fix some bugs

Author: attiasas

jas/runner/jasrunner.go

@@ -137,15 +137,12 @@ func runSecretsScan(securityParallelRunner *utils.SecurityParallelRunner, scanne
 		vulnerabilitiesResults, violationsResults, err := secrets.RunSecretsScan(scanner, secretsScanType, module, threadId)
 		securityParallelRunner.ResultsMu.Lock()
 		defer securityParallelRunner.ResultsMu.Unlock()
-
+		// We first add the scan results and than check for errors to store the exit code to report it in the end
 		extendedScanResults.NewJasScanResults(jasutils.Secrets, vulnerabilitiesResults, violationsResults, jas.GetAnalyzerManagerExitCode(err))
-		err = jas.ParseAnalyzerManagerError(jasutils.Secrets, err)
-
-		if err != nil {
+		if err = jas.ParseAnalyzerManagerError(jasutils.Secrets, err); err != nil {
 			return fmt.Errorf("%s%s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}
-		err = dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.Secrets)
-		return
+		return dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.Secrets)
 	}
 }
 
@@ -158,15 +155,12 @@ func runIacScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *j
 		vulnerabilitiesResults, violationsResults, err := iac.RunIacScan(scanner, module, threadId)
 		securityParallelRunner.ResultsMu.Lock()
 		defer securityParallelRunner.ResultsMu.Unlock()
-
+		// We first add the scan results and than check for errors to store the exit code to report it in the end
 		extendedScanResults.NewJasScanResults(jasutils.IaC, vulnerabilitiesResults, violationsResults, jas.GetAnalyzerManagerExitCode(err))
-		err = jas.ParseAnalyzerManagerError(jasutils.IaC, err)
-
-		if err != nil {
+		if err = jas.ParseAnalyzerManagerError(jasutils.IaC, err); err != nil {
 			return fmt.Errorf("%s%s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}
-		err = dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.IaC)
-		return
+		return dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.IaC)
 	}
 }
 
@@ -179,15 +173,12 @@ func runSastScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *
 		vulnerabilitiesResults, violationsResults, err := sast.RunSastScan(scanner, module, signedDescriptions, threadId)
 		securityParallelRunner.ResultsMu.Lock()
 		defer securityParallelRunner.ResultsMu.Unlock()
-
+		// We first add the scan results and than check for errors to store the exit code to report it in the end
 		extendedScanResults.NewJasScanResults(jasutils.Sast, vulnerabilitiesResults, violationsResults, jas.GetAnalyzerManagerExitCode(err))
-		err = jas.ParseAnalyzerManagerError(jasutils.Sast, err)
-
-		if err != nil {
+		if err = jas.ParseAnalyzerManagerError(jasutils.Sast, err); err != nil {
 			return fmt.Errorf("%s%s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}
-		err = dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.Sast)
-		return
+		return dumpSarifRunToFileIfNeeded(vulnerabilitiesResults, scansOutputDir, jasutils.Sast)
 	}
 }
 
@@ -202,15 +193,12 @@ func runContextualScan(securityParallelRunner *utils.SecurityParallelRunner, sca
 		caScanResults, err := applicability.RunApplicabilityScan(scanResults.GetScaScansXrayResults(), *directDependencies, scanner, thirdPartyApplicabilityScan, scanType, module, threadId)
 		securityParallelRunner.ResultsMu.Lock()
 		defer securityParallelRunner.ResultsMu.Unlock()
-
+		// We first add the scan results and than check for errors to store the exit code to report it in the end
 		scanResults.JasResults.NewApplicabilityScanResults(caScanResults, jas.GetAnalyzerManagerExitCode(err))
-		err = jas.ParseAnalyzerManagerError(jasutils.Applicability, err)
-
-		if err != nil {
+		if err = jas.ParseAnalyzerManagerError(jasutils.Applicability, err); err != nil {
 			return fmt.Errorf("%s%s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}
-		err = dumpSarifRunToFileIfNeeded(caScanResults, scansOutputDir, jasutils.Applicability)
-		return
+		return dumpSarifRunToFileIfNeeded(caScanResults, scansOutputDir, jasutils.Applicability)
 	}
 }
 

