feat: support sarif

.github/README.md

@@ -131,6 +131,7 @@ Files supported by the `out` parameter are listed below：
 |        | `html` | `.html`                          | `v1.0.6` and above |
 |        | `sqlite` | `.sqlite`                      | `v1.0.13` and above|
 |        | `csv` | `.csv`                            | `v1.0.13` and above|
+|        | `sarif`| `.sarif`                         |                    |
 | SBOM   | `spdx` | `.spdx` `.spdx.json` `.spdx.xml` | `v1.0.8` and above |
 |        | `cdx`  | `.cdx.json` `.cdx.xml`           | `v1.0.11`and above |
 |        | `swid` | `.swid.json` `.swid.xml`         | `v1.0.11`and above |

README.md

@@ -121,6 +121,7 @@
 |          | `html`   | `.html`                          |
 |          | `sqlite` | `.sqlite`                        |
 |          | `csv`    | `.csv`                           |
+|          | `sarif`  | `.sarif`                         |
 | SBOM清单 | `spdx`   | `.spdx` `.spdx.json` `.spdx.xml` |
 |          | `cdx`    | `.cdx.json` `.cdx.xml`           |
 |          | `swid`   | `.swid.json` `.swid.xml`         |

cmd/detail/detail.go

@@ -156,6 +156,20 @@ type Vuln struct {
 	ExploitLevelId  int    `json:"exploit_level_id" gorm:"column:exploit_level_id"`
 }
 
+func (v *Vuln) SecurityLevel() string {
+	switch v.SecurityLevelId {
+	case 1:
+		return "Critical"
+	case 2:
+		return "High"
+	case 3:
+		return "Medium"
+	case 4:
+		return "Low"
+	}
+	return "Unknown"
+}
+
 func vulnLanguageKey(language model.Language) []string {
 	switch language {
 	case model.Lan_Java:

