gosec/report/sarif/sarif_test.go

package sarif_test

import (
	"bytes"
	"regexp"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"

	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/issue"
	"github.com/securego/gosec/v2/report/sarif"
)

var _ = Describe("Sarif Formatter", func() {
	BeforeEach(func() {
	})
	Context("when converting to Sarif issues", func() {
		It("sarif formatted report should contain the result", func() {
			buf := new(bytes.Buffer)
			reportInfo := gosec.NewReportInfo([]*issue.Issue{}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")
			err := sarif.WriteReport(buf, reportInfo, []string{})
			result := buf.String()
			Expect(err).ShouldNot(HaveOccurred())
			Expect(result).To(ContainSubstring("\"results\": ["))
		})

		It("sarif formatted report should contain the suppressed results", func() {
			ruleID := "G101"
			cwe := issue.GetCweByRule(ruleID)
			suppressedIssue := issue.Issue{
				File:       "/home/src/project/test.go",
				Line:       "1",
				Col:        "1",
				RuleID:     ruleID,
				What:       "test",
				Confidence: issue.High,
				Severity:   issue.High,
				Code:       "1: testcode",
				Cwe:        cwe,
				Suppressions: []issue.SuppressionInfo{
					{
						Kind:          "kind",
						Justification: "justification",
					},
				},
			}

			reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")
			buf := new(bytes.Buffer)
			err := sarif.WriteReport(buf, reportInfo, []string{})
			result := buf.String()
			Expect(err).ShouldNot(HaveOccurred())

			hasResults, _ := regexp.MatchString(`"results": \[(\s*){`, result)
			Expect(hasResults).To(BeTrue())

			hasSuppressions, _ := regexp.MatchString(`"suppressions": \[(\s*){`, result)
			Expect(hasSuppressions).To(BeTrue())
		})
		It("sarif formatted report should contain the formatted one line code snippet", func() {
			ruleID := "G101"
			cwe := issue.GetCweByRule(ruleID)
			code := "68: \t\t}\n69: \t\tvar data = template.HTML(v.TmplFile)\n70: \t\tisTmpl := true\n"
			expectedCode := "var data = template.HTML(v.TmplFile)"
			newissue := issue.Issue{
				File:       "/home/src/project/test.go",
				Line:       "69",
				Col:        "14",
				RuleID:     ruleID,
				What:       "test",
				Confidence: issue.High,
				Severity:   issue.High,
				Code:       code,
				Cwe:        cwe,
				Suppressions: []issue.SuppressionInfo{
					{
						Kind:          "kind",
						Justification: "justification",
					},
				},
			}
			reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")
			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
			Expect(err).ShouldNot(HaveOccurred())
			Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
		})
		It("sarif formatted report should contain the formatted multiple line code snippet", func() {
			ruleID := "G101"
			cwe := issue.GetCweByRule(ruleID)
			code := "68: }\n69: var data = template.HTML(v.TmplFile)\n70: isTmpl := true\n"
			expectedCode := "var data = template.HTML(v.TmplFile)\nisTmpl := true\n"
			newissue := issue.Issue{
				File:       "/home/src/project/test.go",
				Line:       "69-70",
				Col:        "14",
				RuleID:     ruleID,
				What:       "test",
				Confidence: issue.High,
				Severity:   issue.High,
				Code:       code,
				Cwe:        cwe,
				Suppressions: []issue.SuppressionInfo{
					{
						Kind:          "kind",
						Justification: "justification",
					},
				},
			}
			reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")
			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)
			Expect(err).ShouldNot(HaveOccurred())
			Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))
		})
		It("sarif formatted report should have proper rule index", func() {
			rules := []string{"G404", "G101", "G102", "G103"}
			issues := []*issue.Issue{}
			for _, rule := range rules {
				cwe := issue.GetCweByRule(rule)
				newissue := issue.Issue{
					File:       "/home/src/project/test.go",
					Line:       "69-70",
					Col:        "14",
					RuleID:     rule,
					What:       "test",
					Confidence: issue.High,
					Severity:   issue.High,
					Cwe:        cwe,
					Suppressions: []issue.SuppressionInfo{
						{
							Kind:          "kind",
							Justification: "justification",
						},
					},
				}
				issues = append(issues, &newissue)

