mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
Enable golangcli and improve testing for formatters
This commit is contained in:
parent
4df7f1c3e9
commit
103c429df5
18 changed files with 755 additions and 336 deletions
10
.github/workflows/ci.yml
vendored
10
.github/workflows/ci.yml
vendored
|
@ -7,6 +7,16 @@ on:
|
||||||
branches:
|
branches:
|
||||||
- master
|
- master
|
||||||
jobs:
|
jobs:
|
||||||
|
golangci:
|
||||||
|
name: lint
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- name: golangci-lint
|
||||||
|
uses: golangci/golangci-lint-action@v2
|
||||||
|
continue-on-error: true
|
||||||
|
with:
|
||||||
|
version: latest
|
||||||
tests-go-1-16:
|
tests-go-1-16:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
env:
|
env:
|
||||||
|
|
13
.golangci.yml
Normal file
13
.golangci.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
linters:
|
||||||
|
enable:
|
||||||
|
- megacheck
|
||||||
|
- govet
|
||||||
|
- unparam
|
||||||
|
- unconvert
|
||||||
|
- misspell
|
||||||
|
- gofmt
|
||||||
|
- golint
|
||||||
|
- gosec
|
||||||
|
- nakedret
|
||||||
|
- dogsled
|
||||||
|
- depguard
|
13
cwe/cwe_suite_test.go
Normal file
13
cwe/cwe_suite_test.go
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
package cwe_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestCwe(t *testing.T) {
|
||||||
|
RegisterFailHandler(Fail)
|
||||||
|
RunSpecs(t, "Cwe Suite")
|
||||||
|
}
|
225
cwe/data.go
225
cwe/data.go
|
@ -1,106 +1,129 @@
|
||||||
package cwe
|
package cwe
|
||||||
|
|
||||||
var data = map[string]*Weakness{
|
const (
|
||||||
"118": {
|
//Acronym is the acronym of CWE
|
||||||
ID: "118",
|
Acronym = "CWE"
|
||||||
Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
|
//Version the CWE version
|
||||||
Name: "Incorrect Access of Indexable Resource ('Range Error')",
|
Version = "4.4"
|
||||||
},
|
//ReleaseDateUtc the release Date of CWE Version
|
||||||
"190": {
|
ReleaseDateUtc = "2021-03-15"
|
||||||
ID: "190",
|
//Organization MITRE
|
||||||
Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.",
|
Organization = "MITRE"
|
||||||
Name: "Integer Overflow or Wraparound",
|
//Description the description of CWE
|
||||||
},
|
Description = "The MITRE Common Weakness Enumeration"
|
||||||
"200": {
|
)
|
||||||
ID: "200",
|
|
||||||
Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
|
var (
|
||||||
Name: "Exposure of Sensitive Information to an Unauthorized Actor",
|
data = map[string]*Weakness{}
|
||||||
},
|
|
||||||
"22": {
|
weaknesses = []*Weakness{
|
||||||
ID: "22",
|
{
|
||||||
Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
|
ID: "118",
|
||||||
Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
|
Description: "The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
|
||||||
},
|
Name: "Incorrect Access of Indexable Resource ('Range Error')",
|
||||||
"242": {
|
},
|
||||||
ID: "242",
|
{
|
||||||
Description: "The program calls a function that can never be guaranteed to work safely.",
|
ID: "190",
|
||||||
Name: "Use of Inherently Dangerous Function",
|
Description: "The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.",
|
||||||
},
|
Name: "Integer Overflow or Wraparound",
|
||||||
"276": {
|
},
|
||||||
ID: "276",
|
{
|
||||||
Description: "During installation, installed file permissions are set to allow anyone to modify those files.",
|
ID: "200",
|
||||||
Name: "Incorrect Default Permissions",
|
Description: "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
|
||||||
},
|
Name: "Exposure of Sensitive Information to an Unauthorized Actor",
|
||||||
"295": {
|
},
|
||||||
ID: "295",
|
{
|
||||||
Description: "The software does not validate, or incorrectly validates, a certificate.",
|
ID: "22",
|
||||||
Name: "Improper Certificate Validation",
|
Description: "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
|
||||||
},
|
Name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
|
||||||
"310": {
|
},
|
||||||
ID: "310",
|
{
|
||||||
Description: "Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.",
|
ID: "242",
|
||||||
Name: "Cryptographic Issues",
|
Description: "The program calls a function that can never be guaranteed to work safely.",
|
||||||
},
|
Name: "Use of Inherently Dangerous Function",
|
||||||
"322": {
|
},
|
||||||
ID: "322",
|
{
|
||||||
Description: "The software performs a key exchange with an actor without verifying the identity of that actor.",
|
ID: "276",
|
||||||
Name: "Key Exchange without Entity Authentication",
|
Description: "During installation, installed file permissions are set to allow anyone to modify those files.",
|
||||||
},
|
Name: "Incorrect Default Permissions",
|
||||||
"326": {
|
},
|
||||||
ID: "326",
|
{
|
||||||
Description: "The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.",
|
ID: "295",
|
||||||
Name: "Inadequate Encryption Strength",
|
Description: "The software does not validate, or incorrectly validates, a certificate.",
|
||||||
},
|
Name: "Improper Certificate Validation",
|
||||||
"327": {
|
},
|
||||||
ID: "327",
|
{
|
||||||
Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.",
|
ID: "310",
|
||||||
Name: "Use of a Broken or Risky Cryptographic Algorithm",
|
Description: "Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.",
|
||||||
},
|
Name: "Cryptographic Issues",
|
||||||
"338": {
|
},
|
||||||
ID: "338",
|
{
|
||||||
Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
|
ID: "322",
|
||||||
Name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
|
Description: "The software performs a key exchange with an actor without verifying the identity of that actor.",
|
||||||
},
|
Name: "Key Exchange without Entity Authentication",
|
||||||
"377": {
|
},
|
||||||
ID: "377",
|
{
|
||||||
Description: "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
|
ID: "326",
|
||||||
Name: "Insecure Temporary File",
|
Description: "The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.",
|
||||||
},
|
Name: "Inadequate Encryption Strength",
|
||||||
"409": {
|
},
|
||||||
ID: "409",
|
{
|
||||||
Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
|
ID: "327",
|
||||||
Name: "Improper Handling of Highly Compressed Data (Data Amplification)",
|
Description: "The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.",
|
||||||
},
|
Name: "Use of a Broken or Risky Cryptographic Algorithm",
|
||||||
"703": {
|
},
|
||||||
ID: "703",
|
{
|
||||||
Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
|
ID: "338",
|
||||||
Name: "Improper Check or Handling of Exceptional Conditions",
|
Description: "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
|
||||||
},
|
Name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
|
||||||
"78": {
|
},
|
||||||
ID: "78",
|
{
|
||||||
Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
|
ID: "377",
|
||||||
Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
|
Description: "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
|
||||||
},
|
Name: "Insecure Temporary File",
|
||||||
"79": {
|
},
|
||||||
ID: "79",
|
{
|
||||||
Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
|
ID: "409",
|
||||||
Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
|
Description: "The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
|
||||||
},
|
Name: "Improper Handling of Highly Compressed Data (Data Amplification)",
|
||||||
"798": {
|
},
|
||||||
ID: "798",
|
{
|
||||||
Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
|
ID: "703",
|
||||||
Name: "Use of Hard-coded Credentials",
|
Description: "The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.",
|
||||||
},
|
Name: "Improper Check or Handling of Exceptional Conditions",
|
||||||
"88": {
|
},
|
||||||
ID: "88",
|
{
|
||||||
Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
|
ID: "78",
|
||||||
Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
|
Description: "The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
|
||||||
},
|
Name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
|
||||||
"89": {
|
},
|
||||||
ID: "89",
|
{
|
||||||
Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
|
ID: "79",
|
||||||
Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
|
Description: "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
|
||||||
},
|
Name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ID: "798",
|
||||||
|
Description: "The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.",
|
||||||
|
Name: "Use of Hard-coded Credentials",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ID: "88",
|
||||||
|
Description: "The software constructs a string for a command to executed by a separate component\nin another control sphere, but it does not properly delimit the\nintended arguments, options, or switches within that command string.",
|
||||||
|
Name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ID: "89",
|
||||||
|
Description: "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
|
||||||
|
Name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
for _, weakness := range weaknesses {
|
||||||
|
data[weakness.ID] = weakness
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//Get Retrieves a CWE weakness by it's id
|
//Get Retrieves a CWE weakness by it's id
|
||||||
|
|
22
cwe/data_test.go
Normal file
22
cwe/data_test.go
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
package cwe_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
"github.com/securego/gosec/v2/cwe"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ = Describe("CWE data", func() {
|
||||||
|
BeforeEach(func() {
|
||||||
|
})
|
||||||
|
Context("when consulting cwe data", func() {
|
||||||
|
It("it should retrieves the weakness", func() {
|
||||||
|
weakness := cwe.Get("798")
|
||||||
|
Expect(weakness).ShouldNot(BeNil())
|
||||||
|
Expect(weakness.ID).ShouldNot(BeNil())
|
||||||
|
Expect(weakness.Name).ShouldNot(BeNil())
|
||||||
|
Expect(weakness.Description).ShouldNot(BeNil())
|
||||||
|
})
|
||||||
|
|
||||||
|
})
|
||||||
|
})
|
19
cwe/types.go
19
cwe/types.go
|
@ -5,13 +5,6 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
//URL is the base URL for CWE definitions
|
|
||||||
URL = "https://cwe.mitre.org/data/definitions/"
|
|
||||||
//Acronym is the acronym of CWE
|
|
||||||
Acronym = "CWE"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Weakness defines a CWE weakness based on http://cwe.mitre.org/data/xsd/cwe_schema_v6.4.xsd
|
// Weakness defines a CWE weakness based on http://cwe.mitre.org/data/xsd/cwe_schema_v6.4.xsd
|
||||||
type Weakness struct {
|
type Weakness struct {
|
||||||
ID string
|
ID string
|
||||||
|
@ -21,7 +14,7 @@ type Weakness struct {
|
||||||
|
|
||||||
//SprintURL format the CWE URL
|
//SprintURL format the CWE URL
|
||||||
func (w *Weakness) SprintURL() string {
|
func (w *Weakness) SprintURL() string {
|
||||||
return fmt.Sprintf("%s%s.html", URL, w.ID)
|
return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", w.ID)
|
||||||
}
|
}
|
||||||
|
|
||||||
//SprintID format the CWE ID
|
//SprintID format the CWE ID
|
||||||
|
@ -39,3 +32,13 @@ func (w *Weakness) MarshalJSON() ([]byte, error) {
|
||||||
URL: w.SprintURL(),
|
URL: w.SprintURL(),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//InformationURI link to the published CWE PDF
|
||||||
|
func InformationURI() string {
|
||||||
|
return fmt.Sprintf("https://cwe.mitre.org/data/published/cwe_v%s.pdf/", Version)
|
||||||
|
}
|
||||||
|
|
||||||
|
//DownloadURI link to the zipped XML of the CWE list
|
||||||
|
func DownloadURI() string {
|
||||||
|
return fmt.Sprintf("https://cwe.mitre.org/data/xml/cwec_v%s.xml.zip", Version)
|
||||||
|
}
|
||||||
|
|
25
cwe/types_test.go
Normal file
25
cwe/types_test.go
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
package cwe_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
"github.com/securego/gosec/v2/cwe"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ = Describe("CWE Types", func() {
|
||||||
|
BeforeEach(func() {
|
||||||
|
})
|
||||||
|
Context("when consulting cwe types", func() {
|
||||||
|
It("it should retrieves the information and download URIs", func() {
|
||||||
|
Expect(cwe.InformationURI()).To(Equal("https://cwe.mitre.org/data/published/cwe_v4.4.pdf/"))
|
||||||
|
Expect(cwe.DownloadURI()).To(Equal("https://cwe.mitre.org/data/xml/cwec_v4.4.xml.zip"))
|
||||||
|
})
|
||||||
|
|
||||||
|
It("it should retrieves the weakness ID and URL", func() {
|
||||||
|
weakness := &cwe.Weakness{ID: "798"}
|
||||||
|
Expect(weakness).ShouldNot(BeNil())
|
||||||
|
Expect(weakness.SprintID()).To(Equal("CWE-798"))
|
||||||
|
Expect(weakness.SprintURL()).To(Equal("https://cwe.mitre.org/data/definitions/798.html"))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
|
@ -294,7 +294,7 @@ var _ = Describe("Formatter", func() {
|
||||||
Expect(err).ShouldNot(HaveOccurred())
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
pattern := "/home/src/project/test.go,1,test,HIGH,HIGH,1: testcode,CWE-%s\n"
|
pattern := "/home/src/project/test.go,1,test,HIGH,HIGH,1: testcode,CWE-%s\n"
|
||||||
expect := fmt.Sprintf(pattern, cwe.ID)
|
expect := fmt.Sprintf(pattern, cwe.ID)
|
||||||
Expect(string(buf.String())).To(Equal(expect))
|
Expect(buf.String()).To(Equal(expect))
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
It("xml formatted report should contain the CWE mapping", func() {
|
It("xml formatted report should contain the CWE mapping", func() {
|
||||||
|
@ -308,7 +308,7 @@ var _ = Describe("Formatter", func() {
|
||||||
