-
Notifications
You must be signed in to change notification settings - Fork 582
/
reporting.go
244 lines (208 loc) · 9.89 KB
/
reporting.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
package fortify
import (
"bytes"
"compress/gzip"
"crypto/sha1"
"encoding/json"
"fmt"
"math"
"path/filepath"
"strconv"
"strings"
"time"
"github.com/SAP/jenkins-library/pkg/format"
"github.com/SAP/jenkins-library/pkg/log"
"github.com/SAP/jenkins-library/pkg/piperutils"
"github.com/SAP/jenkins-library/pkg/reporting"
"github.com/piper-validation/fortify-client-go/models"
"github.com/pkg/errors"
)
type FortifyReportData struct {
ToolName string `json:"toolName"`
ToolInstance string `json:"toolInstance"`
ProjectID int64 `json:"projectID"`
ProjectName string `json:"projectName"`
ProjectVersion string `json:"projectVersion"`
ProjectVersionID int64 `json:"projectVersionID"`
Violations int `json:"violations"`
CorporateTotal int `json:"corporateTotal"`
CorporateAudited int `json:"corporateAudited"`
AuditAllTotal int `json:"auditAllTotal"`
AuditAllAudited int `json:"auditAllAudited"`
SpotChecksTotal int `json:"spotChecksTotal"`
SpotChecksAudited int `json:"spotChecksAudited"`
SpotChecksGap int `json:"spotChecksGap"`
Suspicious int `json:"suspicious"`
Exploitable int `json:"exploitable"`
Suppressed int `json:"suppressed"`
AtleastOneSpotChecksCategoryAudited bool `json:"atleastOneSpotChecksCategoryAudited"`
IsSpotChecksPerCategoryAudited bool `json:"isSpotChecksPerCategoryAudited"`
URL string `json:"url"`
SpotChecksCategories *[]SpotChecksAuditCount `json:"spotChecksCategories"`
}
type SpotChecksAuditCount struct {
Audited int `json:"audited"`
Total int `json:"total"`
Type string `json:"type"`
}
func CreateCustomReport(data FortifyReportData, issueGroups []*models.ProjectVersionIssueGroup) reporting.ScanReport {
scanReport := reporting.ScanReport{
ReportTitle: "Fortify SAST Report",
Subheaders: []reporting.Subheader{
{Description: "Fortify project name", Details: data.ProjectName},
{Description: "Fortify project version", Details: data.ProjectVersion},
{Description: "Fortify URL", Details: data.URL},
},
Overview: []reporting.OverviewRow{
{Description: "Number of compliance violations", Details: fmt.Sprint(data.Violations)},
{Description: "Number of issues suppressed", Details: fmt.Sprint(data.Suppressed)},
{Description: "Unaudited corporate issues", Details: fmt.Sprint(data.CorporateTotal - data.CorporateAudited)},
{Description: "Unaudited audit all issues", Details: fmt.Sprint(data.AuditAllTotal - data.AuditAllAudited)},
{Description: "Unaudited spot check issues", Details: fmt.Sprint(data.SpotChecksTotal - data.SpotChecksAudited)},
{Description: "Number of suspicious issues", Details: fmt.Sprint(data.Suspicious)},
{Description: "Number of exploitable issues", Details: fmt.Sprint(data.Exploitable)},
},
ReportTime: time.Now(),
}
detailTable := reporting.ScanDetailTable{
NoRowsMessage: "No findings detected",
Headers: []string{
"Issue group",
"Total count",
"Audited count",
},
WithCounter: true,
CounterHeader: "Entry #",
}
for _, group := range issueGroups {
row := reporting.ScanRow{}
row.AddColumn(fmt.Sprint(*group.CleanName), 0)
row.AddColumn(fmt.Sprint(*group.TotalCount), 0)
row.AddColumn(fmt.Sprint(*group.AuditedCount), 0)
detailTable.Rows = append(detailTable.Rows, row)
}
scanReport.DetailTable = detailTable
scanReport.SuccessfulScan = data.Violations == 0
return scanReport
}
func CreateJSONReport(reportData FortifyReportData, spotChecksCountByCategory []SpotChecksAuditCount, serverURL string) FortifyReportData {
reportData.AtleastOneSpotChecksCategoryAudited = true
reportData.IsSpotChecksPerCategoryAudited = true
for _, spotChecksElement := range spotChecksCountByCategory {
if spotChecksElement.Total > 0 && spotChecksElement.Audited == 0 {
reportData.AtleastOneSpotChecksCategoryAudited = false
}
spotCheckMinimumPercentageValue := int(math.Ceil(float64(0.10 * float64(spotChecksElement.Total))))
if spotChecksElement.Audited < spotCheckMinimumPercentageValue && spotChecksElement.Audited < 10 {
reportData.IsSpotChecksPerCategoryAudited = false
}
if !reportData.IsSpotChecksPerCategoryAudited && !reportData.AtleastOneSpotChecksCategoryAudited {
break
}
}
reportData.SpotChecksCategories = &spotChecksCountByCategory
reportData.URL = serverURL + "/html/ssc/version/" + strconv.FormatInt(reportData.ProjectVersionID, 10)
reportData.ToolInstance = serverURL
reportData.ToolName = "fortify"
return reportData
}
