mirror of
https://github.com/securego/gosec.git
synced 2024-12-25 03:55:54 +00:00
d6aeaad931
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
251 lines
6.7 KiB
Go
251 lines
6.7 KiB
Go
package sarif
|
|
|
|
import (
|
|
"fmt"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"github.com/securego/gosec/v2"
|
|
"github.com/securego/gosec/v2/cwe"
|
|
"github.com/securego/gosec/v2/issue"
|
|
)
|
|
|
|
// GenerateReport converts a gosec report into a SARIF report
|
|
func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) {
|
|
rules := []*ReportingDescriptor{}
|
|
|
|
results := []*Result{}
|
|
cweTaxa := []*ReportingDescriptor{}
|
|
weaknesses := map[string]*cwe.Weakness{}
|
|
|
|
for _, issue := range data.Issues {
|
|
if issue.Cwe != nil {
|
|
_, ok := weaknesses[issue.Cwe.ID]
|
|
if !ok {
|
|
weakness := cwe.Get(issue.Cwe.ID)
|
|
weaknesses[issue.Cwe.ID] = weakness
|
|
cweTaxon := parseSarifTaxon(weakness)
|
|
cweTaxa = append(cweTaxa, cweTaxon)
|
|
}
|
|
}
|
|
|
|
rule := parseSarifRule(issue)
|
|
var ruleIndex int
|
|
rules, ruleIndex = addRuleInOrder(rules, rule)
|
|
|
|
location, err := parseSarifLocation(issue, rootPaths)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
result := NewResult(
|
|
issue.RuleID,
|
|
ruleIndex,
|
|
getSarifLevel(issue.Severity.String()),
|
|
issue.What,
|
|
buildSarifSuppressions(issue.Suppressions),
|
|
).WithLocations(location)
|
|
|
|
results = append(results, result)
|
|
}
|
|
|
|
sort.SliceStable(cweTaxa, func(i, j int) bool { return cweTaxa[i].ID < cweTaxa[j].ID })
|
|
|
|
tool := NewTool(buildSarifDriver(rules, data.GosecVersion))
|
|
|
|
cweTaxonomy := buildCWETaxonomy(cweTaxa)
|
|
|
|
run := NewRun(tool).
|
|
WithTaxonomies(cweTaxonomy).
|
|
WithResults(results...)
|
|
|
|
return NewReport(Version, Schema).
|
|
WithRuns(run), nil
|
|
}
|
|
|
|
// addRuleInOrder inserts a rule into the rules slice keeping the rules IDs order, it returns the new rules
|
|
// slice and the position where the rule was inserted
|
|
func addRuleInOrder(rules []*ReportingDescriptor, rule *ReportingDescriptor) ([]*ReportingDescriptor, int) {
|
|
position := 0
|
|
for i, r := range rules {
|
|
if r.ID < rule.ID {
|
|
continue
|
|
}
|
|
if r.ID == rule.ID {
|
|
return rules, i
|
|
}
|
|
position = i
|
|
break
|
|
}
|
|
rules = append(rules, nil)
|
|
copy(rules[position+1:], rules[position:])
|
|
rules[position] = rule
|
|
return rules, position
|
|
}
|
|
|
|
// parseSarifRule return SARIF rule field struct
|
|
func parseSarifRule(i *issue.Issue) *ReportingDescriptor {
|
|
cwe := issue.GetCweByRule(i.RuleID)
|
|
name := i.RuleID
|
|
if cwe != nil {
|
|
name = cwe.Name
|
|
}
|
|
return &ReportingDescriptor{
|
|
ID: i.RuleID,
|
|
Name: name,
|
|
ShortDescription: NewMultiformatMessageString(i.What),
|
|
FullDescription: NewMultiformatMessageString(i.What),
|
|
Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n",
|
|
i.What, i.Severity.String(), i.Confidence.String())),
|
|
Properties: &PropertyBag{
|
|
"tags": []string{"security", i.Severity.String()},
|
|
"precision": strings.ToLower(i.Confidence.String()),
|
|
},
|
|
DefaultConfiguration: &ReportingConfiguration{
|
|
Level: getSarifLevel(i.Severity.String()),
|
|
},
|
|
Relationships: []*ReportingDescriptorRelationship{
|
|
buildSarifReportingDescriptorRelationship(i.Cwe),
|
|
},
|
|
}
|
|
}
|
|
|
|
func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
|
|
if weakness == nil {
|
|
return nil
|
|
}
|
|
return &ReportingDescriptorRelationship{
|
|
Target: &ReportingDescriptorReference{
|
|
ID: weakness.ID,
|
|
GUID: uuid3(weakness.SprintID()),
|
|
ToolComponent: NewToolComponentReference(cwe.Acronym),
|
|
},
|
|
Kinds: []string{"superset"},
|
|
}
|
|
}
|
|
|
|
func buildCWETaxonomy(taxa []*ReportingDescriptor) *ToolComponent {
|
|
return NewToolComponent(cwe.Acronym, cwe.Version, cwe.InformationURI).
