More details on findings (#33)

* update description * add message to the rules * start to considerate message in the sarif output file * change severity from 5 to 4
htrgouvea · Jan 28, 2024 · ec2d288 · ec2d288
1 parent b1bb9fa
commit ec2d288
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 8 deletions.
diff --git a/.perlcriticrc b/.perlcriticrc
@@ -1,3 +1,4 @@
-severity = 5
+severity = 4
 
-[-TestingAndDebugging::RequireUseStrict]
+[-TestingAndDebugging::RequireUseStrict]
+[-TestingAndDebugging::RequireUseWarnings]
diff --git a/action.yml b/action.yml
@@ -1,5 +1,5 @@
 name: zarn-sast
-description: A lightweight static security analysis tool for modern Perl Apps
+description: A lightweight static security analysis tool (SAST) for modern Perl Apps
 author: Heitor Gouvêa
 branding:
   icon: "shield"

diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm
@@ -28,6 +28,7 @@ package Zarn::AST {
                     my @sample   = $rule -> {sample} -> @*;
                     my $category = $rule -> {category};
                     my $title    = $rule -> {name};
+                    my $message  = $rule -> {message};
 
                     if (grep {my $content = $_; scalar(grep {$content =~ m/$_/xms} @sample)} $token -> content()) {
                         my $next_element = $token -> snext_sibling;
@@ -50,6 +51,7 @@ package Zarn::AST {
                                         category => $category,
                                         file     => $file,
                                         title    => $title,
+                                        message  => $message,
                                         line     => $line,
                                         rowchar  => $rowchar
                                     };

diff --git a/lib/Zarn/Sarif.pm b/lib/Zarn/Sarif.pm
@@ -25,8 +25,11 @@ package Zarn::Sarif {
         foreach my $info (@vulnerabilities) {
             my $result = {
                 ruleId => $info -> {title},
+                properties => {
+                    title => $info -> {title}
+                },
                 message => {
-                    text => $info -> {title}
+                    text => $info -> {message}
                 },
                 locations => [{
                     physicalLocation => {

diff --git a/rules/default.yml b/rules/default.yml
@@ -3,13 +3,13 @@ rules:
   - id: '0001'
     category: info
     name: Debug module enabled
-    message:
+    message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
     sample:
       - Dumper
   - id: '0002'
     category: vuln
     name: Code Injection
-    message:
+    message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
     sample:
       - system
       - eval
@@ -18,12 +18,12 @@ rules:
   - id: '0003'
     category: vuln
     name: Path Traversal
-    message:
+    message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
     sample:
       - open
   - id: '0004'
     category: vuln
     name: Weak Criptography Algorithm
-    message:
+    message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.
     sample:
       - md5