Define a report package with core and per format sub-packages

This commit is contained in:
Matthieu MOREL 2021-05-06 09:31:51 +02:00 committed by GitHub
parent cc83d4c922
commit ddfa25381f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 524 additions and 437 deletions

View file

@ -24,7 +24,7 @@ import (
"strings" "strings"
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/output" "github.com/securego/gosec/v2/report"
"github.com/securego/gosec/v2/rules" "github.com/securego/gosec/v2/rules"
) )
@ -202,12 +202,12 @@ func saveOutput(filename, format string, color bool, paths []string, issues []*g
return err return err
} }
defer outfile.Close() // #nosec G307 defer outfile.Close() // #nosec G307
err = output.CreateReport(outfile, format, color, rootPaths, issues, metrics, errors) err = report.CreateReport(outfile, format, color, rootPaths, issues, metrics, errors)
if err != nil { if err != nil {
return err return err
} }
} else { } else {
err := output.CreateReport(os.Stdout, format, color, rootPaths, issues, metrics, errors) err := report.CreateReport(os.Stdout, format, color, rootPaths, issues, metrics, errors)
if err != nil { if err != nil {
return err return err
} }

View file

@ -1,326 +0,0 @@
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package output
import (
"bufio"
"bytes"
"encoding/csv"
"encoding/json"
"encoding/xml"
"fmt"
htmlTemplate "html/template"
"io"
"strconv"
"strings"
plainTemplate "text/template"
color "github.com/gookit/color"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/formatter"
"github.com/securego/gosec/v2/sarif"
"gopkg.in/yaml.v2"
)
// ReportFormat enumerates the output format for reported issues
type ReportFormat int
const (
// ReportText is the default format that writes to stdout
ReportText ReportFormat = iota // Plain text format
// ReportJSON set the output format to json
ReportJSON // Json format
// ReportCSV set the output format to csv
ReportCSV // CSV format
// ReportJUnitXML set the output format to junit xml
ReportJUnitXML // JUnit XML format
// ReportSARIF set the output format to SARIF
ReportSARIF // SARIF format
)
var text = `Results:
{{range $filePath,$fileErrors := .Errors}}
Golang errors in file: [{{ $filePath }}]:
{{range $index, $error := $fileErrors}}
> [line {{$error.Line}} : column {{$error.Column}}] - {{$error.Err}}
{{end}}
{{end}}
{{ range $index, $issue := .Issues }}
[{{ highlight $issue.FileLocation $issue.Severity }}] - {{ $issue.RuleID }} (CWE-{{ $issue.Cwe.ID }}): {{ $issue.What }} (Confidence: {{ $issue.Confidence}}, Severity: {{ $issue.Severity }})
{{ printCode $issue }}
{{ end }}
{{ notice "Summary:" }}
Files: {{.Stats.NumFiles}}
Lines: {{.Stats.NumLines}}
Nosec: {{.Stats.NumNosec}}
Issues: {{ if eq .Stats.NumFound 0 }}
{{- success .Stats.NumFound }}
{{- else }}
{{- danger .Stats.NumFound }}
{{- end }}
`
// CreateReport generates a report based for the supplied issues and metrics given
// the specified format. The formats currently accepted are: json, yaml, csv, junit-xml, html, sonarqube, golint and text.
func CreateReport(w io.Writer, format string, enableColor bool, rootPaths []string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
data := &formatter.ReportInfo{
Errors: errors,
Issues: issues,
Stats: metrics,
}
var err error
switch format {
case "json":
err = reportJSON(w, data)
case "yaml":
err = reportYAML(w, data)
case "csv":
err = reportCSV(w, data)
case "junit-xml":
err = reportJUnitXML(w, data)
case "html":
err = reportFromHTMLTemplate(w, html, data)
case "text":
err = reportFromPlaintextTemplate(w, text, enableColor, data)
case "sonarqube":
err = reportSonarqube(rootPaths, w, data)
case "golint":
err = reportGolint(w, data)
case "sarif":
err = reportSARIFTemplate(rootPaths, w, data)
default:
err = reportFromPlaintextTemplate(w, text, enableColor, data)
}
return err
}
func reportSonarqube(rootPaths []string, w io.Writer, data *formatter.ReportInfo) error {
si, err := convertToSonarIssues(rootPaths, data)
if err != nil {
return err
}
raw, err := json.MarshalIndent(si, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}
func reportJSON(w io.Writer, data *formatter.ReportInfo) error {
raw, err := json.MarshalIndent(data, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}