Expect(err).ShouldNot(HaveOccurred())
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
pattern := "Results:\n\n\n[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)\n > 1: testcode\n\n\n\nSummary:\n Files: 0\n Lines: 0\n Nosec: 0\n Issues: 0\n\n"
|
pattern := "Results:\n\n\n[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)\n > 1: testcode\n\n\n\nSummary:\n Files: 0\n Lines: 0\n Nosec: 0\n Issues: 0\n\n"
|
||||||
expect := fmt.Sprintf(pattern, rule, cwe.ID)
|
expect := fmt.Sprintf(pattern, rule, cwe.ID)
|
||||||
Expect(string(buf.String())).To(Equal(expect))
|
Expect(buf.String()).To(Equal(expect))
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
It("json formatted report should contain the CWE mapping", func() {
|
It("json formatted report should contain the CWE mapping", func() {
|
||||||
|
@ -442,7 +442,7 @@ var _ = Describe("Formatter", func() {
|
||||||
Expect(err).ShouldNot(HaveOccurred())
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
pattern := "/home/src/project/test.go:1:1: [CWE-%s] test (Rule:%s, Severity:HIGH, Confidence:HIGH)\n"
|
pattern := "/home/src/project/test.go:1:1: [CWE-%s] test (Rule:%s, Severity:HIGH, Confidence:HIGH)\n"
|
||||||
expect := fmt.Sprintf(pattern, cwe.ID, rule)
|
expect := fmt.Sprintf(pattern, cwe.ID, rule)
|
||||||
Expect(string(buf.String())).To(Equal(expect))
|
Expect(buf.String()).To(Equal(expect))
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
It("sarif formatted report should contain the CWE mapping", func() {
|
It("sarif formatted report should contain the CWE mapping", func() {
|
||||||
|
|
24
report/junit/builder.go
Normal file
24
report/junit/builder.go
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
package junit
|
||||||
|
|
||||||
|
//NewTestsuite instantiate a Testsuite
|
||||||
|
func NewTestsuite(name string) *Testsuite {
|
||||||
|
return &Testsuite{
|
||||||
|
Name: name,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewFailure instantiate a Failure
|
||||||
|
func NewFailure(message string, text string) *Failure {
|
||||||
|
return &Failure{
|
||||||
|
Message: message,
|
||||||
|
Text: text,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewTestcase instantiate a Testcase
|
||||||
|
func NewTestcase(name string, failure *Failure) *Testcase {
|
||||||
|
return &Testcase{
|
||||||
|
Name: name,
|
||||||
|
Failure: failure,
|
||||||
|
}
|
||||||
|
}
|
|
@ -24,19 +24,12 @@ func GenerateReport(data *core.ReportInfo) Report {
|
||||||
for _, issue := range data.Issues {
|
for _, issue := range data.Issues {
|
||||||
index, ok := testsuites[issue.What]
|
index, ok := testsuites[issue.What]
|
||||||
if !ok {
|
if !ok {
|
||||||
xmlReport.Testsuites = append(xmlReport.Testsuites, &Testsuite{
|
xmlReport.Testsuites = append(xmlReport.Testsuites, NewTestsuite(issue.What))
|
||||||
Name: issue.What,
|
|
||||||
})
|
|
||||||
index = len(xmlReport.Testsuites) - 1
|
index = len(xmlReport.Testsuites) - 1
|
||||||
testsuites[issue.What] = index
|
testsuites[issue.What] = index
|
||||||
}
|
}
|
||||||
testcase := &Testcase{
|
failure := NewFailure("Found 1 vulnerability. See stacktrace for details.", generatePlaintext(issue))
|
||||||
Name: issue.File,
|
testcase := NewTestcase(issue.File, failure)
|
||||||
Failure: &Failure{
|
|
||||||
Message: "Found 1 vulnerability. See stacktrace for details.",
|
|
||||||
Text: generatePlaintext(issue),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
xmlReport.Testsuites[index].Testcases = append(xmlReport.Testsuites[index].Testcases, testcase)
|
xmlReport.Testsuites[index].Testcases = append(xmlReport.Testsuites[index].Testcases, testcase)
|
||||||
xmlReport.Testsuites[index].Tests++
|
xmlReport.Testsuites[index].Tests++
|
||||||
|
|
176
report/sarif/builder.go
Normal file
176
report/sarif/builder.go
Normal file
|
@ -0,0 +1,176 @@
|
||||||
|
package sarif
|
||||||
|
|
||||||
|
//NewReport instantiate a SARIF Report
|
||||||
|
func NewReport(version string, schema string) *Report {
|
||||||
|
return &Report{
|
||||||
|
Version: version,
|
||||||
|
Schema: schema,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithRuns dafines runs for the current report
|
||||||
|
func (r *Report) WithRuns(runs ...*Run) *Report {
|
||||||
|
r.Runs = runs
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewMultiformatMessageString instantiate a MultiformatMessageString
|
||||||
|
func NewMultiformatMessageString(text string) *MultiformatMessageString {
|
||||||
|
return &MultiformatMessageString{
|
||||||
|
Text: text,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewRun instantiate a Run
|
||||||
|
func NewRun(tool *Tool) *Run {
|
||||||
|
return &Run{
|
||||||
|
Tool: tool,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithTaxonomies set the taxonomies for the current run
|
||||||
|
func (r *Run) WithTaxonomies(taxonomies ...*ToolComponent) *Run {
|
||||||
|
r.Taxonomies = taxonomies
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithResults set the results for the current run
|
||||||
|
func (r *Run) WithResults(results ...*Result) *Run {
|
||||||
|
r.Results = results
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewArtifactLocation instantiate an ArtifactLocation
|
||||||
|
func NewArtifactLocation(uri string) *ArtifactLocation {
|
||||||
|
return &ArtifactLocation{
|
||||||
|
URI: uri,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewRegion instantiate a Region
|
||||||
|
func NewRegion(startLine int, endLine int, startColumn int, endColumn int, sourceLanguage string) *Region {
|
||||||
|
return &Region{
|
||||||
|
StartLine: startLine,
|
||||||
|
EndLine: endLine,
|
||||||
|
StartColumn: startColumn,
|
||||||
|
EndColumn: endColumn,
|
||||||
|
SourceLanguage: sourceLanguage,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewTool instantiate a Tool
|
||||||
|
func NewTool(driver *ToolComponent) *Tool {
|
||||||
|
return &Tool{
|
||||||
|
Driver: driver,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewResult instantiate a Result
|
||||||
|
func NewResult(ruleID string, ruleIndex int, level Level, message string) *Result {
|
||||||
|
return &Result{
|
||||||
|
RuleID: ruleID,
|
||||||
|
RuleIndex: ruleIndex,
|
||||||
|
Level: level,
|
||||||
|
Message: NewMessage(message),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewMessage instantiate a Message
|
||||||
|
func NewMessage(text string) *Message {
|
||||||
|
return &Message{
|
||||||
|
Text: text,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithLocations define the current result's locations
|
||||||
|
func (r *Result) WithLocations(locations ...*Location) *Result {
|
||||||
|
r.Locations = locations
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewLocation instantiate a Location
