fixed problem with id in suppression and added migration info (#52)

* fix old tests

* fix problem with skipping suppression when there is suppresion with id

* add migration info

Author: marwin1991

README.md

@@ -174,3 +174,29 @@ secret_convert:
     reports:
       junit: gl-secret-detection-report.xml
 ```
+
+
+### Development
+
+Create Python Virtual Environment
+```bash
+python -m venv ./venv
+```
+
+Activate Python Virtual Environment
+```bash
+source ./venv/bin/activate
+```
+
+Install dependencies
+```bash
+poetry install
+```
+
+Run tests
+```bash
+poetry run pytest
+```
+
+
+

secscanner2junit/__init__.py

@@ -44,6 +44,13 @@ def parse_arguments(args):
 
 
 def main(args=None):
+
+    print("-------------------------------------------------------------------------------")
+    print("-------- Hello! Project migrated to organisation https://logchange.dev --------")
+    print("--------    If you want to get new version change docker image to      --------")
+    print("--------                 logchange/secscanner2junit:latest             --------")
+    print("-------------------------------------------------------------------------------")
+
     if args is None:
         args = parse_arguments(sys.argv[1:])
     if args.config:
@@ -63,6 +70,12 @@ def main(args=None):
     testsuite = parser.parse()
     save_junit_report(testsuite, args.output_file)
 
+    print("-------------------------------------------------------------------------------")
+    print("-------- Hello! Project migrated to organisation https://logchange.dev --------")
+    print("--------    If you want to get new version change docker image to      --------")
+    print("--------                 logchange/secscanner2junit:latest             --------")
+    print("-------------------------------------------------------------------------------")
+
 
 if __name__ == '__main__':
     main()

secscanner2junit/config.py

@@ -48,7 +48,8 @@ def __is_vulnerability_suppressed(self, vulnerability):
                 return False
 
             if suppression.id is not None:
-                return suppression.id == vulnerability['id']
+                if suppression.id == vulnerability['id']:
+                    return True
 
             for identifier in vulnerability['identifiers']:
                 if suppression.type == identifier['type'] and suppression.value == identifier['value']:

tests/resources/test_sast/test_sast_suppression_by_id_or_type/gl-sast-report-many-with-same-name.json

@@ -0,0 +1,174 @@
+{
+  "version": "14.0.4",
+  "vulnerabilities": [
+    {
+      "id": "cccabffcfcf176e47f9138d7fbd763a83b310b071529b687cde3537a935cf251",
+      "category": "sast",
+      "name": "Spring CSRF unrestricted RequestMapping",
+      "message": "Spring CSRF unrestricted RequestMapping",
+      "description": "Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks",
+      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
+      "severity": "Medium",
+      "confidence": "High",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
+        "start_line": 23,
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
+        "method": "ping"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING",
+          "value": "SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-352",
+          "value": "352",
+          "url": "https://cwe.mitre.org/data/definitions/352.html"
+        }
+      ]
+    },
+    {
+      "id": "db914ce5737b49650ae650fc3b0fe38a531eadd8ea780f48a013419c4adec7f0",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.abc.example.springbootabcexample.PingController is a Spring endpoint (Controller)",
+      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
+        "start_line": 23,
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
+        "method": "ping"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    },
+    {
+      "id": "f4e1ee2a65c5d8837cfe6e3b16fc368f23462596f41ca15b182625a259a58baf",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.abc.example.springbootabcexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java:16",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java",
+        "start_line": 16,
+        "class": "pl.com.abc.example.springbootabcexample.FakeErrorController",
+        "method": "getDomainError"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    },
+    {
+      "id": "e5104af1e9b781ffa19a0f9299e9c44bb62b3dd62c4483e9f2e087dc03e8cd95",
+      "category": "sast",
+      "name": "HTTP headers untrusted",
+      "message": "HTTP headers untrusted",
+      "description": "Request header can easily be altered by the client",
+      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:50",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
+        "start_line": 50,
+        "class": "pl.com.abc.example.springbootabcexample.PingController$IpAddressUtils",
+        "method": "getIpAddressFromRequest"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SERVLET_HEADER",
+          "value": "SERVLET_HEADER",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SERVLET_HEADER"
+        }
+      ]
+    },
+    {
+      "id": "dd623e3dafc27991b80b00c2b38b8ec69ef4b2635a5838622b3efb921e2cbfac",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "8e968b3dea7c8b68b43c07ab9b37c120:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:11",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "start_line": 11,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "method": "getSomeFakeError"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    }
+  ],
+  "scan": {
+    "analyzer": {
+      "id": "spotbugs",
+      "name": "Spotbugs",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "3.2.1"
+    },
+    "scanner": {
+      "id": "find_sec_bugs",
+      "name": "Find Security Bugs",
+      "url": "https://spotbugs.github.io",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "4.7.0"
+    },
+    "type": "sast",
+    "start_time": "2022-08-04T05:31:38",
+    "end_time": "2022-08-04T05:32:16",
+    "status": "success"
+  }
+}

tests/resources/test_sast/test_sast_suppression_by_id_or_type/ss2ju-config.yml

@@ -0,0 +1,7 @@
+sast:
+  suppressions:
+    - id: "cccabffcfcf176e47f9138d7fbd763a83b310b071529b687cde3537a935cf251"
+    - type: "cwe"
+      value: "2555"
+    - type: "find_sec_bugs_type"
+      value: "SPRING_ENDPOINT"

tests/test_config.py

