Add SignedDescriptions SAST flag for sarif results

attiasas · attiasas · commit 49dcd3576dec · 2024-10-15T13:46:47.000+03:00
diff --git a/commands/audit/audit.go b/commands/audit/audit.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
+	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
@@ -303,6 +304,7 @@ func downloadAnalyzerManagerAndRunScanners(auditParallelRunner *utils.SecurityPa
 			DirectDependencies:          auditParams.DirectDependencies(),
 			ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,
 			ApplicableScanType:          applicability.ApplicabilityScannerType,
+			SignedDescriptions:          auditParams.OutputFormat() == format.Sarif,
 			ScanResults:                 scan,
 			TargetOutputDir:             auditParams.scanResultsOutputDir,
 		}
diff --git a/jas/runner/jasrunner.go b/jas/runner/jasrunner.go
@@ -32,11 +32,14 @@ type JasRunnerParams struct {
 
 	ScansToPreform []utils.SubScanType
 
+	// Secret scan flags
 	SecretsScanType secrets.SecretsScanType
-
+	// Contextual Analysis scan flags
+	ApplicableScanType          applicability.ApplicabilityScanType
 	DirectDependencies          *[]string
 	ThirdPartyApplicabilityScan bool
-	ApplicableScanType          applicability.ApplicabilityScanType
+	// SAST scan flags
+	SignedDescriptions bool
 
 	ScanResults     *results.TargetResults
 	TargetOutputDir string
@@ -68,7 +71,7 @@ func AddJasScannersTasks(params JasRunnerParams) (err error) {
 	if err = addJasScanTaskForModuleIfNeeded(params, utils.IacScan, runIacScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir)); err != nil {
 		return
 	}
-	return addJasScanTaskForModuleIfNeeded(params, utils.SastScan, runSastScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir))
+	return addJasScanTaskForModuleIfNeeded(params, utils.SastScan, runSastScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir, params.SignedDescriptions))
 }
 
 func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubScanType, task parallel.TaskFunc) (err error) {
@@ -157,12 +160,12 @@ func runIacScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *j
 }
 
 func runSastScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *jas.JasScanner, extendedScanResults *results.JasScansResults,
-	module jfrogappsconfig.Module, scansOutputDir string) parallel.TaskFunc {
+	module jfrogappsconfig.Module, scansOutputDir string, signedDescriptions bool) parallel.TaskFunc {
 	return func(threadId int) (err error) {
 		defer func() {
 			securityParallelRunner.JasScannersWg.Done()
 		}()
-		results, err := sast.RunSastScan(scanner, module, threadId)
+		results, err := sast.RunSastScan(scanner, module, signedDescriptions, threadId)
 		if err != nil {
 			return fmt.Errorf("%s %s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}
diff --git a/jas/sast/sastscanner.go b/jas/sast/sastscanner.go
@@ -23,16 +23,17 @@ const (
 type SastScanManager struct {
 	sastScannerResults []*sarif.Run
 	scanner            *jas.JasScanner
+	signedDescriptions bool
 	configFileName     string
 	resultsFileName    string
 }
 
-func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, threadId int) (results []*sarif.Run, err error) {
+func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, signedDescriptions bool, threadId int) (results []*sarif.Run, err error) {
 	var scannerTempDir string
 	if scannerTempDir, err = jas.CreateScannerTempDirectory(scanner, jasutils.Sast.String()); err != nil {
 		return
 	}
-	sastScanManager := newSastScanManager(scanner, scannerTempDir)
+	sastScanManager := newSastScanManager(scanner, scannerTempDir, signedDescriptions)
 	log.Info(clientutils.GetLogMsgPrefix(threadId, false) + "Running SAST scan...")
 	if err = sastScanManager.scanner.Run(sastScanManager, module); err != nil {
 		err = jas.ParseAnalyzerManagerError(jasutils.Sast, err)
@@ -45,16 +46,17 @@ func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, threadI
 	return
 }
 
-func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string) (manager *SastScanManager) {
+func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDescriptions bool) (manager *SastScanManager) {
 	return &SastScanManager{
 		sastScannerResults: []*sarif.Run{},
 		scanner:            scanner,
+		signedDescriptions: signedDescriptions,
 		configFileName:     filepath.Join(scannerTempDir, "config.yaml"),
 		resultsFileName:    filepath.Join(scannerTempDir, "results.sarif")}
 }
 
 func (ssm *SastScanManager) Run(module jfrogappsconfig.Module) (err error) {
-	if err = ssm.createConfigFile(module, ssm.scanner.Exclusions...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.signedDescriptions, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(filepath.Dir(ssm.scanner.AnalyzerManager.AnalyzerManagerFullPath)); err != nil {
@@ -74,14 +76,15 @@ type sastScanConfig struct {
 }
 
 type scanConfiguration struct {
-	Roots           []string `yaml:"roots,omitempty"`
-	Type            string   `yaml:"type,omitempty"`
-	Language        string   `yaml:"language,omitempty"`
-	ExcludePatterns []string `yaml:"exclude_patterns,omitempty"`
-	ExcludedRules   []string `yaml:"excluded-rules,omitempty"`
+	Roots              []string `yaml:"roots,omitempty"`
+	Type               string   `yaml:"type,omitempty"`
+	Language           string   `yaml:"language,omitempty"`
+	ExcludePatterns    []string `yaml:"exclude_patterns,omitempty"`
+	ExcludedRules      []string `yaml:"excluded-rules,omitempty"`
+	SignedDescriptions bool     `yaml:"signed_descriptions,omitempty"`
 }
 
-func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, exclusions ...string) error {
 	sastScanner := module.Scanners.Sast
 	if sastScanner == nil {
 		sastScanner = &jfrogappsconfig.SastScanner{}
@@ -93,11 +96,12 @@ func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, excl
 	configFileContent := sastScanConfig{
 		Scans: []scanConfiguration{
 			{
-				Type:            sastScannerType,
-				Roots:           roots,
-				Language:        sastScanner.Language,
-				ExcludedRules:   sastScanner.ExcludedRules,
-				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
+				Type:               sastScannerType,
+				Roots:              roots,
+				Language:           sastScanner.Language,
+				ExcludedRules:      sastScanner.ExcludedRules,
+				SignedDescriptions: signedDescriptions,
+				ExcludePatterns:    jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
 			},
 		},
 	}
diff --git a/jas/sast/sastscanner_test.go b/jas/sast/sastscanner_test.go
@@ -17,11 +17,12 @@ func TestNewSastScanManager(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{"currentDir"})
 	assert.NoError(t, err)
 	// Act
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", true)
 
 	// Assert
 	if assert.NotNil(t, sastScanManager) {
 		assert.NotEmpty(t, sastScanManager.configFileName)
+		assert.True(t, sastScanManager.signedDescriptions)
 		assert.NotEmpty(t, sastScanManager.resultsFileName)
 		assert.NotEmpty(t, jfrogAppsConfigForTest.Modules[0].SourceRoot)
 		assert.Equal(t, &jas.FakeServerDetails, sastScanManager.scanner.ServerDetails)
@@ -35,7 +36,7 @@ func TestSastParseResults_EmptyResults(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Arrange
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", true)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "no-violations.sarif")
 
 	// Act
@@ -57,7 +58,7 @@ func TestSastParseResults_ResultsContainIacViolations(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
 	assert.NoError(t, err)
 	// Arrange
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", false)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "contains-sast-violations.sarif")
 
 	// Act