func WriteJSONReport(jsonReport FortifyReportData) ([]piperutils.Path, error) {
utils := piperutils.Files{}
reportPaths := []piperutils.Path{}
// Standard JSON Report
jsonComplianceReportPath := filepath.Join(ReportsDirectory, "piper_fortify_report.json")
// Ensure reporting directory exists
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
return reportPaths, errors.Wrapf(err, "failed to create report directory")
}
file, _ := json.Marshal(jsonReport)
if err := utils.FileWrite(jsonComplianceReportPath, file, 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write fortify json compliance report")
}
reportPaths = append(reportPaths, piperutils.Path{Name: "Fortify JSON Compliance Report", Target: jsonComplianceReportPath})
return reportPaths, nil
}
func WriteSarif(sarif format.SARIF, fileName string) ([]piperutils.Path, error) {
utils := piperutils.Files{}
reportPaths := []piperutils.Path{}
sarifReportPath := filepath.Join(ReportsDirectory, fileName)
// Ensure reporting directory exists
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
return reportPaths, errors.Wrapf(err, "failed to create report directory")
}
// This solution did not allow for special HTML characters. If this causes any issue, revert l148-l157 with these two
/*file, _ := json.MarshalIndent(sarif, "", " ")
if err := utils.FileWrite(sarifReportPath, file, 0666); err != nil {*/
// HTML characters will most likely be present: we need to use encode: create a buffer to hold JSON data
buffer := new(bytes.Buffer)
// create JSON encoder for buffer
bufEncoder := json.NewEncoder(buffer)
// set options
bufEncoder.SetEscapeHTML(false)
bufEncoder.SetIndent("", " ")
//encode to buffer
bufEncoder.Encode(sarif)
log.Entry().Info("Writing file to disk: ", sarifReportPath)
if err := utils.FileWrite(sarifReportPath, buffer.Bytes(), 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write fortify SARIF report")
}
reportPaths = append(reportPaths, piperutils.Path{Name: "Fortify SARIF Report", Target: sarifReportPath})
return reportPaths, nil
}
func WriteGzipSarif(sarif format.SARIF, fileName string) ([]piperutils.Path, error) {
utils := piperutils.Files{}
reportPaths := []piperutils.Path{}
sarifReportPath := filepath.Join(ReportsDirectory, fileName)
// Ensure reporting directory exists
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
return reportPaths, errors.Wrapf(err, "failed to create report directory")
}
// HTML characters will most likely be present: we need to use encode: create a buffer to hold JSON data
// https://stackoverflow.com/questions/28595664/how-to-stop-json-marshal-from-escaping-and
buffer := new(bytes.Buffer)
// create JSON encoder for buffer
bufEncoder := json.NewEncoder(buffer)
// set options
bufEncoder.SetEscapeHTML(false)
bufEncoder.SetIndent("", " ")
//encode to buffer
bufEncoder.Encode(sarif)
// Initialize gzip
gzBuffer := &bytes.Buffer{}
gzWriter := gzip.NewWriter(gzBuffer)
gzWriter.Write([]byte(buffer.Bytes()))
gzWriter.Close()
log.Entry().Info("Writing file to disk: ", sarifReportPath)
if err := utils.FileWrite(sarifReportPath, gzBuffer.Bytes(), 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write Fortify SARIF gzip report")
}
reportPaths = append(reportPaths, piperutils.Path{Name: "Fortify SARIF gzip Report", Target: sarifReportPath})
return reportPaths, nil
}
func WriteCustomReports(scanReport reporting.ScanReport) ([]piperutils.Path, error) {
utils := piperutils.Files{}
reportPaths := []piperutils.Path{}
// ignore templating errors since template is in our hands and issues will be detected with the automated tests
htmlReport, _ := scanReport.ToHTML()
htmlReportPath := filepath.Join(ReportsDirectory, "piper_fortify_report.html")
// Ensure reporting directory exists
if err := utils.MkdirAll(ReportsDirectory, 0777); err != nil {
return reportPaths, errors.Wrapf(err, "failed to create report directory")
}
if err := utils.FileWrite(htmlReportPath, htmlReport, 0666); err != nil {
log.SetErrorCategory(log.ErrorConfiguration)
return reportPaths, errors.Wrapf(err, "failed to write html report")
}
reportPaths = append(reportPaths, piperutils.Path{Name: "Fortify Report", Target: htmlReportPath})
// we do not add the json report to the overall list of reports for now,
// since it is just an intermediary report used as input for later
// and there does not seem to be real benefit in archiving it.
return reportPaths, nil
}
func reportShaFortify(parts []string) string {
reportShaData := []byte(strings.Join(parts, ","))
return fmt.Sprintf("%x", sha1.Sum(reportShaData))
}