2021-05-05 17:54:32 +01:00
|
|
|
package sarif
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2021-05-20 09:16:42 +01:00
|
|
|
"sort"
|
2021-05-05 17:54:32 +01:00
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2021-05-20 09:16:42 +01:00
|
|
|
"github.com/google/uuid"
|
2021-05-05 17:54:32 +01:00
|
|
|
"github.com/securego/gosec/v2"
|
|
|
|
|
"github.com/securego/gosec/v2/cwe"
|
|
|
|
|
)
|
|
|
|
|
|
2021-05-31 09:44:12 +01:00
|
|
|
// GenerateReport Convert a gosec report to a Sarif Report
|
2021-05-20 09:16:42 +01:00
|
|
|
func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) {
|
2021-05-05 17:54:32 +01:00
|
|
|
type rule struct {
|
|
|
|
|
index int
|
|
|
|
|
rule *ReportingDescriptor
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rules := make([]*ReportingDescriptor, 0)
|
|
|
|
|
rulesIndices := make(map[string]rule)
|
|
|
|
|
lastRuleIndex := -1
|
|
|
|
|
|
|
|
|
|
results := []*Result{}
|
2021-05-10 09:08:04 +01:00
|
|
|
cweTaxa := make([]*ReportingDescriptor, 0)
|
2021-05-07 15:54:34 +01:00
|
|
|
weaknesses := make(map[string]*cwe.Weakness)
|
2021-05-05 17:54:32 +01:00
|
|
|
|
|
|
|
|
for _, issue := range data.Issues {
|
|
|
|
|
_, ok := weaknesses[issue.Cwe.ID]
|
|
|
|
|
if !ok {
|
|
|
|
|
weakness := cwe.Get(issue.Cwe.ID)
|
|
|
|
|
weaknesses[issue.Cwe.ID] = weakness
|
2021-05-10 09:08:04 +01:00
|
|
|
cweTaxon := parseSarifTaxon(weakness)
|
|
|
|
|
cweTaxa = append(cweTaxa, cweTaxon)
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r, ok := rulesIndices[issue.RuleID]
|
|
|
|
|
if !ok {
|
|
|
|
|
lastRuleIndex++
|
|
|
|
|
r = rule{index: lastRuleIndex, rule: parseSarifRule(issue)}
|
|
|
|
|
rulesIndices[issue.RuleID] = r
|
|
|
|
|
rules = append(rules, r.rule)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
location, err := parseSarifLocation(issue, rootPaths)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-09 10:53:36 +00:00
|
|
|
result := NewResult(r.rule.ID, r.index, getSarifLevel(issue.Severity.String()), issue.What, buildSarifSuppressions(issue.Suppressions)).
|
2021-05-10 09:08:04 +01:00
|
|
|
WithLocations(location)
|
2021-05-05 17:54:32 +01:00
|
|
|
|
|
|
|
|
results = append(results, result)
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-20 09:16:42 +01:00
|
|
|
sort.SliceStable(rules, func(i, j int) bool { return rules[i].ID < rules[j].ID })
|
|
|
|
|
sort.SliceStable(cweTaxa, func(i, j int) bool { return cweTaxa[i].ID < cweTaxa[j].ID })
|
|
|
|
|
|
|
|
|
|
tool := NewTool(buildSarifDriver(rules, data.GosecVersion))
|
2021-05-05 17:54:32 +01:00
|
|
|
|
2021-05-10 09:08:04 +01:00
|
|
|
cweTaxonomy := buildCWETaxonomy(cweTaxa)
|
2021-05-05 17:54:32 +01:00
|
|
|
|
2021-05-10 09:08:04 +01:00
|
|
|
run := NewRun(tool).
|
|
|
|
|
WithTaxonomies(cweTaxonomy).
|
|
|
|
|
WithResults(results...)
|
2021-05-05 17:54:32 +01:00
|
|
|
|
2021-05-10 09:08:04 +01:00
|
|
|
return NewReport(Version, Schema).
