

Apply Min-Severity filter on Jas results (#192)
attiasas authored Sep 26, 2024
1 parent 6356c7f commit a19bcdc
Showing 13 changed files with 45 additions and 20 deletions.
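--- a/commands/audit/audit.go
+++ b/commands/audit/audit.go
@@ -248,7 +248,7 @@ func RunJasScans(auditParallelRunner *utils.SecurityParallelRunner, auditParams
 err = fmt.Errorf("failed to get server details: %s", err.Error())
 return
 }
-jasScanner, err = jas.CreateJasScanner(jfrogAppsConfig, serverDetails, jas.GetAnalyzerManagerXscEnvVars(auditParams.commonGraphScanParams.MultiScanId, results.ExtendedScanResults.SecretValidation, results.GetScaScannedTechnologies()...), auditParams.Exclusions()...)
+jasScanner, err = jas.CreateJasScanner(jfrogAppsConfig, serverDetails, auditParams.minSeverityFilter, jas.GetAnalyzerManagerXscEnvVars(auditParams.commonGraphScanParams.MultiScanId, results.ExtendedScanResults.SecretValidation, results.GetScaScannedTechnologies()...), auditParams.Exclusions()...)
 if err != nil {
 err = fmt.Errorf("failed to create jas scanner: %s", err.Error())
 return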
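--- a/commands/scan/scan.go
+++ b/commands/scan/scan.go
@@ -451,7 +451,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, entitledFo
 log.Error(fmt.Sprintf("failed to create JFrogAppsConfig: %s", err.Error()))
 indexedFileErrors[threadId] = append(indexedFileErrors[threadId], formats.SimpleJsonError{FilePath: filePath, ErrorMessage: err.Error()})
 }
-scanner, err := jas.CreateJasScanner(jfrogAppsConfig, scanCmd.serverDetails, jas.GetAnalyzerManagerXscEnvVars(scanResults.MultiScanId, validateSecrets, techutils.Technology(graphScanResults.ScannedPackageType)))
+scanner, err := jas.CreateJasScanner(jfrogAppsConfig, scanCmd.serverDetails, scanCmd.minSeverityFilter, jas.GetAnalyzerManagerXscEnvVars(scanResults.MultiScanId, validateSecrets, techutils.Technology(graphScanResults.ScannedPackageType)))
 if err != nil {
 log.Error(fmt.Sprintf("failed to create jas scanner: %s", err.Error()))
 indexedFileErrors[threadId] = append(indexedFileErrors[threadId], formats.SimpleJsonError{FilePath: filePath, ErrorMessage: err.Error()})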
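--- a/jas/applicability/applicabilitymanager.go
+++ b/jas/applicability/applicabilitymanager.go
@@ -135,7 +135,7 @@ func (asm *ApplicabilityScanManager) Run(module jfrogappsconfig.Module) (err err
 if err = asm.runAnalyzerManager(); err != nil {
 return
 }
-workingDirResults, err := jas.ReadJasScanRunsFromFile(asm.resultsFileName, module.SourceRoot, applicabilityDocsUrlSuffix)
+workingDirResults, err := jas.ReadJasScanRunsFromFile(asm.resultsFileName, module.SourceRoot, applicabilityDocsUrlSuffix, asm.scanner.MinSeverity)
 if err != nil {
 return
 }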
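Review bot: Passing `asm.scanner.MinSeverity` into `ReadJasScanRunsFromFile` here filters the applicability SARIF runs, which are evidence used to decide whether a CVE applies rather than findings with a severity of their own, so a CVE could lose its applicability evidence merely because the analyzer's result level for that evidence sits below the threshold while the CVE itself is still reported. If that is intended, the line deserves a comment along the lines of `// MinSeverity also drops applicability evidence whose SARIF level is below the threshold`; if not, pass an empty severity here and leave the filtering to the SCA layer. I cannot see from this diff how the analyzer assigns `level` to applicability results, so this may turn out to be harmless in practice. The enclosing `Run` method starts before and ends after this hunk.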
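--- a/jas/applicability/applicabilitymanager_test.go
+++ b/jas/applicability/applicabilitymanager_test.go
@@ -310,7 +310,7 @@ func TestParseResults_NewApplicabilityStatuses(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 applicabilityManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", tc.fileName)
 var err error
-applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, applicabilityDocsUrlSuffix)
+applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, applicabilityDocsUrlSuffix, scanner.MinSeverity)
 if assert.NoError(t, err) && assert.NotNil(t, applicabilityManager.applicabilityScanResults) {
 assert.Len(t, applicabilityManager.applicabilityScanResults, 1)
 assert.Len(t, applicabilityManager.applicabilityScanResults[0].Results, tc.expectedResults)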
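--- a/jas/common.go
+++ b/jas/common.go
@@ -44,9 +44,10 @@ type JasScanner struct {
 ScannerDirCleanupFunc func() error
 EnvVars map[string]string
 Exclusions []string
+MinSeverity severityutils.Severity
 }
 
-func CreateJasScanner(jfrogAppsConfig *jfrogappsconfig.JFrogAppsConfig, serverDetails *config.ServerDetails, envVars map[string]string, exclusions ...string) (scanner *JasScanner, err error) {
+func CreateJasScanner(jfrogAppsConfig *jfrogappsconfig.JFrogAppsConfig, serverDetails *config.ServerDetails, minSeverity severityutils.Severity, envVars map[string]string, exclusions ...string) (scanner *JasScanner, err error) {
 if serverDetails == nil {
 err = errors.New(NoServerDetailsError)
 return
@@ -70,6 +71,7 @@ func CreateJasScanner(jfrogAppsConfig *jfrogappsconfig.JFrogAppsConfig, serverDe
 scanner.ServerDetails = serverDetails
 scanner.JFrogAppsConfig = jfrogAppsConfig
 scanner.Exclusions = exclusions
+scanner.MinSeverity = minSeverity
 return
 }
 
@@ -121,7 +123,7 @@ func (a *JasScanner) Run(scannerCmd ScannerCmd, module jfrogappsconfig.Module) (
 return
 }
 
-func ReadJasScanRunsFromFile(fileName, wd, informationUrlSuffix string) (sarifRuns []*sarif.Run, err error) {
+func ReadJasScanRunsFromFile(fileName, wd, informationUrlSuffix string, minSeverity severityutils.Severity) (sarifRuns []*sarif.Run, err error) {
 if sarifRuns, err = sarifutils.ReadScanRunsFromFile(fileName); err != nil {
 return
 }
@@ -136,6 +138,7 @@ func ReadJasScanRunsFromFile(fileName, wd, informationUrlSuffix string) (sarifRu
 // Process runs values
 fillMissingRequiredDriverInformation(utils.BaseDocumentationURL+informationUrlSuffix, GetAnalyzerManagerVersion(), sarifRun)
 sarifRun.Results = excludeSuppressResults(sarifRun.Results)
+sarifRun.Results = excludeMinSeverityResults(sarifRun.Results, minSeverity)
 addScoreToRunRules(sarifRun)
 }
 return
@@ -171,6 +174,26 @@ func excludeSuppressResults(sarifResults []*sarif.Result) []*sarif.Result {
 return results
 }
 
+func excludeMinSeverityResults(sarifResults []*sarif.Result, minSeverity severityutils.Severity) []*sarif.Result {
+if minSeverity == "" {
+// No minimum severity to exclude
+return sarifResults
+}
+results := []*sarif.Result{}
+for _, sarifResult := range sarifResults {
+resultSeverity, err := severityutils.ParseSeverity(sarifutils.GetResultLevel(sarifResult), true)
+if err != nil {
+log.Warn(fmt.Sprintf("Failed to parse Sarif level %s: %s", sarifutils.GetResultLevel(sarifResult), err.Error()))
+resultSeverity = severityutils.Unknown
+}
+// Exclude results with severity lower than the minimum severity
+if severityutils.GetSeverityPriority(resultSeverity, jasutils.ApplicabilityUndetermined) >= severityutils.GetSeverityPriority(minSeverity, jasutils.ApplicabilityUndetermined) {
+results = append(results, sarifResult)
+}
+}
+return results
+}
+
 func addScoreToRunRules(sarifRun *sarif.Run) {
 for _, sarifResult := range sarifRun.Results {
 if rule, err := sarifRun.GetRuleById(*sarifResult.RuleID); err == nil {
@@ -225,7 +248,7 @@ func InitJasTest(t *testing.T, workingDirs ...string) (*JasScanner, func()) {
 assert.NoError(t, DownloadAnalyzerManagerIfNeeded(0))
 jfrogAppsConfigForTest, err := CreateJFrogAppsConfig(workingDirs)
 assert.NoError(t, err)
-scanner, err := CreateJasScanner(jfrogAppsConfigForTest, &FakeServerDetails, GetAnalyzerManagerXscEnvVars("", false))
+scanner, err := CreateJasScanner(jfrogAppsConfigForTest, &FakeServerDetails, "", GetAnalyzerManagerXscEnvVars("", false))
 assert.NoError(t, err)
 return scanner, func() {
 assert.NoError(t, scanner.ScannerDirCleanupFunc())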
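Review bot: In `excludeMinSeverityResults`, a result whose SARIF level fails to parse is coerced to `severityutils.Unknown` and then put through the same priority comparison, so if `Unknown` ranks below the requested threshold the finding is discarded with nothing but a warning — a filter that fails by hiding findings rather than by surfacing them. I would keep such results instead of ranking them: `if err != nil { log.Warn(...); results = append(results, sarifResult); continue }`, and add a doc comment stating that unparseable levels are retained on purpose. Hoisting `severityutils.GetSeverityPriority(minSeverity, jasutils.ApplicabilityUndetermined)` into a local before the loop would also avoid recomputing the threshold for every result. Whether `Unknown` actually ranks below `Low` or `Medium` is decided in `severityutils`, which is not part of this diff, so the first point should be confirmed there.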
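--- a/jas/iac/iacscanner.go
+++ b/jas/iac/iacscanner.go
@@ -67,7 +67,7 @@ func (iac *IacScanManager) Run(module jfrogappsconfig.Module) (err error) {
 if err = iac.runAnalyzerManager(); err != nil {
 return
 }
-workingDirResults, err := jas.ReadJasScanRunsFromFile(iac.resultsFileName, module.SourceRoot, iacDocsUrlSuffix)
+workingDirResults, err := jas.ReadJasScanRunsFromFile(iac.resultsFileName, module.SourceRoot, iacDocsUrlSuffix, iac.scanner.MinSeverity)
 if err != nil {
 return
 }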
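--- a/jas/iac/iacscanner_test.go
+++ b/jas/iac/iacscanner_test.go
@@ -65,7 +65,7 @@ func TestIacParseResults_EmptyResults(t *testing.T) {
 
 // Act
 var err error
-iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, iacDocsUrlSuffix)
+iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, iacDocsUrlSuffix, scanner.MinSeverity)
 if assert.NoError(t, err) && assert.NotNil(t, iacScanManager.iacScannerResults) {
 assert.Len(t, iacScanManager.iacScannerResults, 1)
 assert.Empty(t, iacScanManager.iacScannerResults[0].Results)
@@ -81,7 +81,7 @@ func TestIacParseResults_ResultsContainIacViolations(t *testing.T) {
 
 // Act
 var err error
-iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, iacDocsUrlSuffix)
+iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, iacDocsUrlSuffix, scanner.MinSeverity)
 if assert.NoError(t, err) && assert.NotNil(t, iacScanManager.iacScannerResults) {
 assert.Len(t, iacScanManager.iacScannerResults, 1)
 assert.Len(t, iacScanManager.iacScannerResults[0].Results, 4)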
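--- a/jas/runner/jasrunner_test.go
+++ b/jas/runner/jasrunner_test.go
@@ -26,7 +26,7 @@ func TestJasRunner_AnalyzerManagerNotExist(t *testing.T) {
 defer func() {
 assert.NoError(t, os.Unsetenv(coreutils.HomeDir))
 }()
-scanner, err := jas.CreateJasScanner(nil, &jas.FakeServerDetails, jas.GetAnalyzerManagerXscEnvVars("", false))
+scanner, err := jas.CreateJasScanner(nil, &jas.FakeServerDetails, "", jas.GetAnalyzerManagerXscEnvVars("", false))
 assert.NoError(t, err)
 if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = jas.GetAnalyzerManagerExecutable(); err != nil {
 return
@@ -42,7 +42,7 @@ func TestJasRunner(t *testing.T) {
 
 jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig(nil)
 assert.NoError(t, err)
-jasScanner, err := jas.CreateJasScanner(jfrogAppsConfigForTest, &jas.FakeServerDetails, jas.GetAnalyzerManagerXscEnvVars("", false, scanResults.GetScaScannedTechnologies()...))
+jasScanner, err := jas.CreateJasScanner(jfrogAppsConfigForTest, &jas.FakeServerDetails, "", jas.GetAnalyzerManagerXscEnvVars("", false, scanResults.GetScaScannedTechnologies()...))
 assert.NoError(t, err)
 err = AddJasScannersTasks(securityParallelRunnerForTest, scanResults, &[]string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, false, jasScanner, applicability.ApplicabilityScannerType, secrets.SecretsScannerType, securityParallelRunnerForTest.AddErrorToChan, utils.GetAllSupportedScans(), nil, "")
 assert.NoError(t, err)
@@ -52,7 +52,7 @@ func TestJasRunner_AnalyzerManagerReturnsError(t *testing.T) {
 assert.NoError(t, jas.DownloadAnalyzerManagerIfNeeded(0))
 
 jfrogAppsConfigForTest, _ := jas.CreateJFrogAppsConfig(nil)
-scanner, _ := jas.CreateJasScanner(nil, &jas.FakeServerDetails, jas.GetAnalyzerManagerXscEnvVars("", false))
+scanner, _ := jas.CreateJasScanner(nil, &jas.FakeServerDetails, "", jas.GetAnalyzerManagerXscEnvVars("", false))
 _, err := applicability.RunApplicabilityScan(jas.FakeBasicXrayResults, []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"},
 scanner, false, applicability.ApplicabilityScannerType, jfrogAppsConfigForTest.Modules[0], 0)
 // Expect error: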
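--- a/jas/sast/sastscanner.go
+++ b/jas/sast/sastscanner.go
@@ -60,7 +60,7 @@ func (ssm *SastScanManager) Run(module jfrogappsconfig.Module) (err error) {
 if err = ssm.runAnalyzerManager(filepath.Dir(ssm.scanner.AnalyzerManager.AnalyzerManagerFullPath)); err != nil {
 return
 }
-workingDirRuns, err := jas.ReadJasScanRunsFromFile(ssm.resultsFileName, module.SourceRoot, sastDocsUrlSuffix)
+workingDirRuns, err := jas.ReadJasScanRunsFromFile(ssm.resultsFileName, module.SourceRoot, sastDocsUrlSuffix, ssm.scanner.MinSeverity)
 if err != nil {
 return
 }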
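--- a/jas/sast/sastscanner_test.go
+++ b/jas/sast/sastscanner_test.go
@@ -36,7 +36,7 @@ func TestSastParseResults_EmptyResults(t *testing.T) {
 
 // Act
 var err error
-sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, sastDocsUrlSuffix)
+sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, sastDocsUrlSuffix, scanner.MinSeverity)
 
 // Assert
 if assert.NoError(t, err) && assert.NotNil(t, sastScanManager.sastScannerResults) {
@@ -57,7 +57,7 @@ func TestSastParseResults_ResultsContainIacViolations(t *testing.T) {
 
 // Act
 var err error
-sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, sastDocsUrlSuffix)
+sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, sastDocsUrlSuffix, scanner.MinSeverity)
 
 // Assert
 if assert.NoError(t, err) && assert.NotNil(t, sastScanManager.sastScannerResults) {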
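--- a/jas/secrets/secretsscanner.go
+++ b/jas/secrets/secretsscanner.go
@@ -74,7 +74,7 @@ func (ssm *SecretScanManager) Run(module jfrogappsconfig.Module) (err error) {
 if err = ssm.runAnalyzerManager(); err != nil {
 return
 }
-workingDirRuns, err := jas.ReadJasScanRunsFromFile(ssm.resultsFileName, module.SourceRoot, secretsDocsUrlSuffix)
+workingDirRuns, err := jas.ReadJasScanRunsFromFile(ssm.resultsFileName, module.SourceRoot, secretsDocsUrlSuffix, ssm.scanner.MinSeverity)
 if err != nil {
 return
 }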
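--- a/jas/secrets/secretsscanner_test.go
+++ b/jas/secrets/secretsscanner_test.go
@@ -6,6 +6,7 @@ import (
 "testing"
 
 "github.com/jfrog/jfrog-cli-security/utils/jasutils"
+"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 "github.com/stretchr/testify/require"
 
 jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
@@ -72,7 +73,7 @@ func TestParseResults_EmptyResults(t *testing.T) {
 
 // Act
 var err error
-secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, secretsDocsUrlSuffix)
+secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, secretsDocsUrlSuffix, scanner.MinSeverity)
 
 // Assert
 if assert.NoError(t, err) && assert.NotNil(t, secretScanManager.secretsScannerResults) {
@@ -95,15 +96,15 @@ func TestParseResults_ResultsContainSecrets(t *testing.T) {
 
 // Act
 var err error
-secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, secretsDocsUrlSuffix)
+secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.resultsFileName, scanner.JFrogAppsConfig.Modules[0].SourceRoot, severityutils.Medium)
 
 // Assert
 if assert.NoError(t, err) && assert.NotNil(t, secretScanManager.secretsScannerResults) {
 assert.Len(t, secretScanManager.secretsScannerResults, 1)
 assert.NotEmpty(t, secretScanManager.secretsScannerResults[0].Results)
 secretScanManager.secretsScannerResults = processSecretScanRuns(secretScanManager.secretsScannerResults)
 assert.Len(t, secretScanManager.secretsScannerResults, 1)
-assert.Len(t, secretScanManager.secretsScannerResults[0].Results, 7)
+assert.Len(t, secretScanManager.secretsScannerResults[0].Results, 6)
 }
 assert.NoError(t, err)
 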
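Review bot: The only coverage of the new filter is the `severityutils.Medium` call in `TestParseResults_ResultsContainSecrets`, and it asserts just a count of 6, so nothing pins that the result dropped is the one whose fixture level was set to `note`, and nothing exercises a result with an unparseable or missing level. A focused test of `excludeMinSeverityResults` in the `jas` package with hand-built `sarif.Result` values — empty threshold, threshold at and above each level, and an unparseable level — would make the intended behaviour explicit rather than implied by a fixture edit. As written, this test now doubles as the severity-filter test under a name that says nothing about severity; at minimum a comment such as `// Medium threshold drops the single "note"-level result in the fixture` above the call would explain the 7 → 6 change. `TestParseResults_ResultsContainSecrets` starts before and ends after this hunk.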
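--- a/tests/testdata/other/secrets-scan/contain-secrets.sarif
+++ b/tests/testdata/other/secrets-scan/contain-secrets.sarif
@@ -177,6 +177,7 @@
 "message": {
 "text": "Hardcoded secrets were found in source files"
 },
+"level": "note",
 "locations": [
 {
 "physicalLocation": {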
