add github-sarif writer for github suited sarif output (#907)

* add --github flag for github suited sarif output

* fixed golden file for scan -h

* changed to using github-sarif writer than --github flag

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/VerbalExpressions/GoVerbalExpressions v0.0.0-20200410162751-4d76a1099a6e
 	github.com/awslabs/goformation/v4 v4.19.1
 	github.com/ghodss/yaml v1.0.0
+	github.com/go-errors/errors v1.0.1
 	github.com/google/uuid v1.2.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
@@ -39,7 +40,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/zclconf/go-cty v1.8.2
 	go.uber.org/zap v1.16.0
-	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
 	golang.org/x/tools v0.1.4 // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b

go.sum

@@ -1188,6 +1188,8 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

pkg/cli/register.go

@@ -37,7 +37,7 @@ func RegisterCommand(baseCommand *cobra.Command, command *cobra.Command) {
 func Execute() {
 	rootCmd.PersistentFlags().StringVarP(&LogLevel, "log-level", "l", "info", "log level (debug, info, warn, error, panic, fatal)")
 	rootCmd.PersistentFlags().StringVarP(&LogType, "log-type", "x", "console", "log output type (console, json)")
-	rootCmd.PersistentFlags().StringVarP(&OutputType, "output", "o", "human", "output type (human, json, yaml, xml, junit-xml, sarif)")
+	rootCmd.PersistentFlags().StringVarP(&OutputType, "output", "o", "human", "output type (human, json, yaml, xml, junit-xml, sarif, github-sarif)")
 	rootCmd.PersistentFlags().StringVarP(&ConfigFile, "config-path", "c", "", "config file path")
 
 	// Function to execute before processing commands

pkg/cli/root.go

@@ -27,7 +27,7 @@ var (
 	// LogType Logging output type (console, json)
 	LogType string
 
-	// OutputType Violation output type (human, json, yaml, xml)
+	// OutputType Violation output type (human, json, yaml, xml, sarif)
 	OutputType string
 
 	// ConfigFile Config file path

pkg/cli/run.go

@@ -33,6 +33,7 @@ import (
 
 const (
 	humanOutputFormat = "human"
+	sarifOutputFormat = "sarif"
 )
 
 // ScanOptions represents scan command and its optional flags
@@ -135,6 +136,7 @@ func (s ScanOptions) validate() error {
 	if s.configOnly && strings.EqualFold(s.outputType, humanOutputFormat) {
 		return errors.New("please use yaml or json output format when using --config-only flag")
 	}
+
 	return nil
 }
 

pkg/writer/github_sarif.go

@@ -0,0 +1,34 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package writer
+
+import (
+	"io"
+)
+
+const (
+	githubSarifFormat supportedFormat = "github-sarif"
+)
+
+func init() {
+	RegisterWriter(githubSarifFormat, GithubSarifWriter)
+}
+
+// GithubSarifWriter writes sarif formatted violation results report that are well suited for github codescanning alerts display
+func GithubSarifWriter(data interface{}, writer io.Writer) error {
+	return writeSarif(data, writer, true)
+}