utils/formats/sarifutils/sarifutils.go

@@ -681,7 +681,7 @@ func GetRuleById(run *sarif.Run, ruleId string) *sarif.ReportingDescriptor {
 }
 
 func GetRuleFullDescription(rule *sarif.ReportingDescriptor) string {
-	if rule.FullDescription != nil && rule.FullDescription.Text != nil {
+	if rule != nil && rule.FullDescription != nil && rule.FullDescription.Text != nil {
 		return *rule.FullDescription.Text
 	}
 	return ""
@@ -710,7 +710,7 @@ func GetRuleHelpMarkdown(rule *sarif.ReportingDescriptor) string {
 }
 
 func GetRuleShortDescription(rule *sarif.ReportingDescriptor) string {
-	if rule.ShortDescription != nil && rule.ShortDescription.Text != nil {
+	if rule != nil && rule.ShortDescription != nil && rule.ShortDescription.Text != nil {
 		return *rule.ShortDescription.Text
 	}
 	return ""

utils/formats/simplejsonapi.go

@@ -38,6 +38,7 @@ type ScanStatus struct {
 
 type ViolationContext struct {
 	Watch    string   `json:"watch,omitempty"`
+	IssueId  string   `json:"issueId,omitempty"`
 	Policies []string `json:"policies,omitempty"`
 }
 
@@ -97,15 +98,19 @@ type OperationalRiskViolationRow struct {
 type SourceCodeRow struct {
 	SeverityDetails
 	ViolationContext
+	ScannerInfo
 	Location
-	RuleId             string         `json:"ruleId"`
-	IssueId            string         `json:"issueId"`
-	CWE                []string       `json:"cwe,omitempty"`
-	Finding            string         `json:"finding,omitempty"`
-	Fingerprint        string         `json:"fingerprint,omitempty"`
-	Applicability      *Applicability `json:"applicability,omitempty"`
-	ScannerDescription string         `json:"scannerDescription,omitempty"`
-	CodeFlow           [][]Location   `json:"codeFlow,omitempty"`
+	Finding       string         `json:"finding,omitempty"`
+	Fingerprint   string         `json:"fingerprint,omitempty"`
+	Applicability *Applicability `json:"applicability,omitempty"`
+	CodeFlow      [][]Location   `json:"codeFlow,omitempty"`
+}
+
+type ScannerInfo struct {
+	RuleId                  string   `json:"ruleId"`
+	Cwe                     []string `json:"cwe,omitempty"`
+	ScannerShortDescription string   `json:"scannerShortDescription,omitempty"`
+	ScannerDescription      string   `json:"scannerDescription,omitempty"`
 }
 
 type Location struct {

utils/results/common.go

@@ -549,6 +549,9 @@ func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.Ap
 }
 
 func GetDependencyId(depName, version string) string {
+	if version == "" {
+		return depName
+	}
 	return fmt.Sprintf("%s:%s", depName, version)
 }
 

utils/results/conversion/convertor_test.go

@@ -46,6 +46,12 @@ func getAuditValidationParams() validations.ValidationParams {
 	}
 }
 
+func getAuditTestResults() *results.SecurityCommandResults {
+	cmdResults := results.NewCommandResults(utils.SourceCode)
+
+	return cmdResults
+}
+
 // For Summary we count unique CVE finding (issueId), for SARIF and SimpleJson we count all findings (pair of issueId+impactedComponent)
 // We have in the result 2 CVE with 2 impacted components each
 func getDockerScanValidationParams(unique bool) validations.ValidationParams {
@@ -73,6 +79,12 @@ func getDockerScanValidationParams(unique bool) validations.ValidationParams {
 	return params
 }
 