func reportYAML(w io.Writer, data *formatter.ReportInfo) error {
raw, err := yaml.Marshal(data)
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}
func reportCSV(w io.Writer, data *formatter.ReportInfo) error {
out := csv.NewWriter(w)
defer out.Flush()
for _, issue := range data.Issues {
err := out.Write([]string{
issue.File,
issue.Line,
issue.What,
issue.Severity.String(),
issue.Confidence.String(),
issue.Code,
fmt.Sprintf("CWE-%s", issue.Cwe.ID),
})
if err != nil {
return err
}
}
return nil
}
func reportGolint(w io.Writer, data *formatter.ReportInfo) error {
// Output Sample:
// /tmp/main.go:11:14: [CWE-310] RSA keys should be at least 2048 bits (Rule:G403, Severity:MEDIUM, Confidence:HIGH)
for _, issue := range data.Issues {
what := issue.What
if issue.Cwe.ID != "" {
what = fmt.Sprintf("[CWE-%s] %s", issue.Cwe.ID, issue.What)
}
// issue.Line uses "start-end" format for multiple line detection.
lines := strings.Split(issue.Line, "-")
start := lines[0]
_, err := fmt.Fprintf(w, "%s:%s:%s: %s (Rule:%s, Severity:%s, Confidence:%s)\n",
issue.File,
start,
issue.Col,
what,
issue.RuleID,
issue.Severity.String(),
issue.Confidence.String(),
)
if err != nil {
return err
}
}
return nil
}
func reportJUnitXML(w io.Writer, data *formatter.ReportInfo) error {
junitXMLStruct := createJUnitXMLStruct(data)
raw, err := xml.MarshalIndent(junitXMLStruct, "", "\t")
if err != nil {
return err
}
xmlHeader := []byte("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
raw = append(xmlHeader, raw...)
_, err = w.Write(raw)
if err != nil {
return err
}
return nil
}
func reportSARIFTemplate(rootPaths []string, w io.Writer, data *formatter.ReportInfo) error {
sr, err := sarif.ConvertToSarifReport(rootPaths, data)
if err != nil {
return err
}
raw, err := json.MarshalIndent(sr, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}
func reportFromPlaintextTemplate(w io.Writer, reportTemplate string, enableColor bool, data *formatter.ReportInfo) error {
t, e := plainTemplate.
New("gosec").
Funcs(plainTextFuncMap(enableColor)).
Parse(reportTemplate)
if e != nil {
return e
}
return t.Execute(w, data)
}
func reportFromHTMLTemplate(w io.Writer, reportTemplate string, data *formatter.ReportInfo) error {
t, e := htmlTemplate.New("gosec").Parse(reportTemplate)
if e != nil {
return e
}
return t.Execute(w, data)
}
func plainTextFuncMap(enableColor bool) plainTemplate.FuncMap {
if enableColor {
return plainTemplate.FuncMap{
"highlight": highlight,
"danger": color.Danger.Render,
"notice": color.Notice.Render,
"success": color.Success.Render,
"printCode": printCodeSnippet,
}
}
// by default those functions return the given content untouched
return plainTemplate.FuncMap{
"highlight": func(t string, s gosec.Score) string {
return t
},
"danger": fmt.Sprint,
"notice": fmt.Sprint,
"success": fmt.Sprint,
"printCode": printCodeSnippet,
}
}
var (
errorTheme = color.New(color.FgLightWhite, color.BgRed)
warningTheme = color.New(color.FgBlack, color.BgYellow)
defaultTheme = color.New(color.FgWhite, color.BgBlack)
)
// highlight returns content t colored based on Score
func highlight(t string, s gosec.Score) string {
switch s {
case gosec.High:
return errorTheme.Sprint(t)
case gosec.Medium:
return warningTheme.Sprint(t)
default:
return defaultTheme.Sprint(t)
}
}
// printCodeSnippet prints the code snippet from the issue by adding a marker to the affected line
func printCodeSnippet(issue *gosec.Issue) string {
start, end := parseLine(issue.Line)
scanner := bufio.NewScanner(strings.NewReader(issue.Code))
var buf bytes.Buffer
line := start
for scanner.Scan() {
codeLine := scanner.Text()
if strings.HasPrefix(codeLine, strconv.Itoa(line)) && line <= end {
codeLine = " > " + codeLine + "\n"
line++
} else {
codeLine = " " + codeLine + "\n"
}
buf.WriteString(codeLine)
}
return buf.String()
}
// parseLine extract the start and the end line numbers from a issue line
func parseLine(line string) (int, int) {
parts := strings.Split(line, "-")
start := parts[0]
end := start
if len(parts) > 1 {
end = parts[1]
}
s, err := strconv.Atoi(start)
if err != nil {
return -1, -1
}
e, err := strconv.Atoi(end)
if err != nil {
return -1, -1
}
return s, e
}