|
||||||
|
func NewLocation(physicalLocation *PhysicalLocation) *Location {
|
||||||
|
return &Location{
|
||||||
|
PhysicalLocation: physicalLocation,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewPhysicalLocation instantiate a PhysicalLocation
|
||||||
|
func NewPhysicalLocation(artifactLocation *ArtifactLocation, region *Region) *PhysicalLocation {
|
||||||
|
return &PhysicalLocation{
|
||||||
|
ArtifactLocation: artifactLocation,
|
||||||
|
Region: region,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewToolComponent instantiate a ToolComponent
|
||||||
|
func NewToolComponent(name string, version string, informationURI string) *ToolComponent {
|
||||||
|
return &ToolComponent{
|
||||||
|
Name: name,
|
||||||
|
Version: version,
|
||||||
|
InformationURI: informationURI,
|
||||||
|
GUID: uuid3(name),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithReleaseDateUtc set releaseDateUtc for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithReleaseDateUtc(releaseDateUtc string) *ToolComponent {
|
||||||
|
t.ReleaseDateUtc = releaseDateUtc
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithDownloadURI set downloadURI for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithDownloadURI(downloadURI string) *ToolComponent {
|
||||||
|
t.DownloadURI = downloadURI
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithOrganization set organization for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithOrganization(organization string) *ToolComponent {
|
||||||
|
t.Organization = organization
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithShortDescription set shortDescription for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithShortDescription(shortDescription *MultiformatMessageString) *ToolComponent {
|
||||||
|
t.ShortDescription = shortDescription
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithIsComprehensive set isComprehensive for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithIsComprehensive(isComprehensive bool) *ToolComponent {
|
||||||
|
t.IsComprehensive = isComprehensive
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithMinimumRequiredLocalizedDataSemanticVersion set MinimumRequiredLocalizedDataSemanticVersion for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithMinimumRequiredLocalizedDataSemanticVersion(minimumRequiredLocalizedDataSemanticVersion string) *ToolComponent {
|
||||||
|
t.MinimumRequiredLocalizedDataSemanticVersion = minimumRequiredLocalizedDataSemanticVersion
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithTaxa set taxa for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithTaxa(taxa ...*ReportingDescriptor) *ToolComponent {
|
||||||
|
t.Taxa = taxa
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithSupportedTaxonomies set the supported taxonomies for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithSupportedTaxonomies(supportedTaxonomies ...*ToolComponentReference) *ToolComponent {
|
||||||
|
t.SupportedTaxonomies = supportedTaxonomies
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//WithRules set the rules for the current ToolComponent
|
||||||
|
func (t *ToolComponent) WithRules(rules ...*ReportingDescriptor) *ToolComponent {
|
||||||
|
t.Rules = rules
|
||||||
|
return t
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewToolComponentReference instantiate a ToolComponentReference
|
||||||
|
func NewToolComponentReference(name string) *ToolComponentReference {
|
||||||
|
return &ToolComponentReference{
|
||||||
|
Name: name,
|
||||||
|
GUID: uuid3(name),
|
||||||
|
}
|
||||||
|
}
|
22
report/sarif/data.go
Normal file
22
report/sarif/data.go
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
package sarif
|
||||||
|
|
||||||
|
//Level SARIF level
|
||||||
|
// From https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127839
|
||||||
|
type Level string
|
||||||
|
|
||||||
|
const (
|
||||||
|
//None : The concept of “severity” does not apply to this result because the kind
|
||||||
|
// property (§3.27.9) has a value other than "fail".
|
||||||
|
None = Level("none")
|
||||||
|
//Note : The rule specified by ruleId was evaluated and a minor problem or an opportunity
|
||||||
|
// to improve the code was found.
|
||||||
|
Note = Level("note")
|
||||||
|
//Warning : The rule specified by ruleId was evaluated and a problem was found.
|
||||||
|
Warning = Level("warning")
|
||||||
|
//Error : The rule specified by ruleId was evaluated and a serious problem was found.
|
||||||
|
Error = Level("error")
|
||||||
|
//Version : SARIF Schema version
|
||||||
|
Version = "2.1.0"
|
||||||
|
//Schema : SARIF Schema URL
|
||||||
|
Schema = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
|
||||||
|
)
|
|
@ -12,15 +12,6 @@ import (
|
||||||
"github.com/securego/gosec/v2/report/core"
|
"github.com/securego/gosec/v2/report/core"
|
||||||
)
|
)
|
||||||
|
|
||||||
type sarifLevel string
|
|
||||||
|
|
||||||
const (
|
|
||||||
sarifNone = sarifLevel("none")
|
|
||||||
sarifNote = sarifLevel("note")
|
|
||||||
sarifWarning = sarifLevel("warning")
|
|
||||||
sarifError = sarifLevel("error")
|
|
||||||
)
|
|
||||||
|
|
||||||
//GenerateReport Convert a gosec report to a Sarif Report
|
//GenerateReport Convert a gosec report to a Sarif Report
|
||||||
func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error) {
|
func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error) {
|
||||||
|
|
||||||
|
@ -34,7 +25,7 @@ func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error)
|
||||||
lastRuleIndex := -1
|
lastRuleIndex := -1
|
||||||
|
|
||||||
results := []*Result{}
|
results := []*Result{}
|
||||||
taxa := make([]*ReportingDescriptor, 0)
|
cweTaxa := make([]*ReportingDescriptor, 0)
|
||||||
weaknesses := make(map[string]*cwe.Weakness)
|
weaknesses := make(map[string]*cwe.Weakness)
|
||||||
|
|
||||||
for _, issue := range data.Issues {
|
for _, issue := range data.Issues {
|
||||||
|
@ -42,8 +33,8 @@ func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error)
|
||||||
if !ok {
|
if !ok {
|
||||||
weakness := cwe.Get(issue.Cwe.ID)
|
weakness := cwe.Get(issue.Cwe.ID)
|
||||||
weaknesses[issue.Cwe.ID] = weakness
|
weaknesses[issue.Cwe.ID] = weakness
|
||||||
taxon := parseSarifTaxon(weakness)
|
cweTaxon := parseSarifTaxon(weakness)
|
||||||
taxa = append(taxa, taxon)
|
cweTaxa = append(cweTaxa, cweTaxon)
|
||||||
}
|
}
|
||||||
|
|
||||||
r, ok := rulesIndices[issue.RuleID]
|
r, ok := rulesIndices[issue.RuleID]
|
||||||
|
@ -59,58 +50,36 @@ func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
result := buildSarifResult(r.rule.ID, r.index, issue, []*Location{location})
|
result := NewResult(r.rule.ID, r.index, getSarifLevel(issue.Severity.String()), issue.What).