pkg/writer/github_sarif_test.go

@@ -0,0 +1,101 @@
+package writer
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/accurics/terrascan/pkg/utils"
+	"github.com/accurics/terrascan/pkg/version"
+	"strings"
+	"testing"
+)
+
+const violationTemplateForGH = `{
+          "version": "2.1.0",
+          "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+          "runs": [
+            {
+              "tool": {
+                "driver": {
+                  "name": "terrascan",
+                  "version": "%s",
+                  "informationUri": "https://github.com/accurics/terrascan",
+                  "rules": [
+                    {
+                      "id": "AWS.S3Bucket.DS.High.1043",
+                      "name": "s3EnforceUserACL",
+                      "shortDescription": {
+                        "text": "S3 bucket Access is allowed to all AWS Account Users."
+                      },
+                      "properties": {
+                        "category": "S3",
+                        "severity": "HIGH"
+                      }
+                    }
+                  ]
+                }
+              },
+              "results": [
+                {
+                  "ruleId": "AWS.S3Bucket.DS.High.1043",
+                  "level": "error",
+                  "message": {
+                    "text": "S3 bucket Access is allowed to all AWS Account Users."
+                  },
+                  "locations": [
+                    {
+                      "physicalLocation": {
+                        "artifactLocation": {
+                          "uri": "%s",
+						  "uriBaseId": "test"
+                        },
+                        "region": {
+                          "startLine": 20
+                        }
+                      },
+                      "logicalLocations": [
+                        {
+                          "name": "bucket",
+                          "kind": "aws_s3_bucket"
+                        }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        }`
+
+var expectedSarifViolationOutputGH = fmt.Sprintf(violationTemplateForGH, version.GetNumeric(), testpathForGH)
+
+func TestGithubSarifWriter(t *testing.T) {
+
+	type funcInput interface{}
+	tests := []struct {
+		name           string
+		input          funcInput
+		expectedError  bool
+		expectedOutput string
+	}{
+		{
+			name:           "Sarif Writer for Github: Violations",
+			input:          violationsInput,
+			expectedOutput: expectedSarifViolationOutputGH,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			writer := &bytes.Buffer{}
+			if err := GithubSarifWriter(tt.input, writer); (err != nil) != tt.expectedError {
+				t.Errorf("HumanReadbleWriter() error = gotErr: %v, wantErr: %v", err, tt.expectedError)
+			}
+			outputBytes := writer.Bytes()
+			gotOutput := string(bytes.TrimSpace(outputBytes))
+
+			if equal, _ := utils.AreEqualJSON(strings.TrimSpace(gotOutput), strings.TrimSpace(tt.expectedOutput)); !equal {
+				t.Errorf("HumanReadbleWriter() = got: %v, want: %v", gotOutput, tt.expectedOutput)
+			}
+		})
+	}
+}

pkg/writer/sarif.go

@@ -21,6 +21,7 @@ import (
 	"github.com/accurics/terrascan/pkg/policy"
 	"github.com/accurics/terrascan/pkg/utils"
 	"github.com/accurics/terrascan/pkg/version"
+	"github.com/go-errors/errors"
 	"github.com/owenrumney/go-sarif/sarif"
 	"go.uber.org/zap"
 	"io"
@@ -38,6 +39,10 @@ func init() {
 
 // SarifWriter writes sarif formatted violation results report
 func SarifWriter(data interface{}, writer io.Writer) error {
+	return writeSarif(data, writer, false)
+}
+
+func writeSarif(data interface{}, writer io.Writer, forGithub bool) error {
 	outputData := data.(policy.EngineOutput)
 	report, err := sarif.New(sarif.Version210)
 	if err != nil {
@@ -46,7 +51,6 @@ func SarifWriter(data interface{}, writer io.Writer) error {
 
 	run := sarif.NewRun("terrascan", "https://github.com/accurics/terrascan")
 	run.Tool.Driver.WithVersion(version.GetNumeric())
-
 	// add a run to the report
 	report.AddRun(run)
 
@@ -55,7 +59,7 @@ func SarifWriter(data interface{}, writer io.Writer) error {
 		m["category"] = passedRule.Category
 		m["severity"] = passedRule.Severity
 
-		run.AddRule(string(passedRule.RuleID)).
+		run.AddRule(passedRule.RuleID).
 			WithDescription(passedRule.Description).WithName(passedRule.RuleName).WithProperties(m)
 	}
 
@@ -65,19 +69,24 @@ func SarifWriter(data interface{}, writer io.Writer) error {
 		m["category"] = violation.Category
 		m["severity"] = violation.Severity
 
-		rule := run.AddRule(string(violation.RuleID)).
+		rule := run.AddRule(violation.RuleID).
 			WithDescription(violation.Description).WithName(violation.RuleName).WithProperties(m)
 
-		absFilePath, err := getAbsoluteFilePath(outputData.Summary.ResourcePath, violation.File)
-
-		if err != nil {
-			return err
+		var artifactLocation *sarif.ArtifactLocation
+
+		if forGithub {
+			artifactLocation = sarif.NewSimpleArtifactLocation(violation.File).
+				WithUriBaseId(outputData.Summary.ResourcePath)
+		} else {
+			absFilePath, err := getAbsoluteFilePath(outputData.Summary.ResourcePath, violation.File)
+			if err != nil {
+				return errors.Errorf("unable to create absolute path, error: %v", err)
+			}
+			artifactLocation = sarif.NewSimpleArtifactLocation(fmt.Sprintf("file://%s", absFilePath))
 		}
 