@@ -7,7 +7,7 @@ class TestConfig(unittest.TestCase):
 
     def test_get_config_no_file(self):
         # given:
-        input_config_path = "resources/test_config/test_get_config_no_file/ss2ju-config.yml"
+        input_config_path = "tests/resources/test_config/test_get_config_no_file/ss2ju-config.yml"
 
         # when:
         config = get_config(input_config_path)
@@ -18,7 +18,7 @@ def test_get_config_no_file(self):
 
     def test_get_config_empty_file(self):
         # given:
-        input_config_path = "resources/test_config/test_get_config_empty_file/ss2ju-config.yml"
+        input_config_path = "tests/resources/test_config/test_get_config_empty_file/ss2ju-config.yml"
 
         # when:
         config = get_config(input_config_path)
@@ -29,7 +29,7 @@ def test_get_config_empty_file(self):
 
     def test_get_config(self):
         # given:
-        input_config_path = "resources/test_config/test_get_config/ss2ju-config.yml"
+        input_config_path = "tests/resources/test_config/test_get_config/ss2ju-config.yml"
 
         # when:
         config = get_config(input_config_path)

tests/test_container_scanning.py

@@ -9,8 +9,8 @@ class TestContainerScanningParser(unittest.TestCase):
 
     def test_basic(self):
         # given:
-        input_report_path = "resources/test_container_scanning/test_basic/gl-container-scanning-report.json"
-        missing_config_path = "resources/test_container_scanning/test_basic/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_container_scanning/test_basic/gl-container-scanning-report.json"
+        missing_config_path = "tests/resources/test_container_scanning/test_basic/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(missing_config_path)

tests/test_sast.py

@@ -8,8 +8,8 @@
 class TestSast(unittest.TestCase):
 
     def test_empty_report(self):
-        input_report_path = "resources/test_sast/test_empty/gl-sast-report.json"
-        missing_config_path = "resources/test_sast/test_empty/no-config.yml"
+        input_report_path = "tests/resources/test_sast/test_empty/gl-sast-report.json"
+        missing_config_path = "tests/resources/test_sast/test_empty/no-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(missing_config_path)
@@ -22,8 +22,8 @@ def test_empty_report(self):
         self.assertEqual(len(testsuite.pop().test_cases), 0)
 
     def test_sast_basic(self):
-        input_report_path = "resources/test_sast/test_basic/gl-sast-report.json"
-        missing_config_path = "resources/test_sast/test_basic/no-config.yml"
+        input_report_path = "tests/resources/test_sast/test_basic/gl-sast-report.json"
+        missing_config_path = "tests/resources/test_sast/test_basic/no-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(missing_config_path)
@@ -37,8 +37,8 @@ def test_sast_basic(self):
 
     def test_sast_suppression(self):
         # given:
-        input_report_path = "resources/test_sast/test_sast_suppression/gl-sast-report-many-with-same-name.json"
-        input_config_path = "resources/test_sast/test_sast_suppression/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_sast/test_sast_suppression/gl-sast-report-many-with-same-name.json"
+        input_config_path = "tests/resources/test_sast/test_sast_suppression/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(input_config_path)
@@ -52,8 +52,8 @@ def test_sast_suppression(self):
 
     def test_sast_suppression_by_id(self):
         # given:
-        input_report_path = "resources/test_sast/test_sast_suppression_by_id/gl-sast-report-many-with-same-name.json"
-        input_config_path = "resources/test_sast/test_sast_suppression_by_id/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_sast/test_sast_suppression_by_id/gl-sast-report-many-with-same-name.json"
+        input_config_path = "tests/resources/test_sast/test_sast_suppression_by_id/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(input_config_path)
@@ -65,6 +65,21 @@ def test_sast_suppression_by_id(self):
         # then:
         self.assertEqual(len(testsuite.pop().test_cases), 4)
 
+    def test_sast_suppression_by_id_or_type(self):
+        # given:
+        input_report_path = "tests/resources/test_sast/test_sast_suppression_by_id_or_type/gl-sast-report-many-with-same-name.json"
+        input_config_path = "tests/resources/test_sast/test_sast_suppression_by_id_or_type/ss2ju-config.yml"
+
+        report = get_report(input_report_path)
+        config = get_config(input_config_path)
+        parser = SastParser(report, input_report_path, config)
+
+        # when:
+        testsuite = parser.parse()
+
+        # then:
+        self.assertEqual(len(testsuite.pop().test_cases), 1)
+
 
 def get_report(path):
     with open(path) as input_file:

tests/test_secrets.py

@@ -9,8 +9,8 @@ class TestSecretsParser(unittest.TestCase):
 
     def test_empty_report(self):
         # given:
-        input_report_path = "resources/test_secrets/test_empty/gl-secret-detection-report.json"
-        missing_config_path = "resources/test_secrets/test_basic/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_secrets/test_empty/gl-secret-detection-report.json"
+        missing_config_path = "tests/resources/test_secrets/test_basic/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(missing_config_path)
@@ -24,8 +24,8 @@ def test_empty_report(self):
 
     def test_basic(self):
         # given:
-        input_report_path = "resources/test_secrets/test_basic/gl-secret-detection-report.json"
-        missing_config_path = "resources/test_secrets/test_basic/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_secrets/test_basic/gl-secret-detection-report.json"
+        missing_config_path = "tests/resources/test_secrets/test_basic/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(missing_config_path)
@@ -48,8 +48,8 @@ def test_basic(self):
 
     def test_secret_suppression(self):
         # given:
-        input_report_path = "resources/test_secrets/test_secrets_suppression/gl-secret-detection-report.json"
-        input_config_path = "resources/test_secrets/test_secrets_suppression/ss2ju-config.yml"
+        input_report_path = "tests/resources/test_secrets/test_secrets_suppression/gl-secret-detection-report.json"
+        input_config_path = "tests/resources/test_secrets/test_secrets_suppression/ss2ju-config.yml"
 
         report = get_report(input_report_path)
         config = get_config(input_config_path)