feat(reporting): Use understandable value for shortDescription in SAR…

…IF reports (#3008) Use the vulnerability title as the value of shortDescription. > The shortDescription property SHOULD be a single sentence that is understandable when visible space is limited to a single line of text. See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317845 Signed-off-by: Craig Andrews <candrews@integralblue.com>
aquasecurity · Oct 11, 2022 · 722a4cf · 722a4cf
1 parent 68128f1
commit 722a4cf
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
@@ -48,6 +48,7 @@ type SarifWriter struct {
 type sarifData struct {
 	title            string
 	vulnerabilityId  string
+	shortDescription string
 	fullDescription  string
 	helpText         string
 	helpMarkdown     string
@@ -67,6 +68,7 @@ func (sw *SarifWriter) addSarifRule(data *sarifData) {
 	r := sw.run.AddRule(data.vulnerabilityId).
 		WithName(toSarifRuleName(data.resourceClass)).
 		WithDescription(data.vulnerabilityId).
+		WithShortDescription(&sarif.MultiformatMessageString{Text: &data.shortDescription}).
 		WithFullDescription(&sarif.MultiformatMessageString{Text: &data.fullDescription}).
 		WithHelp(&sarif.MultiformatMessageString{
 			Text:     &data.helpText,
@@ -151,6 +153,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				artifactLocation: path,
 				locationMessage:  fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion),
 				resultIndex:      getRuleIndex(vuln.VulnerabilityID, ruleIndexes),
+				shortDescription: html.EscapeString(vuln.Title),
 				fullDescription:  html.EscapeString(fullDescription),
 				helpText: fmt.Sprintf("Vulnerability %v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)\n%v",
 					vuln.VulnerabilityID, vuln.Severity, vuln.PkgName, vuln.FixedVersion, vuln.VulnerabilityID, vuln.PrimaryURL, vuln.Description),
@@ -173,6 +176,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				startLine:        misconf.CauseMetadata.StartLine,
 				endLine:          misconf.CauseMetadata.EndLine,
 				resultIndex:      getRuleIndex(misconf.ID, ruleIndexes),
+				shortDescription: html.EscapeString(misconf.Title),
 				fullDescription:  html.EscapeString(misconf.Description),
 				helpText: fmt.Sprintf("Misconfiguration %v\nType: %s\nSeverity: %v\nCheck: %v\nMessage: %v\nLink: [%v](%v)\n%s",
 					misconf.ID, misconf.Type, misconf.Severity, misconf.Title, misconf.Message, misconf.ID, misconf.PrimaryURL, misconf.Description),
@@ -195,6 +199,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				startLine:        secret.StartLine,
 				endLine:          secret.EndLine,
 				resultIndex:      getRuleIndex(secret.RuleID, ruleIndexes),
+				shortDescription: html.EscapeString(secret.Title),
 				fullDescription:  html.EscapeString(secret.Match),
 				helpText: fmt.Sprintf("Secret %v\nSeverity: %v\nMatch: %s",
 					secret.Title, secret.Severity, secret.Match),

diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go
@@ -67,7 +67,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 				{
 					ID:               "CVE-2020-0001",
 					Name:             toPtr("OsPackageVulnerability"),
-					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("CVE-2020-0001")},
+					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("foobar")},
 					FullDescription:  &sarif.MultiformatMessageString{Text: toPtr("baz")},
 					DefaultConfiguration: &sarif.ReportingConfiguration{
 						Level: "error",
@@ -194,7 +194,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 				{
 					ID:               "KSV001",
 					Name:             toPtr("Misconfiguration"),
-					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("KSV001")},
+					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("Image tag ':latest' used")},
 					FullDescription:  &sarif.MultiformatMessageString{Text: toPtr("")},
 					DefaultConfiguration: &sarif.ReportingConfiguration{
 						Level: "error",
@@ -217,7 +217,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 				{
 					ID:               "KSV002",
 					Name:             toPtr("Misconfiguration"),
-					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("KSV002")},
+					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("SYS_ADMIN capability added")},
 					FullDescription:  &sarif.MultiformatMessageString{Text: toPtr("")},
 					DefaultConfiguration: &sarif.ReportingConfiguration{
 						Level: "error",
@@ -287,7 +287,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 				{
 					ID:               "aws-secret-access-key",
 					Name:             toPtr("Secret"),
-					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("aws-secret-access-key")},
+					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("AWS Secret Access Key")},
 					FullDescription:  &sarif.MultiformatMessageString{Text: toPtr("\u0026#39;AWS_secret_KEY\u0026#39;=\u0026#34;****************************************\u0026#34;")},
 					DefaultConfiguration: &sarif.ReportingConfiguration{
 						Level: "error",