Fix applicability status calculation (#613)

Author: attiasas

commands/audit/audit_test.go

@@ -326,10 +326,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 				}},
 				IsDefault: false,
 			},
-			expectedCaApplicable:    3,
-			expectedCaUndetermined:  6,
-			expectedCaNotCovered:    4,
-			expectedCaNotApplicable: 2,
+			expectedCaNotCovered: 15,
 		},
 		// TODO Add testcase for Sca and Applicability with exclusions after resolving the Glob patterns issues
 		{
@@ -550,13 +547,10 @@ func TestAuditWithConfigProfile(t *testing.T) {
 				}},
 				IsDefault: false,
 			},
-			expectedSastIssues:      4,
-			expectedSecretsIssues:   16,
-			expectedIacIssues:       9,
-			expectedCaApplicable:    3,
-			expectedCaUndetermined:  6,
-			expectedCaNotCovered:    4,
-			expectedCaNotApplicable: 2,
+			expectedSastIssues:    4,
+			expectedSecretsIssues: 16,
+			expectedIacIssues:     9,
+			expectedCaNotCovered:  15,
 		},
 		{
 			name:        "All scanners enabled but some with exclude patterns",
@@ -589,13 +583,10 @@ func TestAuditWithConfigProfile(t *testing.T) {
 				}},
 				IsDefault: false,
 			},
-			expectedSastIssues:      0,
-			expectedSecretsIssues:   7,
-			expectedIacIssues:       9,
-			expectedCaApplicable:    3,
-			expectedCaUndetermined:  6,
-			expectedCaNotCovered:    4,
-			expectedCaNotApplicable: 2,
+			expectedSastIssues:    0,
+			expectedSecretsIssues: 7,
+			expectedIacIssues:     9,
+			expectedCaNotCovered:  15,
 		},
 	}
 	assert.NoError(t, securityTestUtils.PrepareAnalyzerManagerResource())

sca/bom/buildinfo/technologies/conan/conan_test.go

@@ -18,10 +18,10 @@ var expectedResult = &xrayUtils.GraphNode{
 	Nodes: []*xrayUtils.GraphNode{
 		{Id: "conan://zlib:1.3.1"},
 		{Id: "conan://openssl:3.0.9", Nodes: []*xrayUtils.GraphNode{{Id: "conan://zlib:1.3.1"}}},
-		{Id: "conan://meson:1.4.1", Nodes: []*xrayUtils.GraphNode{{Id: "conan://ninja:1.13.1"}}},
+		{Id: "conan://meson:1.4.1", Nodes: []*xrayUtils.GraphNode{{Id: "conan://ninja:1.13.2"}}},
 	},
 }
-var expectedUniqueDeps = []string{"conan://openssl:3.0.9", "conan://zlib:1.3.1", "conan://meson:1.4.1", "conan://ninja:1.13.1"}
+var expectedUniqueDeps = []string{"conan://openssl:3.0.9", "conan://zlib:1.3.1", "conan://meson:1.4.1", "conan://ninja:1.13.2"}
 
 func TestParseConanDependencyTree(t *testing.T) {
 	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("other", "conan"))
@@ -58,7 +58,7 @@ func TestCalculateUniqueDeps(t *testing.T) {
 		"1": {Name: "zlib", Version: "1.3.1"},
 		"2": {Name: "openssl", Version: "3.0.9"},
 		"3": {Name: "meson", Version: "1.4.1"},
-		"4": {Name: "ninja", Version: "1.13.1"},
+		"4": {Name: "ninja", Version: "1.13.2"},
 		"5": {Name: "openssl", Version: "3.0.9"}, // duplicate, should be removed
 	}
 