			}
			dupRules := []string{"G102", "G404"}
			for _, rule := range dupRules {
				cwe := issue.GetCweByRule(rule)
				newissue := issue.Issue{
					File:       "/home/src/project/test.go",
					Line:       "69-70",
					Col:        "14",
					RuleID:     rule,
					What:       "test",
					Confidence: issue.High,
					Severity:   issue.High,
					Cwe:        cwe,
					Suppressions: []issue.SuppressionInfo{
						{
							Kind:          "kind",
							Justification: "justification",
						},
					},
				}
				issues = append(issues, &newissue)
			}
			reportInfo := gosec.NewReportInfo(issues, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")

			sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)

			Expect(err).ShouldNot(HaveOccurred())
			resultRuleIndexes := map[string]int{}
			for _, result := range sarifReport.Runs[0].Results {
				resultRuleIndexes[result.RuleID] = result.RuleIndex
			}
			driverRuleIndexes := map[string]int{}
			for ruleIndex, rule := range sarifReport.Runs[0].Tool.Driver.Rules {
				driverRuleIndexes[rule.ID] = ruleIndex
			}
			Expect(resultRuleIndexes).Should(Equal(driverRuleIndexes))
		})
	})
})
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`package sarif_test`

			`import (`
			`"bytes"`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00			`"regexp"`
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00
Update to ginkgo v2 (#753) 2022-01-03 17:11:35 +00:00			`. "github.com/onsi/ginkgo/v2"`
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`. "github.com/onsi/gomega"`
correct gci linter (#946) Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> 2023-03-30 08:31:24 +01:00
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`"github.com/securego/gosec/v2"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`"github.com/securego/gosec/v2/issue"`
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`"github.com/securego/gosec/v2/report/sarif"`
			`)`

			`var _ = Describe("Sarif Formatter", func() {`
			`BeforeEach(func() {`
			`})`
			`Context("when converting to Sarif issues", func() {`
			`It("sarif formatted report should contain the result", func() {`
			`buf := new(bytes.Buffer)`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`reportInfo := gosec.NewReportInfo([]*issue.Issue{}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")`
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`err := sarif.WriteReport(buf, reportInfo, []string{})`
			`result := buf.String()`
			`Expect(err).ShouldNot(HaveOccurred())`
			`Expect(result).To(ContainSubstring("\"results\": ["))`
			`})`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00
			`It("sarif formatted report should contain the suppressed results", func() {`
			`ruleID := "G101"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`cwe := issue.GetCweByRule(ruleID)`
			`suppressedIssue := issue.Issue{`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00			`File: "/home/src/project/test.go",`
			`Line: "1",`
			`Col: "1",`
			`RuleID: ruleID,`
			`What: "test",`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Confidence: issue.High,`
			`Severity: issue.High,`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00			`Code: "1: testcode",`
			`Cwe: cwe,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Suppressions: []issue.SuppressionInfo{`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00			`{`
			`Kind: "kind",`
			`Justification: "justification",`
			`},`
			`},`
			`}`

Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`reportInfo := gosec.NewReportInfo([]*issue.Issue{&suppressedIssue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")`
Add support for suppressing the findings 2021-12-09 10:53:36 +00:00			`buf := new(bytes.Buffer)`
			`err := sarif.WriteReport(buf, reportInfo, []string{})`
			`result := buf.String()`
			`Expect(err).ShouldNot(HaveOccurred())`

			hasResults, _ := regexp.MatchString(`"results": \[(\s*){`, result)
			`Expect(hasResults).To(BeTrue())`