|
|
|
|
|
WithRuns(run), nil
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parseSarifRule return SARIF rule field struct
|
|
|
|
|
func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
|
2022-01-26 17:29:03 +00:00
|
|
|
cwe := gosec.GetCweByRule(issue.RuleID)
|
|
|
|
|
name := issue.RuleID
|
|
|
|
|
if cwe != nil {
|
|
|
|
|
name = cwe.Name
|
|
|
|
|
}
|
2021-05-05 17:54:32 +01:00
|
|
|
return &ReportingDescriptor{
|
2021-05-10 09:08:04 +01:00
|
|
|
ID: issue.RuleID,
|
2022-01-26 17:29:03 +00:00
|
|
|
Name: name,
|
2021-05-10 09:08:04 +01:00
|
|
|
ShortDescription: NewMultiformatMessageString(issue.What),
|
|
|
|
|
FullDescription: NewMultiformatMessageString(issue.What),
|
|
|
|
|
Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n",
|
|
|
|
|
issue.What, issue.Severity.String(), issue.Confidence.String())),
|
2021-05-05 17:54:32 +01:00
|
|
|
Properties: &PropertyBag{
|
2021-05-10 09:08:04 +01:00
|
|
|
"tags": []string{"security", issue.Severity.String()},
|
|
|
|
|
"precision": strings.ToLower(issue.Confidence.String()),
|
2021-05-05 17:54:32 +01:00
|
|
|
},
|
|
|
|
|
DefaultConfiguration: &ReportingConfiguration{
|
|
|
|
|
Level: getSarifLevel(issue.Severity.String()),
|
|
|
|
|
},
|
|
|
|
|
Relationships: []*ReportingDescriptorRelationship{
|
2021-05-07 15:54:34 +01:00
|
|
|
buildSarifReportingDescriptorRelationship(issue.Cwe),
|
2021-05-05 17:54:32 +01:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-07 15:54:34 +01:00
|
|
|
func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
|
2021-05-05 17:54:32 +01:00
|
|
|
return &ReportingDescriptorRelationship{
|
|
|
|
|
Target: &ReportingDescriptorReference{
|
2021-05-10 09:08:04 +01:00
|
|
|
ID: weakness.ID,
|
|
|
|
|
GUID: uuid3(weakness.SprintID()),
|
|
|
|
|
ToolComponent: NewToolComponentReference(cwe.Acronym),
|
2021-05-05 17:54:32 +01:00
|
|
|
},
|
|
|
|
|
Kinds: []string{"superset"},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-10 09:08:04 +01:00
|
|
|
func buildCWETaxonomy(taxa []*ReportingDescriptor) *ToolComponent {
|
2021-06-13 12:30:16 +01:00
|
|
|
return NewToolComponent(cwe.Acronym, cwe.Version, cwe.InformationURI).
|
2021-05-10 09:08:04 +01:00
|
|
|
WithReleaseDateUtc(cwe.ReleaseDateUtc).
|
2021-06-13 12:30:16 +01:00
|
|
|
WithDownloadURI(cwe.DownloadURI).
|
2021-05-10 09:08:04 +01:00
|
|
|
WithOrganization(cwe.Organization).
|
|
|
|
|
WithShortDescription(NewMultiformatMessageString(cwe.Description)).
|
|
|
|
|
WithIsComprehensive(true).
|
2021-05-20 09:16:42 +01:00
|
|
|
WithLanguage("en").
|
2021-05-10 09:08:04 +01:00
|
|
|
WithMinimumRequiredLocalizedDataSemanticVersion(cwe.Version).
|
|
|
|
|
WithTaxa(taxa...)
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
2021-05-07 15:54:34 +01:00
|
|
|
func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor {
|
2021-05-05 17:54:32 +01:00
|
|
|
return &ReportingDescriptor{
|
2021-05-10 09:08:04 +01:00
|
|
|
ID: weakness.ID,
|
|
|
|
|
GUID: uuid3(weakness.SprintID()),
|
|
|
|
|
HelpURI: weakness.SprintURL(),
|
2021-05-20 09:16:42 +01:00
|
|
|
FullDescription: NewMultiformatMessageString(weakness.Description),
|
|
|
|
|
ShortDescription: NewMultiformatMessageString(weakness.Name),
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-20 09:16:42 +01:00
|
|
|
func parseSemanticVersion(version string) string {
|
|
|
|
|
if len(version) == 0 {
|
|
|
|
|
return "devel"
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
2021-05-20 09:16:42 +01:00
|
|
|
if strings.HasPrefix(version, "v") {
|
|
|
|
|
return version[1:]
|
|
|
|
|
}
|
|
|
|
|
return version
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func buildSarifDriver(rules []*ReportingDescriptor, gosecVersion string) *ToolComponent {
|
|
|
|
|
semanticVersion := parseSemanticVersion(gosecVersion)
|
2021-05-10 09:08:04 +01:00
|
|
|
return NewToolComponent("gosec", gosecVersion, "https://github.com/securego/gosec/").
