microsoft · ejohn20 · Aug 3, 2022 · Aug 3, 2022 · Aug 3, 2022 · Aug 4, 2022
@@ -224,4 +224,5 @@ FakesAssemblies/
 # LightSwitch generated files
 GeneratedArtifacts/
 _Pvt_Extensions/
-ModelManifest.xml
+ModelManifest.xml
+*.DS_Store
@@ -69,19 +69,26 @@ Sarif.Multitool validate Other.sarif
 ```
 
 ## Supported Converters
+
 Run ```Sarif.Multitool convert --help``` for the current list.
 
 - AndroidStudio
+- CisCat
 - ClangAnalyzer
 - ClangTidy
 - CppCheck
 - ContrastSecurity
+- FlawFinder
 - Fortify
 - FortifyFpr
 - FxCop
+- GenericSarif
+- Hdf
+- Nessus
 - PREfast
 - Pylint
 - SemmleQL
+- SnykOpenSource
 - StaticDriverVerifier
 - TSLint
 

@@ -47,10 +47,13 @@ NOT RuleId = SM00251 OR OccurrenceCount > 10 AND OccurrenceCount < 100
 * CorrelationGuid
 * Guid
 * HostedViewerUri
+* IsSuppressed
 * Kind
 * Level
 * Message.Text
 * OccurrenceCount
+* properties.[value]
 * Rank
+* rule.properties.[value]
 * RuleId
 * Uri
@@ -9,6 +9,8 @@
 * BUGFIX: Update `merge` command to properly produce runs by tool and version when passed the `--merge-runs` argument. [#2488](https://github.com/microsoft/sarif-sdk/pull/2488)
 * BUGFIX: Eliminate `IOException` and `DirectoryNotFoundException` exceptions thrown by `merge` command when splitting by rule (due to invalid file characters in rule ids). [#2513](https://github.com/microsoft/sarif-sdk/pull/2513)
 * BUGFIX: Fix classes inside NotYetAutoGenerated folder missing `virtual` keyword for public methods and properties, by regenerate and manually sync the changes. [#2537](https://github.com/microsoft/sarif-sdk/pull/2537)
+* FEATURE: Enhancement to the `suppress` command to better support auditing results. New argument `--expression` provides the capability to suppress all results matching the expression. New argument `--results-guids` provides the capability to suppress one to many results by the `guid` value. With this update, previously suppressed (non-expired) results will not be suppressed again. [#2530](https://github.com/microsoft/sarif-sdk/pull/2530)
+* FEATURE: Enhancement to the `query` command adding a new `IsSuppressed` expression option. This query expression allows auditors to filter results based on their suppression status. The expression finds all suppressed (non-expired) results. [#2530](https://github.com/microsoft/sarif-sdk/pull/2530)
 
 ## **v3.1.0** [Sdk](https://www.nuget.org/packages/Sarif.Sdk/3.1.0) | [Driver](https://www.nuget.org/packages/Sarif.Driver/3.1.0) | [Converters](https://www.nuget.org/packages/Sarif.Converters/3.1.0) | [Multitool](https://www.nuget.org/packages/Sarif.Multitool/3.1.0) | [Multitool Library](https://www.nuget.org/packages/Sarif.Multitool.Library/3.1.0)
 

@@ -25,6 +25,7 @@ private static Dictionary<string, Lazy<ToolFileConverterBase>> CreateBuiltInConv
  {
  var result = new Dictionary<string, Lazy<ToolFileConverterBase>>();
  CreateConverterRecord<AndroidStudioConverter>(result, ToolFormat.AndroidStudio);
+ CreateConverterRecord<CisCatConverter>(result, ToolFormat.CisCat);
  CreateConverterRecord<CppCheckConverter>(result, ToolFormat.CppCheck);
  CreateConverterRecord<ClangAnalyzerConverter>(result, ToolFormat.ClangAnalyzer);
  CreateConverterRecord<ClangTidyConverter>(result, ToolFormat.ClangTidy);
@@ -33,9 +34,12 @@ private static Dictionary<string, Lazy<ToolFileConverterBase>> CreateBuiltInConv
  CreateConverterRecord<FortifyFprConverter>(result, ToolFormat.FortifyFpr);
  CreateConverterRecord<FxCopConverter>(result, ToolFormat.FxCop);
  CreateConverterRecord<FlawFinderConverter>(result, ToolFormat.FlawFinder);
