def convert_sarif(app_name, repo_context, sarif_files, findings_fname):
"""
Method to convert sarif to findings json
:param app_name: Application name
:param sarif_file:
:param findings_fname:
:return:
"""
finding_id = 1
with open(findings_fname, mode="w") as out_file:
for sf in sarif_files:
with open(sf, mode="r") as report_file:
report_data = json.loads(report_file.read())
# skip this file if the data is empty
if not report_data or not report_data.get("runs"):
continue
# Iterate through all the runs
for run in report_data["runs"]:
try:
rules = {
r["id"]: r
for r in run["tool"]["driver"]["rules"]
}
results = run["results"]
for result in results:
rule = rules.get(result["ruleId"])
for location in result["locations"]:
finding = {
"app":
app_name,
"type":
"vuln",
"title":
result["message"]["text"],
"description":
rule["fullDescription"]["text"],
"internal_id":
"{}/{}".format(
result["ruleId"],
utils.calculate_line_hash(
location["physicalLocation"]
["region"]["snippet"]["text"]),
),
"severity":
convert_severity(result["properties"]
["issue_severity"]),
"owasp_category":
"",
"category":
result["ruleId"],
"details": {
"repoContext":
repo_context,
"name":
result["message"]["text"],
"tags":
",".join(rule["properties"]["tags"]),
"fileName":
location["physicalLocation"]
["artifactLocation"]["uri"],
"DATA_TYPE":
"OSS_SCAN",
"lineNumber":
location["physicalLocation"]["region"]
["startLine"],
},
}
out_file.write(json.dumps(finding))
finding_id = finding_id + 1
except Exception as e:
LOG.warning(
"Unable to convert the run to findings format")
def convert_sarif(app_name, repo_context, sarif_files, findings_fname):
"""
Method to convert sarif to findings json
:param app_name: Application name
:param sarif_file:
:param findings_fname:
:return:
"""
finding_id = 1
findings_list = []
rule_id_owasp_cache = {}
for sf in sarif_files:
with open(sf, mode="r") as report_file:
report_data = None
try:
report_data = json.loads(report_file.read())
# skip this file if the data is empty
if not report_data or not report_data.get("runs"):
continue
# Iterate through all the runs
for run in report_data["runs"]:
results = run.get("results")
if not results:
continue
tool_name = run.get("tool", {}).get("driver", {}).get("name")
rules = {
r["id"]: r
for r in run.get("tool", {}).get("driver", {}).get("rules")
if r and r.get("id")
}
for result in results:
rule_id = result.get("ruleId", "")
rule = rules.get(rule_id)
if not rule:
continue
owasp_category = rule_id_owasp_cache.get(rule_id, "")
if not owasp_category:
# Check the config for any available owasp category mapping
for rok, rov in config.get("rules_owasp_category").items():
if (
rok.upper() == rule_id.upper()
or rok.upper() in rule_id.upper()
):
rule_id_owasp_cache[rule_id] = rov
owasp_category = rov
category = rule.get("name")
if not category:
category = rule_id
desc = get_help(
rule_id,
rule_obj=rule,
tool_name=tool_name,
owasp_category=owasp_category,
)
short_desc = rule.get("shortDescription", {}).get("text")
if not short_desc:
short_desc = result.get("message", {}).get("text")
ngsev = convert_severity(
result.get("properties", {})["issue_severity"]
)
# Populate tags
tags = []
if "CWE" in rule_id:
tags.append(
{
"key": "cwe_category",
"value": rule_id.replace("CWE-", ""),
"shiftleft_managed": True,
}
)
if "CKV_" in rule_id or "CIS_" in rule_id or "AWS" in rule_id:
cis_rule = cis.get_rule(rule_id)
if cis_rule:
tags.append(
{
"key": "cis_category",
"value": cis_rule.get("id", ""),
"shiftleft_managed": False,
}
)
if cis_rule.get("scored"):
tags.append(
{
"key": "cis_status",
"value": "SCORED",
"shiftleft_managed": False,
}
)
for location in result.get("locations"):
filename = location["physicalLocation"]["artifactLocation"][
"uri"
]
lineno = location.get("physicalLocation", {})["region"][
"startLine"
]
end_lineno = location.get("physicalLocation", {})[
"contextRegion"
]["endLine"]
finding = {
"app": app_name,
"type": "extscan",
"title": result.get("message", {})["text"],
"description": desc,
"internal_id": "{}/{}".format(
rule_id,
utils.calculate_line_hash(
filename,
lineno,
end_lineno,
location.get("physicalLocation", {})["region"][
"snippet"
]["text"],
short_desc,
),
),
"severity": ngsev,
"owasp_category": owasp_category,
"category": category,
"details": {
"repoContext": repo_context,
"name": result.get("message", {})["text"],
"tags": ",".join(rule["properties"]["tags"]),
"fileName": filename,
"DATA_TYPE": "OSS_SCAN",
"lineNumber": lineno,
"ruleId": rule_id,
"ruleName": rule.get("name"),
"contextText": location.get("physicalLocation", {})[
"region"
]["snippet"]["text"],
"snippetText": location.get("physicalLocation", {})[
"contextRegion"
]["snippet"]["text"],
},
"tags": tags,
}
findings_list.append(finding)
finding_id = finding_id + 1
except Exception as e:
LOG.debug(e)
continue
with open(findings_fname, mode="w") as out_file:
json.dump({"findings": findings_list}, out_file)
def convert_sarif(app_name, repo_context, sarif_files, findings_fname):
"""
Method to convert sarif to findings json
:param app_name: Application name
:param sarif_file:
:param findings_fname:
:return:
"""
finding_id = 1
findings_list = []
with open(findings_fname, mode="w") as out_file:
for sf in sarif_files:
with open(sf, mode="r") as report_file:
report_data = json.loads(report_file.read())
# skip this file if the data is empty
if not report_data or not report_data.get("runs"):
continue
# Iterate through all the runs
for run in report_data["runs"]:
results = run.get("results")
if not results:
continue
rules = {
r["id"]: r
for r in run.get("tool", {}).get("driver", {}).get(
"rules") if r and r.get("id")
}
for result in results:
rule = rules.get(result.get("ruleId"))
if not rule:
continue
for location in result.get("locations"):
filename = location["physicalLocation"][
"artifactLocation"]["uri"]
lineno = location.get("physicalLocation",
{})["region"]["startLine"]
finding = {
"app":
app_name,
"type":
"extscan",
"title":
result.get("message", {}).get("text"),
"description":
rule.get("fullDescription", {}).get("text"),
"internal_id":
"{}/{}".format(
result["ruleId"],
utils.calculate_line_hash(
filename,
lineno,
location.get(
"physicalLocation",
{})["region"]["snippet"]["text"],
),
),
"severity":
convert_severity(
result.get("properties",
{})["issue_severity"]),
"owasp_category":
"",
"category":
result["ruleId"],
"details": {
"repoContext":
repo_context,
"name":
result.get("message", {})["text"],
"tags":
",".join(rule["properties"]["tags"]),
"fileName":
filename,
"DATA_TYPE":
"OSS_SCAN",
"lineNumber":
lineno,
"ruleId":
result["ruleId"],
"ruleName":
rule.get("name"),
"snippetText":
location.get(
"physicalLocation",
{})["region"]["snippet"]["text"],
"contextText":
location.get("physicalLocation", {})
["contextRegion"]["snippet"]["text"],
},
}
findings_list.append(finding)
finding_id = finding_id + 1
try:
json.dump({"findings": findings_list}, out_file)
except Exception:
LOG.debug("Unable to convert the run to findings format")