tests/testdata/other/conan/dependencies.json

@@ -145,8 +145,8 @@
                         "visible": true
                     },
                     "4": {
-                        "ref": "ninja/1.13.1",
-                        "require": "ninja/1.13.1",
+                        "ref": "ninja/1.13.2",
+                        "require": "ninja/1.13.2",
                         "run": true,
                         "libs": false,
                         "skip": false,
@@ -965,7 +965,7 @@
                 },
                 "dependencies": {
                     "4": {
-                        "ref": "ninja/1.13.1",
+                        "ref": "ninja/1.13.2",
                         "require": "ninja/[>=1.10.2 <2]",
                         "run": true,
                         "libs": false,
@@ -985,7 +985,7 @@
                 "test": false
             },
             "4": {
-                "ref": "ninja/1.13.1#294f8721dbcde145674f7ba44994700e",
+                "ref": "ninja/1.13.2#294f8721dbcde145674f7ba44994700e",
                 "id": "4",
                 "recipe": "Downloaded",
                 "package_id": "3593751651824fb813502c69c971267624ced41a",
@@ -1016,7 +1016,7 @@
                 "win_bash_run": null,
                 "default_options": null,
                 "options_description": null,
-                "version": "1.13.1",
+                "version": "1.13.2",
                 "topics": [
                     "ninja",
                     "build"
@@ -1079,7 +1079,7 @@
                     }
                 },
                 "conf_info": {},
-                "label": "ninja/1.13.1",
+                "label": "ninja/1.13.2",
                 "info": {
                     "settings": {
                         "os": "Linux",
@@ -1090,9 +1090,9 @@
                 "vendor": false,
                 "conandata": {
                     "sources": {
-                        "1.13.1": {
+                        "1.13.2": {
                             "sha256": "f0055ad0369bf2e372955ba55128d000cfcc21777057806015b45e4accbebf23",
-                            "url": "https://github.com/ninja-build/ninja/archive/v1.13.1.tar.gz"
+                            "url": "https://github.com/ninja-build/ninja/archive/v1.13.2.tar.gz"
                         }
                     }
                 },
@@ -1106,7 +1106,7 @@
         },
         "overrides": {},
         "resolved_ranges": {
-            "ninja/[>=1.10.2 <2]": "ninja/1.13.1"
+            "ninja/[>=1.10.2 <2]": "ninja/1.13.2"
         },
         "replaced_requires": {},
         "error": null

utils/formats/sarifutils/sarifutils.go

@@ -577,7 +577,7 @@ func GetResultMsgText(result *sarif.Result) string {
 }
 
 func GetResultRuleId(result *sarif.Result) string {
-	if result.RuleID != nil {
+	if result != nil && result.RuleID != nil {
 		return *result.RuleID
 	}
 	return ""

utils/results/common.go

@@ -476,41 +476,27 @@ func GetCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 		return nil
 	}
 	applicability := formats.Applicability{}
-	resultFound := false
 	var applicabilityStatuses []jasutils.ApplicabilityStatus
 	for _, applicabilityRun := range applicabilityScanResults {
+		// Get applicability information from the rule
 		if rule := sarifutils.GetRuleById(applicabilityRun, jasutils.CveToApplicabilityRuleId(cveId)); rule != nil {
 			applicability.ScannerDescription = sarifutils.GetRuleFullDescription(rule)
 			applicability.UndeterminedReason = sarifutils.GetRuleUndeterminedReason(rule)
-			status := getApplicabilityStatusFromRule(rule)
-			if status != "" {
+			if status := getApplicabilityStatusFromRule(rule); status != jasutils.NotScanned {
 				applicabilityStatuses = append(applicabilityStatuses, status)
 			}
 		}
-		cveResults := sarifutils.GetResultsByRuleId(jasutils.CveToApplicabilityRuleId(cveId), applicabilityRun)
-		if len(cveResults) == 0 {
-			continue
-		}
-		resultFound = true
-		for _, result := range cveResults {
-			// Add new evidences from locations
+		// Get applicability evidence from the results
+		for _, result := range sarifutils.GetResultsByRuleId(jasutils.CveToApplicabilityRuleId(cveId), applicabilityRun) {
 			for _, location := range result.Locations {
 				if evidence := getEvidence(result, location, applicabilityRun.Invocations...); evidence != nil {
 					applicability.Evidence = append(applicability.Evidence, *evidence)
 				}
 			}
 		}
 	}
-	switch {
-	case len(applicabilityStatuses) > 0:
-		applicability.Status = string(GetFinalApplicabilityStatus(applicabilityStatuses))
-	case !resultFound:
-		applicability.Status = string(jasutils.ApplicabilityUndetermined)
-	case len(applicability.Evidence) == 0:
-		applicability.Status = string(jasutils.NotApplicable)
-	default:
-		applicability.Status = string(jasutils.Applicable)
-	}
+	// Calculate final applicability status
+	applicability.Status = GetFinalApplicabilityStatus(true, applicabilityStatuses).String()
 	return &applicability
 }
 