+ CreateConverterRecord<GenericSarifConverter>(result, ToolFormat.GenericSarif); 
  CreateConverterRecord<HdfConverter>(result, ToolFormat.Hdf);
+ CreateConverterRecord<NessusConverter>(result, ToolFormat.Nessus);
  CreateConverterRecord<PREfastConverter>(result, ToolFormat.PREfast);
  CreateConverterRecord<PylintConverter>(result, ToolFormat.Pylint);
+ CreateConverterRecord<SnykOpenSourceConverter>(result, ToolFormat.SnykOpenSource);
  CreateConverterRecord<SemmleQLConverter>(result, ToolFormat.SemmleQL);
  CreateConverterRecord<StaticDriverVerifierConverter>(result, ToolFormat.StaticDriverVerifier);
  CreateConverterRecord<TSLintConverter>(result, ToolFormat.TSLint);

@@ -0,0 +1,188 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+
+using Microsoft.CodeAnalysis.Sarif.Converters.CisCatObjectModel;
+
+namespace Microsoft.CodeAnalysis.Sarif.Converters
+{
+ public class CisCatConverter : ToolFileConverterBase
+ {
+ private readonly LogReader<CisCatReport> logReader;
+
+ public CisCatConverter()
+ {
+ logReader = new CisCatReportReader();
+ }
+
+ public override string ToolName => ToolFormat.CisCat;
+
+ public override void Convert(Stream input, IResultLogWriter output, OptionallyEmittedData dataToInsert)
+ {
+ input = input ?? throw new ArgumentNullException(nameof(input));
+ output = output ?? throw new ArgumentNullException(nameof(output));
+
+ //Read CIS CAT data
+ CisCatReport log = logReader.ReadLog(input);
+
+ //Top level run object for the scan data
+ var run = new Run();
+
+ //Set the tool details
+ run.Tool = new Tool();
+ run.Tool.Driver = CreateDriver(log);
+
+ //Set the list of tool rules
+ run.Tool.Driver.Rules = new List<ReportingDescriptor>();
+ foreach (CisCatRule rule in log.Rules)
+ {
+ run.Tool.Driver.Rules.Add(CreateReportDescriptor(rule));
+ }
+
+ var results = new List<Result>();
+ foreach (CisCatRule rule in log.Rules.Where(i => !i.IsPass()))
+ {
+ results.Add(CreateResult(rule));
+ }
+
+ PersistResults(output, results, run);
+ }
+
+ internal ToolComponent CreateDriver(CisCatReport report)
+ {
+
+ var driver = new ToolComponent();
+
+ driver.Name = this.ToolName;
+ driver.FullName = report.BenchmarkTitle;
+ driver.Version = report.BenchmarkVersion;
+ driver.SemanticVersion = report.BenchmarkVersion;
+ driver.InformationUri = new Uri("https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro_pre");
+
+ driver.SetProperty("benchmarkId", report.BenchmarkId);
+ driver.SetProperty("profileId", report.ProfileId);
+ driver.SetProperty("profileTitle", report.ProfileTitle);
+ driver.SetProperty("score", report.Score);
+
+ return driver;
+ }
+
+ internal ReportingDescriptor CreateReportDescriptor(CisCatRule rule)
+ {
+ ReportingDescriptor descriptor = new ReportingDescriptor();
+
+ descriptor.Id = rule.RuleId;
+ descriptor.Name = rule.RuleTitle;
+ descriptor.ShortDescription = new MultiformatMessageString()
+ {
+ Text = rule.RuleTitle,
+ Markdown = rule.RuleTitle,
+ };
+ descriptor.FullDescription = new MultiformatMessageString()
+ {
+ Text = rule.RuleTitle,
+ Markdown = rule.RuleTitle,
+ };
+ descriptor.Help = new MultiformatMessageString()
+ {
+ Text = rule.RuleTitle,
+ Markdown = rule.RuleTitle,
+ };
+
+ //Use for GH Security Advisories
+ //set result level and rank (Critical - Low risk rating)
+ FailureLevel level = FailureLevel.None;
+ ResultKind kind = ResultKind.None;
+ double rank = RankConstants.None;
+ getResultSeverity(rule.Result, out level, out kind, out rank);
+
+ //Create only if a valid is assigned
+ if (rank != RankConstants.None)
+ {
+ descriptor.SetProperty("security-severity", rank);
+ }
+
+ //Tags for GH filtering