View file

@ -1,70 +0,0 @@
package output
import (
"encoding/xml"
htmlLib "html"
"strconv"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/formatter"
)
type junitXMLReport struct {
XMLName xml.Name `xml:"testsuites"`
Testsuites []testsuite `xml:"testsuite"`
}
type testsuite struct {
XMLName xml.Name `xml:"testsuite"`
Name string `xml:"name,attr"`
Tests int `xml:"tests,attr"`
Testcases []testcase `xml:"testcase"`
}
type testcase struct {
XMLName xml.Name `xml:"testcase"`
Name string `xml:"name,attr"`
Failure failure `xml:"failure"`
}
type failure struct {
XMLName xml.Name `xml:"failure"`
Message string `xml:"message,attr"`
Text string `xml:",innerxml"`
}
func generatePlaintext(issue *gosec.Issue) string {
return "Results:\n" +
"[" + issue.File + ":" + issue.Line + "] - " +
issue.What + " (Confidence: " + strconv.Itoa(int(issue.Confidence)) +
", Severity: " + strconv.Itoa(int(issue.Severity)) +
", CWE: " + issue.Cwe.ID + ")\n" + "> " + htmlLib.EscapeString(issue.Code)
}
func createJUnitXMLStruct(data *formatter.ReportInfo) junitXMLReport {
var xmlReport junitXMLReport
testsuites := map[string]int{}
for _, issue := range data.Issues {
index, ok := testsuites[issue.What]
if !ok {
xmlReport.Testsuites = append(xmlReport.Testsuites, testsuite{
Name: issue.What,
})
index = len(xmlReport.Testsuites) - 1
testsuites[issue.What] = index
}
testcase := testcase{
Name: issue.File,
Failure: failure{
Message: "Found 1 vulnerability. See stacktrace for details.",
Text: generatePlaintext(issue),
},
}
xmlReport.Testsuites[index].Testcases = append(xmlReport.Testsuites[index].Testcases, testcase)
xmlReport.Testsuites[index].Tests++
}
return xmlReport
}

View file

@ -1,4 +1,4 @@
package formatter package core
import ( import (
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"

29
report/csv/writer.go Normal file
View file

@ -0,0 +1,29 @@
package csv
import (
"encoding/csv"
"fmt"
"github.com/securego/gosec/v2/report/core"
"io"
)
//WriteReport write a report in csv format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
out := csv.NewWriter(w)
defer out.Flush()
for _, issue := range data.Issues {
err := out.Write([]string{
issue.File,
issue.Line,
issue.What,
issue.Severity.String(),
issue.Confidence.String(),
issue.Code,
fmt.Sprintf("CWE-%s", issue.Cwe.ID),
})
if err != nil {
return err
}
}
return nil
}

