Support related locations with the SARIF parser

northwood-labs · Jun 16, 2024 · 3a7b1db · 3a7b1db
1 parent 52abe98
commit 3a7b1db
Show file tree

Hide file tree

Showing 2 changed files with 127 additions and 21 deletions.
diff --git a/parser/sarif.go b/parser/sarif.go
@@ -91,23 +91,23 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) {
 					suggestionsMap[path] = suggestions
 				}
 			}
-			for _, location := range result.Locations {
-				physicalLocation := location.PhysicalLocation
-				artifactLocation := physicalLocation.ArtifactLocation
-				loc := sarif.ArtifactLocation{}
-				if artifactLocation != nil {
-					loc = *artifactLocation
-				}
-				path, err := getPath(loc, baseURIs, basedir)
+
+			relatedLocs := []*rdf.RelatedLocation{}
+			for _, relLoc := range result.RelatedLocations {
+				loc, err := toRDFormatLocation(relLoc, baseURIs, basedir)
 				if err != nil {
-					// invalid path
 					return nil, err
 				}
-				region := sarif.Region{}
-				if physicalLocation.Region != nil {
-					region = *physicalLocation.Region
+				l := &rdf.RelatedLocation{
+					Location: loc,
 				}
-				rng := getRdfRange(region)
+				if relLoc.Message != nil {
+					l.Message = getText(*relLoc.Message)
+				}
+				relatedLocs = append(relatedLocs, l)
+			}
+
+			for _, location := range result.Locations {
 				var code *rdf.Code
 				if ruleID != "" {
 					code = &rdf.Code{
@@ -117,20 +117,22 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) {
 						code.Url = *rule.HelpURI
 					}
 				}
+				loc, err := toRDFormatLocation(location, baseURIs, basedir)
+				if err != nil {
+					return nil, err
+				}
 				d := &rdf.Diagnostic{
-					Message: message,
-					Location: &rdf.Location{
-						Path:  path,
-						Range: rng,
-					},
+					Message:  message,
+					Location: loc,
 					Severity: severity(level),
 					Source: &rdf.Source{
 						Name: name,
 						Url:  informationURI,
 					},
-					Code:           code,
-					Suggestions:    suggestionsMap[path],
-					OriginalOutput: string(original),
+					Code:             code,
+					Suggestions:      suggestionsMap[loc.GetPath()],
+					RelatedLocations: relatedLocs,
+					OriginalOutput:   string(original),
 				}
 				ds = append(ds, d)
 			}
@@ -139,6 +141,31 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) {
 	return ds, nil
 }
 
+func toRDFormatLocation(location sarif.Location,
+	baseURIs map[string]sarif.ArtifactLocation,
+	basedir string,
+) (*rdf.Location, error) {
+	physicalLocation := location.PhysicalLocation
+	artifactLocation := physicalLocation.ArtifactLocation
+	loc := sarif.ArtifactLocation{}
+	if artifactLocation != nil {
+		loc = *artifactLocation
+	}
+	path, err := getPath(loc, baseURIs, basedir)
+	if err != nil {
+		// invalid path
+		return nil, err
+	}
+	region := sarif.Region{}
+	if physicalLocation.Region != nil {
+		region = *physicalLocation.Region
+	}
+	return &rdf.Location{
+		Path:  path,
+		Range: getRdfRange(region),
+	}, nil
+}
+
 func getPath(
 	l sarif.ArtifactLocation,
 	baseURIs map[string]sarif.ArtifactLocation,

diff --git a/parser/sarif_test.go b/parser/sarif_test.go
@@ -356,5 +356,84 @@ var fixtures = [][]string{{
 		"value": "CVE-2018-14618/curl",
 		"url": "https://avd.aquasec.com/nvd/cve-2018-14618"
 	}
+}`},
+	{fmt.Sprintf(`{
+	"runs": [ {
+		"originalUriBaseIds": {
+			"ROOTPATH": {
+			  "uri": "%s"
+			}
+		},
+		"tool": {
+			"driver": {
+				"name": "driver_name"
+			}
+		},
+		"results": [
+			{
+				"ruleId": "PY2335",
+				"message": {
+          "text": "Use of tainted variable 'expr' in the insecure function 'eval'."
+        },
+				"locations": [
+					{
+						"physicalLocation": {
+							"artifactLocation": {
+								"uri": "3-Beyond-basics/bad-eval.py"
+							},
+							"region": {
+								"startLine": 4
+							}
+						}
+					}
+				],
+				"relatedLocations": [
+					{
+						"message": {
+							"text": "The tainted data entered the system here."
+						},
+						"physicalLocation": {
+							"artifactLocation": {
+								"uri": "3-Beyond-basics/bad-eval.py"
+							},
+							"region": {
+								"startLine": 3
+							}
+						}
+					}
+				]
+			}
+			]
+	  } ]
+  }
+`, basedir()), `{
+	"message": "Use of tainted variable 'expr' in the insecure function 'eval'.",
+	"location": {
+		"path": "3-Beyond-basics/bad-eval.py",
+    "range": {
+      "start": {
+        "line": 4
+      }
+    }
+	},
+	"source": {
+		"name": "driver_name"
+	},
+	"code": {
+		"value": "PY2335"
+	},
+  "relatedLocations": [
+    {
+      "message": "The tainted data entered the system here.",
+			"location": {
+				"path": "3-Beyond-basics/bad-eval.py",
+				"range": {
+					"start": {
+						"line": 3
+					}
+				}
+			}
+    }
+  ]
 }`},
 }