cmd/format/sarif.go

@@ -0,0 +1,181 @@
+package format
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/xmirrorsecurity/opensca-cli/v3/opensca/logs"
+	"io"
+	"path/filepath"
+	"strings"
+
+	"github.com/xmirrorsecurity/opensca-cli/v3/cmd/detail"
+)
+
+type sarifReport struct {
+	Version string     `json:"version"`
+	Schema  string     `json:"$schema"`
+	Runs    []sarifRun `json:"runs"`
+}
+
+type sarifRun struct {
+	Tool struct {
+		Driver struct {
+			Name           string      `json:"name"`
+			Version        string      `json:"version"`
+			InformationUri string      `json:"informationUri"`
+			Rules          []sarifRule `json:"rules"`
+		} `json:"driver"`
+	} `json:"tool"`
+	Results []sarifResult `json:"results"`
+}
+
+type sarifRule struct {
+	Id               string                    `json:"id"`
+	ShortDescription sarifRuleShortDescription `json:"shortDescription"`
+	Help             sarifRuleHelp             `json:"help"`
+	Properties       sarifRuleProperties       `json:"properties"`
+}
+
+type sarifRuleShortDescription struct {
+	Text string `json:"text"`
+}
+
+type sarifRuleFullDescription struct {
+	Text string `json:"text"`
+}
+
+type sarifRuleHelp struct {
+	Text     string `json:"text"`
+	Markdown string `json:"markdown"`
+}
+
+type sarifRuleProperties struct {
+	Tags []string `json:"tags"`
+}
+
+type sarifResult struct {
+	RuleId  string `json:"ruleId"`
+	Level   string `json:"level"`
+	Message struct {
+		Text string `json:"text"`
+	} `json:"message"`
+	Locations []sarifLocation `json:"locations"`
+}
+
+type sarifLocation struct {
+	PhysicalLocation struct {
+		ArtifactLocation struct {
+			Uri   string `json:"uri"`
+			Index int    `json:"index,omitempty"`
+		} `json:"artifactLocation"`
+		// Region struct {
+		// 	StartLine   int `json:"startLine"`
+		// 	StartColumn int `json:"startColumn"`
+		// } `json:"region"`
+	} `json:"physicalLocation"`
+}
+
+func Sarif(report Report, out string) {
+
+	s := sarifReport{
+		Version: "2.1.0",
+		Schema:  "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
+	}
+
+	run := sarifRun{}
+	run.Tool.Driver.Name = "opensca-cli"
+	run.Tool.Driver.Version = strings.TrimLeft(report.TaskInfo.ToolVersion, "vV")
+	run.Tool.Driver.InformationUri = "https://opensca.xmirror.cn"
+
+	report.ForEach(func(n *detail.DepDetailGraph) bool {
+		for _, vuln := range n.Vulnerabilities {
+			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, sarifRule{
+				Id: vuln.Id,
+				ShortDescription: sarifRuleShortDescription{
+					Text: fmt.Sprintf("[%s] 组件 %s 中存在 %s", vuln.SecurityLevel(), n.Dep.Key()[:strings.LastIndex(n.Dep.Key(), ":")], vuln.Name),
+				},
+				Help: sarifRuleHelp{
+					Markdown: formatDesc(vuln),
+				},
+				Properties: sarifRuleProperties{
+					Tags: formatTags(n),
+				},
+			},
+			)
+
+			if vuln.Id == "" {
+				continue
+			}
+			result := sarifResult{
+				RuleId: "XM1001",
+				Level:  "warning",
+			}
+			result.Message.Text = fmt.Sprintf("引入的组件 %s 中存在 %s", n.Dep.Key()[:strings.LastIndex(n.Dep.Key(), ":")], vuln.Name)
+			for i, path := range n.Paths {
+				location := sarifLocation{}
+				if truncIndex := strings.Index(path, "["); truncIndex > 0 {
+					path = path[:truncIndex]
+					path = strings.TrimPrefix(path, filepath.Base(report.TaskInfo.AppName))
+					path = strings.Trim(path, `\/`)
+				}
+				location.PhysicalLocation.ArtifactLocation.Uri = path
+				location.PhysicalLocation.ArtifactLocation.Index = i
+				result.Locations = append(result.Locations, location)
+			}
+			run.Results = append(run.Results, result)
+		}
+		return true
+	})
+
+	s.Runs = []sarifRun{run}
+	outWrite(out, func(w io.Writer) {
+		err := json.NewEncoder(w).Encode(s)
+		if err != nil {
+			logs.Error(err)
+		}
+	})
+}
+
+func formatDesc(v *detail.Vuln) string {
+	text := fmt.Sprintf("| id | %s |", v.Id)
+	text = fmt.Sprintf("%s\n| --- | --- |", text)
+	if v.Cve != "" {
+		text = fmt.Sprintf("%s\n| cve | %s |", text, v.Cve)
+	}
+	if v.Cnnvd != "" {
+		text = fmt.Sprintf("%s\n| cnnvd | %s |", text, v.Cnnvd)
+	}
+	if v.Cnvd != "" {
+		text = fmt.Sprintf("%s\n| cnvd | %s |", text, v.Cnvd)
+	}
+	if v.Cwe != "" {
+		text = fmt.Sprintf("%s\n| cwe | %s |", text, v.Cwe)
+	}
+	text = fmt.Sprintf("%s\n| level | %s |", text, v.SecurityLevel())
+	text = fmt.Sprintf("%s\n| desc | %s |", text, v.Description)
+	text = fmt.Sprintf("%s\n| suggestion | %s |", text, v.Suggestion)
+
+	return text
+}
+
+func formatTags(dg *detail.DepDetailGraph) []string {
+	tags := []string{}
+	exists := make(map[string]bool)
+	tags = append(tags, "security")
+	tags = append(tags, "Use-Vulnerable-and-Outdated-Components")
+	if dg.Dep.Language != "" {
+		tags = append(tags, dg.Dep.Language)
+		exists[dg.Dep.Language] = true
+	}
+	for _, v := range dg.Vulnerabilities {
+		if v.Cve != "" && !exists[v.Cve] {
+			tags = append(tags, v.Cve)
+			exists[v.Cve] = true
+		}
+		if v.AttackType != "" && !exists[v.AttackType] {
+			tags = append(tags, v.AttackType)
+			exists[v.AttackType] = true
+		}
+	}
+	return tags
+}

cmd/format/save.go

@@ -71,6 +71,8 @@ func Save(report Report, output string) {
 			Csv(report, out)
 		case ".sqlite", ".db":
 			Sqlite(report, out)
+		case ".sarif":
+			Sarif(report, out)
 		default:
 			Json(report, out)
 		}

main.go

@@ -104,7 +104,7 @@ func args() {
 	flag.BoolVar(&login, "login", false, "login to cloud server. example: -login")
 	flag.StringVar(&cfgf, "config", "", "config path. example: -config config.json")
 	flag.StringVar(&cfg.Path, "path", cfg.Path, "project path. example: -path project_path")
-	flag.StringVar(&cfg.Output, "out", cfg.Output, "report path, support html/json/xml/csv/sqlite/cdx/spdx/swid/dsdx. example: -out out.json,out.html")
+	flag.StringVar(&cfg.Output, "out", cfg.Output, "report path, support html/json/xml/csv/sarif/sqlite/cdx/spdx/swid/dsdx. example: -out out.json,out.html")
 	flag.StringVar(&cfg.LogFile, "log", cfg.LogFile, "-log ./my_opensca_log.txt")
 	flag.StringVar(&cfg.Origin.Token, "token", "", "web token, example: -token xxxx")
 	flag.StringVar(&proj, "proj", proj, "saas project id, example: -proj xxxx")