84
report/formatter.go Normal file
View file

@ -0,0 +1,84 @@
// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package report
import (
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/report/core"
"github.com/securego/gosec/v2/report/csv"
"github.com/securego/gosec/v2/report/golint"
"github.com/securego/gosec/v2/report/html"
"github.com/securego/gosec/v2/report/json"
"github.com/securego/gosec/v2/report/junit"
"github.com/securego/gosec/v2/report/sarif"
"github.com/securego/gosec/v2/report/sonar"
"github.com/securego/gosec/v2/report/text"
"github.com/securego/gosec/v2/report/yaml"
"io"
)
// Format enumerates the output format for reported issues
type Format int
const (
// ReportText is the default format that writes to stdout
ReportText Format = iota // Plain text format
// ReportJSON set the output format to json
ReportJSON // Json format
// ReportCSV set the output format to csv
ReportCSV // CSV format
// ReportJUnitXML set the output format to junit xml
ReportJUnitXML // JUnit XML format
// ReportSARIF set the output format to SARIF
ReportSARIF // SARIF format
)
// CreateReport generates a report based for the supplied issues and metrics given
// the specified format. The formats currently accepted are: json, yaml, csv, junit-xml, html, sonarqube, golint and text.
func CreateReport(w io.Writer, format string, enableColor bool, rootPaths []string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
data := &core.ReportInfo{
Errors: errors,
Issues: issues,
Stats: metrics,
}
var err error
switch format {
case "json":
err = json.WriteReport(w, data)
case "yaml":
err = yaml.WriteReport(w, data)
case "csv":
err = csv.WriteReport(w, data)
case "junit-xml":
err = junit.WriteReport(w, data)
case "html":
err = html.WriteReport(w, data)
case "text":
err = text.WriteReport(w, data, enableColor)
case "sonarqube":
err = sonar.WriteReport(w, data, rootPaths)
case "golint":
err = golint.WriteReport(w, data)
case "sarif":
err = sarif.WriteReport(w, data, rootPaths)
default:
err = text.WriteReport(w, data, enableColor)
}
return err
}

View file

@ -1,4 +1,4 @@
package output package report
import ( import (
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"

