gosec/report/sarif/formatter.go

package sarif

import (
	"fmt"
	"sort"
	"strconv"
	"strings"

	"github.com/google/uuid"
	"github.com/securego/gosec/v2"
	"github.com/securego/gosec/v2/cwe"
	"github.com/securego/gosec/v2/issue"
)

// GenerateReport converts a gosec report into a SARIF report
func GenerateReport(rootPaths []string, data *gosec.ReportInfo) (*Report, error) {
	rules := []*ReportingDescriptor{}

	results := []*Result{}
	cweTaxa := []*ReportingDescriptor{}
	weaknesses := map[string]*cwe.Weakness{}

	for _, issue := range data.Issues {
		if issue.Cwe != nil {
			_, ok := weaknesses[issue.Cwe.ID]
			if !ok {
				weakness := cwe.Get(issue.Cwe.ID)
				weaknesses[issue.Cwe.ID] = weakness
				cweTaxon := parseSarifTaxon(weakness)
				cweTaxa = append(cweTaxa, cweTaxon)
			}
		}

		rule := parseSarifRule(issue)
		var ruleIndex int
		rules, ruleIndex = addRuleInOrder(rules, rule)

		location, err := parseSarifLocation(issue, rootPaths)
		if err != nil {
			return nil, err
		}

		result := NewResult(
			issue.RuleID,
			ruleIndex,
			getSarifLevel(issue.Severity.String()),
			issue.What,
			buildSarifSuppressions(issue.Suppressions),
		).WithLocations(location)

		results = append(results, result)
	}

	sort.SliceStable(cweTaxa, func(i, j int) bool { return cweTaxa[i].ID < cweTaxa[j].ID })

	tool := NewTool(buildSarifDriver(rules, data.GosecVersion))

	cweTaxonomy := buildCWETaxonomy(cweTaxa)

	run := NewRun(tool).
		WithTaxonomies(cweTaxonomy).
		WithResults(results...)

	return NewReport(Version, Schema).
		WithRuns(run), nil
}

// addRuleInOrder inserts a rule into the rules slice keeping the rules IDs order, it returns the new rules
// slice and the position where the rule was inserted
func addRuleInOrder(rules []*ReportingDescriptor, rule *ReportingDescriptor) ([]*ReportingDescriptor, int) {
	position := 0
	for i, r := range rules {
		if r.ID < rule.ID {
			continue
		}
		if r.ID == rule.ID {
			return rules, i
		}
		position = i
		break
	}
	rules = append(rules, nil)
	copy(rules[position+1:], rules[position:])
	rules[position] = rule
	return rules, position
}

// parseSarifRule return SARIF rule field struct
func parseSarifRule(i *issue.Issue) *ReportingDescriptor {
	cwe := issue.GetCweByRule(i.RuleID)
	name := i.RuleID
	if cwe != nil {
		name = cwe.Name
	}
	return &ReportingDescriptor{
		ID:               i.RuleID,
		Name:             name,
		ShortDescription: NewMultiformatMessageString(i.What),
		FullDescription:  NewMultiformatMessageString(i.What),
		Help: NewMultiformatMessageString(fmt.Sprintf("%s\nSeverity: %s\nConfidence: %s\n",
			i.What, i.Severity.String(), i.Confidence.String())),
		Properties: &PropertyBag{
			"tags":      []string{"security", i.Severity.String()},
			"precision": strings.ToLower(i.Confidence.String()),
		},
		DefaultConfiguration: &ReportingConfiguration{
			Level: getSarifLevel(i.Severity.String()),
		},
		Relationships: []*ReportingDescriptorRelationship{
			buildSarifReportingDescriptorRelationship(i.Cwe),
		},
	}
}

func buildSarifReportingDescriptorRelationship(weakness *cwe.Weakness) *ReportingDescriptorRelationship {
	if weakness == nil {
		return nil
	}
	return &ReportingDescriptorRelationship{
		Target: &ReportingDescriptorReference{
			ID:            weakness.ID,
			GUID:          uuid3(weakness.SprintID()),
			ToolComponent: NewToolComponentReference(cwe.Acronym),
		},
		Kinds: []string{"superset"},
	}
}