|
||||||
|
WithLocations(location)
|
||||||
|
|
||||||
results = append(results, result)
|
results = append(results, result)
|
||||||
}
|
}
|
||||||
|
|
||||||
tool := buildSarifTool(buildSarifDriver(rules))
|
tool := NewTool(buildSarifDriver(rules))
|
||||||
|
|
||||||
run := buildSarifRun(results, buildSarifTaxonomies(taxa), tool)
|
cweTaxonomy := buildCWETaxonomy(cweTaxa)
|
||||||
|
|
||||||
return buildSarifReport(run), nil
|
run := NewRun(tool).
|
||||||
}
|
WithTaxonomies(cweTaxonomy).
|
||||||
|
WithResults(results...)
|
||||||
|
|
||||||
func buildSarifResult(ruleID string, index int, issue *gosec.Issue, locations []*Location) *Result {
|
return NewReport(Version, Schema).
|
||||||
return &Result{
|
WithRuns(run), nil
|
||||||
RuleID: ruleID,
|
|
||||||
RuleIndex: index,
|
|
||||||
Level: getSarifLevel(issue.Severity.String()),
|
|
||||||
Message: &Message{
|
|
||||||
Text: issue.What,
|
|
||||||
},
|
|
||||||
Locations: locations,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// buildSarifReport return SARIF report struct
|
|
||||||
func buildSarifReport(run *Run) *Report {
|
|
||||||
return &Report{
|
|
||||||
Version: "2.1.0",
|
|
||||||
Schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
|
|
||||||
Runs: []*Run{run},
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// parseSarifRule return SARIF rule field struct
|
// parseSarifRule return SARIF rule field struct
|
||||||
func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
|
func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
|
||||||
return &ReportingDescriptor{
|
return &ReportingDescriptor{
|
||||||
ID: issue.RuleID,
|
ID: issue.RuleID,
|
||||||
Name: issue.What,
|
Name: issue.What,
|
||||||
ShortDescription: &MultiformatMessageString{
|
ShortDescription: NewMultiformatMessageString(issue.What),
|
||||||
Text: issue.What,
|
FullDescription: NewMultiformatMessageString(issue.What),
|
||||||
},
|
Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n",
|
||||||
FullDescription: &MultiformatMessageString{
|
issue.What, issue.Severity.String(), issue.Confidence.String())),
|
||||||
Text: issue.What,
|
|
||||||
},
|
|
||||||
Help: &MultiformatMessageString{
|
|
||||||
Text: fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n", issue.What, issue.Severity.String(), issue.Confidence.String()),
|
|
||||||
},
|
|
||||||
Properties: &PropertyBag{
|
Properties: &PropertyBag{
|
||||||
Tags: []string{"security", issue.Severity.String()},
|
"tags": []string{"security", issue.Severity.String()},
|
||||||
AdditionalProperties: map[string]interface{}{
|
"precision": strings.ToLower(issue.Confidence.String()),
|
||||||
"precision": strings.ToLower(issue.Confidence.String()),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
DefaultConfiguration: &ReportingConfiguration{
|
DefaultConfiguration: &ReportingConfiguration{
|
||||||
Level: getSarifLevel(issue.Severity.String()),
|
Level: getSarifLevel(issue.Severity.String()),
|
||||||
|
@ -124,55 +93,32 @@ func parseSarifRule(issue *gosec.Issue) *ReportingDescriptor {
|
||||||
func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
|
func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
|
||||||
return &ReportingDescriptorRelationship{
|
return &ReportingDescriptorRelationship{
|
||||||
Target: &ReportingDescriptorReference{
|
Target: &ReportingDescriptorReference{
|
||||||
ID: weakness.ID,
|
ID: weakness.ID,
|
||||||
GUID: uuid3(weakness.SprintID()),
|
GUID: uuid3(weakness.SprintID()),
|
||||||
ToolComponent: &ToolComponentReference{
|
ToolComponent: NewToolComponentReference(cwe.Acronym),
|
||||||
Name: cwe.Acronym,
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Kinds: []string{"superset"},
|
Kinds: []string{"superset"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildSarifTool(driver *ToolComponent) *Tool {
|
func buildCWETaxonomy(taxa []*ReportingDescriptor) *ToolComponent {
|
||||||
return &Tool{
|
return NewToolComponent(cwe.Acronym, cwe.Version, cwe.InformationURI()).
|
||||||
Driver: driver,
|
WithReleaseDateUtc(cwe.ReleaseDateUtc).
|
||||||
}
|
WithDownloadURI(cwe.DownloadURI()).
|
||||||
}
|
WithOrganization(cwe.Organization).
|
||||||
|
WithShortDescription(NewMultiformatMessageString(cwe.Description)).
|
||||||
func buildSarifTaxonomies(taxa []*ReportingDescriptor) []*ToolComponent {
|
WithIsComprehensive(true).
|
||||||
return []*ToolComponent{
|
WithMinimumRequiredLocalizedDataSemanticVersion(cwe.Version).
|
||||||
buildCWETaxonomy("4.4", taxa),
|
WithTaxa(taxa...)
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func buildCWETaxonomy(version string, taxa []*ReportingDescriptor) *ToolComponent {
|
|
||||||
return &ToolComponent{
|
|
||||||
Name: cwe.Acronym,
|
|
||||||
Version: version,
|
|
||||||
ReleaseDateUtc: "2021-03-15",
|
|
||||||
InformationURI: fmt.Sprintf("https://cwe.mitre.org/data/published/cwe_v%s.pdf/", version),
|
|
||||||
DownloadURI: fmt.Sprintf("https://cwe.mitre.org/data/xml/cwec_v%s.xml.zip", version),
|
|
||||||
Organization: "MITRE",
|
|
||||||
ShortDescription: &MultiformatMessageString{
|
|
||||||
Text: "The MITRE Common Weakness Enumeration",
|
|
||||||
},
|
|
||||||
GUID: uuid3(cwe.Acronym),
|
|
||||||
IsComprehensive: true,
|
|
||||||
MinimumRequiredLocalizedDataSemanticVersion: version,
|
|
||||||
Taxa: taxa,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor {
|
func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor {
|
||||||
return &ReportingDescriptor{
|
return &ReportingDescriptor{
|
||||||
ID: weakness.ID,
|
ID: weakness.ID,
|
||||||
Name: weakness.Name,
|
Name: weakness.Name,
|
||||||
GUID: uuid3(weakness.SprintID()),
|
GUID: uuid3(weakness.SprintID()),
|
||||||
HelpURI: weakness.SprintURL(),
|
HelpURI: weakness.SprintURL(),
|
||||||
ShortDescription: &MultiformatMessageString{
|
ShortDescription: NewMultiformatMessageString(weakness.Description),
|
||||||
Text: weakness.Description,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -184,29 +130,15 @@ func buildSarifDriver(rules []*ReportingDescriptor) *ToolComponent {
|
||||||
} else {
|
} else {
|
||||||
gosecVersion = "devel"
|
gosecVersion = "devel"
|
||||||
}
|
}
|
||||||
return &ToolComponent{
|
return NewToolComponent("gosec", gosecVersion, "https://github.com/securego/gosec/").
