Add Custom rules to SAST scan (#474)

jfrog · May 20, 2024 · 79fcff5 · 79fcff5
1 parent 2f214b6
commit 79fcff5
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 6 deletions.
diff --git a/.github/workflows/frogbot-scan-and-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml
@@ -21,7 +21,7 @@ jobs:
 
       # Install prerequisites
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: "16.x"
 

diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml
@@ -18,7 +18,7 @@ jobs:
 
       # Install prerequisites
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: "16.x"
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
             git config --global user.name "jfrog-ecosystem"
             git config --global user.email "eco-system@jfrog.com"
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: "16"
           check-latest: true

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           python-version: "3.x"
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: "16"
           check-latest: true
@@ -58,7 +58,7 @@ jobs:
         run: curl -fL https://install-cli.jfrog.io | sh && jf -v
 
       - name: Setup NodeJS for tests
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
           check-latest: true

diff --git a/package.json b/package.json
@@ -85,6 +85,11 @@
                     "pattern": "^$|^\\d+\\.\\d+\\.\\d+$",
                     "markdownDescription": "Specifies the JFrog Scanners version to use. (format X.X.X). By default the latest scanners version is used."
                 },
+                "jfrog.customRulesPath": {
+                    "type": "string",
+                    "scope": "resource",
+                    "markdownDescription": "Absolute Path to a local custom rules file. The file should be in JSON format and contain the additional custom rules to be applied during the scan."
+                },
                 "jfrog.xray.exclusions": {
                     "type": "string",
                     "default": "**/*{.git,test,venv,node_modules,target}*",

diff --git a/src/main/scanLogic/scanRunners/sastScan.ts b/src/main/scanLogic/scanRunners/sastScan.ts
@@ -5,6 +5,7 @@ import { AnalyzerUtils } from '../../treeDataProviders/utils/analyzerUtils';
 import { StepProgress } from '../../treeDataProviders/utils/stepProgress';
 import { Severity } from '../../types/severity';
 import { ScanResults } from '../../types/workspaceIssuesDetails';
+import { Configuration } from '../../utils/configuration';
 import { AppsConfigModule } from '../../utils/jfrogAppsConfig/jfrogAppsConfig';
 import { Translators } from '../../utils/translators';
 import { AnalyzerManager } from './analyzerManager';
@@ -26,6 +27,7 @@ import { BinaryEnvParams, JasRunner, RunArgs } from './jasRunner';
  */
 export interface SastScanRequest extends AnalyzeScanRequest {
     language: LanguageType;
+    user_rules: string;
     exclude_patterns: string[];
     excluded_rules: string[];
 }
@@ -92,6 +94,7 @@ export class SastRunner extends JasRunner {
             type: this._scanType,
             roots: this._config.GetSourceRoots(this._scanType),
             language: this._config.GetScanLanguage(),
+            user_rules: Configuration.getSastCustomRulesPath(this._logManager),
             excluded_rules: this._config.getExcludeRules(),
             exclude_patterns: this._config.GetExcludePatterns(this._scanType)
         } as SastScanRequest;

diff --git a/src/main/utils/configuration.ts b/src/main/utils/configuration.ts
@@ -1,5 +1,6 @@
 import * as vscode from 'vscode';
-import { LogLevel } from '../log/logManager';
+import * as fs from 'fs';
+import { LogLevel, LogManager } from '../log/logManager';
 export class Configuration {
     public static jfrogSectionConfigurationKey: string = 'jfrog';
     public static readonly JFROG_IDE_RELEASES_REPO_ENV: string = 'JFROG_IDE_RELEASES_REPO';
@@ -73,6 +74,24 @@ export class Configuration {
         return version;
     }
 
+    public static getSastCustomRulesPath(logManager?: LogManager): string {
+        let customRulesPath: string = vscode.workspace.getConfiguration(this.jfrogSectionConfigurationKey).get('customRulesPath', '');
+        if (customRulesPath === '') {
+            return '';
+        }
+        let fileExists: boolean = fs.existsSync(customRulesPath);
+        if (!fileExists) {
+            if (logManager) {
+                logManager.logMessage('Custom rules file not found: ' + customRulesPath, 'WARN');
+            }
+            return '';
+        }
+        if (logManager) {
+            logManager.logMessage('Using custom rules from: ' + customRulesPath, 'DEBUG');
+        }
+        return customRulesPath;
+    }
+
     /**
      * @returns the log level
      */