+func getDockerScanTestResults() *results.SecurityCommandResults {
+	cmdResults := results.NewCommandResults(utils.DockerImage)
+
+	return cmdResults
+}
+
 func TestConvertResults(t *testing.T) {
 	auditInputResults := testUtils.ReadCmdScanResults(t, filepath.Join(testDataDir, "audit", "audit_results.json"))
 	dockerScanInputResults := testUtils.ReadCmdScanResults(t, filepath.Join(testDataDir, "dockerscan", "docker_results.json"))

utils/results/conversion/simplejsonparser/simplejsonparser.go

@@ -72,13 +72,11 @@ func (sjc *CmdResultsSimpleJsonConverter) ParseScaIssues(target results.ScanTarg
 	if sjc.current.Statuses.ScaStatusCode == nil || *sjc.current.Statuses.ScaStatusCode == 0 {
 		sjc.current.Statuses.ScaStatusCode = &scaResponse.StatusCode
 	}
-
-	for _, applicabilityScanResult := range applicableScan {
+	for _, applicableScan := range applicableScan {
 		if sjc.current.Statuses.ApplicabilityStatusCode == nil || *sjc.current.Statuses.ApplicabilityStatusCode == 0 {
-			sjc.current.Statuses.ApplicabilityStatusCode = &applicabilityScanResult.StatusCode
+			sjc.current.Statuses.ApplicabilityStatusCode = &applicableScan.StatusCode
 		}
 	}
-
 	if violations {
 		err = sjc.parseScaViolations(target, scaResponse.Scan, results.ScanResultsToRuns(applicableScan)...)
 	} else {
@@ -209,7 +207,7 @@ func PrepareSimpleJsonViolations(target results.ScanTarget, scaResponse services
 		scaResponse.Violations,
 		jasEntitled,
 		applicabilityRuns,
-		addSimpleJsonSecurityViolation(&securityViolationsRows, pretty),
+		addSimpleJsonSecurityViolation(target, &securityViolationsRows, pretty),
 		addSimpleJsonLicenseViolation(&licenseViolationsRows, pretty),
 		addSimpleJsonOperationalRiskViolation(&operationalRiskViolationsRows, pretty),
 	)
@@ -223,13 +221,17 @@ func PrepareSimpleJsonVulnerabilities(target results.ScanTarget, scaResponse ser
 		scaResponse.Vulnerabilities,
 		entitledForJas,
 		applicabilityRuns,
-		addSimpleJsonVulnerability(&vulnerabilitiesRows, pretty),
+		addSimpleJsonVulnerability(target, &vulnerabilitiesRows, pretty),
 	)
 	return vulnerabilitiesRows, err
 }
 
-func addSimpleJsonVulnerability(vulnerabilitiesRows *[]formats.VulnerabilityOrViolationRow, pretty bool) results.ParseScaVulnerabilityFunc {
+func addSimpleJsonVulnerability(target results.ScanTarget, vulnerabilitiesRows *[]formats.VulnerabilityOrViolationRow, pretty bool) results.ParseScaVulnerabilityFunc {
 	return func(vulnerability services.Vulnerability, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesName, impactedPackagesVersion, impactedPackagesType string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error {
+		tech := target.Technology
+		if tech == "" {
+			tech = techutils.Technology(impactedPackagesType)
+		}
 		*vulnerabilitiesRows = append(*vulnerabilitiesRows,
 			formats.VulnerabilityOrViolationRow{
 				Summary: vulnerability.Summary,
@@ -246,16 +248,20 @@ func addSimpleJsonVulnerability(vulnerabilitiesRows *[]formats.VulnerabilityOrVi
 				References:               vulnerability.References,
 				JfrogResearchInformation: convertJfrogResearchInformation(vulnerability.ExtendedInformation),
 				ImpactPaths:              impactPaths,
-				Technology:               techutils.Technology(vulnerability.Technology),
+				Technology:               tech,
 				Applicable:               applicabilityStatus.ToString(pretty),
 			},
 		)
 		return nil
 	}
 }
 