+ var tags = new List<string>()
+ {
+ "security",
+ };
+
+ descriptor.SetProperty("tags", tags);
+
+ return descriptor;
+ }
+
+ internal Result CreateResult(CisCatRule rule)
+ {
+ //set the result metadata
+ Result result = new Result
+ {
+ RuleId = rule.RuleId,
+ Message = new Message { Text = rule.RuleTitle },
+ };
+
+ //set result kind, level and rank (Critical - Low risk rating)
+ FailureLevel level = FailureLevel.None;
+ ResultKind kind = ResultKind.None;
+ double rank = RankConstants.None;
+ getResultSeverity(rule.Result, out level, out kind, out rank);
+
+ //Set result object data
+ result.Level = level;
+ result.Kind = kind;
+ result.Rank = rank;
+
+ //Set the unique fingerprint
+ result.Fingerprints = new Dictionary<string, string>();
+ result.Fingerprints.Add("0", HashUtilities.ComputeSha256HashValue(rule.RuleId).ToLower());
+
+ return result;
+ }
+
+ private void getResultSeverity(string result, out FailureLevel level, out ResultKind kind, out double rank)
+ {
+ // Default values
+ level = FailureLevel.None;
+ kind = ResultKind.None;
+ rank = RankConstants.None;
+
+ //Kind & Level determine the status
+ //Result: "fail": Level = Error, Kind = Fail
+ //Result: "info|notchecked|pass|unknown": Level = None, Kind = Informational|NotApplicable|Pass|Review
+ switch (result)
+ {
+ case "pass":
+ level = FailureLevel.None;
+ kind = ResultKind.Pass;
+ rank = RankConstants.None;
+ break;
+ case "fail":
+ level = FailureLevel.Error;
+ kind = ResultKind.Fail;
+ rank = RankConstants.High;
+ break;
+ case "notchecked":
+ level = FailureLevel.None;
+ kind = ResultKind.NotApplicable;
+ rank = RankConstants.None;
+ break;
+ case "informational":
+ level = FailureLevel.None;
+ kind = ResultKind.Informational;
+ rank = RankConstants.None;
+ break;
+ case "unknown":
+ default:
+ level = FailureLevel.Warning;
+ kind = ResultKind.Fail;
+ rank = RankConstants.Medium;
+ break;
+ };
+ }
+ }
+}
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+
+using Newtonsoft.Json;
+
+namespace Microsoft.CodeAnalysis.Sarif.Converters.CisCatObjectModel
+{
+ public class CisCatReport
+ {
+ [JsonProperty("benchmark-id")]
+ public string BenchmarkId { get; set; }
+
+ [JsonProperty("benchmark-title")]
+ public string BenchmarkTitle { get; set; }
+
+ [JsonProperty("benchmark-version")]
+ public string BenchmarkVersion { get; set; }
+
+ [JsonProperty("profile-id")]
+ public string ProfileId { get; set; }
+
+ [JsonProperty("profile-title")]
+ public string ProfileTitle { get; set; }
+
+ [JsonProperty("score")]
+ public string Score { get; set; }
+
+ [JsonProperty("rules")]
+ public IEnumerable<CisCatRule> Rules { get; set; }
+ }
+}
@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using System.IO;
+
+using Newtonsoft.Json;
+
+namespace Microsoft.CodeAnalysis.Sarif.Converters.CisCatObjectModel
+{
+ public class CisCatReportReader : LogReader<CisCatReport>
+ {
+ public override CisCatReport ReadLog(Stream input)
+ {
+ string reportData;
+
+ using (TextReader streamReader = new StreamReader(input))
+ {
+ reportData = streamReader.ReadToEnd();
+ }
+
+ return JsonConvert.DeserializeObject<CisCatReport>(reportData);
+ }
+ }
+}
@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using Newtonsoft.Json;
+
+namespace Microsoft.CodeAnalysis.Sarif.Converters.CisCatObjectModel
+{
+ public class CisCatRule
+ {
+ [JsonProperty("rule-id")]
+ public string RuleId { get; set; }
+
+ [JsonProperty("rule-title")]
+ public string RuleTitle { get; set; }
+
+ [JsonProperty("result")]
+ public string Result { get; set; }
+
+ public bool IsPass()
+ {
+ return this.Result == "pass";
+ }
+ }
+}