tomasbjerre / violations-lib

Java library for parsing report files from static code analysis.


SARIF 2.1.0 Support Results Missing Location

ejohn20 opened this issue · comments

The SarifParser does not work for results transformed from vulnerability scanners that do not have a locations element specified. Output from the ng warnings parser using a SARIF file converted from CIS benchmark scan results produces no results:

Searching for all files in '/var/lib/jenkins/workspace/cis-scanner' that match the pattern 'scan-results/38/cis.sarif'
-> found 1 file
Successfully parsed file /var/lib/jenkins/workspace/cis-scanner/scan-results/38/cis.sarif
-> found 0 issues (skipped 0 duplicates)

According to the specification, location is not required: https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10540999.

Sample SARIF data, which passes schema validation using the sarif-sdk:

{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": [
    {
      "results": [
        {
          "ruleId": "rule.id.2",
          "level": "error",
          "message": {
            "text": "Rule id 2 title"
          },
          "fingerprints": {
            "0": "d23eea429d06cfe703ab69b8d0d0c1abd41fc9e26b4167575e3356733c97bf61"
          }
        }
      ],
      "tool": {
        "driver": {
          "name": "CisCat",
          "fullName": "CIS Benchmark Title",
          "version": "2.1.0",
          "semanticVersion": "2.1.0",
          "informationUri": "https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro_pre",
          "rules": [
            {
              "id": "rule.id.1",
              "name": "Rule id 1 title",
              "fullDescription": {
                "text": "Rule id 1 title",
                "markdown": "Rule id 1 title"
              },
              "help": {
                "text": "Rule id 1 title",
                "markdown": "Rule id 1 title"
              }
            },
            {
              "id": "rule.id.2",
              "name": "Rule id 2 title",
              "fullDescription": {
                "text": "Rule id 2 title",
                "markdown": "Rule id 2 title"
              },
              "help": {
                "text": "Rule id 2 title",
                "markdown": "Rule id 2 title"
              }
            }
          ],
          "properties": {
            "benchmarkId": "cis.benchmark.id",
            "profileId": "profile.id",
            "profileTitle": "profile.title",
            "score": "50.00"
          }
        }
      },
      "columnKind": "utf16CodeUnits"
    }
  ]
}

This appears to be related to this block of code that skips the result if no location.region or location.physicalLocation is found in the JSON data:

final PhysicalLocation physicalLocation = location.getPhysicalLocation();

I released a fix for this. Open issue again if not working as expected.

Wow, thank you! I was just getting ready to send in a PR for this 🥳 I'll validate the test cases on my side and report back.

Confirmed that the latest .jar file produces the expected result.

[image: Jenkins Build CIS CAT Results]

I found one minor issue with this implementation that I will submit a pull request for.

The .setMessage(this.getRuleHelpOrId(helpMap, ruleId)) method only returns the help text from the rule, rather than the rule name and short description. I will be submitting a PR to display this information rather than the help text.
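As an added illustration (not code from violations-lib or from anyone in this thread), the following Python parser shows the two points raised above: a SARIF result without a locations array is still reported as a finding instead of being skipped, and the rule label prefers the rule's name and shortDescription over its help text. The SARIF fragment is constructed for the example and the field names used are those of SARIF 2.1.0; the severity mapping and the placeholder file "-" are assumptions of this example.

```python
import json

# Constructed SARIF 2.1.0 fragment modelled on the issue's sample: the first
# result has no "locations" array at all, the second one carries a physical location.
SARIF_SAMPLE = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "CisCat", "rules": [
            {"id": "rule.id.2", "name": "Rule id 2 title",
             "shortDescription": {"text": "Rule 2 short description"},
             "help": {"text": "Rule 2 help text"}}]}},
        "results": [
            {"ruleId": "rule.id.2", "level": "error",
             "message": {"text": "Rule id 2 title"}},
            {"ruleId": "rule.id.3", "level": "warning",
             "message": {"text": "Finding with a location"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 12}}}]}]}]})

# SARIF result levels mapped onto a generic severity scale (the mapping is this example's choice).
LEVEL_TO_SEVERITY = {"error": "ERROR", "warning": "WARN", "note": "INFO", "none": "INFO"}


def rule_label(rule, rule_id):
    """Rule name plus short description if the driver defines the rule; help text is a fallback; else the raw id."""
    name = rule.get("name") or rule_id
    desc = (rule.get("shortDescription") or rule.get("help") or {}).get("text")
    return f"{name}: {desc}" if desc else name


def parse_sarif(text):
    """One violation dict per result/location pair; a result without locations yields one placeholder entry."""
    doc = json.loads(text)
    violations = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            # SARIF 2.1.0 makes "level" optional and defaults it to "warning".
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "WARN")
            # A missing or empty locations array must not drop the finding: iterate over one empty location.
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation") or {}
                violations.append({
                    "file": (phys.get("artifactLocation") or {}).get("uri", "-"),
                    "start_line": (phys.get("region") or {}).get("startLine", 0),
                    "rule": rule_label(rules.get(rule_id, {}), rule_id),
                    "severity": severity,
                    "message": result.get("message", {}).get("text", ""),
                })
    return violations
```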