View file

@ -1,4 +1,4 @@
package output package report
import ( import (
"bytes" "bytes"
@ -9,8 +9,9 @@ import (
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/formatter" "github.com/securego/gosec/v2/report/core"
"github.com/securego/gosec/v2/sonar" "github.com/securego/gosec/v2/report/junit"
"github.com/securego/gosec/v2/report/sonar"
"gopkg.in/yaml.v2" "gopkg.in/yaml.v2"
) )
@ -35,10 +36,10 @@ func createIssue(ruleID string, cwe gosec.Cwe) gosec.Issue {
} }
} }
func createReportInfo(rule string, cwe gosec.Cwe) formatter.ReportInfo { func createReportInfo(rule string, cwe gosec.Cwe) core.ReportInfo {
issue := createIssue(rule, cwe) issue := createIssue(rule, cwe)
metrics := gosec.Metrics{} metrics := gosec.Metrics{}
return formatter.ReportInfo{ return core.ReportInfo{
Errors: map[string][]gosec.Error{}, Errors: map[string][]gosec.Error{},
Issues: []*gosec.Issue{ Issues: []*gosec.Issue{
&issue, &issue,
@ -59,7 +60,7 @@ var _ = Describe("Formatter", func() {
}) })
Context("when converting to Sonarqube issues", func() { Context("when converting to Sonarqube issues", func() {
It("it should parse the report info", func() { It("it should parse the report info", func() {
data := &formatter.ReportInfo{ data := &core.ReportInfo{
Errors: map[string][]gosec.Error{}, Errors: map[string][]gosec.Error{},
Issues: []*gosec.Issue{ Issues: []*gosec.Issue{
{ {
@ -94,20 +95,20 @@ var _ = Describe("Formatter", func() {
}, },
Type: "VULNERABILITY", Type: "VULNERABILITY",
Severity: "BLOCKER", Severity: "BLOCKER",
EffortMinutes: SonarqubeEffortMinutes, EffortMinutes: sonar.EffortMinutes,
}, },
}, },
} }
rootPath := "/home/src/project" rootPath := "/home/src/project"
issues, err := convertToSonarIssues([]string{rootPath}, data) issues, err := sonar.GenerateReport([]string{rootPath}, data)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
Expect(*issues).To(Equal(*want)) Expect(*issues).To(Equal(*want))
}) })
It("it should parse the report info with files in subfolders", func() { It("it should parse the report info with files in subfolders", func() {
data := &formatter.ReportInfo{ data := &core.ReportInfo{
Errors: map[string][]gosec.Error{}, Errors: map[string][]gosec.Error{},
Issues: []*gosec.Issue{ Issues: []*gosec.Issue{
{ {
@ -142,19 +143,19 @@ var _ = Describe("Formatter", func() {
}, },
Type: "VULNERABILITY", Type: "VULNERABILITY",
Severity: "BLOCKER", Severity: "BLOCKER",
EffortMinutes: SonarqubeEffortMinutes, EffortMinutes: sonar.EffortMinutes,
}, },
}, },
} }
rootPath := "/home/src/project" rootPath := "/home/src/project"
issues, err := convertToSonarIssues([]string{rootPath}, data) issues, err := sonar.GenerateReport([]string{rootPath}, data)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
Expect(*issues).To(Equal(*want)) Expect(*issues).To(Equal(*want))
}) })
It("it should not parse the report info for files from other projects", func() { It("it should not parse the report info for files from other projects", func() {
data := &formatter.ReportInfo{ data := &core.ReportInfo{
Errors: map[string][]gosec.Error{}, Errors: map[string][]gosec.Error{},
Issues: []*gosec.Issue{ Issues: []*gosec.Issue{
{ {
@ -180,13 +181,13 @@ var _ = Describe("Formatter", func() {
rootPath := "/home/src/project2" rootPath := "/home/src/project2"
issues, err := convertToSonarIssues([]string{rootPath}, data) issues, err := sonar.GenerateReport([]string{rootPath}, data)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
Expect(*issues).To(Equal(*want)) Expect(*issues).To(Equal(*want))
}) })
It("it should parse the report info for multiple projects projects", func() { It("it should parse the report info for multiple projects projects", func() {
data := &formatter.ReportInfo{ data := &core.ReportInfo{
Errors: map[string][]gosec.Error{}, Errors: map[string][]gosec.Error{},
Issues: []*gosec.Issue{ Issues: []*gosec.Issue{
{ {
@ -230,7 +231,7 @@ var _ = Describe("Formatter", func() {
}, },
Type: "VULNERABILITY", Type: "VULNERABILITY",
Severity: "BLOCKER", Severity: "BLOCKER",
EffortMinutes: SonarqubeEffortMinutes, EffortMinutes: sonar.EffortMinutes,
}, },
{ {
EngineID: "gosec", EngineID: "gosec",
@ -245,14 +246,14 @@ var _ = Describe("Formatter", func() {
}, },
Type: "VULNERABILITY", Type: "VULNERABILITY",
Severity: "BLOCKER", Severity: "BLOCKER",
EffortMinutes: SonarqubeEffortMinutes, EffortMinutes: sonar.EffortMinutes,
}, },
}, },
} }
rootPaths := []string{"/home/src/project1", "/home/src/project2"} rootPaths := []string{"/home/src/project1", "/home/src/project2"}
issues, err := convertToSonarIssues(rootPaths, data) issues, err := sonar.GenerateReport(rootPaths, data)
Expect(err).ShouldNot(HaveOccurred()) Expect(err).ShouldNot(HaveOccurred())
Expect(*issues).To(Equal(*want)) Expect(*issues).To(Equal(*want))
}) })
@ -262,7 +263,7 @@ var _ = Describe("Formatter", func() {
It("preserves order of issues", func() { It("preserves order of issues", func() {
issues := []*gosec.Issue{createIssueWithFileWhat("i1", "1"), createIssueWithFileWhat("i2", "2"), createIssueWithFileWhat("i3", "1")} issues := []*gosec.Issue{createIssueWithFileWhat("i1", "1"), createIssueWithFileWhat("i2", "2"), createIssueWithFileWhat("i3", "1")}
junitReport := createJUnitXMLStruct(&formatter.ReportInfo{Issues: issues}) junitReport := junit.GenerateReport(&core.ReportInfo{Issues: issues})
testSuite := junitReport.Testsuites[0] testSuite := junitReport.Testsuites[0]

39
report/golint/writer.go Normal file
View file

@ -0,0 +1,39 @@
package golint
import (
"fmt"
"github.com/securego/gosec/v2/report/core"
"io"
"strings"
)
//WriteReport write a report in golint format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
// Output Sample:
// /tmp/main.go:11:14: [CWE-310] RSA keys should be at least 2048 bits (Rule:G403, Severity:MEDIUM, Confidence:HIGH)
for _, issue := range data.Issues {
what := issue.What
if issue.Cwe.ID != "" {
what = fmt.Sprintf("[CWE-%s] %s", issue.Cwe.ID, issue.What)
}
// issue.Line uses "start-end" format for multiple line detection.
lines := strings.Split(issue.Line, "-")
start := lines[0]
_, err := fmt.Fprintf(w, "%s:%s:%s: %s (Rule:%s, Severity:%s, Confidence:%s)\n",
issue.File,
start,
issue.Col,
what,
issue.RuleID,
issue.Severity.String(),
issue.Confidence.String(),
)
if err != nil {
return err
}
}
return nil
}

