From a05c319d4f2c1e1f5ce2a1d8e523f536027f19da Mon Sep 17 00:00:00 2001
From: Andreas Kohn
Date: Wed, 21 Sep 2022 10:14:37 +0200
Subject: [PATCH] fix(general): only add `helpUri` to SARIF if it is non-empty (#3542)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(general): only add `helpUri` to SARIF if it is non-empty

* simplify if condition

Co-authored-by: Anton GrĂ¼bel
---
 checkov/common/output/report.py | 4 ++-
 tests/common/output/test_sarif_report.py | 44 ++++++++++++++++++++++++
 tests/sca_image/test_output_reports.py | 1 -
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py
index cec56a3b130..f646dbeecd9 100644
--- a/checkov/common/output/report.py
+++ b/checkov/common/output/report.py
@@ -263,9 +263,11 @@ def get_sarif_json(self, tool: str) -> Dict[str, Any]:
 "help": {
 "text": f'"{record.check_name}\nResource: {record.resource}"',
 },
- "helpUri": help_uri,
 "defaultConfiguration": {"level": "error"},
 }
+ if help_uri:
+ rule["helpUri"] = help_uri
+
 if record.check_id not in ruleset:
 ruleset.add(record.check_id)
 rules.append(rule)
diff --git a/tests/common/output/test_sarif_report.py b/tests/common/output/test_sarif_report.py
index 65aa3970edf..847b6e1acd5 100644
--- a/tests/common/output/test_sarif_report.py
+++ b/tests/common/output/test_sarif_report.py
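Review bot: The new `if help_uri:` guard leaves undocumented why `helpUri` is the one rule key that may be omitted, so the next maintainer may "fix" it back into the dict literal. Add a comment above the guard such as `# SARIF "helpUri" must be a URI: omit the key entirely instead of emitting null/"" (see #3542)`; the schema-validation reason is inferred from the accompanying test and should be confirmed. Note that the rule is only appended for the first record of a given `check_id` (`if record.check_id not in ruleset`), so a later record's guideline never reaches the rule even when the first one was empty; this is pre-existing behaviour but worth a comment next to the guard. `get_sarif_json` starts before this hunk and continues after it.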
@@ -266,6 +266,38 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 )
 record9.set_guideline("")
 
+ # Record with non-empty guideline
+ record10 = Record(
+ check_id="CKV_AWS_23",
+ check_name="Some Check",
+ check_result={"result": CheckResult.FAILED},
+ code_block=None,
+ file_path="./s3.tf",
+ file_line_range=[1, 3],
+ resource="aws_s3_bucket.operations",
+ evaluations=None,
+ check_class=None,
+ file_abs_path=",.",
+ entity_tags={"tag1": "value1"},
+ )
+ record10.set_guideline("https://example.com")
+
+ # Record without guideline
+ record11 = Record(
+ check_id="CKV_AWS_24",
+ check_name="Some Check",
+ check_result={"result": CheckResult.FAILED},
+ code_block=None,
+ file_path="./s3.tf",
+ file_line_range=[1, 3],
+ resource="aws_s3_bucket.operations",
+ evaluations=None,
+ check_class=None,
+ file_abs_path=",.",
+ entity_tags={"tag1": "value1"},
+ )
+ # No guideline here
+
 r = Report("terraform")
 r.add_record(record=record1)
 r.add_record(record=record2)
@@ -276,6 +308,8 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 r.add_record(record=record7)
 r.add_record(record=record8)
 r.add_record(record=record9)
+ r.add_record(record=record10)
+ r.add_record(record=record11)
 json_structure = r.get_sarif_json("")
 print(json.dumps(json_structure))
 self.assertEqual(
@@ -284,6 +318,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 )
 self.assertFalse(are_duplicates_in_sarif_rules(json_structure))
 self.assertTrue(are_rule_indexes_correct_in_results(json_structure))
+ self.assertTrue(are_rules_without_help_uri_correct(json_structure))
 
 
 def get_sarif_schema():
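Review bot: The assertion added in the third hunk only proves that no rule carries a null or empty `helpUri`; nothing checks that record10's guideline `https://example.com` actually lands on the CKV_AWS_23 rule, so a regression that stops emitting `helpUri` for every rule would still pass. Add a positive check next to it, e.g. `rules = json_structure["runs"][0]["tool"]["driver"]["rules"]`, then `self.assertEqual(next(r for r in rules if r["id"] == "CKV_AWS_23")["helpUri"], "https://example.com")` and `self.assertNotIn("helpUri", next(r for r in rules if r["id"] == "CKV_AWS_24"))`. This assumes the rule objects carry the check id under `id` (the SARIF rule field) and that CKV_AWS_23 is not already used by one of records 1-9, since the report only builds the rule from the first record per check id — verify both against the rest of the test. The test method starts before the first hunk.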
@@ -314,6 +349,15 @@ def are_rule_indexes_correct_in_results(sarif_json) -> bool:
 return False
 return True
 
 
+def are_rules_without_help_uri_correct(sarif_json) -> bool:
+ rules = sarif_json["runs"][0]["tool"]["driver"]["rules"]
+ results = sarif_json["runs"][0]["results"]
+ for rule in rules:
+ if "helpUri" in rule:
+ if rule["helpUri"] is None or rule["helpUri"] == "":
+ return False
+ return True
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/tests/sca_image/test_output_reports.py b/tests/sca_image/test_output_reports.py
index b58f5276cee..0d1c8bc8b6d 100644
--- a/tests/sca_image/test_output_reports.py
+++ b/tests/sca_image/test_output_reports.py
@@ -134,7 +134,6 @@ def test_get_sarif_json(sca_image_report_scope_function):
 "help": {
 "text": "\"SCA license\nResource: path/to/Dockerfile (sha256:123456).perl\""
 },
- "helpUri": None,
 "defaultConfiguration": {
 "level": "error"
 }
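Review bot: `results` in the new `are_rules_without_help_uri_correct` helper is assigned and never read (flake8 F841) — drop that line. The two nested `if`s can be folded into one guard, `if "helpUri" in rule and not rule["helpUri"]: return False`, which covers both the `is None` and the `== ""` cases. The helper is a purely negative check and its name does not say so; a docstring such as `"""Return False if any SARIF rule carries a null or empty helpUri."""` would make the contract clear to the test that calls it.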