From 8306f5b9b5a1e1ddf9336f09540f13dfa1ba74da Mon Sep 17 00:00:00 2001
From: Eyal Kapon
Date: Mon, 23 Sep 2024 14:22:32 +0300
Subject: [PATCH] Show only requested scanners in SARIF format (#185)

---
 commands/scan/dockerscan.go | 2 +-
 commands/scan/scan.go | 2 +-
 utils/resultwriter.go | 33 +++++++++++++++++++-------------
 utils/securityJobSummary.go | 4 ++--
 utils/securityJobSummary_test.go | 11 +++++------
 5 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/commands/scan/dockerscan.go b/commands/scan/dockerscan.go
index dfb9c59c..88728882 100644
--- a/commands/scan/dockerscan.go
+++ b/commands/scan/dockerscan.go
@@ -106,7 +106,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 }
 }
 dsc.analyticsMetricsService.UpdateGeneralEvent(dsc.analyticsMetricsService.CreateXscAnalyticsGeneralEventFinalizeFromAuditResults(scanResults))
- if err = utils.RecordSarifOutput(scanResults); err != nil {
+ if err = utils.RecordSarifOutput(scanResults, utils.GetAllSupportedScans()); err != nil {
 return
 }
 return utils.RecordSecurityCommandSummary(utils.NewDockerScanSummary(
diff --git a/commands/scan/scan.go b/commands/scan/scan.go
index 1d34dbef..b580e70a 100644
--- a/commands/scan/scan.go
+++ b/commands/scan/scan.go
@@ -201,7 +201,7 @@ func (scanCmd *ScanCommand) indexFile(filePath string) (*xrayUtils.BinaryGraphNo
 
 func (scanCmd *ScanCommand) Run() (err error) {
 return scanCmd.RunAndRecordResults(utils.Binary, func(scanResults *utils.Results) (err error) {
- if err = utils.RecordSarifOutput(scanResults); err != nil {
+ if err = utils.RecordSarifOutput(scanResults, utils.GetAllSupportedScans()); err != nil {
 return
 }
 return utils.RecordSecurityCommandSummary(utils.NewBinaryScanSummary(
diff --git a/utils/resultwriter.go b/utils/resultwriter.go
index 9eb70064..cb5f72d6 100644
--- a/utils/resultwriter.go
+++ b/utils/resultwriter.go
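Review bot: Both `Run` call sites hand `utils.RecordSarifOutput` the constant `utils.GetAllSupportedScans()` rather than the sub-scans the command was configured to run, so for docker-scan and binary scan (the scan.go hunk below has the same shape) the new SARIF filter only ever narrows by target type, through the `IsTargetBinary()` exclusion of IaC/SAST inside `shouldScannerBeCalled`. If `DockerScanCommand` or `ScanCommand` carry a requested sub-scan list (not visible here), passing that list would match the PR's stated intent; if these commands always run every supported scanner, a one-line comment such as `// binary targets run every supported scanner; shouldScannerBeCalled still drops IaC/SAST runs for them` would keep the next reader from treating the constant as an oversight. Both enclosing `Run` methods start and end outside their hunks.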
@@ -141,7 +141,7 @@ func (rw *ResultsWriter) PrintScanResults() error {
 case format.Json:
 return PrintJson(rw.results.GetScaScansXrayResults())
 case format.Sarif:
- return PrintSarif(rw.results, rw.isMultipleRoots, rw.includeLicenses)
+ return PrintSarif(rw.results, rw.isMultipleRoots, rw.includeLicenses, rw.subScansPreformed)
 }
 return nil
 }
@@ -157,7 +157,7 @@ func (rw *ResultsWriter) printScanResultsTables() (err error) {
 printMessage(coreutils.PrintTitle("The full scan results are available here: ") + coreutils.PrintLink(resultsPath))
 }
 log.Output()
- if shouldPrintTable(rw.subScansPreformed, ScaScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, ScaScan, rw.results.ResultType) {
 if rw.hasViolationContext {
 if err = PrintViolationsTable(violations, rw.results, rw.isMultipleRoots, rw.printExtended); err != nil {
 return
@@ -174,23 +174,23 @@ func (rw *ResultsWriter) printScanResultsTables() (err error) {
 }
 }
 }
- if shouldPrintTable(rw.subScansPreformed, SecretsScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, SecretsScan, rw.results.ResultType) {
 if err = PrintSecretsTable(rw.results.ExtendedScanResults.SecretsScanResults, rw.results.ExtendedScanResults.EntitledForJas, rw.results.ExtendedScanResults.SecretValidation); err != nil {
 return
 }
 }
- if shouldPrintTable(rw.subScansPreformed, IacScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, IacScan, rw.results.ResultType) {
 if err = PrintIacTable(rw.results.ExtendedScanResults.IacScanResults, rw.results.ExtendedScanResults.EntitledForJas); err != nil {
 return
 }
 }
- if !shouldPrintTable(rw.subScansPreformed, SastScan, rw.results.ResultType) {
+ if !shouldScannerBeCalled(rw.subScansPreformed, SastScan, rw.results.ResultType) {
 return nil
 }
 return PrintSastTable(rw.results.ExtendedScanResults.SastScanResults, rw.results.ExtendedScanResults.EntitledForJas)
 }
 
-func shouldPrintTable(requestedScans []SubScanType, subScan SubScanType, scanType CommandType) bool {
+func shouldScannerBeCalled(requestedScans []SubScanType, subScan SubScanType, scanType CommandType) bool {
 if scanType.IsTargetBinary() && (subScan == IacScan || subScan == SastScan) {
 return false
 }
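Review bot: `shouldScannerBeCalled` now serves two callers with different meanings — here it decides whether a results table is printed, and in `filterAndPatchRunsIfRequired` whether a scanner's runs survive into the SARIF report — yet the new name suggests it gates scanner execution, which neither caller does. A doc comment would pin the actual contract, e.g. `// shouldScannerBeCalled reports whether results of subScan are expected for scanType and should be emitted given requestedScans; IaC and SAST results are never emitted for binary targets.` The function's body continues past the hunk, so how an empty or nil requestedScans list is treated is not visible; since that case now decides whether findings are dropped from the SARIF report, it deserves a sentence in the same comment. `printScanResultsTables` starts outside the hunk.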
@@ -210,7 +210,14 @@ func printMessage(message string) {
 log.Output("💬" + message)
 }
 
-func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLicenses bool, allowedLicenses []string) (report *sarif.Report, err error) {
+func filterAndPatchRunsIfRequired(requestedScans []SubScanType, subScan SubScanType, results *Results, scanResults []*sarif.Run) (filtered []*sarif.Run) {
+ if !shouldScannerBeCalled(requestedScans, subScan, results.ResultType) {
+ return
+ }
+ return patchRunsToPassIngestionRules(subScan, results, scanResults...)
+}
+
+func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLicenses bool, allowedLicenses []string, requestedScans []SubScanType) (report *sarif.Report, err error) {
 report, err = sarifutils.NewReport()
 if err != nil {
 return
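Review bot: `filterAndPatchRunsIfRequired` drops a scanner's runs silently when `shouldScannerBeCalled` returns false, and the only trace is a nil `filtered` produced by a naked `return` on a named result that is never otherwise assigned. Returning explicitly and recording the decision makes a "findings missing from the SARIF upload" report diagnosable: `log.Debug("sub-scan", subScan, "was not requested, its runs are excluded from the SARIF report")` followed by `return nil`, with the result type changed to a plain `[]*sarif.Run`. Neither the new helper nor the changed signature of the exported `GenerateSarifReportFromResults` is documented; the latter needs a comment starting with its name that says runs are emitted only for sub-scans present in requestedScans, and the helper a line describing the same gate. What happens when requestedScans is nil or empty depends on `shouldScannerBeCalled`, whose body lies outside this hunk.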
@@ -220,10 +227,10 @@ func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLi
 return
 }
 
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(ScaScan, results, xrayRun)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(IacScan, results, results.ExtendedScanResults.IacScanResults...)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(SecretsScan, results, results.ExtendedScanResults.SecretsScanResults...)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(SastScan, results, results.ExtendedScanResults.SastScanResults...)...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, ScaScan, results, []*sarif.Run{xrayRun})...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, IacScan, results, results.ExtendedScanResults.IacScanResults)...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, SecretsScan, results, results.ExtendedScanResults.SecretsScanResults)...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, SastScan, results, results.ExtendedScanResults.SastScanResults)...)
 return
 }
@@ -927,8 +934,8 @@ func PrintJson(output interface{}) error {
 return nil
 }
 
-func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool) error {
- sarifReport, err := GenerateSarifReportFromResults(results, isMultipleRoots, includeLicenses, nil)
+func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool, subScans []SubScanType) error {
+ sarifReport, err := GenerateSarifReportFromResults(results, isMultipleRoots, includeLicenses, nil, subScans)
 if err != nil {
 return err
 }
diff --git a/utils/securityJobSummary.go b/utils/securityJobSummary.go
index e71d7d51..67b0a25b 100644
--- a/utils/securityJobSummary.go
+++ b/utils/securityJobSummary.go
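Review bot: Before this change the Xray run (`xrayRun`) was always part of the report; now it is subject to `requestedScans` like the JAS runs, so a caller that omits `ScaScan` can produce a report whose `Runs` is empty, and nothing here distinguishes "no scanner requested" from "scanned and found nothing" for whoever consumes the upload. Logging the empty outcome keeps that traceable, e.g. `if len(report.Runs) == 0 { log.Debug("SARIF report contains no runs for the requested sub-scans") }` just before the final `return`. `GenerateSarifReportFromResults` starts outside the hunk.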
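Review bot: The same list is named `subScans` in `PrintSarif`, `requestedScans` in `GenerateSarifReportFromResults` (previous hunk) and `supportedScans` in `RecordSarifOutput` (next file) — three names for one concept, one of which (`supportedScans`) describes the opposite of what the parameter filters by. Using `requestedScans` in all three signatures, here `func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool, requestedScans []SubScanType) error`, keeps the contract readable at each layer.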
@@ -173,7 +173,7 @@ func RecordSecurityCommandSummary(content ScanCommandResultSummary) (err error)
 return manager.Record(content)
 }
 
-func RecordSarifOutput(cmdResults *Results) (err error) {
+func RecordSarifOutput(cmdResults *Results, supportedScans []SubScanType) (err error) {
 manager, err := getRecordManager()
 if err != nil || manager == nil {
 return
@@ -187,7 +187,7 @@ func RecordSarifOutput(cmdResults *Results) (err error) {
 log.Info("Results can be uploaded to Github security tab automatically by upgrading your JFrog subscription.")
 return
 }
- sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil)
+ sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, supportedScans)
 if err != nil {
 return err
 }
diff --git a/utils/securityJobSummary_test.go b/utils/securityJobSummary_test.go
index 218fbc1f..abcc4f3b 100644
--- a/utils/securityJobSummary_test.go
+++ b/utils/securityJobSummary_test.go
@@ -2,11 +2,6 @@ package utils
 
 import (
 "fmt"
- "os"
- "path/filepath"
- "strings"
- "testing"
-
 "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils/commandsummary"
 coreUtils "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 coreTests "github.com/jfrog/jfrog-cli-core/v2/utils/tests"
@@ -15,6 +10,10 @@ import (
 "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
 "github.com/stretchr/testify/assert"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
 )
 
 var (
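Review bot: The new parameter is called `supportedScans` but is forwarded as the `requestedScans` filter of `GenerateSarifReportFromResults` in the second hunk, so a reader of this signature would expect "the scanners this build supports", not "the scanners whose runs are kept in the report". Renaming it `requestedScans` and documenting the exported function, e.g. `// RecordSarifOutput records cmdResults as a SARIF report through the record manager, keeping only runs of the sub-scans listed in requestedScans.`, removes that misreading. `RecordSarifOutput` continues past both hunks.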
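Review bot: The four standard-library imports (`os`, `path/filepath`, `strings`, `testing`) are moved from the first import group to the tail of the third-party group (this hunk removes them, the `@@ -15,6 +10,10 @@` hunk re-adds them), which is the reverse of the stdlib-first grouping `goimports` produces and will be undone by the next formatting pass. Leaving them in their original position, separated from the `github.com/...` block by a blank line, keeps the test file gofmt/goimports-clean.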
@@ -62,7 +61,7 @@ func TestSaveSarifOutputOnlyForJasEntitled(t *testing.T) {
 cleanUp := clientTests.SetEnvWithCallbackAndAssert(t, coreUtils.SummaryOutputDirPathEnv, tempDir)
 defer cleanUp()
 
- assert.NoError(t, RecordSarifOutput(createDummyJasResult(testCase.isJasEntitled)))
+ assert.NoError(t, RecordSarifOutput(createDummyJasResult(testCase.isJasEntitled), GetAllSupportedScans()))
 assert.Equal(t, testCase.isJasEntitled, hasFilesInDir(t, filepath.Join(tempDir, commandsummary.OutputDirName, "security", string(commandsummary.SarifReport))))
 })
 }
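Review bot: The updated test only exercises the "every scanner requested" path via `GetAllSupportedScans()`, so the behaviour this PR adds — runs being excluded when a sub-scan is not requested — has no coverage. A focused case would call `GenerateSarifReportFromResults(createDummyJasResult(true), true, false, nil, []SubScanType{SecretsScan})` and assert that the returned report holds only the secrets run and no SCA, SAST or IaC run; whether `createDummyJasResult` populates those other runs is not visible here, so the fixture may need extending. `TestSaveSarifOutputOnlyForJasEntitled` starts outside the hunk.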