Skip to content

Fix bugs when converting results to SARIF #234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
attiasas merged 2 commits into from
Nov 18, 2024
Merged

Fix bugs when converting results to SARIF #234

attiasas merged 2 commits into from
Nov 18, 2024

Conversation

@attiasas
Copy link
Contributor

@attiasas attiasas commented Nov 14, 2024
edited
Loading

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

Fixing the following bugs when parsing the results to SARIF format

Duplicate [Secret in Binary found]

image

  • Some attributes were not copied when parsing to format, when parsing for the second time it already was "padded" with the prefix which resulted in duplicate "padding"

Uri attribute is empty on binary scan

  "locations": [
           {
             "physicalLocation": {
               "artifactLocation": {
                 "uri": ""
               }
             },
             "logicalLocations": [
               {
                 "name": "38610c0cfc18becc30c87e0af68f1c43c5cdc0ef10d920dde284df0d58fb00e1",
                 "kind": "layer",
                 "properties": {
                   "algorithm": "sha256"
                 }
               }
             ]
           }
         ],
  • For Docker targets (and some binaries), the target.Target is a file and not a directory and we set it as the wd of the SCA Sarig run, when we are translating the results location to relative paths it had uri=wd which resulted in leaving empty value

@attiasas attiasas added bug Something isn't working safe to test Approve running integration tests on a pull request labels Nov 14, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 14, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Nov 17, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 17, 2024
@github-actions
Copy link

github-actions bot commented Nov 17, 2024

👍 Frogbot scanned this pull request and did not find any new security issues.

hadarshjfrog
hadarshjfrog reviewed Nov 18, 2024
View reviewed changes
utils/results/conversion/sarifparser/sarifparser.go
func (sc *CmdResultsSarifConverter) createScaRun(target results.ScanTarget, errorCount int) *sarif.Run {
run := sarif.NewRunWithInformationURI(ScaScannerToolName, utils.BaseDocumentationURL+"sca")
run.Tool.Driver.Version = &sc.xrayVersion
wd := target.Target
Copy link
Contributor

@hadarshjfrog hadarshjfrog Nov 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just my take - not crucial - but I'd keep the name close to target (t, actualTarget, etc)

hadarshjfrog
hadarshjfrog approved these changes Nov 18, 2024
View reviewed changes
Copy link
Contributor

@hadarshjfrog hadarshjfrog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code is fine - please add an explanation to the PR desc to explain the change in the satif copy mechanism

@attiasas attiasas merged commit bb72551 into jfrog:dev Nov 18, 2024
49 of 50 checks passed
@attiasas attiasas deleted the fix_sarif_parsing_bugs branch November 18, 2024 07:43
@BrewTestBot BrewTestBot mentioned this pull request Nov 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eranturgeman eranturgeman Awaiting requested review from eranturgeman

1 more reviewer

@hadarshjfrog hadarshjfrog hadarshjfrog approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@attiasas @hadarshjfrog