|
||||||
Name: "gosec",
|
WithSupportedTaxonomies(NewToolComponentReference(cwe.Acronym)).
|
||||||
Version: gosecVersion,
|
WithRules(rules...)
|
||||||
SupportedTaxonomies: []*ToolComponentReference{
|
|
||||||
{Name: cwe.Acronym, GUID: uuid3(cwe.Acronym)},
|
|
||||||
},
|
|
||||||
InformationURI: "https://github.com/securego/gosec/",
|
|
||||||
Rules: rules,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func uuid3(value string) string {
|
func uuid3(value string) string {
|
||||||
return uuid.NewMD5(uuid.Nil, []byte(value)).String()
|
return uuid.NewMD5(uuid.Nil, []byte(value)).String()
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildSarifRun(results []*Result, taxonomies []*ToolComponent, tool *Tool) *Run {
|
|
||||||
return &Run{
|
|
||||||
Results: results,
|
|
||||||
Taxonomies: taxonomies,
|
|
||||||
Tool: tool,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseSarifLocation return SARIF location struct
|
// parseSarifLocation return SARIF location struct
|
||||||
func parseSarifLocation(issue *gosec.Issue, rootPaths []string) (*Location, error) {
|
func parseSarifLocation(issue *gosec.Issue, rootPaths []string) (*Location, error) {
|
||||||
region, err := parseSarifRegion(issue)
|
region, err := parseSarifRegion(issue)
|
||||||
|
@ -214,20 +146,7 @@ func parseSarifLocation(issue *gosec.Issue, rootPaths []string) (*Location, erro
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
artifactLocation := parseSarifArtifactLocation(issue, rootPaths)
|
artifactLocation := parseSarifArtifactLocation(issue, rootPaths)
|
||||||
return buildSarifLocation(buildSarifPhysicalLocation(artifactLocation, region)), nil
|
return NewLocation(NewPhysicalLocation(artifactLocation, region)), nil
|
||||||
}
|
|
||||||
|
|
||||||
func buildSarifLocation(physicalLocation *PhysicalLocation) *Location {
|
|
||||||
return &Location{
|
|
||||||
PhysicalLocation: physicalLocation,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func buildSarifPhysicalLocation(artifactLocation *ArtifactLocation, region *Region) *PhysicalLocation {
|
|
||||||
return &PhysicalLocation{
|
|
||||||
ArtifactLocation: artifactLocation,
|
|
||||||
Region: region,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseSarifArtifactLocation(issue *gosec.Issue, rootPaths []string) *ArtifactLocation {
|
func parseSarifArtifactLocation(issue *gosec.Issue, rootPaths []string) *ArtifactLocation {
|
||||||
|
@ -237,13 +156,7 @@ func parseSarifArtifactLocation(issue *gosec.Issue, rootPaths []string) *Artifac
|
||||||
filePath = strings.Replace(issue.File, rootPath+"/", "", 1)
|
filePath = strings.Replace(issue.File, rootPath+"/", "", 1)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return buildSarifArtifactLocation(filePath)
|
return NewArtifactLocation(filePath)
|
||||||
}
|
|
||||||
|
|
||||||
func buildSarifArtifactLocation(uri string) *ArtifactLocation {
|
|
||||||
return &ArtifactLocation{
|
|
||||||
URI: uri,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseSarifRegion(issue *gosec.Issue) (*Region, error) {
|
func parseSarifRegion(issue *gosec.Issue) (*Region, error) {
|
||||||
|
@ -264,33 +177,18 @@ func parseSarifRegion(issue *gosec.Issue) (*Region, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return buildSarifRegion(startLine, endLine, col), nil
|
return NewRegion(startLine, endLine, col, col, "go"), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildSarifRegion(startLine int, endLine int, col int) *Region {
|
func getSarifLevel(s string) Level {
|
||||||
return &Region{
|
|
||||||
StartLine: startLine,
|
|
||||||
EndLine: endLine,
|
|
||||||
StartColumn: col,
|
|
||||||
EndColumn: col,
|
|
||||||
SourceLanguage: "go",
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// From https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127839
|
|
||||||
// * "warning": The rule specified by ruleId was evaluated and a problem was found.
|
|
||||||
// * "error": The rule specified by ruleId was evaluated and a serious problem was found.
|
|
||||||
// * "note": The rule specified by ruleId was evaluated and a minor problem or an opportunity to improve the code was found.
|
|
||||||
// * "none": The concept of “severity” does not apply to this result because the kind property (§3.27.9) has a value other than "fail".
|
|
||||||
func getSarifLevel(s string) sarifLevel {
|
|
||||||
switch s {
|
switch s {
|
||||||
case "LOW":
|
case "LOW":
|
||||||
return sarifWarning
|
return Warning
|
||||||
case "MEDIUM":
|
case "MEDIUM":
|
||||||
return sarifError
|
return Error
|
||||||
case "HIGH":
|
case "HIGH":
|
||||||
return sarifError
|
return Error
|
||||||
default:
|
default:
|
||||||
return sarifNote
|
return Note
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,12 +2,6 @@
|
||||||
|
|
||||||
package sarif
|
package sarif
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"encoding/json"
|
|
||||||
"fmt"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Address A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file).
|
// Address A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file).
|
||||||
type Address struct {
|
type Address struct {
|
||||||
|
|
||||||
|
@ -693,12 +687,7 @@ type PhysicalLocation struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// PropertyBag Key/value pairs that provide additional information about the object.
|
// PropertyBag Key/value pairs that provide additional information about the object.
|
||||||
type PropertyBag struct {
|
type PropertyBag map[string]interface{}
|
||||||
AdditionalProperties map[string]interface{} `json:"-,omitempty"`
|
|
||||||
|
|
||||||
// A set of distinct strings that provide additional information.