func buildCWETaxonomy(taxa []*ReportingDescriptor) *ToolComponent {
	return NewToolComponent(cwe.Acronym, cwe.Version, cwe.InformationURI).
		WithReleaseDateUtc(cwe.ReleaseDateUtc).
		WithDownloadURI(cwe.DownloadURI).
		WithOrganization(cwe.Organization).
		WithShortDescription(NewMultiformatMessageString(cwe.Description)).
		WithIsComprehensive(true).
		WithLanguage("en").
		WithMinimumRequiredLocalizedDataSemanticVersion(cwe.Version).
		WithTaxa(taxa...)
}

func parseSarifTaxon(weakness *cwe.Weakness) *ReportingDescriptor {
	return &ReportingDescriptor{
		ID:               weakness.ID,
		GUID:             uuid3(weakness.SprintID()),
		HelpURI:          weakness.SprintURL(),
		FullDescription:  NewMultiformatMessageString(weakness.Description),
		ShortDescription: NewMultiformatMessageString(weakness.Name),
	}
}

func parseSemanticVersion(version string) string {
	if len(version) == 0 {
		return "devel"
	}
	if strings.HasPrefix(version, "v") {
		return version[1:]
	}
	return version
}

func buildSarifDriver(rules []*ReportingDescriptor, gosecVersion string) *ToolComponent {
	semanticVersion := parseSemanticVersion(gosecVersion)
	return NewToolComponent("gosec", gosecVersion, "https://github.com/securego/gosec/").
		WithSemanticVersion(semanticVersion).
		WithSupportedTaxonomies(NewToolComponentReference(cwe.Acronym)).
		WithRules(rules...)
}

func uuid3(value string) string {
	return uuid.NewMD5(uuid.Nil, []byte(value)).String()
}

// parseSarifLocation return SARIF location struct
func parseSarifLocation(i *issue.Issue, rootPaths []string) (*Location, error) {
	region, err := parseSarifRegion(i)
	if err != nil {
		return nil, err
	}
	artifactLocation := parseSarifArtifactLocation(i, rootPaths)
	return NewLocation(NewPhysicalLocation(artifactLocation, region)), nil
}

func parseSarifArtifactLocation(i *issue.Issue, rootPaths []string) *ArtifactLocation {
	var filePath string
	for _, rootPath := range rootPaths {
		if strings.HasPrefix(i.File, rootPath) {
			filePath = strings.Replace(i.File, rootPath+"/", "", 1)
		}
	}
	return NewArtifactLocation(filePath)
}

func parseSarifRegion(i *issue.Issue) (*Region, error) {
	lines := strings.Split(i.Line, "-")
	startLine, err := strconv.Atoi(lines[0])
	if err != nil {
		return nil, err
	}
	endLine := startLine
	if len(lines) > 1 {
		endLine, err = strconv.Atoi(lines[1])
		if err != nil {
			return nil, err
		}
	}
	col, err := strconv.Atoi(i.Col)
	if err != nil {
		return nil, err
	}
	var code string
	line := startLine
	codeLines := strings.Split(i.Code, "\n")
	for _, codeLine := range codeLines {
		lineStart := fmt.Sprintf("%d:", line)
		if strings.HasPrefix(codeLine, lineStart) {
			code += strings.TrimSpace(
				strings.TrimPrefix(codeLine, lineStart))
			if endLine > startLine {
				code += "\n"
			}
			line++
			if line > endLine {
				break
			}
		}
	}
	snippet := NewArtifactContent(code)
	return NewRegion(startLine, endLine, col, col, "go").WithSnippet(snippet), nil
}

func getSarifLevel(s string) Level {
	switch s {
	case "LOW":
		return Warning
	case "MEDIUM":
		return Error
	case "HIGH":
		return Error
	default:
		return Note
	}
}

func buildSarifSuppressions(suppressions []issue.SuppressionInfo) []*Suppression {
	var sarifSuppressionList []*Suppression
	for _, s := range suppressions {
		sarifSuppressionList = append(sarifSuppressionList, NewSuppression(s.Kind, s.Justification))
	}
	return sarifSuppressionList
}