|
2021-05-20 09:16:42 +01:00
|
|
|
WithSemanticVersion(semanticVersion).
|
2021-05-10 09:08:04 +01:00
|
|
|
WithSupportedTaxonomies(NewToolComponentReference(cwe.Acronym)).
|
|
|
|
|
WithRules(rules...)
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func uuid3(value string) string {
|
|
|
|
|
return uuid.NewMD5(uuid.Nil, []byte(value)).String()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parseSarifLocation return SARIF location struct
|
|
|
|
|
func parseSarifLocation(issue *gosec.Issue, rootPaths []string) (*Location, error) {
|
|
|
|
|
region, err := parseSarifRegion(issue)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
artifactLocation := parseSarifArtifactLocation(issue, rootPaths)
|
2021-05-10 09:08:04 +01:00
|
|
|
return NewLocation(NewPhysicalLocation(artifactLocation, region)), nil
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseSarifArtifactLocation(issue *gosec.Issue, rootPaths []string) *ArtifactLocation {
|
|
|
|
|
var filePath string
|
|
|
|
|
for _, rootPath := range rootPaths {
|
|
|
|
|
if strings.HasPrefix(issue.File, rootPath) {
|
|
|
|
|
filePath = strings.Replace(issue.File, rootPath+"/", "", 1)
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-05-10 09:08:04 +01:00
|
|
|
return NewArtifactLocation(filePath)
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseSarifRegion(issue *gosec.Issue) (*Region, error) {
|
|
|
|
|
lines := strings.Split(issue.Line, "-")
|
|
|
|
|
startLine, err := strconv.Atoi(lines[0])
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
endLine := startLine
|
|
|
|
|
if len(lines) > 1 {
|
|
|
|
|
endLine, err = strconv.Atoi(lines[1])
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
col, err := strconv.Atoi(issue.Col)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-05-13 15:02:28 +01:00
|
|
|
snippet := NewArtifactContent(issue.Code)
|
|
|
|
|
return NewRegion(startLine, endLine, col, col, "go").WithSnippet(snippet), nil
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
|
2021-05-10 09:08:04 +01:00
|
|
|
func getSarifLevel(s string) Level {
|
2021-05-05 17:54:32 +01:00
|
|
|
switch s {
|
|
|
|
|
case "LOW":
|
2021-05-10 09:08:04 +01:00
|
|
|
return Warning
|
2021-05-05 17:54:32 +01:00
|
|
|
case "MEDIUM":
|
2021-05-10 09:08:04 +01:00
|
|
|
return Error
|
2021-05-05 17:54:32 +01:00
|
|
|
case "HIGH":
|
2021-05-10 09:08:04 +01:00
|
|
|
return Error
|
2021-05-05 17:54:32 +01:00
|
|
|
default:
|
2021-05-10 09:08:04 +01:00
|
|
|
return Note
|
2021-05-05 17:54:32 +01:00
|
|
|
}
|
|
|
|
|
}
|
2021-12-09 10:53:36 +00:00
|
|
|
|
|
|
|
|
func buildSarifSuppressions(suppressions []gosec.SuppressionInfo) []*Suppression {
|
|
|
|
|
var sarifSuppressionList []*Suppression
|
|
|
|
|
for _, s := range suppressions {
|
|
|
|
|
sarifSuppressionList = append(sarifSuppressionList, NewSuppression(s.Kind, s.Justification))
|
|
|
|
|
}
|
|
|
|
|
return sarifSuppressionList
|
|
|
|
|
}
|