@@ -551,16 +537,13 @@ func GetApplicableCveStatus(entitledForJas bool, applicabilityScanResults []*sar
 	if !entitledForJas || len(applicabilityScanResults) == 0 {
 		return jasutils.NotScanned
 	}
-	if len(cves) == 0 {
-		return jasutils.NotCovered
-	}
 	var applicableStatuses []jasutils.ApplicabilityStatus
 	for _, cve := range cves {
 		if cve.Applicability != nil {
 			applicableStatuses = append(applicableStatuses, jasutils.ApplicabilityStatus(cve.Applicability.Status))
 		}
 	}
-	return GetFinalApplicabilityStatus(applicableStatuses)
+	return GetFinalApplicabilityStatus(true, applicableStatuses)
 }
 
 func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.ApplicabilityStatus {
@@ -569,7 +552,7 @@ func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.Ap
 		if !ok {
 			log.Debug(fmt.Sprintf("Failed to get applicability status from rule properties for rule_id %s", sarifutils.GetRuleId(rule)))
 		}
-		switch status {
+		switch strings.ToLower(status) {
 		case "not_covered":
 			return jasutils.NotCovered
 		case "undetermined":
@@ -632,45 +615,58 @@ func shouldDisqualifyEvidence(components map[string]services.Component, evidence
 	return
 }
 
-// If we don't get any statues it means the applicability scanner didn't run -> final value is not scanned
-// If at least one cve is applicable -> final value is applicable
-// Else if at least one cve is undetermined -> final value is undetermined
-// Else if at least one cve is missing context -> final value is missing context
-// Else if all cves are not covered -> final value is not covered
-// Else (case when all cves aren't applicable) -> final value is not applicable
-func GetFinalApplicabilityStatus(applicabilityStatuses []jasutils.ApplicabilityStatus) jasutils.ApplicabilityStatus {
-	if len(applicabilityStatuses) == 0 {
+// If we don't get any statues (not scanned are ignored) it means the applicability -> scanner didn't run = not scanned, scanner run = not covered
+// If only one status -> final value is that status
+// Else If at least one status is applicable -> final value is applicable
+// Else if at least one status is undetermined -> final value is undetermined
+// Else if at least one status is missing context -> final value is missing context
+// Else if all statuses are not applicable -> final value is not applicable
+// Else (at least one status is not covered) -> final value is not covered
+func GetFinalApplicabilityStatus(hasContextualAnalysisRun bool, applicabilityStatuses []jasutils.ApplicabilityStatus) jasutils.ApplicabilityStatus {
+	actualStatuses := []jasutils.ApplicabilityStatus{}
+	for _, status := range applicabilityStatuses {
+		if status != jasutils.NotScanned {
+			actualStatuses = append(actualStatuses, status)
+		}
+	}
+	if len(actualStatuses) == 0 {
+		if hasContextualAnalysisRun {
+			// Run exists but no statuses found
+			return jasutils.NotCovered
+		}
+		// No runs so not scanned
 		return jasutils.NotScanned
 	}
+	if len(actualStatuses) == 1 {
+		// Only one status so return it directly
+		return actualStatuses[0]
+	}
 	foundUndetermined := false
 	foundMissingContext := false
-	foundNotCovered := false
-	for _, status := range applicabilityStatuses {
+	allNotApplicable := true
+	for _, status := range actualStatuses {
 		if status == jasutils.Applicable {
+			// Has at least one applicable status
 			return jasutils.Applicable
 		}
-		if status == jasutils.ApplicabilityUndetermined {
-			foundUndetermined = true
-		}
-		if status == jasutils.MissingContext {
-			foundMissingContext = true
-		}
-		if status == jasutils.NotCovered {
-			foundNotCovered = true
-		}
-
+		foundUndetermined = foundUndetermined || (status == jasutils.ApplicabilityUndetermined)
+		foundMissingContext = foundMissingContext || (status == jasutils.MissingContext)
+		allNotApplicable = allNotApplicable && (status == jasutils.NotApplicable)
 	}
 	if foundUndetermined {
+		// Has at least one undetermined status and no applicable status
 		return jasutils.ApplicabilityUndetermined
 	}
 	if foundMissingContext {
+		// Has at least one missing context status and no applicable or undetermined status
 		return jasutils.MissingContext
 	}
-	if foundNotCovered {
-		return jasutils.NotCovered
+	if allNotApplicable {
+		// All statuses are not applicable
+		return jasutils.NotApplicable
 	}
-
-	return jasutils.NotApplicable
+	// At least one status is not covered (and no applicable, undetermined or missing context and not all are not applicable)
+	return jasutils.NotCovered
 }
 
 func GetJasResultApplicability(result *sarif.Result) *formats.Applicability {