feat(general): leverage SARIF helpUri for guideline and SCA link (#3492)
* leverage SARIF helpUri for guideline and SCA link

* adjust SARIF image test
gruebel authored Sep 18, 2022
1 parent b4e9234 commit 4694ead
Showing 4 changed files with 122 additions and 15 deletions.
9 changes: 8 additions & 1 deletion checkov/common/output/report.py
Expand Up @@ -245,6 +245,12 @@ def get_sarif_json(self, tool: str) -> Dict[str, Any]:
for record in self.failed_checks + self.skipped_checks:
if self.check_type == CheckType.SCA_PACKAGE and record.check_name != SCA_PACKAGE_SCAN_CHECK_NAME:
continue

help_uri = record.guideline
if record.vulnerability_details:
# use the CVE link, if it is a SCA record
help_uri = record.vulnerability_details.get("link")

rule = {
"id": record.check_id,
"name": record.check_name,
Expand All @@ -255,8 +261,9 @@ def get_sarif_json(self, tool: str) -> Dict[str, Any]:
"text": record.description if record.description else record.check_name,
},
"help": {
"text": f'"{record.check_name}\nResource: {record.resource}\nGuideline: {record.guideline}"',
"text": f'"{record.check_name}\nResource: {record.resource}"',
},
"helpUri": help_uri,
"defaultConfiguration": {"level": "error"},
}
if record.check_id not in ruleset:
Expand Down
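Review bot: `"helpUri": help_uri` is now emitted for every rule, so a record without a guideline, or an SCA record whose `vulnerability_details` has no `link`, serialises `"helpUri": null`; the SARIF 2.1.0 reportingDescriptor schema types `helpUri` as a string (format uri), so that output fails schema validation even though the equality-only test in tests/sca_image/test_output_reports.py now pins exactly that `None`. Emit the key only when a value exists, e.g. build the rule dict without it and then `if help_uri: rule["helpUri"] = help_uri`, and for SCA records fall back with `help_uri = record.vulnerability_details.get("link") or record.guideline`. Because the link is taken from external vulnerability data and SARIF viewers render helpUri as a clickable link, it may also be worth accepting only http(s) URLs before emitting it. get_sarif_json starts before the first hunk and continues past the second.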
91 changes: 90 additions & 1 deletion tests/common/output/test_sarif_report.py
Expand Up @@ -23,6 +23,7 @@ def test_valid_passing_valid_testcases(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record1.set_guideline("https://docs.bridgecrew.io/docs/s3_16-enable-versioning")

record2 = Record(
check_id="CKV_AWS_3",
Expand All @@ -37,17 +38,96 @@ def test_valid_passing_valid_testcases(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record2.set_guideline("https://docs.bridgecrew.io/docs/general_7")

r = Report("terraform")
r.add_record(record=record1)
r.add_record(record=record2)
json_structure = r.get_sarif_json("")
print(json.dumps(json_structure))

self.assertEqual(
None,
jsonschema.validate(instance=json_structure, schema=get_sarif_schema()),
)

self.assertDictEqual(
json_structure,
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Bridgecrew",
"version": "2.1.201",
"informationUri": "https://docs.bridgecrew.io",
"rules": [
{
"id": "CKV_AWS_21",
"name": "Some Check",
"shortDescription": {"text": "Some Check"},
"fullDescription": {"text": "Some Check"},
"help": {"text": '"Some Check\nResource: aws_s3_bucket.operations"'},
"helpUri": "https://docs.bridgecrew.io/docs/s3_16-enable-versioning",
"defaultConfiguration": {"level": "error"},
},
{
"id": "CKV_AWS_3",
"name": "Ensure all data stored in the EBS is securely encrypted",
"shortDescription": {
"text": "Ensure all data stored in the EBS is securely encrypted"
},
"fullDescription": {
"text": "Ensure all data stored in the EBS is securely encrypted"
},
"help": {
"text": '"Ensure all data stored in the EBS is securely encrypted\nResource: aws_ebs_volume.web_host_storage"'
},
"helpUri": "https://docs.bridgecrew.io/docs/general_7",
"defaultConfiguration": {"level": "error"},
},
],
"organization": "bridgecrew",
}
},
"results": [
{
"ruleId": "CKV_AWS_21",
"ruleIndex": 0,
"level": "error",
"attachments": [],
"message": {"text": "Some Check"},
"locations": [
{
"physicalLocation": {
"artifactLocation": {"uri": "./s3.tf"},
"region": {"startLine": 1, "endLine": 3},
}
}
],
},
{
"ruleId": "CKV_AWS_3",
"ruleIndex": 1,
"level": "error",
"attachments": [],
"message": {"text": "Ensure all data stored in the EBS is securely encrypted"},
"locations": [
{
"physicalLocation": {
"artifactLocation": {"uri": "./ec2.tf"},
"region": {"startLine": 1, "endLine": 3},
}
}
],
},
],
}
],
},
)

def test_multiple_instances_of_same_rule_do_not_break_schema(self):
record1 = Record(
check_id="CKV_AWS_21",
Expand All @@ -62,6 +142,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record1.set_guideline("")

record2 = Record(
check_id="CKV_AWS_111",
Expand All @@ -76,6 +157,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record2.set_guideline("")

record3 = Record(
check_id="CKV2_AWS_3",
Expand All @@ -90,6 +172,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record3.set_guideline("")

record4 = Record(
check_id="CKV2_AWS_3",
Expand All @@ -104,6 +187,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record4.set_guideline("")

record5 = Record(
check_id="CKV2_AWS_3",
Expand All @@ -118,6 +202,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record5.set_guideline("")

record6 = Record(
check_id="CKV2_AWS_3",
Expand All @@ -132,6 +217,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record6.set_guideline("")

record7 = Record(
check_id="CKV_AWS_107",
Expand All @@ -146,6 +232,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record7.set_guideline("")

record8 = Record(
check_id="CKV_AWS_110",
Expand All @@ -160,6 +247,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record8.set_guideline("")

record9 = Record(
check_id="CKV_AWS_110",
Expand All @@ -174,6 +262,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
file_abs_path=",.",
entity_tags={"tag1": "value1"},
)
record9.set_guideline("")

r = Report("terraform")
r.add_record(record=record1)
Expand Down
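Review bot: The new expected payload hard-codes `"version": "2.1.201"` in the driver block, so this assertion breaks on every release bump; the sibling test in tests/sca_image/test_output_reports.py avoids that by overwriting the version before comparing, and the same line would do here: `json_structure["runs"][0]["tool"]["driver"]["version"] = "2.0.x"` (with the expected dict updated to match). Separately, all nine records in test_multiple_instances_of_same_rule_do_not_break_schema now call `set_guideline("")`, so no test in this file exercises a record whose guideline was never set, which is the path where `helpUri` would become `null`; one record left without a guideline, validated against the schema, would pin the intended behaviour. The `print(json.dumps(json_structure))` line appears to be the removed one, which is appropriate for a unit test.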
13 changes: 8 additions & 5 deletions tests/sca_image/test_output_reports.py
Expand Up @@ -110,7 +110,6 @@ def test_get_sarif_json(sca_image_report_scope_function):

# then
sarif_output["runs"][0]["tool"]["driver"]["version"] = "2.0.x"
print(sarif_output)
assert sarif_output == \
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
Expand All @@ -133,8 +132,9 @@ def test_get_sarif_json(sca_image_report_scope_function):
"text": "SCA license"
},
"help": {
"text": "\"SCA license\nResource: path/to/Dockerfile (sha256:123456).perl\nGuideline: None\""
"text": "\"SCA license\nResource: path/to/Dockerfile (sha256:123456).perl\""
},
"helpUri": None,
"defaultConfiguration": {
"level": "error"
}
Expand All @@ -149,8 +149,9 @@ def test_get_sarif_json(sca_image_report_scope_function):
"text": "CPAN 2.28 allows Signature Verification Bypass."
},
"help": {
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).perl\nGuideline: None\""
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).perl\""
},
"helpUri": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16156",
"defaultConfiguration": {
"level": "error"
}
Expand All @@ -165,8 +166,9 @@ def test_get_sarif_json(sca_image_report_scope_function):
"text": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers."
},
"help": {
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).pcre2\nGuideline: None\""
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).pcre2\""
},
"helpUri": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1587",
"defaultConfiguration": {
"level": "error"
}
Expand All @@ -181,8 +183,9 @@ def test_get_sarif_json(sca_image_report_scope_function):
"text": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT."
},
"help": {
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).pcre2\nGuideline: None\""
"text": "\"SCA package scan\nResource: path/to/Dockerfile (sha256:123456).pcre2\""
},
"helpUri": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1586",
"defaultConfiguration": {
"level": "error"
}
Expand Down
