Add sonarqube output

README.md

@@ -161,7 +161,7 @@ gosec -tag debug,ignore ./...
 
 ### Output formats
 
-gosec currently supports text, json, yaml, csv and JUnit XML output formats. By default
+gosec currently supports text, json, yaml, csv, sonarqube and JUnit XML output formats. By default
 results will be reported to stdout, but can also be written to an output
 file. The output format is controlled by the '-fmt' flag, and the output file is controlled by the '-out' flag as follows:
 

cmd/gosec/main.go

@@ -65,7 +65,7 @@ var (
 	flagIgnoreNoSec = flag.Bool("nosec", false, "Ignores #nosec comments when set")
 
 	// format output
-	flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, yaml, csv, junit-xml, html, or text")
+	flagFormat = flag.String("fmt", "text", "Set output format. Valid options are: json, yaml, csv, junit-xml, html, sonarqube, or text")
 
 	// output file
 	flagOutput = flag.String("out", "", "Set output file for results")
@@ -165,19 +165,19 @@ func loadRules(include, exclude string) rules.RuleList {
 	return rules.Generate(filters...)
 }
 
-func saveOutput(filename, format string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
+func saveOutput(filename, format, rootPath string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
 	if filename != "" {
 		outfile, err := os.Create(filename)
 		if err != nil {
 			return err
 		}
 		defer outfile.Close()
-		err = output.CreateReport(outfile, format, issues, metrics, errors)
+		err = output.CreateReport(outfile, format, rootPath, issues, metrics, errors)
 		if err != nil {
 			return err
 		}
 	} else {
-		err := output.CreateReport(os.Stdout, format, issues, metrics, errors)
+		err := output.CreateReport(os.Stdout, format, rootPath, issues, metrics, errors)
 		if err != nil {
 			return err
 		}
@@ -318,6 +318,7 @@ func main() {
 	if *flagBuildTags != "" {
 		buildTags = strings.Split(*flagBuildTags, ",")
 	}
+
 	if err := analyzer.Process(buildTags, packages...); err != nil {
 		logger.Fatal(err)
 	}
@@ -342,9 +343,9 @@ func main() {
 	if !issuesFound && *flagQuiet {
 		os.Exit(0)
 	}
-
+	rootPath := packages[0]
 	// Create output report
-	if err := saveOutput(*flagOutput, *flagFormat, issues, metrics, errors); err != nil {
+	if err := saveOutput(*flagOutput, *flagFormat, rootPath, issues, metrics, errors); err != nil {
 		logger.Fatal(err)
 	}
 

output/formatter.go

@@ -20,6 +20,8 @@ import (
 	"encoding/xml"
 	htmlTemplate "html/template"
 	"io"
+	"strconv"
+	"strings"
 	plainTemplate "text/template"
 
 	"github.com/securego/gosec"
@@ -41,6 +43,9 @@ const (
 
 	// ReportJUnitXML set the output format to junit xml
 	ReportJUnitXML // JUnit XML format
+
+	//SonarqubeEffortMinutes effort to fix in minutes
+	SonarqubeEffortMinutes = 5
 )
 
 var text = `Results:
@@ -71,7 +76,7 @@ type reportInfo struct {
 
 // CreateReport generates a report based for the supplied issues and metrics given
 // the specified format. The formats currently accepted are: json, csv, html and text.
-func CreateReport(w io.Writer, format string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
+func CreateReport(w io.Writer, format, rootPath string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
 	data := &reportInfo{
 		Errors: errors,
 		Issues: issues,
@@ -91,22 +96,53 @@ func CreateReport(w io.Writer, format string, issues []*gosec.Issue, metrics *go
 		err = reportFromHTMLTemplate(w, html, data)
 	case "text":
 		err = reportFromPlaintextTemplate(w, text, data)
+	case "sonarqube":
+		err = reportSonarqube(rootPath, w, data)
 	default:
 		err = reportFromPlaintextTemplate(w, text, data)
 	}
 	return err
 }
 
+func reportSonarqube(rootPath string, w io.Writer, data *reportInfo) error {
+	var si sonarIssues
+	for _, issue := range data.Issues {
+		lines := strings.Split(issue.Line, "-")
+
+		startLine, _ := strconv.Atoi(lines[0])
+		endLine := startLine
+		if len(lines) > 1 {
+			endLine, _ = strconv.Atoi(lines[1])
+		}
+		s := sonarIssue{
+			EngineID: "gosec",
+			RuleID:   issue.RuleID,
+			PrimaryLocation: location{
+				Message:   issue.What,
+				FilePath:  strings.Replace(issue.File, rootPath+"/", "", 1),
+				TextRange: textRange{StartLine: startLine, EndLine: endLine},
+			},
+			Type:          "VULNERABILITY",
+			Severity:      getSonarSeverity(issue.Severity.String()),
+			EffortMinutes: SonarqubeEffortMinutes,
+		}
+		si.SonarIssues = append(si.SonarIssues, s)
+	}
+	raw, err := json.MarshalIndent(si, "", "\t")
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(raw)
+	return err
+}
+
 func reportJSON(w io.Writer, data *reportInfo) error {
 	raw, err := json.MarshalIndent(data, "", "\t")
 	if err != nil {
-		panic(err)
+		return err
 	}
 
 	_, err = w.Write(raw)
-	if err != nil {
-		panic(err)
-	}
 	return err
 }
 

output/sonarqube_format.go

@@ -0,0 +1,40 @@
+package output
+
+type textRange struct {
+	StartLine   int `json:"startLine"`
+	EndLine     int `json:"endLine"`
+	StartColumn int `json:"startColumn,omitempty"`
+	EtartColumn int `json:"endColumn,omitempty"`
+}
+type location struct {
+	Message   string    `json:"message"`
+	FilePath  string    `json:"filePath"`
+	TextRange textRange `json:"textRange,omitempty"`
+}
+
+type sonarIssue struct {
+	EngineID           string     `json:"engineId"`
+	RuleID             string     `json:"ruleId"`
+	PrimaryLocation    location   `json:"primaryLocation"`
+	Type               string     `json:"type"`
+	Severity           string     `json:"severity"`
+	EffortMinutes      int        `json:"effortMinutes"`
+	SecondaryLocations []location `json:"secondaryLocations,omitempty"`
+}
+
+type sonarIssues struct {
+	SonarIssues []sonarIssue `json:"issues"`
+}
+
+func getSonarSeverity(s string) string {
+	switch s {
+	case "LOW":
+		return "MINOR"
+	case "MEDIUM":
+		return "MAJOR"
+	case "HIGH":
+		return "BLOCKER"
+	default:
+		return "INFO"
+	}
+}