Sarif to HDF converter (#93)

shaopeng-gh · web-flow · commit 4144606441e2 · 2021-05-07T12:11:20.000-07:00
Signed-off-by: Shaopeng &lt;81775155+shaopeng-gh@users.noreply.github.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -50,6 +50,12 @@ jobs:
           jq 'del(.version, .platform.release)' nikto_output.json > nikto_output_jq.json
           jq 'del(.version, .platform.release)' ./sample_jsons/nikto_mapper/zero.webappsecurity.json > nikto_sample.json
           diff nikto_sample.json nikto_output_jq.json
+      - name: Test sarif mapper
+        run: |
+          heimdall_tools sarif_mapper -j ./sample_jsons/sarif_mapper/sample_input_jsons/sarif_input.sarif -o sarif_output.json
+          jq 'del(.version, .platform.release)' sarif_output.json > sarif_output_jq.json
+          jq 'del(.version, .platform.release)' ./sample_jsons/sarif_mapper/sarif_output.json > sarif_sample.json
+          diff sarif_sample.json sarif_output_jq.json
       - name: Test zap mapper webgoat.json
         run: |
           heimdall_tools zap_mapper -j ./sample_jsons/zap_mapper/sample_input_jsons/webgoat.json -n "http://mymac.com:8191" -o zap_output_webgoat.json
diff --git a/.gitignore b/.gitignore
@@ -16,3 +16,5 @@ test/tmp
 test/version_tmp
 tmp
 **/.DS_Store
+.vs/
+.vscode/
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -113,6 +113,7 @@ Style/GlobalVars:
     - 'lib/heimdall_tools/jfrog_xray_mapper.rb'
     - 'lib/heimdall_tools/nessus_mapper.rb'
     - 'lib/heimdall_tools/nikto_mapper.rb'
+    - 'lib/heimdall_tools/sarif_mapper.rb'
     - 'lib/heimdall_tools/snyk_mapper.rb'
 
 # Offense count: 10
@@ -128,5 +129,6 @@ Style/OptionalBooleanParameter:
     - 'lib/heimdall_tools/nessus_mapper.rb'
     - 'lib/heimdall_tools/netsparker_mapper.rb'
     - 'lib/heimdall_tools/nikto_mapper.rb'
+    - 'lib/heimdall_tools/sarif_mapper.rb'
     - 'lib/heimdall_tools/snyk_mapper.rb'
     - 'lib/heimdall_tools/zap_mapper.rb'
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ HeimdallTools supplies several methods to convert output from various tools to "
 - **dbprotect_mapper** - database vulnerability scanner
 - **aws_config_mapper** - assess, audit, and evaluate AWS resources
 - **netsparker_mapper** - web application security scanner
+- **sarif_mapper** - static analysis results interchange format
 
 ## Want to recommend a mapper for another tool? Please use these steps:
   1. Create an [issue](https://github.com/mitre/heimdall_tools/issues/new), and email saf@groups.mitre.org citing the issue link so we can help
@@ -267,6 +268,21 @@ FLAGS:
 example: heimdall_tools netsparker_mapper -x netsparker_results.xml -o netsparker_hdf.json
 ```
 
+## sarif_mapper
+
+sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall
+
+```
+USAGE: heimdall_tools sarif_mapper [OPTIONS] -j <sarif-results-json> -o <hdf-scan-results.json>
+
+FLAGS:
+    -j <sarif_results_json>          : path to SARIF results JSON file.
+    -o --output_prefix <prefix>      : path to output scan-results json.
+    -V --verbose                     : verbose run [optional].