			hasSuppressions, _ := regexp.MatchString(`"suppressions": \[(\s*){`, result)
			`Expect(hasSuppressions).To(BeTrue())`
			`})`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`It("sarif formatted report should contain the formatted one line code snippet", func() {`
			`ruleID := "G101"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`cwe := issue.GetCweByRule(ruleID)`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`code := "68: \t\t}\n69: \t\tvar data = template.HTML(v.TmplFile)\n70: \t\tisTmpl := true\n"`
			`expectedCode := "var data = template.HTML(v.TmplFile)"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`newissue := issue.Issue{`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`File: "/home/src/project/test.go",`
			`Line: "69",`
			`Col: "14",`
			`RuleID: ruleID,`
			`What: "test",`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Confidence: issue.High,`
			`Severity: issue.High,`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`Code: code,`
			`Cwe: cwe,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Suppressions: []issue.SuppressionInfo{`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`{`
			`Kind: "kind",`
			`Justification: "justification",`
			`},`
			`},`
			`}`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)`
			`Expect(err).ShouldNot(HaveOccurred())`
			`Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))`
			`})`
			`It("sarif formatted report should contain the formatted multiple line code snippet", func() {`
			`ruleID := "G101"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`cwe := issue.GetCweByRule(ruleID)`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`code := "68: }\n69: var data = template.HTML(v.TmplFile)\n70: isTmpl := true\n"`
			`expectedCode := "var data = template.HTML(v.TmplFile)\nisTmpl := true\n"`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`newissue := issue.Issue{`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`File: "/home/src/project/test.go",`
			`Line: "69-70",`
			`Col: "14",`
			`RuleID: ruleID,`
			`What: "test",`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Confidence: issue.High,`
			`Severity: issue.High,`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`Code: code,`
			`Cwe: cwe,`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`Suppressions: []issue.SuppressionInfo{`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`{`
			`Kind: "kind",`
			`Justification: "justification",`
			`},`
			`},`
			`}`
Extract the issue in its own package 2023-02-15 19:44:13 +00:00			`reportInfo := gosec.NewReportInfo([]*issue.Issue{&newissue}, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")`
Process the code snippet before adding it to the SARIF report Preprocess the code snippet from the issue in order to extract only the line(s) of code where the issue is located. In addition remove the line numbers and whitespaces before writing the code snippet into the SARIF report. 2022-02-09 15:05:15 +00:00			`sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)`
			`Expect(err).ShouldNot(HaveOccurred())`
			`Expect(sarifReport.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text).Should(Equal(expectedCode))`
			`})`
Fix rule index reference into sarif report (#934) 2023-02-21 10:43:38 +00:00			`It("sarif formatted report should have proper rule index", func() {`
			`rules := []string{"G404", "G101", "G102", "G103"}`
			`issues := []*issue.Issue{}`
			`for _, rule := range rules {`
			`cwe := issue.GetCweByRule(rule)`
			`newissue := issue.Issue{`
			`File: "/home/src/project/test.go",`
			`Line: "69-70",`
			`Col: "14",`
			`RuleID: rule,`
			`What: "test",`
			`Confidence: issue.High,`
			`Severity: issue.High,`
			`Cwe: cwe,`
			`Suppressions: []issue.SuppressionInfo{`
			`{`
			`Kind: "kind",`
			`Justification: "justification",`
			`},`
			`},`
			`}`
			`issues = append(issues, &newissue)`

			`}`
			`dupRules := []string{"G102", "G404"}`
			`for _, rule := range dupRules {`
			`cwe := issue.GetCweByRule(rule)`
			`newissue := issue.Issue{`
			`File: "/home/src/project/test.go",`
			`Line: "69-70",`
			`Col: "14",`
			`RuleID: rule,`
			`What: "test",`
			`Confidence: issue.High,`
			`Severity: issue.High,`
			`Cwe: cwe,`
			`Suppressions: []issue.SuppressionInfo{`
			`{`
			`Kind: "kind",`
			`Justification: "justification",`
			`},`
			`},`
			`}`
			`issues = append(issues, &newissue)`
			`}`
			`reportInfo := gosec.NewReportInfo(issues, &gosec.Metrics{}, map[string][]gosec.Error{}).WithVersion("v2.7.0")`

			`sarifReport, err := sarif.GenerateReport([]string{}, reportInfo)`

			`Expect(err).ShouldNot(HaveOccurred())`
Fix typos in comments, vars and tests 2023-05-26 16:03:54 +01:00			`resultRuleIndexes := map[string]int{}`
Fix rule index reference into sarif report (#934) 2023-02-21 10:43:38 +00:00			`for _, result := range sarifReport.Runs[0].Results {`
Fix typos in comments, vars and tests 2023-05-26 16:03:54 +01:00			`resultRuleIndexes[result.RuleID] = result.RuleIndex`
Fix rule index reference into sarif report (#934) 2023-02-21 10:43:38 +00:00			`}`
			`driverRuleIndexes := map[string]int{}`
			`for ruleIndex, rule := range sarifReport.Runs[0].Tool.Driver.Rules {`
			`driverRuleIndexes[rule.ID] = ruleIndex`
			`}`
Fix typos in comments, vars and tests 2023-05-26 16:03:54 +01:00			`Expect(resultRuleIndexes).Should(Equal(driverRuleIndexes))`
Fix rule index reference into sarif report (#934) 2023-02-21 10:43:38 +00:00			`})`
Results must always be present in the SARIF report (#650) * Don't omit empty results * Add tests 2021-06-17 13:21:42 +01:00			`})`
			`})`