View file

@ -12,9 +12,9 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
package output package html
const html = ` const templateContent = `
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>

17
report/html/writer.go Normal file
View file

@ -0,0 +1,17 @@
package html
import (
"github.com/securego/gosec/v2/report/core"
"html/template"
"io"
)
//WriteReport write a report in html format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
t, e := template.New("gosec").Parse(templateContent)
if e != nil {
return e
}
return t.Execute(w, data)
}

18
report/json/writer.go Normal file
View file

@ -0,0 +1,18 @@
package json
import (
"encoding/json"
"github.com/securego/gosec/v2/report/core"
"io"
)
//WriteReport write a report in json format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
raw, err := json.MarshalIndent(data, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}

46
report/junit/formatter.go Normal file
View file

@ -0,0 +1,46 @@
package junit
import (
"html"
"strconv"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/report/core"
)
func generatePlaintext(issue *gosec.Issue) string {
return "Results:\n" +
"[" + issue.File + ":" + issue.Line + "] - " +
issue.What + " (Confidence: " + strconv.Itoa(int(issue.Confidence)) +
", Severity: " + strconv.Itoa(int(issue.Severity)) +
", CWE: " + issue.Cwe.ID + ")\n" + "> " + html.EscapeString(issue.Code)
}
//GenerateReport Convert a gosec report to a JUnit Report
func GenerateReport(data *core.ReportInfo) Report {
var xmlReport Report
testsuites := map[string]int{}
for _, issue := range data.Issues {
index, ok := testsuites[issue.What]
if !ok {
xmlReport.Testsuites = append(xmlReport.Testsuites, &Testsuite{
Name: issue.What,
})
index = len(xmlReport.Testsuites) - 1
testsuites[issue.What] = index
}
testcase := &Testcase{
Name: issue.File,
Failure: &Failure{
Message: "Found 1 vulnerability. See stacktrace for details.",
Text: generatePlaintext(issue),
},
}
xmlReport.Testsuites[index].Testcases = append(xmlReport.Testsuites[index].Testcases, testcase)
xmlReport.Testsuites[index].Tests++
}
return xmlReport
}

33
report/junit/types.go Normal file
View file

@ -0,0 +1,33 @@
package junit
import (
"encoding/xml"
)
//Report defines a JUnit XML report
type Report struct {
XMLName xml.Name `xml:"testsuites"`
Testsuites []*Testsuite `xml:"testsuite"`
}
//Testsuite defines a JUnit testsuite
type Testsuite struct {
XMLName xml.Name `xml:"testsuite"`
Name string `xml:"name,attr"`
Tests int `xml:"tests,attr"`
Testcases []*Testcase `xml:"testcase"`
}
//Testcase defines a JUnit testcase
type Testcase struct {
XMLName xml.Name `xml:"testcase"`
Name string `xml:"name,attr"`
Failure *Failure `xml:"failure"`
}
//Failure defines a JUnit failure
type Failure struct {
XMLName xml.Name `xml:"failure"`
Message string `xml:"message,attr"`
Text string `xml:",innerxml"`
}

25
report/junit/writer.go Normal file
View file

@ -0,0 +1,25 @@
package junit
import (
"encoding/xml"
"github.com/securego/gosec/v2/report/core"
"io"
)
//WriteReport write a report in JUnit format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
junitXMLStruct := GenerateReport(data)
raw, err := xml.MarshalIndent(junitXMLStruct, "", "\t")
if err != nil {
return err
}
xmlHeader := []byte("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
raw = append(xmlHeader, raw...)
_, err = w.Write(raw)
if err != nil {
return err
}
return nil
}

View file

@ -9,7 +9,7 @@ import (
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/cwe" "github.com/securego/gosec/v2/cwe"
"github.com/securego/gosec/v2/formatter" "github.com/securego/gosec/v2/report/core"
) )
type sarifLevel string type sarifLevel string
@ -22,8 +22,8 @@ const (
cweAcronym = "CWE" cweAcronym = "CWE"
) )
//ConvertToSarifReport Convert a gosec report to a Sarif Report //GenerateReport Convert a gosec report to a Sarif Report
func ConvertToSarifReport(rootPaths []string, data *formatter.ReportInfo) (*Report, error) { func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error) {
type rule struct { type rule struct {
index int index int

