diff --git a/src/lib/parser-cov.cc b/src/lib/parser-cov.cc
index 5539e167..b0b8be4c 100644
--- a/src/lib/parser-cov.cc
+++ b/src/lib/parser-cov.cc
@@ -31,6 +31,9 @@
 #include
+#define RE_CHECKER_LINE_ANNOT " *\\([^)]+\\)"
+#define RE_CHECKER_LINE_SUFFIX "(?: \\[#def[0-9]+\\])?(?: \\[important\\])?"
+
 namespace CovParserImpl {
 class LineReader {
@@ -147,8 +150,10 @@ class ErrFileLexer {
 const RE reComment_ = RE("^(#)(.*)$");
- const RE reChecker_ =
- RE("^Error: *(" RE_CHECKER_NAME ")( *\\([^)]+\\))? *:(?: \\[#def[0-9]+\\])?$");
+ const RE reChecker_ = RE(
+ "^Error: *(" RE_CHECKER_NAME ")"
+ "(" RE_CHECKER_LINE_ANNOT ")? *:"
+ RE_CHECKER_LINE_SUFFIX "$");
 const RE reEvent_ = RE(/* location */ "^(" RE_PATH ")(?::([0-9]+|<[Uu]nknown>))?(?::([0-9]+))?"
diff --git a/tests/csgrep/0126-cov-parser-imp-flag-args.txt b/tests/csgrep/0126-cov-parser-imp-flag-args.txt
new file mode 100644
index 00000000..7df3c951
--- /dev/null
+++ b/tests/csgrep/0126-cov-parser-imp-flag-args.txt
@@ -0,0 +1 @@
+--mode=json
diff --git a/tests/csgrep/0126-cov-parser-imp-flag-stdin.txt b/tests/csgrep/0126-cov-parser-imp-flag-stdin.txt
new file mode 100644
index 00000000..51fd6176
--- /dev/null
+++ b/tests/csgrep/0126-cov-parser-imp-flag-stdin.txt
@@ -0,0 +1,3 @@
+Error: SIGMA.container_requesting_net_raw (CWE-269): [#def1] [important]
+unpacked_remote_sources/cachito-gomod-with-deps/app/vertical-pod-autoscaler/hack/e2e/k8s-metrics-server.yaml:184: Sigma main event: The Kubernetes container requests the `NET_RAW` capability, either explicitly or by default, granting access to the host's network interfaces.
+unpacked_remote_sources/cachito-gomod-with-deps/app/vertical-pod-autoscaler/hack/e2e/k8s-metrics-server.yaml:184: remediation: Explicitly remove the `NET_RAW` capability for a container by adding either `NET_RAW` or `ALL` to the `securityContext.capabilities.drop` list, avoid adding the `NET_RAW` capability to the `securityContext.capabilities.add` list. 
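Review bot: The new `RE_CHECKER_LINE_SUFFIX` only tolerates the `[important]` flag — `(?: \\[important\\])?` is a non-capturing group, so `reChecker_` accepts the line but the flag is discarded, and the expected output in 0126-cov-parser-imp-flag-stdout.txt carries no trace of it. If the importance marker is meant to reach the defect model (the test name and the existing 0124-sarif-writer-imp case suggest the project has such a notion), make the group capture, `#define RE_CHECKER_LINE_SUFFIX "(?: \\[#def[0-9]+\\])?( \\[important\\])?"`, and have the lexer read the new group; if dropping it is intentional, say so in a comment on the macro. Either way the two new macros deserve a one-line comment each stating the input text they match, e.g. `// optional "(CWE-NNN)"-style annotation after the checker name` and `// optional "[#defN]" key and "[important]" flag after the colon, in that order`. Note also that the suffix fixes the order `[#defN] [important]`; a line with the flags swapped would fail to lex, which is fine if Coverity guarantees the order but may deserve a fixture of its own. The ErrFileLexer class continues outside the hunk.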
diff --git a/tests/csgrep/0126-cov-parser-imp-flag-stdout.txt b/tests/csgrep/0126-cov-parser-imp-flag-stdout.txt
new file mode 100644
index 00000000..ccd182ea
--- /dev/null
+++ b/tests/csgrep/0126-cov-parser-imp-flag-stdout.txt
@@ -0,0 +1,26 @@
+{
+ "defects": [
+ {
+ "checker": "SIGMA.container_requesting_net_raw",
+ "cwe": 269,
+ "tool": "coverity",
+ "key_event_idx": 0,
+ "events": [
+ {
+ "file_name": "unpacked_remote_sources/cachito-gomod-with-deps/app/vertical-pod-autoscaler/hack/e2e/k8s-metrics-server.yaml",
+ "line": 184,
+ "event": "Sigma main event",
+ "message": "The Kubernetes container requests the `NET_RAW` capability, either explicitly or by default, granting access to the host's network interfaces.",
+ "verbosity_level": 0
+ },
+ {
+ "file_name": "unpacked_remote_sources/cachito-gomod-with-deps/app/vertical-pod-autoscaler/hack/e2e/k8s-metrics-server.yaml",
+ "line": 184,
+ "event": "remediation",
+ "message": "Explicitly remove the `NET_RAW` capability for a container by adding either `NET_RAW` or `ALL` to the `securityContext.capabilities.drop` list, avoid adding the `NET_RAW` capability to the `securityContext.capabilities.add` list.",
+ "verbosity_level": 1
+ }
+ ]
+ }
+ ]
+}
diff --git a/tests/csgrep/CMakeLists.txt b/tests/csgrep/CMakeLists.txt
index 0eb6b87f..c620ca2f 100644
--- a/tests/csgrep/CMakeLists.txt
+++ b/tests/csgrep/CMakeLists.txt
@@ -169,3 +169,4 @@ test_csgrep("0122-json-parser-cov-v10-column" )
 test_csgrep("0123-csgrep-hash-v1" )
 test_csgrep("0124-sarif-writer-imp" )
 test_csgrep("0125-sarif-parser-bom" )
+test_csgrep("0126-cov-parser-imp-flag" )