From 3a7b1db3603213a6909405bb33015d9178725afa Mon Sep 17 00:00:00 2001 From: haya14busa Date: Sun, 16 Jun 2024 22:04:23 +0900 Subject: [PATCH] Support related locations with the SARIF parser --- parser/sarif.go | 69 ++++++++++++++++++++++++++------------ parser/sarif_test.go | 79 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+), 21 deletions(-) diff --git a/parser/sarif.go b/parser/sarif.go index d6a51f46..ee147fa2 100644 --- a/parser/sarif.go +++ b/parser/sarif.go @@ -91,23 +91,23 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) { suggestionsMap[path] = suggestions } } - for _, location := range result.Locations { - physicalLocation := location.PhysicalLocation - artifactLocation := physicalLocation.ArtifactLocation - loc := sarif.ArtifactLocation{} - if artifactLocation != nil { - loc = *artifactLocation - } - path, err := getPath(loc, baseURIs, basedir) + + relatedLocs := []*rdf.RelatedLocation{} + for _, relLoc := range result.RelatedLocations { + loc, err := toRDFormatLocation(relLoc, baseURIs, basedir) if err != nil { - // invalid path return nil, err } - region := sarif.Region{} - if physicalLocation.Region != nil { - region = *physicalLocation.Region + l := &rdf.RelatedLocation{ + Location: loc, } - rng := getRdfRange(region) + if relLoc.Message != nil { + l.Message = getText(*relLoc.Message) + } + relatedLocs = append(relatedLocs, l) + } + + for _, location := range result.Locations { var code *rdf.Code if ruleID != "" { code = &rdf.Code{ @@ -117,20 +117,22 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) { code.Url = *rule.HelpURI } } + loc, err := toRDFormatLocation(location, baseURIs, basedir) + if err != nil { + return nil, err + } d := &rdf.Diagnostic{ - Message: message, - Location: &rdf.Location{ - Path: path, - Range: rng, - }, + Message: message, + Location: loc, Severity: severity(level), Source: &rdf.Source{ Name: name, Url: informationURI, }, - Code: code, - Suggestions: suggestionsMap[path], - OriginalOutput: string(original), + Code: code, + Suggestions: suggestionsMap[loc.GetPath()], + RelatedLocations: relatedLocs, + OriginalOutput: string(original), } ds = append(ds, d) } @@ -139,6 +141,31 @@ func (p *SarifParser) Parse(r io.Reader) ([]*rdf.Diagnostic, error) { return ds, nil } +func toRDFormatLocation(location sarif.Location, + baseURIs map[string]sarif.ArtifactLocation, + basedir string, +) (*rdf.Location, error) { + physicalLocation := location.PhysicalLocation + artifactLocation := physicalLocation.ArtifactLocation + loc := sarif.ArtifactLocation{} + if artifactLocation != nil { + loc = *artifactLocation + } + path, err := getPath(loc, baseURIs, basedir) + if err != nil { + // invalid path + return nil, err + } + region := sarif.Region{} + if physicalLocation.Region != nil { + region = *physicalLocation.Region + } + return &rdf.Location{ + Path: path, + Range: getRdfRange(region), + }, nil +} + func getPath( l sarif.ArtifactLocation, baseURIs map[string]sarif.ArtifactLocation, diff --git a/parser/sarif_test.go b/parser/sarif_test.go index 7fde7a60..4d90e5ac 100644 --- a/parser/sarif_test.go +++ b/parser/sarif_test.go @@ -356,5 +356,84 @@ var fixtures = [][]string{{ "value": "CVE-2018-14618/curl", "url": "https://avd.aquasec.com/nvd/cve-2018-14618" } +}`}, + {fmt.Sprintf(`{ + "runs": [ { + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "%s" + } + }, + "tool": { + "driver": { + "name": "driver_name" + } + }, + "results": [ + { + "ruleId": "PY2335", + "message": { + "text": "Use of tainted variable 'expr' in the insecure function 'eval'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "3-Beyond-basics/bad-eval.py" + }, + "region": { + "startLine": 4 + } + } + } + ], + "relatedLocations": [ + { + "message": { + "text": "The tainted data entered the system here." + }, + "physicalLocation": { + "artifactLocation": { + "uri": "3-Beyond-basics/bad-eval.py" + }, + "region": { + "startLine": 3 + } + } + } + ] + } + ] + } ] + } +`, basedir()), `{ + "message": "Use of tainted variable 'expr' in the insecure function 'eval'.", + "location": { + "path": "3-Beyond-basics/bad-eval.py", + "range": { + "start": { + "line": 4 + } + } + }, + "source": { + "name": "driver_name" + }, + "code": { + "value": "PY2335" + }, + "relatedLocations": [ + { + "message": "The tainted data entered the system here.", + "location": { + "path": "3-Beyond-basics/bad-eval.py", + "range": { + "start": { + "line": 3 + } + } + } + } + ] }`}, }