-func addSimpleJsonSecurityViolation(securityViolationsRows *[]formats.VulnerabilityOrViolationRow, pretty bool) results.ParseScaViolationFunc {
+func addSimpleJsonSecurityViolation(target results.ScanTarget, securityViolationsRows *[]formats.VulnerabilityOrViolationRow, pretty bool) results.ParseScaViolationFunc {
 	return func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesName, impactedPackagesVersion, impactedPackagesType string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error {
+		tech := target.Technology
+		if tech == "" {
+			tech = techutils.Technology(impactedPackagesType)
+		}
 		*securityViolationsRows = append(*securityViolationsRows,
 			formats.VulnerabilityOrViolationRow{
 				Summary: violation.Summary,
@@ -276,7 +282,7 @@ func addSimpleJsonSecurityViolation(securityViolationsRows *[]formats.Vulnerabil
 				References:               violation.References,
 				JfrogResearchInformation: convertJfrogResearchInformation(violation.ExtendedInformation),
 				ImpactPaths:              impactPaths,
-				Technology:               techutils.Technology(violation.Technology),
+				Technology:               tech,
 				Applicable:               applicabilityStatus.ToString(pretty),
 			},
 		)
@@ -374,23 +380,22 @@ func addSimpleJsonLicense(licenseViolationsRows *[]formats.LicenseRow) results.P
 func PrepareSimpleJsonJasIssues(entitledForJas, pretty bool, jasIssues ...*sarif.Run) ([]formats.SourceCodeRow, error) {
 	var rows []formats.SourceCodeRow
 	err := results.ApplyHandlerToJasIssues(jasIssues, entitledForJas, func(run *sarif.Run, rule *sarif.ReportingDescriptor, severity severityutils.Severity, result *sarif.Result, location *sarif.Location) error {
-		scannerDescription := ""
-		if rule != nil {
-			scannerDescription = sarifutils.GetRuleFullDescription(rule)
-		}
 		rows = append(rows,
 			formats.SourceCodeRow{
-				RuleId:  sarifutils.GetResultRuleId(result),
-				IssueId: sarifutils.GetResultIssueId(result),
-				CWE:     sarifutils.GetRuleCWE(rule),
+				ScannerInfo: formats.ScannerInfo{
+					RuleId:                  sarifutils.GetResultRuleId(result),
+					Cwe:                     sarifutils.GetRuleCWE(rule),
+					ScannerDescription:      sarifutils.GetRuleFullDescription(rule),
+					ScannerShortDescription: sarifutils.GetRuleShortDescription(rule),
+				},
 				ViolationContext: formats.ViolationContext{
 					Watch:    sarifutils.GetResultWatches(result),
+					IssueId:  sarifutils.GetResultIssueId(result),
 					Policies: sarifutils.GetResultPolicies(result),
 				},
-				SeverityDetails:    severityutils.GetAsDetails(severity, jasutils.Applicable, pretty),
-				Finding:            sarifutils.GetResultMsgText(result),
-				ScannerDescription: scannerDescription,
-				Fingerprint:        sarifutils.GetResultFingerprint(result),
+				SeverityDetails: severityutils.GetAsDetails(severity, jasutils.Applicable, pretty),
+				Finding:         sarifutils.GetResultMsgText(result),
+				Fingerprint:     sarifutils.GetResultFingerprint(result),
 				Location: formats.Location{
 					File:        sarifutils.GetRelativeLocationFileName(location, run.Invocations),
 					StartLine:   sarifutils.GetLocationStartLine(location),

utils/results/results.go

@@ -503,12 +503,14 @@ func (jsr *JasScansResults) HasInformation() bool {
 }
 
 func (jsr *JasScansResults) HasInformationByType(scanType jasutils.JasScanType) bool {
+	if scanType == jasutils.Applicability && len(jsr.ApplicabilityScanResults) > 0 {
+		return true
+	}
 	for _, run := range jsr.GetVulnerabilitiesResults(scanType) {
 		if len(run.Results) > 0 {
 			return true
 		}
 	}
-
 	for _, run := range jsr.GetViolationsResults(scanType) {
 		if len(run.Results) > 0 {
 			return true