22
report/sarif/writer.go Normal file
View file

@ -0,0 +1,22 @@
package sarif
import (
"encoding/json"
"github.com/securego/gosec/v2/report/core"
"io"
)
//WriteReport write a report in SARIF format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo,rootPaths []string) error {
sr, err := GenerateReport(rootPaths, data)
if err != nil {
return err
}
raw, err := json.MarshalIndent(sr, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}

View file

@ -1,20 +1,20 @@
package output package sonar
import ( import (
"github.com/securego/gosec/v2" "github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/formatter" "github.com/securego/gosec/v2/report/core"
"github.com/securego/gosec/v2/sonar"
"strconv" "strconv"
"strings" "strings"
) )
const ( const (
//SonarqubeEffortMinutes effort to fix in minutes //EffortMinutes effort to fix in minutes
SonarqubeEffortMinutes = 5 EffortMinutes = 5
) )
func convertToSonarIssues(rootPaths []string, data *formatter.ReportInfo) (*sonar.Report, error) { //GenerateReport Convert a gosec report to a Sonar Report
si := &sonar.Report{Issues: []*sonar.Issue{}} func GenerateReport(rootPaths []string, data *core.ReportInfo) (*Report, error) {
si := &Report{Issues: []*Issue{}}
for _, issue := range data.Issues { for _, issue := range data.Issues {
sonarFilePath := parseFilePath(issue, rootPaths) sonarFilePath := parseFilePath(issue, rootPaths)
@ -30,21 +30,21 @@ func convertToSonarIssues(rootPaths []string, data *formatter.ReportInfo) (*sona
primaryLocation := buildPrimaryLocation(issue.What, sonarFilePath, textRange) primaryLocation := buildPrimaryLocation(issue.What, sonarFilePath, textRange)
severity := getSonarSeverity(issue.Severity.String()) severity := getSonarSeverity(issue.Severity.String())
s := &sonar.Issue{ s := &Issue{
EngineID: "gosec", EngineID: "gosec",
RuleID: issue.RuleID, RuleID: issue.RuleID,
PrimaryLocation: primaryLocation, PrimaryLocation: primaryLocation,
Type: "VULNERABILITY", Type: "VULNERABILITY",
Severity: severity, Severity: severity,
EffortMinutes: SonarqubeEffortMinutes, EffortMinutes: EffortMinutes,
} }
si.Issues = append(si.Issues, s) si.Issues = append(si.Issues, s)
} }
return si, nil return si, nil
} }
func buildPrimaryLocation(message string, filePath string, textRange *sonar.TextRange) *sonar.Location { func buildPrimaryLocation(message string, filePath string, textRange *TextRange) *Location {
return &sonar.Location{ return &Location{
Message: message, Message: message,
FilePath: filePath, FilePath: filePath,
TextRange: textRange, TextRange: textRange,
@ -61,7 +61,7 @@ func parseFilePath(issue *gosec.Issue, rootPaths []string) string {
return sonarFilePath return sonarFilePath
} }
func parseTextRange(issue *gosec.Issue) (*sonar.TextRange, error) { func parseTextRange(issue *gosec.Issue) (*TextRange, error) {
lines := strings.Split(issue.Line, "-") lines := strings.Split(issue.Line, "-")
startLine, err := strconv.Atoi(lines[0]) startLine, err := strconv.Atoi(lines[0])
if err != nil { if err != nil {
@ -74,7 +74,7 @@ func parseTextRange(issue *gosec.Issue) (*sonar.TextRange, error) {
return nil, err return nil, err
} }
} }
return &sonar.TextRange{StartLine: startLine, EndLine: endLine}, nil return &TextRange{StartLine: startLine, EndLine: endLine}, nil
} }
func getSonarSeverity(s string) string { func getSonarSeverity(s string) string {

21
report/sonar/writer.go Normal file
View file

@ -0,0 +1,21 @@
package sonar
import (
"encoding/json"
"github.com/securego/gosec/v2/report/core"
"io"
)
//WriteReport write a report in sonar format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo, rootPaths []string) error {
si, err := GenerateReport(rootPaths, data)
if err != nil {
return err
}
raw, err := json.MarshalIndent(si, "", "\t")
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}

