Skip to content

Commit

Permalink
Merge pull request #4566 from snyk/fix/align-container-sarif-output
Browse files Browse the repository at this point in the history
fix: align container sarif output
  • Loading branch information
minsiyang authored Apr 25, 2023
2 parents cde8ca6 + 15dd67c commit 794017f
Show file tree
Hide file tree
Showing 7 changed files with 247 additions and 126 deletions.
16 changes: 9 additions & 7 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,21 @@ src/cli/commands/describe.ts @snyk/cloud-context
src/cli/commands/update-exclude-policy.ts @snyk/cloud-dev-ex
src/cli/commands/apps @snyk/moose
src/lib/apps @snyk/moose
src/lib/container @snyk/mycelium
src/lib/container @snyk/lumos
src/lib/plugins @snyk/snyk-open-source
test/fixtures/sast/ @snyk/zenith
src/lib/plugins/sast/ @snyk/zenith
test/jest/unit/snyk-code/ @snyk/zenith
src/lib/formatters/iac-output/ @snyk/cloud-dev-ex
src/lib/formatters/sarif-output.ts @snyk/container
src/lib/formatters/get-sarif-result.ts @snyk/container @snyk/hammerhead @snyk/snyk-open-source
src/lib/iac/ @snyk/group-infrastructure-as-code
src/lib/iac/test/ @snyk/cloud-dev-ex
src/lib/snyk-test/iac-test-result.ts @snyk/cloud-dev-ex
test/fixtures/basic-apk/ @snyk/mycelium
test/fixtures/container-app-vulns/ @snyk/mycelium
test/fixtures/container-projects/ @snyk/mycelium @snyk/potion
test/fixtures/docker/ @snyk/mycelium @snyk/potion
test/fixtures/basic-apk/ @snyk/lumos
test/fixtures/container-app-vulns/ @snyk/lumos
test/fixtures/container-projects/ @snyk/lumos
test/fixtures/docker/ @snyk/lumos
test/fixtures/iac/ @snyk/cloud-dev-ex
test/fixtures/iac/drift @snyk/cloud-context
test/fixtures/iac/capture @snyk/cloud-context
Expand All @@ -43,7 +45,7 @@ test/smoke/spec/snyk_basic_spec.sh @snyk/hammerhead
test/smoke/.iac-data/ @snyk/cloud-dev-ex
test/jest/unit/lib/endpoint-config-test.spec.ts @snyk/nebula
test/jest/unit/lib/formatters/iac-output/ @snyk/cloud-dev-ex
test/jest/unit/lib/formatters/test/format-test-results.spec.ts @snyk/hammerhead @snyk/snyk-open-source @snyk/mycelium
test/jest/unit/lib/formatters/test/format-test-results.spec.ts @snyk/hammerhead @snyk/snyk-open-source @snyk/lumos
test/jest/unit/iac/ @snyk/cloud-dev-ex
test/jest/unit/cli/commands/test/iac @snyk/cloud-dev-ex
test/jest/unit/lib/iac/drift/ @snyk/cloud-context
Expand Down Expand Up @@ -72,7 +74,7 @@ src/cli/commands/log4shell-hashes.ts @snyk/tundra
src/cli/commands/log4shell.ts @snyk/tundra
test/fixtures/unmanaged-log4j-fixture @snyk/tundra
test/jest/acceptance/snyk-log4shell/log4shell-detection.spec.ts @snyk/tundra
test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts @snyk/mycelium
test/jest/acceptance/snyk-test/app-vuln-container-project.spec.ts @snyk/lumos
/.github @snyk/hammerhead
/.github/workflows/iac-smoke-tests.yml @snyk/cloud-dev-ex
/.github/workflows/iac-smoke-tests-pulls.yml @snyk/cloud-dev-ex
Expand Down
44 changes: 44 additions & 0 deletions src/lib/formatters/get-sarif-result.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
import * as sarif from 'sarif';
import * as groupBy from 'lodash.groupby';
import * as map from 'lodash.map';

import { SEVERITY, AnnotatedIssue } from '../snyk-test/legacy';

export function getResults(testResult): sarif.Result[] {
const groupedVulnerabilities = groupBy(testResult.vulnerabilities, 'id');
return map(
groupedVulnerabilities,
([vuln]): sarif.Result => ({
ruleId: vuln.id,
level: getLevel(vuln),
message: {
text: `This file introduces a vulnerable ${vuln.packageName} package with a ${vuln.severity} severity vulnerability.`,
},
locations: [
{
physicalLocation: {
artifactLocation: {
uri: testResult.displayTargetFile,
},
region: {
startLine: vuln.lineNumber || 1,
},
},
},
],
}),
);
}

export function getLevel(vuln: AnnotatedIssue) {
switch (vuln.severity) {
case SEVERITY.CRITICAL:
case SEVERITY.HIGH:
return 'error';
case SEVERITY.MEDIUM:
return 'warning';
case SEVERITY.LOW:
default:
return 'note';
}
}
48 changes: 5 additions & 43 deletions src/lib/formatters/open-source-sarif-output.ts
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
import * as sarif from 'sarif';
const upperFirst = require('lodash.upperfirst');
const groupBy = require('lodash.groupby');
const map = require('lodash.map');
import * as upperFirst from 'lodash.upperfirst';
import * as groupBy from 'lodash.groupby';
import * as map from 'lodash.map';

