def sarif_output(outfile, scan_results, njsscan_version): log = om.SarifLog( schema_uri=('https://raw.githubusercontent.com/oasis-tcs/' 'sarif-spec/master/Schemata/sarif-schema-2.1.0.json'), version='2.1.0', runs=[ om.Run( tool=om.Tool(driver=om.ToolComponent( name='nodejsscan', information_uri='https://github.com/ajinabraham/njsscan', semantic_version=njsscan_version, version=njsscan_version), ), invocations=[ om.Invocation( end_time_utc=datetime.utcnow().strftime(TS_FORMAT), execution_successful=True, ), ], ), ], ) run = log.runs[0] add_results(scan_results, run) json_out = to_json(log) if outfile: with open(outfile, 'w') as of: of.write(json_out) else: print(json_out) return json_out
def report(manager, fileobj, sev_level, conf_level, lines=-1): """Prints issues in SARIF format :param manager: the bandit manager object :param fileobj: The output file object, which may be sys.stdout :param sev_level: Filtering severity level :param conf_level: Filtering confidence level :param lines: Number of lines to report, -1 for all """ log = om.SarifLog( schema_uri="https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", version="2.1.0", runs=[ om.Run( tool=om.Tool(driver=om.ToolComponent(name="Bandit")), invocations=[ om.Invocation( end_time_utc=datetime.datetime.utcnow().strftime(TS_FORMAT), execution_successful=True, ) ], properties={"metrics": manager.metrics.data}, ) ], ) run = log.runs[0] invocation = run.invocations[0] skips = manager.get_skipped() add_skipped_file_notifications(skips, invocation) issues = manager.get_issue_list(sev_level=sev_level, conf_level=conf_level) add_results(issues, run) serializedLog = to_json(log) with fileobj: fileobj.write(serializedLog) if fileobj.name != sys.stdout.name: LOG.info("SARIF output written to file: %s", fileobj.name)
def report( tool_name, tool_args, working_dir, metrics, skips, issues, crep_fname, file_path_list=None, ): """Prints issues in SARIF format :param tool_name: tool name :param tool_args: Args used for the tool :param working_dir: Working directory :param metrics: metrics data :param skips: skips data :param issues: issues data :param crep_fname: The output file name :param file_path_list: Full file path for any manipulation :return serialized_log: SARIF output data """ if not tool_args: tool_args = [] tool_args_str = tool_args if isinstance(tool_args, list): tool_args_str = " ".join(tool_args) repo_details = find_repo_details(working_dir) log_uuid = str(uuid.uuid4()) run_uuid = config.get("run_uuid") # working directory to use in the log WORKSPACE_PREFIX = config.get("WORKSPACE", None) wd_dir_log = WORKSPACE_PREFIX if WORKSPACE_PREFIX is not None else working_dir driver_name = config.tool_purpose_message.get(tool_name, tool_name) # Construct SARIF log log = om.SarifLog( schema_uri="https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version="2.1.0", inline_external_properties=[ om.ExternalProperties(guid=log_uuid, run_guid=run_uuid) ], runs=[ om.Run( automation_details=om.RunAutomationDetails( guid=log_uuid, description=om.Message( text="Static Analysis Security Test results using @ShiftLeft/sast-scan" ), ), tool=om.Tool( driver=om.ToolComponent( name=driver_name, full_name=driver_name, version="1.0.0-scan" ) ), invocations=[ om.Invocation( end_time_utc=datetime.datetime.utcnow().strftime(TS_FORMAT), execution_successful=True, working_directory=om.ArtifactLocation(uri=to_uri(wd_dir_log)), ) ], conversion={ "tool": om.Tool( driver=om.ToolComponent(name="@ShiftLeft/sast-scan") ), "invocation": om.Invocation( execution_successful=True, command_line=tool_args_str, arguments=tool_args, working_directory=om.ArtifactLocation(uri=to_uri(wd_dir_log)), end_time_utc=datetime.datetime.utcnow().strftime(TS_FORMAT), ), }, version_control_provenance=[ om.VersionControlDetails( repository_uri=repo_details["repositoryUri"], branch=repo_details["branch"], revision_id=repo_details["revisionId"], ) ], ) ], ) run = log.runs[0] invocation = run.invocations[0] add_skipped_file_notifications(skips, invocation) add_results(tool_name, issues, run, file_path_list, working_dir) serialized_log = to_json(log) if crep_fname: html_file = crep_fname.replace(".sarif", ".html") with io.open(crep_fname, "w") as fileobj: fileobj.write(serialized_log) if tool_name != "empty-scan": render_html(json.loads(serialized_log), html_file) if fileobj.name != sys.stdout.name: LOG.debug( "SARIF and HTML report written to file: %s, %s :thumbsup:", fileobj.name, html_file, ) return serialized_log