25
report/text/template.go Normal file
View file

@ -0,0 +1,25 @@
package text
const templateContent = `Results:
{{range $filePath,$fileErrors := .Errors}}
Golang errors in file: [{{ $filePath }}]:
{{range $index, $error := $fileErrors}}
> [line {{$error.Line}} : column {{$error.Column}}] - {{$error.Err}}
{{end}}
{{end}}
{{ range $index, $issue := .Issues }}
[{{ highlight $issue.FileLocation $issue.Severity }}] - {{ $issue.RuleID }} (CWE-{{ $issue.Cwe.ID }}): {{ $issue.What }} (Confidence: {{ $issue.Confidence}}, Severity: {{ $issue.Severity }})
{{ printCode $issue }}
{{ end }}
{{ notice "Summary:" }}
Files: {{.Stats.NumFiles}}
Lines: {{.Stats.NumLines}}
Nosec: {{.Stats.NumNosec}}
Issues: {{ if eq .Stats.NumFound 0 }}
{{- success .Stats.NumFound }}
{{- else }}
{{- danger .Stats.NumFound }}
{{- end }}
`

106
report/text/writer.go Normal file
View file

@ -0,0 +1,106 @@
package text
import (
"bufio"
"bytes"
"fmt"
"github.com/gookit/color"
"github.com/securego/gosec/v2"
"github.com/securego/gosec/v2/report/core"
"io"
"strconv"
"strings"
"text/template"
)
var (
errorTheme = color.New(color.FgLightWhite, color.BgRed)
warningTheme = color.New(color.FgBlack, color.BgYellow)
defaultTheme = color.New(color.FgWhite, color.BgBlack)
)
//WriteReport write a (colorized) report in text format
func WriteReport(w io.Writer, data *core.ReportInfo, enableColor bool) error {
t, e := template.
New("gosec").
Funcs(plainTextFuncMap(enableColor)).
Parse(templateContent)
if e != nil {
return e
}
return t.Execute(w, data)
}
func plainTextFuncMap(enableColor bool) template.FuncMap {
if enableColor {
return template.FuncMap{
"highlight": highlight,
"danger": color.Danger.Render,
"notice": color.Notice.Render,
"success": color.Success.Render,
"printCode": printCodeSnippet,
}
}
// by default those functions return the given content untouched
return template.FuncMap{
"highlight": func(t string, s gosec.Score) string {
return t
},
"danger": fmt.Sprint,
"notice": fmt.Sprint,
"success": fmt.Sprint,
"printCode": printCodeSnippet,
}
}
// highlight returns content t colored based on Score
func highlight(t string, s gosec.Score) string {
switch s {
case gosec.High:
return errorTheme.Sprint(t)
case gosec.Medium:
return warningTheme.Sprint(t)
default:
return defaultTheme.Sprint(t)
}
}
// printCodeSnippet prints the code snippet from the issue by adding a marker to the affected line
func printCodeSnippet(issue *gosec.Issue) string {
start, end := parseLine(issue.Line)
scanner := bufio.NewScanner(strings.NewReader(issue.Code))
var buf bytes.Buffer
line := start
for scanner.Scan() {
codeLine := scanner.Text()
if strings.HasPrefix(codeLine, strconv.Itoa(line)) && line <= end {
codeLine = " > " + codeLine + "\n"
line++
} else {
codeLine = " " + codeLine + "\n"
}
buf.WriteString(codeLine)
}
return buf.String()
}
// parseLine extract the start and the end line numbers from a issue line
func parseLine(line string) (int, int) {
parts := strings.Split(line, "-")
start := parts[0]
end := start
if len(parts) > 1 {
end = parts[1]
}
s, err := strconv.Atoi(start)
if err != nil {
return -1, -1
}
e, err := strconv.Atoi(end)
if err != nil {
return -1, -1
}
return s, e
}

17
report/yaml/writer.go Normal file
View file

@ -0,0 +1,17 @@
package yaml
import (
"github.com/securego/gosec/v2/report/core"
"gopkg.in/yaml.v2"
"io"
)
//WriteReport write a report in yaml format to the output writer
func WriteReport(w io.Writer, data *core.ReportInfo) error {
raw, err := yaml.Marshal(data)
if err != nil {
return err
}
_, err = w.Write(raw)
return err
}