|
|
WithReleaseDateUtc(cwe.ReleaseDateUtc).
|
|
WithDownloadURI(cwe.DownloadURI).
|
|
WithOrganization(cwe.Organization).
|
|
WithShortDescription(NewMultiformatMessageString(cwe.Description)).
|
|
WithIsComprehensive(true).
|
|
WithLanguage("en").
|
|
WithMinimumRequiredLocalizedDataSemanticVersion(cwe.Version).
|
|
WithTaxa(taxa...)
|
|
}
|
|
|
|
func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor {
|
|
return &ReportingDescriptor{
|
|
ID: weakness.ID,
|
|
GUID: uuid3(weakness.SprintID()),
|
|
HelpURI: weakness.SprintURL(),
|
|
FullDescription: NewMultiformatMessageString(weakness.Description),
|
|
ShortDescription: NewMultiformatMessageString(weakness.Name),
|
|
}
|
|
}
|
|
|
|
func parseSemanticVersion(version string) string {
|
|
if len(version) == 0 {
|
|
return "devel"
|
|
}
|
|
if strings.HasPrefix(version, "v") {
|
|
return version[1:]
|
|
}
|
|
return version
|
|
}
|
|
|
|
func buildSarifDriver(rules []*ReportingDescriptor, gosecVersion string) *ToolComponent {
|
|
semanticVersion := parseSemanticVersion(gosecVersion)
|
|
return NewToolComponent("gosec", gosecVersion, "https://github.com/securego/gosec/").
|
|
WithSemanticVersion(semanticVersion).
|
|
WithSupportedTaxonomies(NewToolComponentReference(cwe.Acronym)).
|
|
WithRules(rules...)
|
|
}
|
|
|
|
func uuid3(value string) string {
|
|
return uuid.NewMD5(uuid.Nil, []byte(value)).String()
|
|
}
|
|
|
|
// parseSarifLocation return SARIF location struct
|
|
func parseSarifLocation(i *issue.Issue, rootPaths []string) (*Location, error) {
|
|
region, err := parseSarifRegion(i)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
artifactLocation := parseSarifArtifactLocation(i, rootPaths)
|
|
return NewLocation(NewPhysicalLocation(artifactLocation, region)), nil
|
|
}
|
|
|
|
func parseSarifArtifactLocation(i *issue.Issue, rootPaths []string) *ArtifactLocation {
|
|
var filePath string
|
|
for _, rootPath := range rootPaths {
|
|
if strings.HasPrefix(i.File, rootPath) {
|
|
filePath = strings.Replace(i.File, rootPath+"/", "", 1)
|
|
}
|
|
}
|
|
return NewArtifactLocation(filePath)
|
|
}
|
|
|
|
func parseSarifRegion(i *issue.Issue) (*Region, error) {
|
|
lines := strings.Split(i.Line, "-")
|
|
startLine, err := strconv.Atoi(lines[0])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
endLine := startLine
|
|
if len(lines) > 1 {
|
|
endLine, err = strconv.Atoi(lines[1])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
col, err := strconv.Atoi(i.Col)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
var code string
|
|
line := startLine
|
|
codeLines := strings.Split(i.Code, "\n")
|
|
for _, codeLine := range codeLines {
|
|
lineStart := fmt.Sprintf("%d:", line)
|
|
if strings.HasPrefix(codeLine, lineStart) {
|
|
code += strings.TrimSpace(
|
|
strings.TrimPrefix(codeLine, lineStart))
|
|
if endLine > startLine {
|
|
code += "\n"
|
|
}
|
|
line++
|
|
if line > endLine {
|
|
break
|
|
}
|
|
}
|
|
}
|
|
snippet := NewArtifactContent(code)
|
|
return NewRegion(startLine, endLine, col, col, "go").WithSnippet(snippet), nil
|
|
}
|
|
|
|
func getSarifLevel(s string) Level {
|
|
switch s {
|
|
case "LOW":
|
|
return Warning
|
|
case "MEDIUM":
|
|
return Error
|
|
case "HIGH":
|
|
return Error
|
|
default:
|
|
return Note
|
|
}
|
|
}
|
|
|
|
func buildSarifSuppressions(suppressions []issue.SuppressionInfo) []*Suppression {
|
|
var sarifSuppressionList []*Suppression
|
|
for _, s := range suppressions {
|
|
sarifSuppressionList = append(sarifSuppressionList, NewSuppression(s.Kind, s.Justification))
|
|
}
|
|
return sarifSuppressionList
|
|
}
|