import { TestResult, SEVERITY, AnnotatedIssue } from '../snyk-test/legacy';
import { TestResult, AnnotatedIssue } from '../snyk-test/legacy';
import { getResults } from './get-sarif-result';

const LOCK_FILES_TO_MANIFEST_MAP = {
'Gemfile.lock': 'Gemfile',
Expand Down Expand Up @@ -89,45 +90,6 @@ ${vuln.description}`.replace(/##\s/g, '# '),
);
}

export function getResults(testResult): sarif.Result[] {
const groupedVulnerabilities = groupBy(testResult.vulnerabilities, 'id');
return map(
groupedVulnerabilities,
([vuln]): sarif.Result => ({
ruleId: vuln.id,
level: getLevel(vuln),
message: {
text: `This file introduces a vulnerable ${vuln.packageName} package with a ${vuln.severity} severity vulnerability.`,
},
locations: [
{
physicalLocation: {
artifactLocation: {
uri: testResult.displayTargetFile,
},
region: {
startLine: vuln.lineNumber || 1,
},
},
},
],
}),
);
}

export function getLevel(vuln: AnnotatedIssue) {
switch (vuln.severity) {
case SEVERITY.CRITICAL:
case SEVERITY.HIGH:
return 'error';
case SEVERITY.MEDIUM:
return 'warning';
case SEVERITY.LOW:
default:
return 'note';
}
}

function getIntroducedThrough(vuln: AnnotatedIssue) {
const [firstFrom, secondFrom] = vuln.from || [];

Expand Down
43 changes: 11 additions & 32 deletions src/lib/formatters/sarif-output.ts
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
import * as sarif from 'sarif';
import * as upperFirst from 'lodash.upperfirst';
import { TestResult } from '../snyk-test/legacy';
import { SEVERITY } from '../snyk-test/legacy';
const upperFirst = require('lodash.upperfirst');
import { getResults } from './get-sarif-result';

export function createSarifOutputForContainers(
testResults: TestResult[],
): sarif.Log {
const sarifRes: sarif.Log = {
$schema:
'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
version: '2.1.0',
runs: [],
};
Expand Down Expand Up @@ -48,7 +51,7 @@ export function getTool(testResult): sarif.Tool {
return;
}
const level = getIssueLevel(vuln.severity);
const cve = vuln['identifiers']['CVE'][0];
const cve = vuln.identifiers?.CVE?.join();
pushedIds[vuln.id] = true;
return {
id: vuln.id,
Expand All @@ -70,39 +73,15 @@ export function getTool(testResult): sarif.Tool {
level: level,
},
properties: {
tags: ['security', ...vuln.identifiers.CWE],
tags: [
'security',
...(vuln.identifiers?.CWE || []),
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
testResult.packageManager!,
],
},
};
})
.filter(Boolean);
return tool;
}

export function getResults(testResult): sarif.Result[] {
const results: sarif.Result[] = [];

if (!testResult.vulnerabilities) {
return results;
}
testResult.vulnerabilities.forEach((vuln) => {
results.push({
ruleId: vuln.id,
message: {
text: `This file introduces a vulnerable ${vuln.packageName} package with a ${vuln.severity} severity vulnerability.`,
},
locations: [
{
physicalLocation: {
artifactLocation: {
uri: testResult.displayTargetFile,
},
region: {
startLine: vuln.lineNumber || 1,
},
},
},
],
});
});
return results;
}
31 changes: 14 additions & 17 deletions test/fixtures/docker/sarif-container-result.json
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
Expand All @@ -18,37 +19,33 @@
"text": "",
"markdown": "## Overview\nUse-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.\n\n## References\n- [GENTOO](https://security.gentoo.org/glsa/201708-08)\n- [CONFIRM](https://bugzilla.redhat.com/show_bug.cgi?id=1319648)\n- [SECTRACK](http://www.securitytracker.com/id/1036132)\n- [BID](http://www.securityfocus.com/bid/91297)\n- [CONFIRM](http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html)\n- [MLIST](http://www.openwall.com/lists/oss-security/2016/06/20/1)\n"
},
"defaultConfiguration": { "level": "warning" },
"properties": { "tags": ["security"] }
"defaultConfiguration": {
"level": "warning"
},
"properties": {
"tags": [
"security",
"deb"
]
}
}
]
}
},
"results": [
{
"ruleId": "SNYK-LINUX-BZIP2-106947",
"level": "note",
"message": {
"text": "This file introduces a vulnerable bzip2 package with a low severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": { "startLine": 1 }
}
}
]
},
{
"ruleId": "SNYK-LINUX-BZIP2-106947",
"message": {
"text": "This file introduces a vulnerable bzip2 package with a low severity vulnerability."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {},
"region": { "startLine": 1 }
"region": {
"startLine": 1
}
}
}
]
Expand Down
Loading

0 comments on commit 794017f

Please sign in to comment.