Merge pull request #2 from tjgurwara99/fix-reporting-descriptor

Fix reportingDescriptor according to sarif validator
tjgurwara99 · Feb 5, 2023 · b6f79fe · b6f79fe
2 parents 5ae587c + 6debfcd
commit b6f79fe
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 10 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -9,8 +9,8 @@
             "type": "go",
             "request": "launch",
             "mode": "auto",
-            "program": "/Users/taj/personal/vulnny/cmd/vulnny",
-            "cwd": "/Users/taj/personal/vulnny/cmd/vulnny/testdata/vuln",
+            "program": "/Users/taj/personal/vulnny",
+            "cwd": "${workspaceFolder}/testdata/vuln",
         }
     ]
 }
diff --git a/internal/sarif/sarif.go b/internal/sarif/sarif.go
@@ -1,6 +1,7 @@
 package sarif
 
 import (
+	"fmt"
 	"go/build"
 	"os"
 	"strings"
@@ -15,6 +16,7 @@ func FromResult(r *vulncheck.Result) (*Log, error) {
 	})
 	var j int
 	var results []Result
+	var rules []ReportingDescriptor
 	for i, v := range filtered {
 		fn, ok := r.Calls.Functions[v.CallSink]
 		if !ok {
@@ -45,21 +47,45 @@ func FromResult(r *vulncheck.Result) (*Log, error) {
 			}
 			locations = append(locations, loc)
 		}
+		shortDescription := fmt.Sprintf("Vulnerable package %s is being used", v.ModPath)
 		message := Message{
-			Text: v.OSV.Details,
+			Text: shortDescription,
 		}
 		level := LevelError
 		ruleID := v.OSV.ID
+		rule := ReportingDescriptor{
+			ID:      ruleID,
+			Name:    "VulnerablePackage",
+			HelpURI: fmt.Sprintf("https://osv.dev/vulnerability/%s", strings.ToLower(v.OSV.ID)),
+			ShortDescription: &MultiFormatMessageString{
+				Text: shortDescription,
+			},
+			FullDescription: &MultiFormatMessageString{
+				Text: v.OSV.Details,
+			},
+			Properties: &RDProperties{
+				ID:          v.OSV.ID,
+				Problem:     string(level),
+				Name:        shortDescription,
+				Description: v.OSV.Details,
+				Kind:        "problem",
+				Tags:        []string{"security", "vulnerability"},
+			},
+		}
 		results = append(results, Result{
 			Message:   &message,
-			Level:     level,
 			RuleID:    ruleID,
+			Level:     level,
 			Locations: locations,
 		})
+		rules = append(rules, rule)
 	}
 	tool := Tool{
 		Driver: ToolComponent{
-			Name: "Vulnny",
+			Name:            "Vulnny",
+			SemanitcVersion: "0.0.2",
+			InformationURI:  "https://github.com/tjgurwara99/vulnny",
+			Rules:           rules,
 		},
 	}
 	runs := []Run{

diff --git a/internal/sarif/spec.go b/internal/sarif/spec.go
@@ -16,13 +16,36 @@ type MultiFormatMessageString struct {
 	Markdown string `json:"markdown,omitempty"`
 }
 
+type RDProperties struct {
+	ID          string   `json:"id,omitempty"`
+	Name        string   `json:"name,omitempty"`
+	Description string   `json:"description,omitempty"`
+	Kind        string   `json:"kind,omitempty"`
+	Precision   string   `json:"precision,omitempty"`
+	Tags        []string `json:"tags,omitempty"`
+	Problem     string   `json:"problem.severity,omitempty"`
+}
+
+type ReportingDescriptor struct {
+	ID               string                    `json:"id"`
+	Name             string                    `json:"name,omitempty"`
+	HelpURI          string                    `json:"helpUri,omitempty"`
+	ShortDescription *MultiFormatMessageString `json:"shortDescription,omitempty"`
+	FullDescription  *MultiFormatMessageString `json:"fullDescription,omitempty"`
+	Help             *MultiFormatMessageString `json:"help,omitempty"`
+	// propertyBag that makes sense for this tool.
+	Properties *RDProperties `json:"properties,omitempty"`
+}
+
 type ToolComponent struct {
 	Name             string                    `json:"name"`
 	GUID             string                    `json:"guid,omitempty"`
 	SemanitcVersion  string                    `json:"semanticVersion,omitempty"`
 	Language         string                    `json:"language,omitempty"`
 	ShortDescription *MultiFormatMessageString `json:"shortDescription,omitempty"`
 	FullDescription  *MultiFormatMessageString `json:"fullDescription,omitempty"`
+	InformationURI   string                    `json:"informationUri,omitempty"`
+	Rules            []ReportingDescriptor     `json:"rules,omitempty"`
 	// there are some other fields that might be useful
 	// but at this stage it would be overengineering.
 }
@@ -110,11 +133,12 @@ type Location struct {
 }
 
 type Result struct {
-	Message   *Message   `json:"message"`
-	RuleID    string     `json:"ruleId,omitempty"`
-	RuleIndex int        `json:"ruleIndex,omitempty"` // default -1 & minimum -1
-	Level     Level      `json:"level,omitempty"`
-	Locations []Location `json:"locations,omitempty"`
+	Message   *Message             `json:"message"`
+	RuleID    string               `json:"ruleId,omitempty"`
+	RuleIndex int                  `json:"ruleIndex,omitempty"` // default -1 & minimum -1
+	Rule      *ReportingDescriptor `json:"rule,omitempty"`
+	Level     Level                `json:"level,omitempty"`
+	Locations []Location           `json:"locations,omitempty"`
 }
 
 type Run struct {