
Commit c1b37f6

author
Orlando Barrera II
committed
Testing the SARIF file parsing
1 parent b5b7b53 commit c1b37f6

1 file changed

+7
-9
lines changed


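--- a/socketsecurity/core/messages.py
+++ b/socketsecurity/core/messages.py
@@ -41,11 +41,10 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
 Supports:
 1) JSON-based manifest files (package-lock.json, Pipfile.lock, composer.lock)
 - Locates a dictionary entry with the matching package & version
-- Does a rough line-based search to find the actual line in the raw text
+- Does a rough line-based search (by matching the key) in the raw text
 2) Text-based (requirements.txt, package.json, yarn.lock, etc.)
 - Uses compiled regex patterns to detect a match line by line
 """
-# Extract just the file name to detect manifest type
 file_type = Path(manifest_file).name
 logging.debug("Processing file for line lookup: %s", manifest_file)
 
@@ -68,20 +67,21 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
 found_key = None
 found_info = None
 for key, value in packages_dict.items():
+# For NPM package-lock, keys might look like "node_modules/axios"
 if key.endswith(packagename) and "version" in value:
 if value["version"] == packageversion:
 found_key = key
 found_info = value
 break
 
 if found_key and found_info:
+# Only use the found key to locate the line
 needle_key = f'"{found_key}":'
-needle_version = f'"version": "{packageversion}"'
 lines = raw_text.splitlines()
 logging.debug("Total lines in %s: %d", manifest_file, len(lines))
 for i, line in enumerate(lines, start=1):
-if (needle_key in line) or (needle_version in line):
-logging.debug("Found match at line %d in %s: %s", i, manifest_file, line.strip())
+if needle_key in line:
+logging.debug("Match found at line %d in %s: %s", i, manifest_file, line.strip())
 return i, line.strip()
 return 1, f'"{found_key}": {found_info}'
 else:
@@ -94,7 +94,6 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
 # 2) Text-based / line-based manifests
 # ----------------------------------------------------
 search_patterns = {
-# Updated pattern for package.json to allow optional '^' or '~'
 "package.json": rf'"{packagename}":\s*"[\^~]?{re.escape(packageversion)}"',
 "yarn.lock": rf'{packagename}@{packageversion}',
 "pnpm-lock.yaml": rf'"{re.escape(packagename)}"\s*:\s*\{{[^}}]*"version":\s*"{re.escape(packageversion)}"',
@@ -226,10 +225,9 @@ def create_security_comment_sarif(diff) -> dict:
 
 if not manifest_files:
 logging.error("Alert %s: No manifest file found; cannot determine file location.", rule_id)
-continue # Skip this alert if no manifest is provided
+continue
 
 logging.debug("Alert %s - using manifest_files for processing: %s", rule_id, manifest_files)
-
 # Use the first manifest for URL generation.
 logging.debug("Alert %s - Using file for URL generation: %s", rule_id, manifest_files[0])
 socket_url = Messages.get_manifest_type_url(manifest_files[0], pkg_name, pkg_version)
@@ -255,7 +253,7 @@ def create_security_comment_sarif(diff) -> dict:
 logging.debug("Alert %s - Processing manifest file: %s", rule_id, mf)
 line_number, line_content = Messages.find_line_in_file(pkg_name, pkg_version, mf)
 if line_number < 1:
-line_number = 1 # Ensure SARIF compliance.
+line_number = 1
 logging.debug("Alert %s: Manifest %s, line %d: %s", rule_id, mf, line_number, line_content)
 locations.append({
 "physicalLocation": {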
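Review bot: The new line-locating check in the second hunk, `if needle_key in line:`, is now anchored solely on `found_key`, but that key still comes from the loose suffix test a few lines above, `if key.endswith(packagename) and "version" in value:`, so for a name like `axios` a key such as `node_modules/foo-axios` (constructed example) with the same version string is accepted first and the SARIF location then points at the wrong package's line. Since the version needle was dropped in this commit, the key match should be exact per path component, e.g. `if (key == packagename or key.endswith("/" + packagename)) and "version" in value:`. The comment added above the loop could state this explicitly, e.g. `# Match the last path component exactly so "node_modules/axios" is found but "node_modules/foo-axios" is not`. find_line_in_file's body begins and ends outside this hunk.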