utils/techutils/techutils.go

@@ -421,29 +421,6 @@ func getDirNoTechList(technologiesDetected map[Technology]map[string][]string, d
 		// If all children exists in childNoTechList, add only the parent directory to NoTech
 		noTechList = []string{dir}
 	}
-
-	// for _, techDirs := range technologiesDetected {
-	// 	if _, exist := techDirs[dir]; exist {
-	// 		// The directory is already mapped to a technology, no need to add the dir or its sub directories to NoTech
-	// 		break
-	// 	}
-	// 	for _, child := range children {
-	// 		childNoTechList := getDirNoTechList(technologiesDetected, child, dirsList)
-	// 	}
-
-	// 	if len(children) == 0 {
-	// 		// No children directories, add the directory to NoTech
-	// 		childNoTechList = append(childNoTechList, dir)
-	// 		break
-	// 	}
-	// 	for _, child := range children {
-	// 		childNoTechList = append(childNoTechList, getDirNoTechList(technologiesDetected, child, dirsList)...)
-	// 	}
-	// 	// If all children exists in childNoTechList, add only the parent directory to NoTech
-	// 	if len(children) == len(childNoTechList) {
-	// 		childNoTechList = []string{dir}
-	// 	}
-	// }
 	return
 }
 
@@ -456,58 +433,6 @@ func getDirChildren(dir string, dirsList []string) (children []string) {
 	return
 }
 
-// func addNoTechIfNeeded(technologiesDetected map[Technology]map[string][]string, path, excludePathPattern string) (finalMap map[Technology]map[string][]string, err error) {
-// 	finalMap = technologiesDetected
-// 	noTechMap := map[string][]string{}
-// 	// TODO: not only direct, need to see if multiple levels of directories are missing technology indicators
-// 	// if all directories in are found no need for anything else,
-// 	// if one missing need to add it to NoTech
-// 	// if not one detected add only parent directory no need for each directory
-// 	directories, err := getDirectDirectories(path, excludePathPattern)
-// 	if err != nil {
-// 		return
-// 	}
-// 	for _, dir := range directories {
-// 		// Check if the directory is already mapped to a technology
-// 		isMapped := false
-// 		for _, techDirs := range finalMap {
-// 			if _, exist := techDirs[dir]; exist {
-// 				isMapped = true
-// 				break
-// 			}
-// 		}
-// 		if !isMapped {
-// 			// Add the directory to NoTech (no indicators/descriptors were found)
-// 			noTechMap[dir] = []string{}
-// 		}
-// 	}
-// 	if len(technologiesDetected) == 0 || len(noTechMap) > 0 {
-// 		// no technologies detected at all (add NoTech without any directories) or some directories were added to NoTech
-// 		finalMap[NoTech] = noTechMap
-// 	}
-// 	return
-// }
-
-// func getDirectDirectories(path, excludePathPattern string) (directories []string, err error) {
-// 	// Get all files and directories in the path, not recursive
-// 	filesOrDirsInPath, err := fspatterns.ListFiles(path, false, true, true, true, excludePathPattern)
-// 	if err != nil {
-// 		return
-// 	}
-// 	// Filter to directories only
-// 	for _, potentialDir := range filesOrDirsInPath {
-// 		isDir, e := fileutils.IsDirExists(potentialDir, true)
-// 		if e != nil {
-// 			err = errors.Join(err, fmt.Errorf("failed to check if %s is a directory: %w", potentialDir, e))
-// 			continue
-// 		}
-// 		if isDir {
-// 			directories = append(directories, potentialDir)
-// 		}
-// 	}
-// 	return
-// }
-
 // Map files to relevant working directories according to the technologies' indicators/descriptors and requested descriptors.
 // files: The file paths to map.
 // requestedDescriptors: Special requested descriptors (for example in Pip requirement.txt can have different path) for each technology.