SARIF 2.1.0 Support Results Missing Location
ejohn20 opened this issue

The SarifParser does not work for results transformed from vulnerability scanners that do not have a `locations` element specified. Output from the warnings-ng parser, using a SARIF file converted from CIS benchmark scan results, produces no results:
```text
Searching for all files in '/var/lib/jenkins/workspace/cis-scanner' that match the pattern 'scan-results/38/cis.sarif'
-> found 1 file
Successfully parsed file /var/lib/jenkins/workspace/cis-scanner/scan-results/38/cis.sarif
-> found 0 issues (skipped 0 duplicates)
```
According to the specification, location is not required: https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10540999.
Sample SARIF data, which passes schema validation using the sarif-sdk:
```json
{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
        {
          "ruleId": "rule.id.2",
          "level": "error",
          "message": {
            "text": "Rule id 2 title"
          },
          "fingerprints": {
            "0": "d23eea429d06cfe703ab69b8d0d0c1abd41fc9e26b4167575e3356733c97bf61"
          }
        }
      ],
      "tool": {
        "driver": {
          "name": "CisCat",
          "fullName": "CIS Benchmark Title",
          "version": "2.1.0",
          "semanticVersion": "2.1.0",
          "informationUri": "https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro_pre",
          "rules": [
            {
              "id": "rule.id.1",
              "name": "Rule id 1 title",
              "fullDescription": {
                "text": "Rule id 1 title",
                "markdown": "Rule id 1 title"
              },
              "help": {
                "text": "Rule id 1 title",
                "markdown": "Rule id 1 title"
              }
            },
            {
              "id": "rule.id.2",
              "name": "Rule id 2 title",
              "fullDescription": {
                "text": "Rule id 2 title",
                "markdown": "Rule id 2 title"
              },
              "help": {
                "text": "Rule id 2 title",
                "markdown": "Rule id 2 title"
              }
            }
          ],
          "properties": {
            "benchmarkId": "cis.benchmark.id",
            "profileId": "profile.id",
            "profileTitle": "profile.title",
            "score": "50.00"
          }
        }
      },
      "columnKind": "utf16CodeUnits"
    }
  ]
}
```
This appears to be related to this block of code that skips the result if no location.region or location.physicalLocation is found in the JSON data:
I released a fix for this. Open issue again if not working as expected.
Wow, thank you! I was just getting ready to send in a PR for this 🥳 I'll validate the test cases on my side and report back.
I found one minor issue with this implementation that I will submit a pull request for.
The `.setMessage(this.getRuleHelpOrId(helpMap, ruleId))` method only returns the help text from the rule, rather than the rule name and short description. I will be submitting a PR to display this information rather than the help text.
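As an added illustration of the two points raised in this thread (results with no `locations` element must not be dropped, and the issue title should come from the rule name and short description rather than the help text), here is a small standalone SARIF 2.1.0 result extractor in Python. It is not code from the analysis-model or warnings-ng projects; the sample document, the `"-"`/`0` placeholders for an unknown file and line, and the field names of the returned dicts are assumptions made for this example.

```python
import json

# Constructed sample input (not the issue's file): one result without the optional
# "locations" array, one with a physicalLocation, one whose ruleId has no rule entry.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CisCat", "rules": [
        {"id": "rule.id.1", "name": "Rule id 1 title",
         "shortDescription": {"text": "Ensure SSH root login is disabled"},
         "help": {"text": "Help text 1"}},
        {"id": "rule.id.2", "name": "Rule id 2 title", "help": {"text": "Help text 2"}}]}},
    "results": [
        {"ruleId": "rule.id.2", "level": "error", "message": {"text": "Rule id 2 title"}},
        {"ruleId": "rule.id.1", "level": "warning", "message": {"text": "Rule id 1 title"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "etc/ssh/sshd_config"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "rule.unknown", "message": {"text": "No rule metadata"}}]}]})


def first_location(result):
    """(uri, startLine) of the first physicalLocation; ("-", 0) when 'locations'
    is absent, empty, or carries no physicalLocation (all optional in SARIF 2.1.0)."""
    for loc in result.get("locations") or []:
        phys = loc.get("physicalLocation") or {}
        uri = (phys.get("artifactLocation") or {}).get("uri", "-")
        return uri, (phys.get("region") or {}).get("startLine", 0)
    return "-", 0


def parse_sarif(text):
    """One issue dict per SARIF result; location-less results are kept, not skipped."""
    issues = []
    for run in json.loads(text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            # Title from the rule name and shortDescription, falling back to the ruleId
            title = rule.get("name") or rule_id
            short = (rule.get("shortDescription") or {}).get("text")
            uri, line = first_location(result)
            issues.append({"rule_id": rule_id, "severity": result.get("level", "warning"),
                           "title": f"{title}: {short}" if short else title,
                           "message": (result.get("message") or {}).get("text", ""),
                           "file": uri, "line": line})
    return issues
```

Run against the sample, all three results survive, including the location-less CIS benchmark finding, which the parser described in the issue silently dropped.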