+
+example: heimdall_tools sarif_mapper -j sarif_results.json -o sarif_results_hdf.json
+```
+
 ## version  
 
 Prints out the gem version
diff --git a/lib/heimdall_tools.rb b/lib/heimdall_tools.rb
@@ -16,4 +16,5 @@ module HeimdallTools
   autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
   autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
   autoload :NetsparkerMapper, 'heimdall_tools/netsparker_mapper'
+  autoload :SarifMapper, 'heimdall_tools/sarif_mapper'
 end
diff --git a/lib/heimdall_tools/cli.rb b/lib/heimdall_tools/cli.rb
@@ -123,6 +123,18 @@ def netsparker_mapper
       puts options[:output].to_s
     end
 
+    desc 'sarif_mapper', 'sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall'
+    long_desc Help.text(:sarif_mapper)
+    option :json, required: true, aliases: '-j'
+    option :output, required: true, aliases: '-o'
+    option :verbose, type: :boolean, aliases: '-V'
+    def sarif_mapper
+      hdf = HeimdallTools::SarifMapper.new(File.read(options[:json])).to_hdf
+      File.write(options[:output], hdf)
+      puts "\r\HDF Generated:\n"
+      puts options[:output].to_s
+    end
+
     desc 'version', 'prints version'
     def version
       puts VERSION
diff --git a/lib/heimdall_tools/help/sarif_mapper.md b/lib/heimdall_tools/help/sarif_mapper.md
@@ -0,0 +1,12 @@
+  sarif_mapper translates a SARIF JSON file into HDF format JSON to be viewable in Heimdall
+
+SARIF level to HDF impact Mapping:
+  SARIF level error -> HDF impact 0.7
+  SARIF level warning -> HDF impact 0.5
+  SARIF level note -> HDF impact 0.3
+  SARIF level none -> HDF impact 0.0
+  SARIF level not provided -> HDF impact 0.5 as default
+
+Examples:
+
+  heimdall_tools sarif_mapper [OPTIONS] -j <sarif-results-json> -o <hdf-scan-results.json>
diff --git a/lib/heimdall_tools/sarif_mapper.rb b/lib/heimdall_tools/sarif_mapper.rb
@@ -0,0 +1,198 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+  error: 0.7,
+  warning: 0.5,
+  note: 0.3,
+  none: 0.0
+}.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+# Loading spinner sign
+$spinner = Enumerator.new do |e|
+  loop do
+    e.yield '|'
+    e.yield '/'
+    e.yield '-'
+    e.yield '\\'
+  end
+end
+
+module HeimdallTools
+  class SarifMapper
+    def initialize(sarif_json, _name = nil, verbose = false)
+      @sarif_json = sarif_json
+      @verbose = verbose
+      begin
+        @cwe_nist_mapping = parse_mapper
+        @sarif_log = JSON.parse(@sarif_json)
+      rescue StandardError => e
+        raise "Invalid SARIF JSON file provided\n\nException: #{e}"
+      end
+    end
+
+    def extract_scaninfo(sarif_log)
+      info = {}
+      begin
+        info['policy'] = 'SARIF'
+        info['version'] = sarif_log['version']
+        info['projectName'] = 'Static Analysis Results Interchange Format'
+        info['summary'] = NA_STRING
+        info
+      rescue StandardError => e
+        raise "Error extracting project info from SARIF JSON file provided Exception: #{e}"
+      end
+    end
+
+    def finding(result)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = ''
+      if get_location(result)['uri']
+        finding['code_desc'] += " URL : #{get_location(result)['uri']}"
+      end
+      if get_location(result)['start_line']
+        finding['code_desc'] += " LINE : #{get_location(result)['start_line']}"
+      end
+      if get_location(result)['start_column']
+        finding['code_desc'] += " COLUMN : #{get_location(result)['start_column']}"
+      end
+      finding['code_desc'].strip!
+      finding['run_time'] = NA_FLOAT
+      finding['start_time'] = NA_STRING
+      finding
+    end
+
+    def add_nist_tag_from_cwe(cweid, taxonomy_name, tags_node)
+      entries = @cwe_nist_mapping.select { |x| cweid.include?(x[:cweid].to_s) && !x[:nistid].nil? }
+      tags = entries.map { |x| x[:nistid] }
+      result_tags = tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+      if result_tags.count.positive?
