Audit - Add Secrets & IaC to sarif format (#829)

artifactory/utils/dependenciesutils.go

@@ -3,11 +3,6 @@ package utils
 import (
  "errors"
  "fmt"
- "net/http"
- "os"
- "path"
- "path/filepath"
-
  "github.com/jfrog/jfrog-cli-core/v2/utils/config"
  "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
  xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
@@ -17,6 +12,10 @@ import (
  "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
  "github.com/jfrog/jfrog-client-go/utils/io/httputils"
  "github.com/jfrog/jfrog-client-go/utils/log"
+ "net/http"
+ "os"
+ "path"
+ "path/filepath"
 )
 
 const (

xray/commands/utils/utils_test.go

@@ -72,7 +72,7 @@ func TestFilterResultIfNeeded(t *testing.T) {
  },
  },
  params: ScanGraphParams{
- severityLevel: 3,
+ severityLevel: 8,
  },
  expected: services.ScanResponse{
  Violations: []services.Violation{

xray/utils/resultstable.go

@@ -153,14 +153,7 @@ func prepareViolations(violations []services.Violation, extendedResults *Extende
  }
 
  // Sort the rows by severity and whether the row contains fixed versions
- sort.Slice(securityViolationsRows, func(i, j int) bool {
- if securityViolationsRows[i].SeverityNumValue != securityViolationsRows[j].SeverityNumValue {
- return securityViolationsRows[i].SeverityNumValue > securityViolationsRows[j].SeverityNumValue
- } else if securityViolationsRows[i].Applicable != securityViolationsRows[j].Applicable {
- return sortByApplicableValue(i, j, securityViolationsRows)
- }
- return len(securityViolationsRows[i].FixedVersions) > 0 && len(securityViolationsRows[j].FixedVersions) > 0
- })
+ sortVulnerabilityOrViolationRows(securityViolationsRows)
  sort.Slice(licenseViolationsRows, func(i, j int) bool {
  return licenseViolationsRows[i].SeverityNumValue > licenseViolationsRows[j].SeverityNumValue
  })
@@ -231,15 +224,17 @@ func prepareVulnerabilities(vulnerabilities []services.Vulnerability, extendedRe
  }
  }
 
- sort.Slice(vulnerabilitiesRows, func(i, j int) bool {
- if vulnerabilitiesRows[i].SeverityNumValue != vulnerabilitiesRows[j].SeverityNumValue {
- return vulnerabilitiesRows[i].SeverityNumValue > vulnerabilitiesRows[j].SeverityNumValue
- } else if vulnerabilitiesRows[i].Applicable != vulnerabilitiesRows[j].Applicable {
- sortByApplicableValue(i, j, vulnerabilitiesRows)
+ sortVulnerabilityOrViolationRows(vulnerabilitiesRows)
+ return vulnerabilitiesRows, nil
+}
+
+func sortVulnerabilityOrViolationRows(rows []formats.VulnerabilityOrViolationRow) {
+ sort.Slice(rows, func(i, j int) bool {
+ if rows[i].SeverityNumValue != rows[j].SeverityNumValue {
+ return rows[i].SeverityNumValue > rows[j].SeverityNumValue
  }
- return len(vulnerabilitiesRows[i].FixedVersions) > 0 && len(vulnerabilitiesRows[j].FixedVersions) > 0
+ return len(rows[i].FixedVersions) > 0 && len(rows[j].FixedVersions) > 0
  })
- return vulnerabilitiesRows, nil
 }
 