-		location := sarif.NewLocation().
-			WithPhysicalLocation(sarif.NewPhysicalLocation().
-				WithArtifactLocation(sarif.NewSimpleArtifactLocation(fmt.Sprintf("file://%s", absFilePath))).
-				WithRegion(sarif.NewRegion().WithStartLine(violation.LineNumber)))
+		location := sarif.NewLocation().WithPhysicalLocation(sarif.NewPhysicalLocation().
+			WithArtifactLocation(artifactLocation).WithRegion(sarif.NewRegion().WithStartLine(violation.LineNumber)))
 
 		if len(violation.ResourceType) > 0 && len(violation.ResourceName) > 0 {
 			location.LogicalLocations = append(location.LogicalLocations, sarif.NewLogicalLocation().

pkg/writer/sarif_test.go

@@ -12,9 +12,11 @@ import (
 	"github.com/accurics/terrascan/pkg/version"
 )
 
-var testpath, _ = getAbsoluteFilePath(violationsInput.Summary.ResourcePath, violationsInput.Violations[0].File)
+var abstestpath, _ = getAbsoluteFilePath(violationsInput.Summary.ResourcePath, violationsInput.Violations[0].File)
+var testpath = fmt.Sprintf("file://%s", abstestpath)
+var testpathForGH = violationsInput.Violations[0].File
 
-var expectedSarifOutput1 = fmt.Sprintf(`{
+const violationTemplate = `{
           "version": "2.1.0",
           "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
           "runs": [
@@ -68,7 +70,9 @@ var expectedSarifOutput1 = fmt.Sprintf(`{
               ]
             }
           ]
-        }`, version.GetNumeric(), fmt.Sprintf("file://%s", testpath))
+        }`
+
+var expectedSarifOutput1 = fmt.Sprintf(violationTemplate, version.GetNumeric(), testpath)
 
 var expectedSarifOutput2 = fmt.Sprintf(`{
           "version": "2.1.0",
@@ -127,7 +131,7 @@ func TestSarifWriter(t *testing.T) {
 		expectedOutput string
 	}{
 		{
-			name:           "Human Readable Writer: Violations",
+			name:           "Sarif Writer: Violations",
 			input:          violationsInput,
 			expectedOutput: expectedSarifOutput1,
 		},

test/e2e/help/golden/help_command.txt

@@ -18,6 +18,6 @@ Flags:
   -h, --help                 help for terrascan
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
 
 Use "terrascan [command] --help" for more information about a command.

test/e2e/help/golden/help_flag.txt

@@ -16,6 +16,6 @@ Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
 
 Use "terrascan [command] --help" for more information about a command.

test/e2e/help/golden/help_init.txt

@@ -12,4 +12,4 @@ Global Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

test/e2e/help/golden/help_scan.txt

@@ -29,4 +29,4 @@ Global Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

test/e2e/help/golden/help_server.txt

@@ -15,4 +15,4 @@ Global Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

test/e2e/help/golden/help_unsupported_command.txt

@@ -13,6 +13,6 @@ Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
 
 Use "terrascan [command] --help" for more information about a command.

test/e2e/help/golden/help_version.txt

@@ -12,4 +12,4 @@ Global Flags:
   -c, --config-path string   config file path
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")

test/e2e/help/golden/no_command.txt

@@ -18,6 +18,6 @@ Flags:
   -h, --help                 help for terrascan
   -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
   -x, --log-type string      log output type (console, json) (default "console")
-  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif) (default "human")
+  -o, --output string        output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human")
 
 Use "terrascan [command] --help" for more information about a command.

test/e2e/help/help_test.go

@@ -88,21 +88,21 @@ var _ = Describe("Help", func() {
 		})
 
 		Context("for scan command", func() {
-			It("should print help for init and exit with status code 0", func() {
+			It("should print help for scan and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "scan")
 				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, filepath.Join("golden", "help_scan.txt"), true)
 			})
 		})
 
 		Context("for server command", func() {
-			It("should print help for init and exit with status code 0", func() {
+			It("should print help for server and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "server")
 				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, filepath.Join("golden", "help_server.txt"), true)
 			})
 		})
 
 		Context("for version command", func() {
-			It("should print help for init and exit with status code 0", func() {
+			It("should print help for version and exit with status code 0", func() {
 				session = helper.RunCommand(terrascanBinaryPath, outWriter, errWriter, helpCommand, "version")
 				helpUtils.ValidateExitCodeAndOutput(session, helper.ExitCodeZero, filepath.Join("golden", "help_version.txt"), true)
 			})