+        if !tags_node
+          tags_node = {}
+        end
+        if !tags_node.key?(taxonomy_name)
+          tags_node[taxonomy_name] = []
+        end
+        result_tags.each do |t|
+          tags_node[taxonomy_name] |= [t]
+        end
+      end
+      tags_node
+    end
+
+    def get_location(result)
+      location_info = {}
+      location_info['uri'] = result.dig('locations', 0, 'physicalLocation', 'artifactLocation', 'uri')
+      location_info['start_line'] = result.dig('locations', 0, 'physicalLocation', 'region', 'startLine')
+      location_info['start_column'] = result.dig('locations', 0, 'physicalLocation', 'region', 'startColumn')
+      location_info
+    end
+
+    def get_rule_info(run, result, rule_id)
+      finding = {}
+      driver = run.dig('tool', 'driver')
+      finding['driver_name'] = driver['name']
+      finding['driver_version'] = driver['version']
+      rules = driver['rules']
+      if rules
+        rule = rules.find { |x| x['id'].eql?(rule_id) }
+        if rule
+          finding['rule_name'] = rule&.[]('name')
+          finding['rule_short_description'] = rule&.[]('shortDescription')&.[]('text')
+          finding['rule_tags'] = get_tags(rule)
+          finding['rule_name'] = rule&.[]('messageStrings')&.[]('default')&.[]('text') unless finding['rule_name']
+        end
+      end
+      finding['rule_name'] = result&.[]('message')&.[]('text') unless finding['rule_name']
+      finding
+    end
+
+    def get_tags(rule)
+      result = {}
+      Array(rule&.[]('relationships')).each do |relationship|
+        taxonomy_name = relationship['target']['toolComponent']['name'].downcase
+        taxonomy_id = relationship['target']['id']
+        if !result.key?(taxonomy_name)
+          result[taxonomy_name] = []
+        end
+        result[taxonomy_name] |= [taxonomy_id]
+      end
+      result
+    end
+
+    def parse_identifiers(rule_tags, ref)
+      # Extracting id number from reference style CWE-297
+      rule_tags[ref.downcase].map { |e| e.downcase.split("#{ref.downcase}-")[1] }
+    rescue StandardError
+      []
+    end
+
+    def impact(severity)
+      severity_mapping = IMPACT_MAPPING[severity.to_sym]
+      severity_mapping.nil? ? 0.1 : severity_mapping
+    end
+
+    def parse_mapper
+      csv_data = CSV.read(CWE_NIST_MAPPING_FILE, **{ encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    def process_item(run, result, controls)
+      printf("\rProcessing: %s", $spinner.next)
+      control = controls.find { |x| x['id'].eql?(result['ruleId']) }
+
+      if control
+        control['results'] << finding(result)
+      else
+        rule_info = get_rule_info(run, result, result['ruleId'])
+        item = {}
+        item['tags']               = rule_info['rule_tags']
+        item['descriptions']       = []
+        item['refs']               = NA_ARRAY
+        item['source_location']    = { ref: get_location(result)['uri'], line: get_location(result)['start_line'] }
+        item['descriptions']       = NA_ARRAY
+        item['title']              = rule_info['rule_name'].to_s
+        item['id']                 = result['ruleId'].to_s
+        item['desc']               = rule_info['rule_short_description'].to_s
+        item['impact']             = impact(result['level'].to_s)
+        item['code']               = NA_STRING
+        item['results']            = [finding(result)]
+        item['tags']               = add_nist_tag_from_cwe(parse_identifiers(rule_info['rule_tags'], 'CWE'), 'nist', item['tags'])
+        controls << item
+      end
+    end
+
+    def to_hdf
+      controls = []
+      @sarif_log['runs'].each do |run|
+        run['results'].each do |result|
+          process_item(run, result, controls)
+        end
+      end
+
+      scaninfo = extract_scaninfo(@sarif_log)
+      results = HeimdallDataFormat.new(profile_name: scaninfo['policy'],
+                                       version: scaninfo['version'],
+                                       title: scaninfo['projectName'],
+                                       summary: scaninfo['summary'],
+                                       controls: controls,
+                                       target_id: scaninfo['projectName'])
+      results.to_hdf
+    end
+  end
+end
diff --git a/sample_jsons/sarif_mapper/sample_input_jsons/sarif_input.sarif b/sample_jsons/sarif_mapper/sample_input_jsons/sarif_input.sarif
diff --git a/sample_jsons/sarif_mapper/sarif_output.json b/sample_jsons/sarif_mapper/sarif_output.json
