Merge pull request #83 from advanced-security/add-category-tags

Add category tags

Author: aegilops

.eslintrc.json

@@ -45,7 +45,9 @@
       "semi": "off",
       "@typescript-eslint/semi": ["error", "never"],
       "@typescript-eslint/type-annotation-spacing": "error",
-      "@typescript-eslint/unbound-method": "error"
+      "@typescript-eslint/unbound-method": "error",
+      "no-shadow": "off",
+      "@typescript-eslint/no-shadow": "warn"
     },
     "env": {
       "node": true,

.github/workflows/test.yml

@@ -1,5 +1,6 @@
 name: 'build-test'
-on: # rebuild any PRs and main branch changes
+
+on:
   pull_request:
   push:
     branches:
@@ -19,12 +20,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: ./
+      - name: Run action
+        uses: ./
         with:
           sarifFile: test-data/webgoat.sarif
-      - run: grep -c '"owasp-top10-2021"' test-data/webgoat.sarif
+          outputFile: test-data/webgoat-with-security-standard-tag.sarif
+      - name: Check output
+        run: |
+          grep -c '"owasp-top10-2021"' test-data/webgoat-with-security-standard-tag.sarif
+          diff test-data/webgoat-with-security-standard-tag.sarif test-data/webgoat-with-security-standard-tag.sarif.expected
+      - name: Check error handling
+        uses: ./
+        continue-on-error: true
+        with:
+          sarifFile: test-data/webgoat1.sarif
       - name: Archive SARIF output
         uses: actions/upload-artifact@v3
         with:
           name: sarif-output
-          path: test-data/webgoat.sarif
+          path: test-data/webgoat-with-security-standard-tag.sarif

.vscode/tasks.json

@@ -6,7 +6,7 @@
         {
             "label": "Remove output SARIF file",
             "type": "shell",
-            "command": "rm ${workspaceFolder}/test-data/webgoat-with-security-standard-tag.sarif"
+            "command": "rm -f ${workspaceFolder}/test-data/webgoat-with-security-standard-tag.sarif"
         },
         {
             "label": "Build & remove output SARIF file",

README.md

@@ -3,7 +3,7 @@
 Compare a CodeQL SARIF results file to a security standard CWE list and annotate the SARIF rules with a tag to highlight results applicable to the security standard
 
 - Defaults to a comparison against the OWASP Top 10 2021 CWE mapping taken from https://cwe.mitre.org/data/xml/views/1344.xml.zip
-- Any XML file can be provided as an alternative, with the option to provide an XPath query that identifies the CWE ID values to use in the conparison
+- Any XML file can be provided as an alternative, with the option to provide an XPath query that identifies the CWE ID values to use in the comparison
 - Tag value is configurable
 
 This supports the ability to filter the Security dashboards by `tag`

design/requirements.md

@@ -1,10 +1,5 @@
 ### Requirements ###
 
 * Input a SARIF file
-* Output a report detailing alerts that map to the OWASP Top 10 2021
-  * And include alerts that are above a configurable (default high) severity rating that are not in the OWASP Top 10 2021.
+* Output a SARIF file with alerts tagged that map to the OWASP Top 10 2021
 * Allow to be run as an Action
-
-#### Stretch Goals ####
-
-* Allow timestamping via online service using hash of report