseScore" : 7.5,
"overallScore" : 7.5,
"severity" : "HIGH",
"remediationStatus" : "IGNORED",
"description" : "description"
}
}, {
"componentName": "Apache Log4j",
"componentVersionName": "4.5.16",
"vulnerabilityWithRemediation" : {
"vulnerabilityName" : "BDSA-2020-4712",
"baseScore" : 4.5,
"overallScore" : 4.5,
"severity" : "MEDIUM",
"remediationStatus" : "IGNORED",
"description" : "description"
}
}
]
}`
@@ -752,6 +778,46 @@ func TestGetActivePolicyViolations(t *testing.T) {
components, err := sys.Client.GetComponents("SHC-PiperTest", "1.0")
assert.NoError(t, err)
assert.Equal(t, getActivePolicyViolations(components), 2)
assert.Equal(t, 2, getActivePolicyViolations(components))
})
}
func TestGetVulnsAndComponents(t *testing.T) {
t.Parallel()
t.Run("Case true", func(t *testing.T) {
config := detectExecuteScanOptions{Token: "token", ServerURL: "https://my.blackduck.system", ProjectName: "SHC-PiperTest", Version: "", CustomScanVersion: "1.0"}
sys := newBlackduckMockSystem(config)
vulns, components, err := getVulnsAndComponents(config, &detectExecuteScanInflux{}, &sys)
assert.NoError(t, err)
assert.Equal(t, 3, len(vulns.Items))
assert.Equal(t, 3, len(components.Items))
vulnerabilitySpring := bd.Vulnerability{}
vulnerabilityLog4j1 := bd.Vulnerability{}
vulnerabilityLog4j2 := bd.Vulnerability{}
for _, v := range vulns.Items {
if v.VulnerabilityWithRemediation.VulnerabilityName == "BDSA-2019-2021" {
vulnerabilitySpring = v
}
if v.VulnerabilityWithRemediation.VulnerabilityName == "BDSA-2020-4711" {
vulnerabilityLog4j1 = v
}
if v.VulnerabilityWithRemediation.VulnerabilityName == "BDSA-2020-4712" {
vulnerabilityLog4j2 = v
}
}
vulnerableComponentSpring := &bd.Component{}
vulnerableComponentLog4j := &bd.Component{}
for _, c := range components.Items {
if c.Name == "Spring Framework" {
vulnerableComponentSpring = &c
}
if c.Name == "Apache Log4j" {
vulnerableComponentLog4j = &c
}
}
assert.Equal(t, vulnerableComponentSpring, vulnerabilitySpring.Component)
assert.Equal(t, vulnerableComponentLog4j, vulnerabilityLog4j1.Component)
assert.Equal(t, vulnerableComponentLog4j, vulnerabilityLog4j2.Component)
})
}
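Review bot: The final assertions in TestGetVulnsAndComponents compare `*bd.Component` values with `assert.Equal`, which deep-compares the pointees, so any component with the same Name and Version would satisfy them and the wiring of `Component` is not really verified; `vulnerableComponentSpring = &c` and `vulnerableComponentLog4j = &c` also take the address of the range variable, which under pre-1.22 loop semantics leaves both expected pointers aliasing the same variable. Iterate by index and assert identity: `for i, c := range components.Items {`, `vulnerableComponentSpring = &components.Items[i]`, and `assert.Same(t, vulnerableComponentSpring, vulnerabilitySpring.Component)` (likewise for the Log4j pair). Since getVulnsAndComponents stores pointers into `components.Items`, the identity check is what the production code promises.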


@@ -89,6 +89,7 @@ type Vulnerability struct {
Version string `json:"componentVersionName,omitempty"`
Ignored bool `json:"ignored,omitempty"`
VulnerabilityWithRemediation `json:"vulnerabilityWithRemediation,omitempty"`
Component *Component
}
type VulnerabilityWithRemediation struct {
@@ -105,13 +106,13 @@ type VulnerabilityWithRemediation struct {
// Title returns the issue title representation of the contents
func (v Vulnerability) Title() string {
return fmt.Sprintf("Security Vulnerability %v %v", v.VulnerabilityName, v.Name)
return v.VulnerabilityWithRemediation.VulnerabilityName
}
// ToMarkdown returns the markdown representation of the contents
func (v Vulnerability) ToMarkdown(component *Component) ([]byte, error) {
func (v Vulnerability) ToMarkdown() ([]byte, error) {
vul := reporting.VulnerabilityReport{
ArtifactID: v.Name,
ArtifactID: v.Component.Name,
// no information available about branch and commit, yet
Branch: "",
@@ -137,7 +138,7 @@ func (v Vulnerability) ToMarkdown(component *Component) ([]byte, error) {
Score: float64(v.VulnerabilityWithRemediation.BaseScore),
Severity: v.VulnerabilityWithRemediation.Severity,
Version: v.Version,
PackageURL: component.ToPackageUrl().ToString(),
PackageURL: v.Component.ToPackageUrl().ToString(),
// no vulnerability link available, yet
VulnerabilityLink: "",
@@ -148,7 +149,7 @@ func (v Vulnerability) ToMarkdown(component *Component) ([]byte, error) {
}
// ToTxt returns the textual representation of the contents
func (v Vulnerability) ToTxt(component *Component) string {
func (v Vulnerability) ToTxt() string {
return fmt.Sprintf(`Vulnerability %v
Severity: %v
Base (NVD) Score: %v
@@ -165,7 +166,7 @@ Link: [%v](%v)`,
v.VulnerabilityWithRemediation.OverallScore,
v.Name,
v.Version,
component.ToPackageUrl().ToString(),
v.Component.ToPackageUrl().ToString(),
v.Description,
"",
"",
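Review bot: `Component *Component` is added to Vulnerability without a comment, and ToMarkdown (`v.Component.Name`, `v.Component.ToPackageUrl()`) and ToTxt (`v.Component.ToPackageUrl()`) dereference it unconditionally; the field is not part of the Black Duck JSON payload, so a Vulnerability that was only decoded and not passed through getVulnsAndComponents carries a nil pointer and these methods panic. Document the invariant on the field, e.g. `// Component is the resolved component this vulnerability belongs to. It is not part of the API payload; callers must set it before ToMarkdown or ToTxt are used.`, and guard the error-returning path with `if v.Component == nil { return nil, fmt.Errorf("vulnerability %v has no component", v.VulnerabilityName) }` at the top of ToMarkdown. If the struct is ever marshalled, a `json:"-"` tag would keep the resolved component out of the output, but whether that matters depends on callers outside this hunk. The bodies of ToMarkdown and ToTxt both start and end outside the hunks shown.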


@@ -16,116 +16,115 @@ import (
// CreateSarifResultFile creates a SARIF result from the Vulnerabilities that were brought up by the scan
func CreateSarifResultFile(vulns *Vulnerabilities, components *Components) *format.SARIF {
// create component lookup map
componentLookup := map[string]Component{}
for _, comp := range components.Items {
componentLookup[fmt.Sprintf("%v/%v", comp.Name, comp.Version)] = comp
}
//Now, we handle the sarif
log.Entry().Debug("Creating SARIF file for data transfer")
var sarif format.SARIF
sarif.Schema = "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"
sarif.Version = "2.1.0"
var wsRun format.Runs
sarif.Runs = append(sarif.Runs, wsRun)
//handle the tool object
tool := *new(format.Tool)
tool.Driver = *new(format.Driver)
tool.Driver.Name = "Blackduck Hub Detect"
tool.Driver.Version = "unknown"
tool.Driver.InformationUri = "https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=introduction.html&_LANG=enus"
// Handle results/vulnerabilities
rules := []format.SarifRule{}
collectedRules := []string{}
cweIdsForTaxonomies := []string{}
results := []format.Results{}
if vulns != nil && vulns.Items != nil {
for _, v := range vulns.Items {
component := componentLookup[fmt.Sprintf("%v/%v", v.Name, v.Version)]
result := *new(format.Results)
ruleId := v.Title()
log.Entry().Debugf("Transforming alert %v into SARIF format", ruleId)
result.RuleID = ruleId
result.Level = transformToLevel(v.VulnerabilityWithRemediation.Severity)
result.Message = new(format.Message)
result.Message.Text = v.VulnerabilityWithRemediation.Description
result.AnalysisTarget = new(format.ArtifactLocation)
result.AnalysisTarget.URI = v.Name
result.AnalysisTarget.Index = 0
location := format.Location{PhysicalLocation: format.PhysicalLocation{ArtifactLocation: format.ArtifactLocation{URI: v.Name}}}
result.Locations = append(result.Locations, location)
partialFingerprints := new(format.PartialFingerprints)
partialFingerprints.PackageURLPlusCVEHash = base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", component.ToPackageUrl().ToString(), v.Title())))
result.PartialFingerprints = *partialFingerprints
cweIdsForTaxonomies = append(cweIdsForTaxonomies, v.VulnerabilityWithRemediation.CweID)
log.Entry().Debugf("Transforming alert %v on Package %v Version %v into SARIF format", v.VulnerabilityWithRemediation.VulnerabilityName, v.Component.Name, v.Component.Version)
result := format.Results{
RuleID: v.VulnerabilityWithRemediation.VulnerabilityName,
Level: transformToLevel(v.VulnerabilityWithRemediation.Severity),
Message: &format.Message{Text: v.VulnerabilityWithRemediation.Description},
AnalysisTarget: &format.ArtifactLocation{
URI: v.Component.ToPackageUrl().ToString(),
Index: 0,
},
Locations: []format.Location{{PhysicalLocation: format.PhysicalLocation{ArtifactLocation: format.ArtifactLocation{URI: v.Name}}}},
PartialFingerprints: format.PartialFingerprints{
PackageURLPlusCVEHash: base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", v.Component.ToPackageUrl().ToString(), v.CweID))),
},
}
// append the result
sarif.Runs[0].Results = append(sarif.Runs[0].Results, result)
results = append(results, result)
// append taxonomies
if len(v.VulnerabilityWithRemediation.CweID) > 0 && !piperutils.ContainsString(cweIdsForTaxonomies, v.VulnerabilityWithRemediation.CweID) {
cweIdsForTaxonomies = append(cweIdsForTaxonomies, v.VulnerabilityWithRemediation.CweID)
}
// only create rule on new CVE
if !piperutils.ContainsString(collectedRules, ruleId) {
collectedRules = append(collectedRules, ruleId)
sarifRule := *new(format.SarifRule)
sarifRule.ID = ruleId
sarifRule.ShortDescription = new(format.Message)
sarifRule.ShortDescription.Text = fmt.Sprintf("%v Package %v", v.VulnerabilityName, component.Name)
sarifRule.FullDescription = new(format.Message)
sarifRule.FullDescription.Text = v.VulnerabilityWithRemediation.Description
sarifRule.DefaultConfiguration = new(format.DefaultConfiguration)
sarifRule.DefaultConfiguration.Level = transformToLevel(v.VulnerabilityWithRemediation.Severity)
sarifRule.HelpURI = ""
markdown, _ := v.ToMarkdown(&component)
sarifRule.Help = new(format.Help)
sarifRule.Help.Text = v.ToTxt(&component)
sarifRule.Help.Markdown = string(markdown)
ruleProp := *new(format.SarifRuleProperties)
ruleProp.Tags = append(ruleProp.Tags, "SECURITY_VULNERABILITY")
ruleProp.Tags = append(ruleProp.Tags, component.ToPackageUrl().ToString())
ruleProp.Tags = append(ruleProp.Tags, v.VulnerabilityWithRemediation.CweID)
ruleProp.Precision = "very-high"
ruleProp.Impact = fmt.Sprint(v.VulnerabilityWithRemediation.ImpactSubscore)
ruleProp.Probability = fmt.Sprint(v.VulnerabilityWithRemediation.ExploitabilitySubscore)
ruleProp.SecuritySeverity = fmt.Sprint(v.OverallScore)
sarifRule.Properties = &ruleProp
if !piperutils.ContainsString(collectedRules, result.RuleID) {
collectedRules = append(collectedRules, result.RuleID)
markdown, _ := v.ToMarkdown()
tags := []string{
"SECURITY_VULNERABILITY",
v.Component.ToPackageUrl().ToString(),
v.VulnerabilityWithRemediation.CweID,
}
ruleProp := format.SarifRuleProperties{
Tags: tags,
Precision: "very-high",
Impact: fmt.Sprint(v.VulnerabilityWithRemediation.ImpactSubscore),
Probability: fmt.Sprint(v.VulnerabilityWithRemediation.ExploitabilitySubscore),
SecuritySeverity: fmt.Sprint(v.OverallScore),
}
sarifRule := format.SarifRule{
ID: result.RuleID,
ShortDescription: &format.Message{Text: fmt.Sprintf("%v in Package %v", v.VulnerabilityName, v.Component.Name)},
FullDescription: &format.Message{Text: v.VulnerabilityWithRemediation.Description},
DefaultConfiguration: &format.DefaultConfiguration{Level: transformToLevel(v.VulnerabilityWithRemediation.Severity)},
HelpURI: "",
Help: &format.Help{Text: v.ToTxt(), Markdown: string(markdown)},
Properties: &ruleProp,
}
// append the rule
tool.Driver.Rules = append(tool.Driver.Rules, sarifRule)
rules = append(rules, sarifRule)
}
}
}
//Finalize: tool
sarif.Runs[0].Tool = tool
// Threadflowlocations is no loger useful: voiding it will make for smaller reports
sarif.Runs[0].ThreadFlowLocations = []format.Locations{}
// Add a conversion object to highlight this isn't native SARIF
conversion := new(format.Conversion)
conversion.Tool.Driver.Name = "Piper FPR to SARIF converter"
conversion.Tool.Driver.InformationUri = "https://github.com/SAP/jenkins-library"
conversion.Invocation.ExecutionSuccessful = true
convInvocProp := new(format.InvocationProperties)
convInvocProp.Platform = runtime.GOOS
conversion.Invocation.Properties = convInvocProp
sarif.Runs[0].Conversion = conversion
//handle taxonomies
//Only one exists apparently: CWE. It is fixed
taxonomy := *new(format.Taxonomies)
taxonomy.GUID = "25F72D7E-8A92-459D-AD67-64853F788765"
taxonomy.Name = "CWE"
taxonomy.Organization = "MITRE"
taxonomy.ShortDescription.Text = "The MITRE Common Weakness Enumeration"
for key := range cweIdsForTaxonomies {
taxa := *new(format.Taxa)
taxa.Id = fmt.Sprint(key)
taxonomy.Taxa = append(taxonomy.Taxa, taxa)
taxas := []format.Taxa{}
for _, value := range cweIdsForTaxonomies {
taxa := format.Taxa{Id: value}
taxas = append(taxas, taxa)
}
taxonomy := format.Taxonomies{
GUID: "25F72D7E-8A92-459D-AD67-64853F788765",
Name: "CWE",
Organization: "MITRE",
ShortDescription: format.Message{Text: "The MITRE Common Weakness Enumeration"},
Taxa: taxas,
}
//handle the tool object
tool := format.Tool{
Driver: format.Driver{
Name: "Blackduck Hub Detect",
Version: "unknown",
InformationUri: "https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=introduction.html&_LANG=enus",
Rules: rules,
},
}
sarif := format.SARIF{
Schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json",
Version: "2.1.0",
Runs: []format.Runs{
{
Results: results,
Tool: tool,
ThreadFlowLocations: []format.Locations{},
Conversion: &format.Conversion{
Tool: format.Tool{
Driver: format.Driver{
Name: "Piper FPR to SARIF converter",
InformationUri: "https://github.com/SAP/jenkins-library",
},
},
Invocation: format.Invocation{
ExecutionSuccessful: true,
Properties: &format.InvocationProperties{Platform: runtime.GOOS},
},
},
Taxonomies: []format.Taxonomies{taxonomy},
},
},
}
sarif.Runs[0].Taxonomies = append(sarif.Runs[0].Taxonomies, taxonomy)
return &sarif
}
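Review bot: The fingerprint is now computed as `fmt.Sprintf("%v+%v", v.Component.ToPackageUrl().ToString(), v.CweID)`, whereas the field is named PackageURLPlusCVEHash and the replaced code hashed the vulnerability title; two distinct vulnerabilities on the same package that share a CWE now produce identical partialFingerprints, and SARIF consumers that track or deduplicate results by fingerprint will merge or hide one of them. Use the vulnerability identifier as the name says: `PackageURLPlusCVEHash: base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", v.Component.ToPackageUrl().ToString(), v.VulnerabilityWithRemediation.VulnerabilityName))),`. With the lookup map gone, the `components *Components` parameter of CreateSarifResultFile is no longer read; either drop it together with its callers or note in the doc comment that it is retained for compatibility. Every `v.Component.` access in the loop assumes the pointer was resolved upstream; a nil entry panics here, which is worth a one-line guard or at least a comment on the function.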


@@ -13,16 +13,21 @@ import (
)
func TestCreateSarifResultFile(t *testing.T) {
vulnerabilities := []string{"CVE-1", "CVE-2", "CVE-3", "CVE-4"}
affectedComponent := Component{Name: "test1", Version: "1.2.3", ComponentOriginName: "Maven", PrimaryLanguage: "Java"}
otherAffectedComponent := Component{Name: "test2", Version: "1.2.8", ComponentOriginName: "Maven", PrimaryLanguage: "Java"}
alerts := []Vulnerability{
{Name: "test1", Version: "1.2.3", VulnerabilityWithRemediation: VulnerabilityWithRemediation{VulnerabilityName: "CVE-45456543", Severity: "Critical", Description: "Some vulnerability that can be exploited by peeling the glue off.", BaseScore: 9.8, OverallScore: 10}},
{Name: "test1", Version: "1.2.3", VulnerabilityWithRemediation: VulnerabilityWithRemediation{VulnerabilityName: "CVE-45456542", Severity: "Critical", Description: "Some other vulnerability that can be exploited by filling the glass.", BaseScore: 9, OverallScore: 9}},
{Name: "test1", Version: "1.2.3", VulnerabilityWithRemediation: VulnerabilityWithRemediation{VulnerabilityName: "CVE-45456541", Severity: "Medium", Description: "Some vulnerability that can be exploited by turning it upside down.", BaseScore: 6.5, OverallScore: 7}},
{Name: "test1", Version: "1.2.3", Component: &affectedComponent, VulnerabilityWithRemediation: VulnerabilityWithRemediation{CweID: "CWE-45456543", VulnerabilityName: "CVE-1", Severity: "Critical", Description: "Some vulnerability that can be exploited by peeling the glue off.", BaseScore: 9.8, OverallScore: 10}},
{Name: "test1", Version: "1.2.3", Component: &affectedComponent, VulnerabilityWithRemediation: VulnerabilityWithRemediation{CweID: "CWE-45456542", VulnerabilityName: "CVE-2", Severity: "Critical", Description: "Some other vulnerability that can be exploited by filling the glass.", BaseScore: 9, OverallScore: 9}},
{Name: "test1", Version: "1.2.3", Component: &affectedComponent, VulnerabilityWithRemediation: VulnerabilityWithRemediation{CweID: "CWE-45456541", VulnerabilityName: "CVE-3", Severity: "High", Description: "Some vulnerability that can be exploited by turning it upside down.", BaseScore: 6.5, OverallScore: 7}},
{Name: "test2", Version: "1.2.8", Component: &otherAffectedComponent, VulnerabilityWithRemediation: VulnerabilityWithRemediation{CweID: "CWE-45789754", VulnerabilityName: "CVE-4", Severity: "High", Description: "Some vulnerability that can be exploited by turning it upside down.", BaseScore: 6.5, OverallScore: 7}},
{Name: "test2", Version: "1.2.8", Component: &otherAffectedComponent, VulnerabilityWithRemediation: VulnerabilityWithRemediation{CweID: "CWE-45456541", VulnerabilityName: "CVE-3", Severity: "High", Description: "Some vulnerability that can be exploited by turning it upside down.", BaseScore: 6.5, OverallScore: 7}},
}
vulns := Vulnerabilities{
Items: alerts,
}
components := []Component{
{Name: "test1", Version: "1.2.3", ComponentOriginName: "Maven"},
affectedComponent,
}
componentList := Components{
Items: components,
@@ -35,9 +40,24 @@ func TestCreateSarifResultFile(t *testing.T) {
assert.Equal(t, 1, len(sarif.Runs))
assert.Equal(t, "Blackduck Hub Detect", sarif.Runs[0].Tool.Driver.Name)
assert.Equal(t, "unknown", sarif.Runs[0].Tool.Driver.Version)
assert.Equal(t, 3, len(sarif.Runs[0].Tool.Driver.Rules))
assert.Equal(t, 3, len(sarif.Runs[0].Results))
// TODO add more extensive verification once we agree on the format details
assert.Equal(t, 4, len(sarif.Runs[0].Tool.Driver.Rules))
assert.Equal(t, 5, len(sarif.Runs[0].Results))
collectedRules := []string{}
for _, rule := range sarif.Runs[0].Tool.Driver.Rules {
piperutils.ContainsString(vulnerabilities, rule.ID)
collectedRules = append(collectedRules, rule.ID)
}
collectedResults := []string{}
for _, result := range sarif.Runs[0].Results {
piperutils.ContainsString(vulnerabilities, result.RuleID)
collectedResults = append(collectedResults, result.RuleID)
}
assert.Equal(t, 4, len(collectedRules))
assert.Equal(t, 5, len(collectedResults))
assert.Equal(t, vulnerabilities, collectedRules)
}
func TestWriteCustomVulnerabilityReports(t *testing.T) {
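Review bot: The two calls `piperutils.ContainsString(vulnerabilities, rule.ID)` and `piperutils.ContainsString(vulnerabilities, result.RuleID)` in the new loops discard their boolean result, so they assert nothing. Wrap them: `assert.True(t, piperutils.ContainsString(vulnerabilities, rule.ID))` and `assert.True(t, piperutils.ContainsString(vulnerabilities, result.RuleID))`. collectedResults is only checked for length; given the five alerts defined earlier in this test, `assert.Equal(t, []string{"CVE-1", "CVE-2", "CVE-3", "CVE-4", "CVE-3"}, collectedResults)` would pin the result order and the duplicate-rule handling that the rule-count assertion only implies.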


@@ -381,7 +381,7 @@ func Parse(sys System, data []byte, scanID int) (format.SARIF, error) {
sarif.Runs[0].Tool = tool
//handle automationDetails
sarif.Runs[0].AutomationDetails.Id = cxxml.DeepLink // Use deeplink to pass a maximum of information
sarif.Runs[0].AutomationDetails = &format.AutomationDetails{Id: cxxml.DeepLink} // Use deeplink to pass a maximum of information
//handle taxonomies
//Only one exists apparently: CWE. It is fixed


@@ -34,16 +34,14 @@ const (
type AssessmentAnalysis string
const (
WaitingForFix AssessmentAnalysis = "waitingForFix" //"Waiting for OSS community fix"
RiskAccepted AssessmentAnalysis = "riskAccepted" //"Risk Accepted"
//Others AssessmentAnalysis = "others" //"Others"
WaitingForFix AssessmentAnalysis = "waitingForFix" //"Waiting for OSS community fix"
RiskAccepted AssessmentAnalysis = "riskAccepted" //"Risk Accepted"
NotPresent AssessmentAnalysis = "notPresent" //"Affected parts of the OSS library are not present"
NotUsed AssessmentAnalysis = "notUsed" //"Affected parts of the OSS library are not used"
AssessmentPropagation AssessmentAnalysis = "assessmentPropagation" //"Assessment Propagation"
//BuildVersionOutdated AssessmentAnalysis = "buildVersionOutdated" //"Build Version is outdated"
FixedByDevTeam AssessmentAnalysis = "fixedByDevTeam" //"OSS Component fixed by development team"
Mitigated AssessmentAnalysis = "mitigated" //"Mitigated by the Application"
WronglyReported AssessmentAnalysis = "wronglyReported" //"Wrongly reported CVE"
FixedByDevTeam AssessmentAnalysis = "fixedByDevTeam" //"OSS Component fixed by development team"
Mitigated AssessmentAnalysis = "mitigated" //"Mitigated by the Application"
WronglyReported AssessmentAnalysis = "wronglyReported" //"Wrongly reported CVE"
)
type Purl struct {


@@ -21,7 +21,7 @@ type Runs struct {
Invocations []Invocation `json:"invocations,omitempty"`
OriginalUriBaseIds *OriginalUriBaseIds `json:"originalUriBaseIds,omitempty"`
Artifacts []Artifact `json:"artifacts,omitempty"`
AutomationDetails AutomationDetails `json:"automationDetails,omitempty"`
AutomationDetails *AutomationDetails `json:"automationDetails,omitempty"`
ColumnKind string `json:"columnKind,omitempty" default:"utf16CodeUnits"`
ThreadFlowLocations []Locations `json:"threadFlowLocations,omitempty"`
Taxonomies []Taxonomies `json:"taxonomies,omitempty"`
@@ -31,7 +31,7 @@ type Runs struct {
// Results these structs are relevant to the Results object
type Results struct {
RuleID string `json:"ruleId"`
RuleIndex int `json:"ruleIndex"`
RuleIndex int `json:"ruleIndex,omitempty"`
Kind string `json:"kind,omitempty"`
Level string `json:"level,omitempty"`
Message *Message `json:"message,omitempty"`
@@ -39,8 +39,8 @@ type Results struct {
Locations []Location `json:"locations,omitempty"`
CodeFlows []CodeFlow `json:"codeFlows,omitempty"`
RelatedLocations []RelatedLocation `json:"relatedLocations,omitempty"`
PartialFingerprints PartialFingerprints `json:"partialFingerprints"`
Properties *SarifProperties `json:"properties"`
PartialFingerprints PartialFingerprints `json:"partialFingerprints,omitempty"`
Properties *SarifProperties `json:"properties,omitempty"`
}
// Message to detail the finding
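Review bot: Adding `omitempty` to `PartialFingerprints PartialFingerprints` has no effect: encoding/json never treats a struct value as empty, so results without a fingerprint still serialize an object with empty fields exactly as before. If omission is the goal the field needs to become `*PartialFingerprints` (with the Black Duck, Checkmarx and Fortify writers adjusted), otherwise the tag change should be reverted to avoid suggesting behaviour it does not have. The `RuleIndex int` field with `omitempty` now drops the value 0, which is a valid index for the first rule; consumers that resolve rules by ruleId are presumably unaffected, but a consumer relying on ruleIndex would see it missing for that rule.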


@@ -1056,7 +1056,7 @@ func Parse(sys System, projectVersion *models.ProjectVersion, data []byte, filte
}
//handle automationDetails
sarif.Runs[0].AutomationDetails.Id = fvdl.Build.BuildID
sarif.Runs[0].AutomationDetails = &format.AutomationDetails{Id: fvdl.Build.BuildID}
//handle threadFlowLocations
log.Entry().Debug("[SARIF] Now handling threadFlowLocations.")