From abf620b1bc48dda401de33a5d1f56c8e66e0b563 Mon Sep 17 00:00:00 2001
From: Andreas Kohn
Date: Tue, 20 Sep 2022 14:18:49 +0200
Subject: [PATCH 1/2] fix(general): only add `helpUri` to SARIF if it is non-empty

---
 checkov/common/output/report.py | 4 ++-
 tests/common/output/test_sarif_report.py | 44 ++++++++++++++++++++++++
 tests/sca_image/test_output_reports.py | 1 -
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py
index cec56a3b130..cb561e94c98 100644
--- a/checkov/common/output/report.py
+++ b/checkov/common/output/report.py
@@ -263,9 +263,11 @@ def get_sarif_json(self, tool: str) -> Dict[str, Any]:
 "help": {
 "text": f'"{record.check_name}\nResource: {record.resource}"',
 },
- "helpUri": help_uri,
 "defaultConfiguration": {"level": "error"},
 }
+ if help_uri is not None and len(help_uri) > 0:
+ rule["helpUri"] = help_uri
+
 if record.check_id not in ruleset:
 ruleset.add(record.check_id)
 rules.append(rule)
diff --git a/tests/common/output/test_sarif_report.py b/tests/common/output/test_sarif_report.py
index 65aa3970edf..847b6e1acd5 100644
--- a/tests/common/output/test_sarif_report.py
+++ b/tests/common/output/test_sarif_report.py
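Review bot: The new guard decides helpUri per record, but the `if record.check_id not in ruleset` test directly below it only keeps the rule built from the first record of each check_id, so if two records of the same check carried different guideline values the later one would be dropped silently. If guidelines are per-check that is harmless, but the dedupe deserves a comment: `# the first record seen for a check_id defines its rule (incl. helpUri); later ones are deduplicated`. A why-comment on the new condition would also help the next reader: `# SARIF's helpUri is optional but must be a URI when present, so omit the key instead of emitting null or ""`. get_sarif_json starts before this hunk, so where help_uri is computed is not visible here.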
@@ -266,6 +266,38 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 )
 record9.set_guideline("")
 
+ # Record with non-empty guideline
+ record10 = Record(
+ check_id="CKV_AWS_23",
+ check_name="Some Check",
+ check_result={"result": CheckResult.FAILED},
+ code_block=None,
+ file_path="./s3.tf",
+ file_line_range=[1, 3],
+ resource="aws_s3_bucket.operations",
+ evaluations=None,
+ check_class=None,
+ file_abs_path=",.",
+ entity_tags={"tag1": "value1"},
+ )
+ record10.set_guideline("https://example.com")
+
+ # Record without guideline
+ record11 = Record(
+ check_id="CKV_AWS_24",
+ check_name="Some Check",
+ check_result={"result": CheckResult.FAILED},
+ code_block=None,
+ file_path="./s3.tf",
+ file_line_range=[1, 3],
+ resource="aws_s3_bucket.operations",
+ evaluations=None,
+ check_class=None,
+ file_abs_path=",.",
+ entity_tags={"tag1": "value1"},
+ )
+ # No guideline here
+
 r = Report("terraform")
 r.add_record(record=record1)
 r.add_record(record=record2)
@@ -276,6 +308,8 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 r.add_record(record=record7)
 r.add_record(record=record8)
 r.add_record(record=record9)
+ r.add_record(record=record10)
+ r.add_record(record=record11)
 json_structure = r.get_sarif_json("")
 print(json.dumps(json_structure))
 self.assertEqual(
@@ -284,6 +318,7 @@ def test_multiple_instances_of_same_rule_do_not_break_schema(self):
 )
 self.assertFalse(are_duplicates_in_sarif_rules(json_structure))
 self.assertTrue(are_rule_indexes_correct_in_results(json_structure))
+ self.assertTrue(are_rules_without_help_uri_correct(json_structure))
 
 
 def get_sarif_schema():
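Review bot: The added `self.assertTrue(are_rules_without_help_uri_correct(json_structure))` only proves that no rule carries an empty helpUri; it would still pass if helpUri were dropped for every rule, so record10's guideline "https://example.com" is never actually asserted to reach the output. Pin both directions right after the new assertion, assuming the rule's `id` is the check_id as the dedupe on `record.check_id` suggests: `rules_by_id = {r["id"]: r for r in json_structure["runs"][0]["tool"]["driver"]["rules"]}`, `self.assertEqual(rules_by_id["CKV_AWS_23"]["helpUri"], "https://example.com")`, `self.assertNotIn("helpUri", rules_by_id["CKV_AWS_24"])`. `file_abs_path=",."` on record10 and record11 looks like a copied typo; it is harmless for the schema check but a real path would read better. test_multiple_instances_of_same_rule_do_not_break_schema begins before the first hunk.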
@@ -314,6 +349,15 @@ def are_rule_indexes_correct_in_results(sarif_json) -> bool:
 return False
 return True
 
+def are_rules_without_help_uri_correct(sarif_json) -> bool:
+ rules = sarif_json["runs"][0]["tool"]["driver"]["rules"]
+ results = sarif_json["runs"][0]["results"]
+ for rule in rules:
+ if "helpUri" in rule:
+ if rule["helpUri"] is None or rule["helpUri"] == "":
+ return False
+ return True
+
 
 if __name__ == "__main__":
 unittest.main()
diff --git a/tests/sca_image/test_output_reports.py b/tests/sca_image/test_output_reports.py
index b58f5276cee..0d1c8bc8b6d 100644
--- a/tests/sca_image/test_output_reports.py
+++ b/tests/sca_image/test_output_reports.py
@@ -134,7 +134,6 @@ def test_get_sarif_json(sca_image_report_scope_function):
 "help": {
 "text": "\"SCA license\nResource: path/to/Dockerfile (sha256:123456).perl\""
 },
- "helpUri": None,
 "defaultConfiguration": {
 "level": "error"
 }
From beb25cec1433f212f9931f23d2922f4d6c3383d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Gr=C3=BCbel?=
Date: Wed, 21 Sep 2022 09:39:42 +0200
Subject: [PATCH 2/2] simplify if condition

---
 checkov/common/output/report.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py
index cb561e94c98..f646dbeecd9 100644
--- a/checkov/common/output/report.py
+++ b/checkov/common/output/report.py
@@ -265,7 +265,7 @@ def get_sarif_json(self, tool: str) -> Dict[str, Any]:
 },
 "defaultConfiguration": {"level": "error"},
 }
- if help_uri is not None and len(help_uri) > 0:
+ if help_uri:
 rule["helpUri"] = help_uri
 
 if record.check_id not in ruleset:
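Review bot: `results = sarif_json["runs"][0]["results"]` in the new are_rules_without_help_uri_correct is never used and should be dropped, and the two nested ifs collapse into one truthiness test: `if "helpUri" in rule and not rule["helpUri"]:` followed by `return False`. As written the helper also cannot catch the regression it exists for, because a report with no helpUri on any rule passes; consider returning False when no rule carries a helpUri at all, or pair it with a positive assertion in the calling test. A one-line docstring would state the contract: `"""Return False if any rule carries a helpUri that is None or empty (SARIF requires a URI when the key is present)."""`.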
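Review bot: `if help_uri:` filters out None and "" but still emits any other truthy value verbatim, and SARIF declares helpUri with the `uri` format, so a guideline that is free text rather than a URL (e.g. "see internal wiki") would produce a report that strict consumers reject. If guidelines are not guaranteed to be URLs — help_uri is computed before this hunk, so that cannot be confirmed here — gate on the scheme as well: `if help_uri and help_uri.startswith(("http://", "https://")):`. Otherwise a comment recording the assumption is enough: `# guidelines are absolute URLs; SARIF's helpUri must be a URI when present`.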