|
|
||||||
Tags []string `json:"tags,omitempty"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// Rectangle An area within an image.
|
// Rectangle An area within an image.
|
||||||
type Rectangle struct {
|
type Rectangle struct {
|
||||||
|
@ -1480,37 +1469,3 @@ type WebResponse struct {
|
||||||
// The response version. Example: '1.1'.
|
// The response version. Example: '1.1'.
|
||||||
Version string `json:"version,omitempty"`
|
Version string `json:"version,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (strct *PropertyBag) MarshalJSON() ([]byte, error) {
|
|
||||||
buf := bytes.NewBuffer(make([]byte, 0))
|
|
||||||
buf.WriteString("{")
|
|
||||||
comma := false
|
|
||||||
// Marshal the "tags" field
|
|
||||||
if comma {
|
|
||||||
buf.WriteString(",")
|
|
||||||
}
|
|
||||||
buf.WriteString("\"tags\": ")
|
|
||||||
if tmp, err := json.Marshal(strct.Tags); err != nil {
|
|
||||||
return nil, err
|
|
||||||
} else {
|
|
||||||
buf.Write(tmp)
|
|
||||||
}
|
|
||||||
comma = true
|
|
||||||
// Marshal any additional Properties
|
|
||||||
for k, v := range strct.AdditionalProperties {
|
|
||||||
if comma {
|
|
||||||
buf.WriteString(",")
|
|
||||||
}
|
|
||||||
buf.WriteString(fmt.Sprintf("\"%s\":", k))
|
|
||||||
if tmp, err := json.Marshal(v); err != nil {
|
|
||||||
return nil, err
|
|
||||||
} else {
|
|
||||||
buf.Write(tmp)
|
|
||||||
}
|
|
||||||
comma = true
|
|
||||||
}
|
|
||||||
|
|
||||||
buf.WriteString("}")
|
|
||||||
rv := buf.Bytes()
|
|
||||||
return rv, nil
|
|
||||||
}
|
|
||||||
|
|
30
report/sonar/builder.go
Normal file
30
report/sonar/builder.go
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
package sonar
|
||||||
|
|
||||||
|
//NewLocation instantiate a Location
|
||||||
|
func NewLocation(message string, filePath string, textRange *TextRange) *Location {
|
||||||
|
return &Location{
|
||||||
|
Message: message,
|
||||||
|
FilePath: filePath,
|
||||||
|
TextRange: textRange,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewTextRange instantiate a TextRange
|
||||||
|
func NewTextRange(startLine int, endLine int) *TextRange {
|
||||||
|
return &TextRange{
|
||||||
|
StartLine: startLine,
|
||||||
|
EndLine: endLine,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//NewIssue instantiate an Issue
|
||||||
|
func NewIssue(engineID string, ruleID string, primaryLocation *Location, issueType string, severity string, effortMinutes int) *Issue {
|
||||||
|
return &Issue{
|
||||||
|
EngineID: engineID,
|
||||||
|
RuleID: ruleID,
|
||||||
|
PrimaryLocation: primaryLocation,
|
||||||
|
Type: issueType,
|
||||||
|
Severity: severity,
|
||||||
|
EffortMinutes: effortMinutes,
|
||||||
|
}
|
||||||
|
}
|
|
@ -27,30 +27,15 @@ func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error)
|
||||||
return si, err
|
return si, err
|
||||||
}
|
}
|
||||||
|
|
||||||
primaryLocation := buildPrimaryLocation(issue.What, sonarFilePath, textRange)
|
primaryLocation := NewLocation(issue.What, sonarFilePath, textRange)
|
||||||
severity := getSonarSeverity(issue.Severity.String())
|
severity := getSonarSeverity(issue.Severity.String())
|
||||||
|
|
||||||
s := &Issue{
|
s := NewIssue("gosec", issue.RuleID, primaryLocation, "VULNERABILITY", severity, EffortMinutes)
|
||||||
EngineID: "gosec",
|
|
||||||
RuleID: issue.RuleID,
|
|
||||||
PrimaryLocation: primaryLocation,
|
|
||||||
Type: "VULNERABILITY",
|
|
||||||
Severity: severity,
|
|
||||||
EffortMinutes: EffortMinutes,
|
|
||||||
}
|
|
||||||
si.Issues = append(si.Issues, s)
|
si.Issues = append(si.Issues, s)
|
||||||
}
|
}
|
||||||
return si, nil
|
return si, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildPrimaryLocation(message string, filePath string, textRange *TextRange) *Location {
|
|
||||||
return &Location{
|
|
||||||
Message: message,
|
|
||||||
FilePath: filePath,
|
|
||||||
TextRange: textRange,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func parseFilePath(issue *gosec.Issue, rootPaths []string) string {
|
func parseFilePath(issue *gosec.Issue, rootPaths []string) string {
|
||||||
var sonarFilePath string
|
var sonarFilePath string
|
||||||
for _, rootPath := range rootPaths {
|
for _, rootPath := range rootPaths {
|
||||||
|
@ -74,7 +59,7 @@ func parseTextRange(issue *gosec.Issue) (*TextRange, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return &TextRange{StartLine: startLine, EndLine: endLine}, nil
|
return NewTextRange(startLine, endLine), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getSonarSeverity(s string) string {
|
func getSonarSeverity(s string) string {
|
||||||
|
|
13
report/sonar/sonar_suite_test.go
Normal file
13
report/sonar/sonar_suite_test.go
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
package sonar_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestRules(t *testing.T) {
|
||||||
|
RegisterFailHandler(Fail)
|
||||||
|
RunSpecs(t, "Sonar Formatters Suite")
|
||||||
|
}
|
214
report/sonar/sonar_test.go
Normal file
214
report/sonar/sonar_test.go
Normal file
|
@ -0,0 +1,214 @@
|
||||||
|
package sonar_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
"github.com/securego/gosec/v2"
|
||||||
|
"github.com/securego/gosec/v2/report/core"
|
||||||
|
"github.com/securego/gosec/v2/report/sonar"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ = Describe("Sonar Formatter", func() {
|
||||||
|
BeforeEach(func() {
|
||||||
|
})
|
||||||
|
Context("when converting to Sonarqube issues", func() {
|
||||||
|
It("it should parse the report info", func() {
|
||||||
|
data := &core.ReportInfo{
|
||||||
|
Errors: map[string][]gosec.Error{},
|
||||||
|
Issues: []*gosec.Issue{
|
||||||
|
{
|
||||||
|
Severity: 2,
|
||||||
|
Confidence: 0,
|
||||||
|