 // PrintLicensesTable prints the licenses in a table.
@@ -350,8 +345,8 @@ func prepareIacs(iacs []IacOrSecretResult, isTable bool) []formats.IacSecretsRow
 func PrintIacTable(iacs []IacOrSecretResult, entitledForIacScan bool) error {
  if entitledForIacScan {
  iacRows := prepareIacs(iacs, true)
- return coreutils.PrintTable(formats.ConvertToIacTableRow(iacRows), "Iac Violations",
- "✨ No Iac violations were found ✨", false)
+ return coreutils.PrintTable(formats.ConvertToIacTableRow(iacRows), "Infrastructure as Code Vulnerabilities",
+ "✨ No Infrastructure as Code vulnerabilities were found ✨", false)
  }
  return nil
 }
@@ -534,20 +529,24 @@ func (s *Severity) printableTitle(isTable bool) string {
 
 var Severities = map[string]map[string]*Severity{
  "Critical": {
- ApplicableStringValue: {emoji: "💀", title: "Critical", numValue: 4, style: color.New(color.BgLightRed, color.LightWhite)},
- NotApplicableStringValue: {emoji: "👌", title: "Critical", numValue: 4},
+ ApplicableStringValue: {emoji: "💀", title: "Critical", numValue: 12, style: color.New(color.BgLightRed, color.LightWhite)},
+ ApplicabilityUndeterminedStringValue: {emoji: "💀", title: "Critical", numValue: 11, style: color.New(color.BgLightRed, color.LightWhite)},
+ NotApplicableStringValue: {emoji: "👌", title: "Critical", numValue: 10},
  },
  "High": {
- ApplicableStringValue: {emoji: "🔥", title: "High", numValue: 3, style: color.New(color.Red)},
- NotApplicableStringValue: {emoji: "👌", title: "High", numValue: 3},
+ ApplicableStringValue: {emoji: "🔥", title: "High", numValue: 9, style: color.New(color.Red)},
+ ApplicabilityUndeterminedStringValue: {emoji: "🔥", title: "High", numValue: 8, style: color.New(color.Red)},
+ NotApplicableStringValue: {emoji: "👌", title: "High", numValue: 7},
  },
  "Medium": {
- ApplicableStringValue: {emoji: "🎃", title: "Medium", numValue: 2, style: color.New(color.Yellow)},
- NotApplicableStringValue: {emoji: "👌", title: "Medium", numValue: 2},
+ ApplicableStringValue: {emoji: "🎃", title: "Medium", numValue: 6, style: color.New(color.Yellow)},
+ ApplicabilityUndeterminedStringValue: {emoji: "🎃", title: "Medium", numValue: 5, style: color.New(color.Yellow)},
+ NotApplicableStringValue: {emoji: "👌", title: "Medium", numValue: 4},
  },
  "Low": {
- ApplicableStringValue: {emoji: "👻", title: "Low", numValue: 1},
- NotApplicableStringValue: {emoji: "👌", title: "Low", numValue: 1},
+ ApplicableStringValue: {emoji: "👻", title: "Low", numValue: 3},
+ ApplicabilityUndeterminedStringValue: {emoji: "👻", title: "Low", numValue: 2},
+ NotApplicableStringValue: {emoji: "👌", title: "Low", numValue: 1},
  },
 }
 
@@ -572,10 +571,15 @@ func GetSeverity(severityTitle string, applicable string) *Severity {
  if Severities[severityTitle] == nil {
  return &Severity{title: severityTitle}
  }
- if applicable == NotApplicableStringValue {
+
+ switch applicable {
+ case NotApplicableStringValue:
  return Severities[severityTitle][NotApplicableStringValue]
+ case ApplicableStringValue:
+ return Severities[severityTitle][ApplicableStringValue]
+ default:
+ return Severities[severityTitle][ApplicabilityUndeterminedStringValue]
  }
- return Severities[severityTitle][ApplicableStringValue]
 }
 
 type operationalRiskViolationReadableData struct {
@@ -825,24 +829,10 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form
  return ApplicabilityUndeterminedStringValue
 }
 
