Skip to content

Commit

Permalink
feat(report): add licenses to sarif format (aquasecurity#4866)
Browse files Browse the repository at this point in the history
* feat(report): add licenses to sarif format

* update doc
  • Loading branch information
nikpivkin authored Aug 23, 2023
1 parent 07ddf47 commit 2fa264a
Show file tree
Hide file tree
Showing 3 changed files with 116 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/docs/configuration/reporting.md
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,7 @@ $ trivy image -f json -o results.json golang:1.12-alpine
| Vulnerability ||
| Misconfiguration ||
| Secret ||
| License | |
| License | |

[SARIF][sarif] can be generated with the `--format sarif` flag.

Expand Down
26 changes: 26 additions & 0 deletions pkg/report/sarif.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ const (
sarifLanguageSpecificVulnerability = "LanguageSpecificPackageVulnerability"
sarifConfigFiles = "Misconfiguration"
sarifSecretFiles = "Secret"
sarifLicenseFiles = "License"
sarifUnknownIssue = "UnknownIssue"

sarifError = "error"
Expand Down Expand Up @@ -213,6 +214,29 @@ func (sw *SarifWriter) Write(report types.Report) error {
res.Target, res.Type, secret.Title, secret.Severity, secret.Match),
})
}
for _, license := range res.Licenses {
id := fmt.Sprintf("%s:%s", license.PkgName, license.Name)
desc := fmt.Sprintf("%s in %s", license.Name, license.PkgName)
sw.addSarifResult(&sarifData{
title: "license",
vulnerabilityId: id,
severity: license.Severity,
cvssScore: severityToScore(license.Severity),
url: license.Link,
resourceClass: string(res.Class),
artifactLocation: target,
resultIndex: getRuleIndex(id, ruleIndexes),
shortDescription: desc,
fullDescription: desc,
helpText: fmt.Sprintf("License %s\nClassification: %s\nPkgName: %s\nPath: %s",
license.Name, license.Category, license.PkgName, license.FilePath),
helpMarkdown: fmt.Sprintf("**License %s**\n| PkgName | Classification | Path |\n| --- | --- | --- |\n|%s|%s|%s|",
license.Name, license.PkgName, license.Category, license.FilePath),
message: fmt.Sprintf("Artifact: %s\nLicense %s\nPkgName: %s\n Classification: %s\n Path: %s",
res.Target, license.Name, license.Category, license.PkgName, license.FilePath),
})
}

}
sw.run.ColumnKind = columnKind
sw.run.OriginalUriBaseIDs = map[string]*sarif.ArtifactLocation{
Expand Down Expand Up @@ -259,6 +283,8 @@ func toSarifRuleName(class string) string {
return sarifConfigFiles
case types.ClassSecret:
return sarifSecretFiles
case types.ClassLicense, types.ClassLicenseFile:
return sarifLicenseFiles
default:
return sarifUnknownIssue
}
Expand Down
89 changes: 89 additions & 0 deletions pkg/report/sarif_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -425,6 +425,95 @@ func TestReportWriter_Sarif(t *testing.T) {
},
},
},
{
name: "report with licenses",
input: types.Report{
Results: types.Results{
{
Target: "OS Packages",
Class: "license",
Licenses: []types.DetectedLicense{
{
Severity: "HIGH",
Category: "restricted",
PkgName: "alpine-base",
FilePath: "",
Name: "GPL-3.0",
Confidence: 1,
Link: "",
},
},
},
},
},
want: &sarif.Report{
Version: "2.1.0",
Schema: "https://json.schemastore.org/sarif-2.1.0.json",
Runs: []*sarif.Run{
{
Tool: sarif.Tool{
Driver: &sarif.ToolComponent{
FullName: lo.ToPtr("Trivy Vulnerability Scanner"),
Name: "Trivy",
Version: lo.ToPtr(""),
InformationURI: lo.ToPtr("https://github.com/aquasecurity/trivy"),
Rules: []*sarif.ReportingDescriptor{
{
ID: "alpine-base:GPL-3.0",
Name: lo.ToPtr("License"),
ShortDescription: sarif.NewMultiformatMessageString("GPL-3.0 in alpine-base"),
FullDescription: sarif.NewMultiformatMessageString("GPL-3.0 in alpine-base"),
DefaultConfiguration: sarif.NewReportingConfiguration().WithLevel("error"),
Help: sarif.NewMultiformatMessageString("License GPL-3.0\nClassification: restricted\nPkgName: alpine-base\nPath: ").
WithMarkdown("**License GPL-3.0**\n| PkgName | Classification | Path |\n| --- | --- | --- |\n|alpine-base|restricted||"),
Properties: map[string]interface{}{
"tags": []interface{}{
"license",
"security",
"HIGH",
},
"precision": "very-high",
"security-severity": "8.0",
},
},
},
},
},
Results: []*sarif.Result{
{
RuleID: lo.ToPtr("alpine-base:GPL-3.0"),
RuleIndex: lo.ToPtr(uint(0)),
Level: lo.ToPtr("error"),
Message: sarif.Message{Text: lo.ToPtr("Artifact: OS Packages\nLicense GPL-3.0\nPkgName: restricted\n Classification: alpine-base\n Path: ")},
Locations: []*sarif.Location{
{
Message: sarif.NewTextMessage(""),
PhysicalLocation: &sarif.PhysicalLocation{
ArtifactLocation: &sarif.ArtifactLocation{
URI: lo.ToPtr("OS Packages"),
URIBaseId: lo.ToPtr("ROOTPATH"),
},
Region: &sarif.Region{
StartLine: lo.ToPtr(1),
EndLine: lo.ToPtr(1),
StartColumn: lo.ToPtr(1),
EndColumn: lo.ToPtr(1),
},
},
},
},
},
},
ColumnKind: "utf16CodeUnits",
OriginalUriBaseIDs: map[string]*sarif.ArtifactLocation{
"ROOTPATH": {
URI: lo.ToPtr("file:///"),
},
},
},
},
},
},
{
name: "no vulns",
want: &sarif.Report{
Expand Down

0 comments on commit 2fa264a

Please sign in to comment.