Return note field in case of zero violations (#42)

pankhurisaxena28 · sethvargo · web-flow · commit ac8f305e800c · 2024-06-27T23:20:06.000+05:30
&lt;!--
Thank you for proposing a pull request! Please note that SOME TESTS WILL
LIKELY FAIL due to how GitHub exposes secrets in Pull Requests from
forks.
Someone from the team will review your Pull Request and respond.

Please describe your change and any implementation details below.
--&gt;

---------

Signed-off-by: pankhurisaxena28 &lt;76627925+pankhurisaxena28@users.noreply.github.com&gt;
Co-authored-by: Seth Vargo &lt;seth@sethvargo.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -108,7 +108,7 @@ jobs:
           if [ "${{ steps.violations-found.outputs.iac_scan_result }}" != "passed" ]; then
             exit 1
           fi
-      
+
       - id: 'no-violations-found'
         name: 'No violations found in plan file'
         uses: './'
@@ -119,13 +119,15 @@ jobs:
           failure_criteria: 'CRITICAL:2, Operator:OR'
       - name: 'Check scan result and report not generated.'
         run: |
-          if [ "${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}" != "" ]; then
+          report_expected="tests/resources/zero_violations_sarif.json"
+          report_generated="${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}"
+          if cmp -s "$report_expected" "$report_generated"; then
             exit 1
           fi
           if [ "${{ steps.no-violations-found.outputs.iac_scan_result }}" != "passed" ]; then
             exit 1
           fi
-    
+
       - id: 'failure-criteria-satisfied'
         name: 'Failure criteria satisfied'
         uses: './'
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 node_modules/
 runner/
+dist/
 
 # Rest of the file pulled from https://github.com/github/gitignore/blob/main/Node.gitignore
 # Logs
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/src/reports/iac_scan_report_processor.ts b/src/reports/iac_scan_report_processor.ts
@@ -43,11 +43,6 @@ export abstract class IACScanReportProcessor {
     reportGenerator: ReportGenerator,
     reportName: string,
   ) {
-    if (report.violations?.length == 0) {
-      // no violations, returning as no action to take.
-      return;
-    }
-
     const generatedReport = reportGenerator.generate(report);
     logDebug(`IaC scan report generated`);
 
@@ -85,10 +80,14 @@ export class SarifReportGenerator implements ReportGenerator {
    * @param violations non empty list of violation fetched from scan API response.
    */
   generate(report: IACValidationReport): string {
+    const note: string = <string>report.note;
+    if (report.violations?.length === 0) {
+      const sarifReport: SARIFTemplate = this.constructSARIFReport(<Rule[]>[], <Result[]>[], note);
+      return JSON.stringify(sarifReport, null, 2);
+    }
     const policyToViolationMap = this.getUniqueViolation(<Violation[]>report.violations);
     const rules: Rule[] = this.constructRules(policyToViolationMap);
     const results: Result[] = this.constructResults(<Violation[]>report.violations);
-    const note: string = <string>report.note;
     const sarifReport: SARIFTemplate = this.constructSARIFReport(rules, results, note);
     return JSON.stringify(sarifReport, null, 2);
   }
diff --git a/tests/iac_scan_report_processor.test.ts b/tests/iac_scan_report_processor.test.ts
@@ -157,5 +157,21 @@ test(
         assert.deepStrictEqual(sarifJson.runs.at(0)?.results.length, 2);
       },
     );
+
+    await suite.test('zero violations, generates report with only the note', async () => {
+      const reportGenerator = new SarifReportGenerator('version');
+
+      const report: IACValidationReport = {
+        note: 'IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies.',
+        violations: <Violation[]>[],
+      };
+
+      await IACScanReportProcessor.processReport(report, reportGenerator, 'sarif.json');
+      const sarif = await fs.readFile('./sarif.json', 'utf-8');
+      const sarifJson: SARIFTemplate = JSON.parse(sarif);
+
+      assert.deepStrictEqual(sarifJson.runs.at(0)?.tool.driver.rules.length, 0);
+      assert.deepStrictEqual(sarifJson.runs.at(0)?.results.length, 0);
+    });
   },
 );
diff --git a/tests/resources/sarif.json b/tests/resources/sarif.json
@@ -3,6 +3,7 @@
     "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
     "runs": [
       {
+        "note": "IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies.",
         "tool": {
           "driver": {
             "name": "analyze-code-security-scc",

-Original file line number
+Diff line change
@@ @@ -1,5 +1,6 @@ @@
 node_modules/
 runner/
 +dist/
 # Rest of the file pulled from https://github.com/github/gitignore/blob/main/Node.gitignore
 # Logs
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",`
`4`	`4`	`"runs": [`
`5`	`5`	`{`
	`6`	`+ "note": "IaC validation is limited to certain asset types and policies. For information about supported asset types and policies for IaC validation, see https://cloud.google.com/security-command-center/docs/supported-iac-assets-policies.",`
`6`	`7`	`"tool": {`
`7`	`8`	`"driver": {`
`8`	`9`	`"name": "analyze-code-security-scc",`