-func getApplicableCveNumValue(stringValue string) int {
- if stringValue == ApplicableStringValue {
- return 3
- } else if stringValue == ApplicabilityUndeterminedStringValue {
- return 2
- }
- return 1
-}
-
 func printApplicableCveValue(applicableValue string, isTable bool) string {
  if applicableValue == ApplicableStringValue && isTable && (log.IsStdOutTerminal() && log.IsColorsSupported() ||
  os.Getenv("GITLAB_CI") != "") {
  return color.New(color.Red).Render(ApplicableStringValue)
  }
  return applicableValue
 }
-
-func sortByApplicableValue(i int, j int, securityViolationsRows []formats.VulnerabilityOrViolationRow) bool {
- return getApplicableCveNumValue(securityViolationsRows[i].Applicable) >
- getApplicableCveNumValue(securityViolationsRows[j].Applicable)
-}

xray/utils/resultstable_test.go

@@ -466,6 +466,108 @@ func TestGetApplicableCveValue(t *testing.T) {
  }
 }
 
+func TestSortVulnerabilityOrViolationRows(t *testing.T) {
+ testCases := []struct {
+ name string
+ rows []formats.VulnerabilityOrViolationRow
+ expectedOrder []string
+ }{
+ {
+ name: "Sort by severity with different severity values",
+ rows: []formats.VulnerabilityOrViolationRow{
+ {
+ Summary: "Summary 1",
+ Severity: "High",
+ SeverityNumValue: 9,
+ FixedVersions: []string{},
+ ImpactedDependencyName: "Dependency 1",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ {
+ Summary: "Summary 2",
+ Severity: "Critical",
+ SeverityNumValue: 12,
+ FixedVersions: []string{"1.0.0"},
+ ImpactedDependencyName: "Dependency 2",
+ ImpactedDependencyVersion: "2.0.0",
+ },
+ {
+ Summary: "Summary 3",
+ Severity: "Medium",
+ SeverityNumValue: 6,
+ FixedVersions: []string{},
+ ImpactedDependencyName: "Dependency 3",
+ ImpactedDependencyVersion: "3.0.0",
+ },
+ },
+ expectedOrder: []string{"Dependency 2", "Dependency 1", "Dependency 3"},
+ },
+ {
+ name: "Sort by severity with same severity values, but different fixed versions",
+ rows: []formats.VulnerabilityOrViolationRow{
+ {
+ Summary: "Summary 1",
+ Severity: "Critical",
+ SeverityNumValue: 12,
+ FixedVersions: []string{"1.0.0"},
+ ImpactedDependencyName: "Dependency 1",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ {
+ Summary: "Summary 2",
+ Severity: "Critical",
+ SeverityNumValue: 12,
+ FixedVersions: []string{},
+ ImpactedDependencyName: "Dependency 2",
+ ImpactedDependencyVersion: "2.0.0",
+ },
+ },
+ expectedOrder: []string{"Dependency 1", "Dependency 2"},
+ },
+ {
+ name: "Sort by severity with same severity values different applicability",
+ rows: []formats.VulnerabilityOrViolationRow{
+ {
+ Summary: "Summary 1",
+ Severity: "Critical",
+ Applicable: ApplicableStringValue,
+ SeverityNumValue: 13,
+ FixedVersions: []string{"1.0.0"},
+ ImpactedDependencyName: "Dependency 1",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ {
+ Summary: "Summary 2",
+ Applicable: NotApplicableStringValue,
+ Severity: "Critical",
+ SeverityNumValue: 11,
+ ImpactedDependencyName: "Dependency 2",
+ ImpactedDependencyVersion: "2.0.0",
+ },
+ {
+ Summary: "Summary 3",
+ Applicable: ApplicabilityUndeterminedStringValue,
+ Severity: "Critical",
+ SeverityNumValue: 12,
+ ImpactedDependencyName: "Dependency 3",
+ ImpactedDependencyVersion: "2.0.0",
+ },
+ },
+ expectedOrder: []string{"Dependency 1", "Dependency 3", "Dependency 2"},
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ sortVulnerabilityOrViolationRows(tc.rows)
+
+ for i, row := range tc.rows {
+ assert.Equal(t, tc.expectedOrder[i], row.ImpactedDependencyName)
+ }
+ })
+ }
+}
+
 func newBoolPtr(v bool) *bool {
  return &v
 }