def report( tool_name, tool_args, working_dir, metrics, skips, issues, crep_fname, file_path_list=None, ): """Prints issues in SARIF format :param tool_name: tool name :param tool_args: Args used for the tool :param working_dir: Working directory :param metrics: metrics data :param skips: skips data :param issues: issues data :param crep_fname: The output file name :param file_path_list: Full file path for any manipulation :return serialized_log: SARIF output data """ if not tool_args: tool_args = [] tool_args_str = tool_args if isinstance(tool_args, list): tool_args_str = " ".join(tool_args) repo_details = find_repo_details(working_dir) log_uuid = str(uuid.uuid4()) run_uuid = config.get("run_uuid") # Populate metrics metrics = { "total": 0, "critical": 0, "high": 0, "medium": 0, "low": 0, } total = 0 for issue in issues: issue_dict = issue_from_dict(issue).as_dict() rule_id = issue_dict.get("test_id") # Is this rule ignored globally? if rule_id in config.ignored_rules: continue total += 1 issue_severity = issue_dict["issue_severity"] # Fix up severity for certain tools issue_severity = tweak_severity(tool_name, issue_dict) key = issue_severity.lower() if not metrics.get(key): metrics[key] = 0 metrics[key] += 1 metrics["total"] = total # working directory to use in the log WORKSPACE_PREFIX = config.get("WORKSPACE", None) wd_dir_log = WORKSPACE_PREFIX if WORKSPACE_PREFIX is not None else working_dir driver_name = config.tool_purpose_message.get(tool_name, tool_name) if tool_name != "inspect" and config.get("CI") or config.get( "GITHUB_ACTIONS"): driver_name = "ShiftLeft " + driver_name # Construct SARIF log log = om.SarifLog( schema_uri= "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version="2.1.0", inline_external_properties=[ om.ExternalProperties(guid=log_uuid, run_guid=run_uuid) ], runs=[ om.Run( automation_details=om.RunAutomationDetails( guid=log_uuid, description=om.Message( text= "Static Analysis Security Test results using @ShiftLeft/sast-scan" ), ), tool=om.Tool(driver=om.ToolComponent(name=driver_name)), invocations=[ om.Invocation( end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), execution_successful=True, working_directory=om.ArtifactLocation( uri=to_uri(wd_dir_log)), ) ], conversion={ "tool": om.Tool(driver=om.ToolComponent( name="@ShiftLeft/sast-scan")), "invocation": om.Invocation( execution_successful=True, command_line=tool_args_str, arguments=tool_args, working_directory=om.ArtifactLocation( uri=to_uri(wd_dir_log)), end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), ), }, properties={"metrics": metrics}, version_control_provenance=[ om.VersionControlDetails( repository_uri=repo_details["repositoryUri"], branch=repo_details["branch"], revision_id=repo_details["revisionId"], ) ], ) ], ) run = log.runs[0] invocation = run.invocations[0] add_skipped_file_notifications(skips, invocation) add_results(tool_name, issues, run, file_path_list, working_dir) serialized_log = to_json(log) if crep_fname: html_file = crep_fname.replace(".sarif", ".html") with io.open(crep_fname, "w") as fileobj: fileobj.write(serialized_log) render_html(json.loads(serialized_log), html_file) if fileobj.name != sys.stdout.name: LOG.debug( "SARIF and HTML report written to file: %s, %s 👍", fileobj.name, html_file, ) return serialized_log
def print_matches(self, matches, rules=None, filenames=None): """Output all the matches""" if not rules: rules = RulesCollection() # These "base" rules are not passed into formatters rules.extend([ParseError(), TransformError(), RuleError()]) results = [] for match in matches: results.append( sarif.Result( rule_id=match.rule.id, message=sarif.Message(text=match.message), level=self._to_sarif_level(match.rule.severity), locations=[ sarif.Location( physical_location=sarif.PhysicalLocation( artifact_location=sarif.ArtifactLocation( uri=match.filename, uri_base_id=self.uri_base_id, ), region=sarif.Region( start_column=match.columnnumber, start_line=match.linenumber, end_column=match.columnnumberend, end_line=match.linenumberend, ), )) ], )) # Output only the rules that have matches matched_rules = set(r.rule_id for r in results) rules_map = {r.id: r for r in list(rules)} rules = [ sarif.ReportingDescriptor( id=rule_id, short_description=sarif.MultiformatMessageString( text=rules_map[rule_id].shortdesc), full_description=sarif.MultiformatMessageString( text=rules_map[rule_id].description), help_uri=rules_map[rule_id].source_url if rules_map[rule_id] else None) for rule_id in matched_rules ] run = sarif.Run( tool=sarif.Tool(driver=sarif.ToolComponent( name='cfn-lint', short_description=sarif.MultiformatMessageString( text=('Validates AWS CloudFormation templates against' ' the resource specification and additional' ' checks.')), information_uri= 'https://github.com/aws-cloudformation/cfn-lint', rules=rules, version=cfnlint.version.__version__, ), ), original_uri_base_ids={ self.uri_base_id: sarif.ArtifactLocation( description=sarif.MultiformatMessageString( 'The directory in which cfn-lint was run.')) }, results=results, ) log = sarif.SarifLog(version=self.version, schema_uri=self.schema, runs=[run]) # IMPORTANT: 'warning' is the default level in SARIF and will be # stripped by serialization. return to_json(log)
