From 2b5fc991dbb6e189b88409014d70a57383d170c4 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Fri, 7 Oct 2022 18:03:57 -0400
Subject: [PATCH] feat(report): set location.message (#3002)
Signed-off-by: Craig Andrews
---
 pkg/report/sarif.go | 6 +++++-
 pkg/report/sarif_test.go | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
index c85077db4a41..165c139269be 100644
--- a/pkg/report/sarif.go
+++ b/pkg/report/sarif.go
@@ -56,6 +56,7 @@ type sarifData struct {
 url string
 resultIndex int
 artifactLocation string
+ locationMessage string
 message string
 cvssScore string
 startLine int
@@ -104,7 +105,7 @@ func (sw *SarifWriter) addSarifResult(data *sarifData) {
 WithRuleIndex(data.resultIndex).
 WithMessage(sarif.NewTextMessage(data.message)).
 WithLevel(toSarifErrorLevel(data.severity)).
- WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)})
+ WithLocations([]*sarif.Location{sarif.NewLocation().WithMessage(sarif.NewTextMessage(data.locationMessage)).WithPhysicalLocation(location)})

 sw.run.AddResult(result)
 }
@@ -148,6 +149,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 url: vuln.PrimaryURL,
 resourceClass: string(res.Class),
 artifactLocation: path,
+ locationMessage: fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion),
 resultIndex: getRuleIndex(vuln.VulnerabilityID, ruleIndexes),
 fullDescription: html.EscapeString(fullDescription),
 helpText: fmt.Sprintf("Vulnerability %v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)\n%v",
@@ -167,6 +169,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 url: misconf.PrimaryURL,
 resourceClass: string(res.Class),
 artifactLocation: target,
+ locationMessage: target,
 startLine: misconf.CauseMetadata.StartLine,
 endLine: misconf.CauseMetadata.EndLine,
 resultIndex: getRuleIndex(misconf.ID, ruleIndexes),
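Review bot: The rewritten WithLocations line in addSarifResult (hunk @@ -104) packs three chained builder calls into one line of roughly 150 characters, which hides the new WithMessage call; building the location in a local first keeps the result chain readable. The message is also attached unconditionally, so a sarifData built without locationMessage (the three constructors in this patch all set it, but any other caller outside these hunks would not) emits a location whose text message is the empty string; guarding on a non-empty value keeps the SARIF output clean. addSarifResult begins outside the hunk, and the builder chain starts before the first hunk line.
```go
	loc := sarif.NewLocation().WithPhysicalLocation(location)
	if data.locationMessage != "" {
		loc = loc.WithMessage(sarif.NewTextMessage(data.locationMessage))
	}
	// … unchanged: result builder chain up to WithLevel …
		WithLocations([]*sarif.Location{loc})
	sw.run.AddResult(result)
```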
@@ -188,6 +191,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 url: builtinRulesUrl,
 resourceClass: string(res.Class),
 artifactLocation: target,
+ locationMessage: target,
 startLine: secret.StartLine,
 endLine: secret.EndLine,
 resultIndex: getRuleIndex(secret.RuleID, ruleIndexes),
diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go
index 5fa6c02abb08..4e008babc124 100644
--- a/pkg/report/sarif_test.go
+++ b/pkg/report/sarif_test.go
@@ -96,6 +96,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 Message: sarif.Message{Text: toPtr("Package: foo\nInstalled Version: 1.2.3\nVulnerability CVE-2020-0001\nSeverity: HIGH\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)")},
 Locations: []*sarif.Location{
 {
+ Message: sarif.Message{Text: toPtr("library/test: foo@1.2.3")},
 PhysicalLocation: &sarif.PhysicalLocation{
 ArtifactLocation: &sarif.ArtifactLocation{
 URI: toPtr("library/test"),
@@ -149,6 +150,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 Message: sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV001\nSeverity: HIGH\nMessage: Message\nLink: [KSV001](https://avd.aquasec.com/appshield/ksv001)")},
 Locations: []*sarif.Location{
 {
+ Message: sarif.Message{Text: toPtr("library/test")},
 PhysicalLocation: &sarif.PhysicalLocation{
 ArtifactLocation: &sarif.ArtifactLocation{
 URI: toPtr("library/test"),
@@ -171,6 +173,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 Message: sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV002\nSeverity: CRITICAL\nMessage: Message\nLink: [KSV002](https://avd.aquasec.com/appshield/ksv002)")},
 Locations: []*sarif.Location{
 {
+ Message: sarif.Message{Text: toPtr("library/test")},
 PhysicalLocation: &sarif.PhysicalLocation{
 ArtifactLocation: &sarif.ArtifactLocation{
 URI: toPtr("library/test"),
@@ -263,6 +266,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 Message: sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")},
 Locations: []*sarif.Location{
 {
+ Message: "library/test",
 PhysicalLocation: &sarif.PhysicalLocation{
 ArtifactLocation: &sarif.ArtifactLocation{
 URI: toPtr("library/test"),
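Review bot: The expected Location in hunk @@ -263 sets `Message: "library/test",`, a bare string literal, while the three sibling hunks in this file (@@ -96, @@ -149, @@ -171) and the existing Result.Message field populate the same field with `sarif.Message{Text: toPtr(...)}`; unless Location.Message has a different type in this go-sarif version, the assignment does not type-check and TestReportWriter_Sarif fails to build. It should read `Message: sarif.Message{Text: toPtr("library/test")},` to match the other expectations and the `locationMessage: target` value set in the secrets branch of Write. TestReportWriter_Sarif begins and ends outside the hunk.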