From d764c71ec35bd594412a481504d18e4bfbf15deb Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 26 Dec 2024 16:59:20 +0300
Subject: [PATCH] Escape Job-Id for url
---
 .../jobSummary/binary_analytics_vulnerabilities.md | 2 +-
 .../build_scan_analytics_vulnerabilities.md | 2 +-
 .../output/jobSummary/violations_analytics.md | 2 +-
 utils/results/conversion/sarifparser/sarifparser.go | 3 ++-
 utils/results/output/securityJobSummary.go | 13 +++++++------
 utils/results/output/securityJobSummary_test.go | 2 +-
 6 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/tests/testdata/output/jobSummary/binary_analytics_vulnerabilities.md b/tests/testdata/output/jobSummary/binary_analytics_vulnerabilities.md
index bc6f9bf2..90496612 100644
--- a/tests/testdata/output/jobSummary/binary_analytics_vulnerabilities.md
+++ b/tests/testdata/output/jobSummary/binary_analytics_vulnerabilities.md
@@ -1 +1 @@
-
44 Security issues are grouped by CVE number:	44 SCA

❗️ 33 Critical

🟡 11 Low

See the results of the scan in JFrog
\ No newline at end of file
+
44 Security issues are grouped by CVE number:	44 SCA

❗️ 33 Critical

🟡 11 Low

See the results of the scan in JFrog
\ No newline at end of file
diff --git a/tests/testdata/output/jobSummary/build_scan_analytics_vulnerabilities.md b/tests/testdata/output/jobSummary/build_scan_analytics_vulnerabilities.md
index beb4376a..904377a1 100644
--- a/tests/testdata/output/jobSummary/build_scan_analytics_vulnerabilities.md
+++ b/tests/testdata/output/jobSummary/build_scan_analytics_vulnerabilities.md
@@ -1 +1 @@
-
24 Security Issues:	24 SCA

🔴 3 High

🟠 1 Medium

⚪️ 20 Unknown

See the results of the scan in JFrog
\ No newline at end of file
+
24 Security Issues:	24 SCA

🔴 3 High

🟠 1 Medium

⚪️ 20 Unknown

See the results of the scan in JFrog
\ No newline at end of file
diff --git a/tests/testdata/output/jobSummary/violations_analytics.md b/tests/testdata/output/jobSummary/violations_analytics.md
index 9197b43c..15766051 100644
--- a/tests/testdata/output/jobSummary/violations_analytics.md
+++ b/tests/testdata/output/jobSummary/violations_analytics.md
@@ -1 +1 @@
-
watches: 
watch1, watch2, watch3, watch4
watch5

23 Policy Violations:	17 Security	2 Operational	1 License	3 Secrets

❗️ 8 Critical (2 Not Applicable)

🔴 6 High

🟠 3 Medium

🟡 5 Low (3 Not Applicable)

⚪️ 1 Unknown

See the results of the scan in JFrog
\ No newline at end of file
+
watches: 
watch1, watch2, watch3, watch4
watch5

23 Policy Violations:	17 Security	2 Operational	1 License	3 Secrets

❗️ 8 Critical (2 Not Applicable)

🔴 6 High

🟠 3 Medium

🟡 5 Low (3 Not Applicable)

⚪️ 1 Unknown

See the results of the scan in JFrog
\ No newline at end of file
diff --git a/utils/results/conversion/sarifparser/sarifparser.go b/utils/results/conversion/sarifparser/sarifparser.go
index a334285c..fc668309 100644
--- a/utils/results/conversion/sarifparser/sarifparser.go
+++ b/utils/results/conversion/sarifparser/sarifparser.go
@@ -2,6 +2,7 @@ package sarifparser
 
 import (
 "fmt"
+ "net/url"
 "os"
 "path/filepath"
 "regexp"
@@ -775,7 +776,7 @@ func getAnalyticsHiddenPixel(baseUrl string, resultOfSubScan utils.SubScanType)
 return fmt.Sprintf(
 "![](%sui/api/v1/u?s=1&m=2&job_id=%s&run_id=%s&git_repo=%s&type=%s)",
 baseUrl,
- jobId,
+ url.PathEscape(jobId),
 runId,
 gitRepo,
 resultOfSubScan.String(),
diff --git a/utils/results/output/securityJobSummary.go b/utils/results/output/securityJobSummary.go
index e27b0e01..dffc3106 100644
--- a/utils/results/output/securityJobSummary.go
+++ b/utils/results/output/securityJobSummary.go
@@ -3,6 +3,7 @@ package output
 import (
 "errors"
 "fmt"
+ "net/url"
 "os"
 "path/filepath"
 "sort"
@@ -542,13 +543,13 @@ func getJfrogUrl(index commandsummary.Index, args ResultSummaryArgs, summary *fo
 }
 
 // adds analytics query params to the url if running in Github
-func addAnalyticsQueryParamsIfNeeded(url string, index commandsummary.Index) string {
+func addAnalyticsQueryParamsIfNeeded(platformUrl string, index commandsummary.Index) string {
 githubJobId := os.Getenv(utils.JfrogExternalJobIdEnv)
 if githubJobId == "" {
 // Not running in Github no need to add analytics
- return url
+ return platformUrl
 }
- suffixValues := []string{fmt.Sprintf("gh_job_id=%s", githubJobId)}
+ suffixValues := []string{fmt.Sprintf("gh_job_id=%s", url.PathEscape(githubJobId))}
 // Add section analytics
 indexValue := "gh_section="
 switch index {
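Review bot: `url.PathEscape(jobId)` in getAnalyticsHiddenPixel encodes for a path segment, not a query value, so `&`, `=`, `+`, `:` and `@` in the job id pass through unescaped and a value containing `&` or `=` can still inject extra parameters into the `job_id=` query string; the same applies to `url.PathEscape(githubJobId)` in the `gh_job_id=` suffix of addAnalyticsQueryParamsIfNeeded below. The right encoder for a query component is `url.QueryEscape(jobId)` and `url.QueryEscape(githubJobId)`, which the already-added `net/url` import covers. `runId` and `gitRepo` are interpolated into the same query string with no escaping at all and should be wrapped the same way. The test hunk only sets the job id to `some job id`, a value both escapers encode, so it will not distinguish the two; a value containing `&` or `=` would. getAnalyticsHiddenPixel starts before this hunk, and addAnalyticsQueryParamsIfNeeded continues past it.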
@@ -559,10 +560,10 @@ func addAnalyticsQueryParamsIfNeeded(url string, index commandsummary.Index) str
 }
 suffixValues = append(suffixValues, indexValue)
 // Add the suffix to the url
- if strings.Contains(url, "?") {
- return fmt.Sprintf("%s%s", url, strings.Join(suffixValues, "&"))
+ if strings.Contains(platformUrl, "?") {
+ return fmt.Sprintf("%s%s", platformUrl, strings.Join(suffixValues, "&"))
 }
- return fmt.Sprintf("%s?%s", url, strings.Join(suffixValues, "&"))
+ return fmt.Sprintf("%s?%s", platformUrl, strings.Join(suffixValues, "&"))
 }
 
 func (mg DynamicMarkdownGenerator) generateResultsMarkdown(violations bool, moreInfoUrl string, content *formats.ScanResultSummary) (markdown string) {
diff --git a/utils/results/output/securityJobSummary_test.go b/utils/results/output/securityJobSummary_test.go
index 7d748802..4ec435b5 100644
--- a/utils/results/output/securityJobSummary_test.go
+++ b/utils/results/output/securityJobSummary_test.go
@@ -485,7 +485,7 @@ func TestGenerateJobSummaryMarkdown(t *testing.T) {
 t.Run(testCase.name, func(t *testing.T) {
 cleanUps := []func(){}
 if testCase.GithubEnvs {
- cleanUps = append(cleanUps, clientTests.SetEnvWithCallbackAndAssert(t, utils.JfrogExternalJobIdEnv, "some-job-id"))
+ cleanUps = append(cleanUps, clientTests.SetEnvWithCallbackAndAssert(t, utils.JfrogExternalJobIdEnv, "some job id"))
 cleanUps = append(cleanUps, clientTests.SetEnvWithCallbackAndAssert(t, utils.JfrogExternalRunIdEnv, "some-run-id"))
 cleanUps = append(cleanUps, clientTests.SetEnvWithCallbackAndAssert(t, utils.JfrogExternalGitRepoEnv, "some-repo"))
 }
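Review bot: The `strings.Contains(platformUrl, "?")` branch concatenates the suffix with `"%s%s"` and no separator, so a URL that already carries a query such as `.../ui?x=1` comes out as `.../ui?x=1gh_job_id=...` with the first analytics parameter fused onto the existing value; this holds only if callers do not always hand in a URL ending in `?` or `&`, which is not visible from this hunk. If that guarantee does not exist, the branch should use `"%s&%s"`, or pick the separator explicitly: `sep := "?"; if strings.Contains(platformUrl, "?") { sep = "&" }` and then `return platformUrl + sep + strings.Join(suffixValues, "&")`. A one-line comment stating the expected shape of `platformUrl` would make the contract clear either way. addAnalyticsQueryParamsIfNeeded starts before this hunk.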