def report( tool_name, tool_args, working_dir, metrics, skips, issues, crep_fname, file_path_list=None, ): """Prints issues in SARIF format :param tool_name: tool name :param tool_args: Args used for the tool :param working_dir: Working directory :param metrics: metrics data :param skips: skips data :param issues: issues data :param crep_fname: The output file name :param file_path_list: Full file path for any manipulation :return serialized_log: SARIF output data """ if not tool_args: tool_args = [] tool_args_str = tool_args if isinstance(tool_args, list): tool_args_str = " ".join(tool_args) repo_details = find_repo_details(working_dir) log_uuid = str(uuid.uuid4()) run_uuid = config.get("run_uuid") # Populate metrics metrics = { "total": 0, "critical": 0, "high": 0, "medium": 0, "low": 0, } metrics["total"] = len(issues) for issue in issues: issue_dict = issue_from_dict(issue).as_dict() key = issue_dict["issue_severity"].lower() if not metrics.get(key): metrics[key] = 0 metrics[key] += 1 # Construct SARIF log log = om.SarifLog( schema_uri= "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version="2.1.0", inline_external_properties=[ om.ExternalProperties(guid=log_uuid, run_guid=run_uuid) ], runs=[ om.Run( automation_details=om.RunAutomationDetails( guid=log_uuid, description=om.Message( text= "Static Analysis Security Test results using @AppThreat/sast-scan" ), ), tool=om.Tool(driver=om.ToolComponent( name=config.tool_purpose_message.get(tool_name, tool_name))), invocations=[ om.Invocation( end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), execution_successful=True, working_directory=om.ArtifactLocation( uri=to_uri(working_dir)), ) ], conversion={ "tool": om.Tool(driver=om.ToolComponent( name="@AppThreat/sast-scan")), "invocation": om.Invocation( execution_successful=True, command_line=tool_args_str, arguments=tool_args, working_directory=om.ArtifactLocation( uri=to_uri(working_dir)), end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), ), }, properties={"metrics": metrics}, version_control_provenance=[ om.VersionControlDetails( repository_uri=repo_details["repositoryUri"], branch=repo_details["branch"], revision_id=repo_details["revisionId"], ) ], ) ], ) run = log.runs[0] invocation = run.invocations[0] add_skipped_file_notifications(skips, invocation) add_results(tool_name, issues, run, file_path_list, working_dir) serialized_log = to_json(log) if crep_fname: with io.open(crep_fname, "w") as fileobj: fileobj.write(serialized_log) if fileobj.name != sys.stdout.name: LOG.info("SARIF output written to file: %s 👍", fileobj.name) return serialized_log
def report( tool_name, tool_args, working_dir, metrics, skips, issues, crep_fname, file_path_list=None, ): """Prints issues in SARIF format :param tool_name: tool name :param tool_args: Args used for the tool :param working_dir: Working directory :param metrics: metrics data :param skips: skips data :param issues: issues data :param crep_fname: The output file name :param file_path_list: Full file path for any manipulation :return serialized_log: SARIF output data """ if not tool_args: tool_args = [] tool_args_str = tool_args if isinstance(tool_args, list): tool_args_str = " ".join(tool_args) log = om.SarifLog( schema_uri= "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version="2.1.0", runs=[ om.Run( tool=om.Tool(driver=om.ToolComponent(name=tool_name)), invocations=[ om.Invocation( end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), execution_successful=True, working_directory=om.ArtifactLocation( uri=to_uri(working_dir)), ) ], conversion={ "tool": om.Tool(driver=om.ToolComponent( name="@AppThreat/sast-scan")), "invocation": om.Invocation( execution_successful=True, command_line=tool_args_str, arguments=tool_args, working_directory=om.ArtifactLocation( uri=to_uri(working_dir)), end_time_utc=datetime.datetime.utcnow().strftime( TS_FORMAT), ), }, properties={"metrics": metrics}, ) ], ) run = log.runs[0] invocation = run.invocations[0] add_skipped_file_notifications(skips, invocation) add_results(issues, run, file_path_list) serialized_log = to_json(log) if crep_fname: with io.open(crep_fname, "w") as fileobj: fileobj.write(serialized_log) if fileobj.name != sys.stdout.name: LOG.info("SARIF output written to file: %s", fileobj.name) return serialized_log