RuleID: "test",
|
||||||
|
What: "test",
|
||||||
|
File: "/home/src/project/test.go",
|
||||||
|
Code: "",
|
||||||
|
Line: "1-2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Stats: &gosec.Metrics{
|
||||||
|
NumFiles: 0,
|
||||||
|
NumLines: 0,
|
||||||
|
NumNosec: 0,
|
||||||
|
NumFound: 0,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
want := &sonar.Report{
|
||||||
|
Issues: []*sonar.Issue{
|
||||||
|
{
|
||||||
|
EngineID: "gosec",
|
||||||
|
RuleID: "test",
|
||||||
|
PrimaryLocation: &sonar.Location{
|
||||||
|
Message: "test",
|
||||||
|
FilePath: "test.go",
|
||||||
|
TextRange: &sonar.TextRange{
|
||||||
|
StartLine: 1,
|
||||||
|
EndLine: 2,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Type: "VULNERABILITY",
|
||||||
|
Severity: "BLOCKER",
|
||||||
|
EffortMinutes: sonar.EffortMinutes,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
rootPath := "/home/src/project"
|
||||||
|
|
||||||
|
issues, err := sonar.GenerateReport([]string{rootPath}, data)
|
||||||
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
|
Expect(*issues).To(Equal(*want))
|
||||||
|
})
|
||||||
|
|
||||||
|
It("it should parse the report info with files in subfolders", func() {
|
||||||
|
data := &core.ReportInfo{
|
||||||
|
Errors: map[string][]gosec.Error{},
|
||||||
|
Issues: []*gosec.Issue{
|
||||||
|
{
|
||||||
|
Severity: 2,
|
||||||
|
Confidence: 0,
|
||||||
|
RuleID: "test",
|
||||||
|
What: "test",
|
||||||
|
File: "/home/src/project/subfolder/test.go",
|
||||||
|
Code: "",
|
||||||
|
Line: "1-2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Stats: &gosec.Metrics{
|
||||||
|
NumFiles: 0,
|
||||||
|
NumLines: 0,
|
||||||
|
NumNosec: 0,
|
||||||
|
NumFound: 0,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
want := &sonar.Report{
|
||||||
|
Issues: []*sonar.Issue{
|
||||||
|
{
|
||||||
|
EngineID: "gosec",
|
||||||
|
RuleID: "test",
|
||||||
|
PrimaryLocation: &sonar.Location{
|
||||||
|
Message: "test",
|
||||||
|
FilePath: "subfolder/test.go",
|
||||||
|
TextRange: &sonar.TextRange{
|
||||||
|
StartLine: 1,
|
||||||
|
EndLine: 2,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Type: "VULNERABILITY",
|
||||||
|
Severity: "BLOCKER",
|
||||||
|
EffortMinutes: sonar.EffortMinutes,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
rootPath := "/home/src/project"
|
||||||
|
|
||||||
|
issues, err := sonar.GenerateReport([]string{rootPath}, data)
|
||||||
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
|
Expect(*issues).To(Equal(*want))
|
||||||
|
})
|
||||||
|
It("it should not parse the report info for files from other projects", func() {
|
||||||
|
data := &core.ReportInfo{
|
||||||
|
Errors: map[string][]gosec.Error{},
|
||||||
|
Issues: []*gosec.Issue{
|
||||||
|
{
|
||||||
|
Severity: 2,
|
||||||
|
Confidence: 0,
|
||||||
|
RuleID: "test",
|
||||||
|
What: "test",
|
||||||
|
File: "/home/src/project1/test.go",
|
||||||
|
Code: "",
|
||||||
|
Line: "1-2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Stats: &gosec.Metrics{
|
||||||
|
NumFiles: 0,
|
||||||
|
NumLines: 0,
|
||||||
|
NumNosec: 0,
|
||||||
|
NumFound: 0,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
want := &sonar.Report{
|
||||||
|
Issues: []*sonar.Issue{},
|
||||||
|
}
|
||||||
|
|
||||||
|
rootPath := "/home/src/project2"
|
||||||
|
|
||||||
|
issues, err := sonar.GenerateReport([]string{rootPath}, data)
|
||||||
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
|
Expect(*issues).To(Equal(*want))
|
||||||
|
})
|
||||||
|
|
||||||
|
It("it should parse the report info for multiple projects projects", func() {
|
||||||
|
data := &core.ReportInfo{
|
||||||
|
Errors: map[string][]gosec.Error{},
|
||||||
|
Issues: []*gosec.Issue{
|
||||||
|
{
|
||||||
|
Severity: 2,
|
||||||
|
Confidence: 0,
|
||||||
|
RuleID: "test",
|
||||||
|
What: "test",
|
||||||
|
File: "/home/src/project1/test-project1.go",
|
||||||
|
Code: "",
|
||||||
|
Line: "1-2",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Severity: 2,
|
||||||
|
Confidence: 0,
|
||||||
|
RuleID: "test",
|
||||||
|
What: "test",
|
||||||
|
File: "/home/src/project2/test-project2.go",
|
||||||
|
Code: "",
|
||||||
|
Line: "1-2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Stats: &gosec.Metrics{
|
||||||
|
NumFiles: 0,
|
||||||
|
NumLines: 0,
|
||||||
|
NumNosec: 0,
|
||||||
|
NumFound: 0,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
want := &sonar.Report{
|
||||||
|
Issues: []*sonar.Issue{
|
||||||
|
{
|
||||||
|
EngineID: "gosec",
|
||||||
|
RuleID: "test",
|
||||||
|
PrimaryLocation: &sonar.Location{
|
||||||
|
Message: "test",
|
||||||
|
FilePath: "test-project1.go",
|
||||||
|
TextRange: &sonar.TextRange{
|
||||||
|
StartLine: 1,
|
||||||
|
EndLine: 2,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Type: "VULNERABILITY",
|
||||||
|
Severity: "BLOCKER",
|
||||||
|
EffortMinutes: sonar.EffortMinutes,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
EngineID: "gosec",
|
||||||
|
RuleID: "test",
|
||||||
|
PrimaryLocation: &sonar.Location{
|
||||||
|
Message: "test",
|
||||||
|
FilePath: "test-project2.go",
|
||||||
|
TextRange: &sonar.TextRange{
|
||||||
|
StartLine: 1,
|
||||||
|
EndLine: 2,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Type: "VULNERABILITY",
|
||||||
|
Severity: "BLOCKER",
|
||||||
|
EffortMinutes: sonar.EffortMinutes,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
rootPaths := []string{"/home/src/project1", "/home/src/project2"}
|
||||||
|
|
||||||
|
issues, err := sonar.GenerateReport(rootPaths, data)
|
||||||
|
Expect(err).ShouldNot(HaveOccurred())
|
||||||
|
Expect(*issues).To(Equal(*want))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
Loading…
Reference in a new issue