add violation context and attribs to simple-json and sarif

Author: attiasas

go.mod

@@ -112,7 +112,7 @@ require (
 )
 
 // attiasas:add_repo_context_scan_graph
-replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20241202080241-23f62508099d
+replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20241202121042-ba0c6c74db7a
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 

go.sum

@@ -22,8 +22,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuW
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/attiasas/jfrog-client-go v0.0.0-20241202080241-23f62508099d h1:fiImxqhkajkfANzZHJ4vE9cT99t8oRfhZlb15ndioGg=
-github.com/attiasas/jfrog-client-go v0.0.0-20241202080241-23f62508099d/go.mod h1:1a7bmQHkRmPEza9wva2+WVrYzrGbosrMymq57kyG5gU=
+github.com/attiasas/jfrog-client-go v0.0.0-20241202121042-ba0c6c74db7a h1:47orWZJqdB4YIiqnYd0ysEjvqXiwy3eadwKkHo6s1qg=
+github.com/attiasas/jfrog-client-go v0.0.0-20241202121042-ba0c6c74db7a/go.mod h1:1a7bmQHkRmPEza9wva2+WVrYzrGbosrMymq57kyG5gU=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
 github.com/beevik/etree v1.4.0/go.mod h1:cyWiXwGoasx60gHvtnEh5x8+uIjUVnjWqBvEnhnqKDA=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=

utils/formats/sarifutils/sarifutils.go

@@ -10,6 +10,61 @@ import (
 	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
+const (
+	WatchSarifPropertyKey      = "watch"
+	PoliciesSarifPropertyKey   = "policies"
+	JasIssueIdSarifPropertyKey = "issueId"
+	CWEPropertyKey             = "CWE"
+)
+
+// Specific JFrog Sarif Utils
+
+func GetResultWatches(result *sarif.Result) (watches string) {
+	if watchesProperty, ok := result.Properties[WatchSarifPropertyKey]; ok {
+		if watchesValue, ok := watchesProperty.(string); ok {
+			return watchesValue
+		}
+	}
+	return
+}
+
+func GetResultPolicies(result *sarif.Result) (policies []string) {
+	if policiesProperty, ok := result.Properties[PoliciesSarifPropertyKey]; ok {
+		if policiesValue, ok := policiesProperty.(string); ok {
+			split := strings.Split(policiesValue, ",")
+			for _, policy := range split {
+				policies = append(policies, strings.TrimSpace(policy))
+			}
+			return
+		}
+	}
+	return
+}
+
+func GetResultIssueId(result *sarif.Result) (issueId string) {
+	if issueIdProperty, ok := result.Properties[JasIssueIdSarifPropertyKey]; ok {
+		if issueIdValue, ok := issueIdProperty.(string); ok {
+			return issueIdValue
+		}
+	}
+	return
+}
+
+func GetRuleCWE(rule *sarif.ReportingDescriptor) (cwe string) {
+	if rule == nil || rule.DefaultConfiguration == nil || rule.DefaultConfiguration.Parameters == nil || rule.DefaultConfiguration.Parameters.Properties == nil {
+		// No CWE property
+		return
+	}
+	if cweProperty, ok := rule.DefaultConfiguration.Parameters.Properties[CWEPropertyKey]; ok {
+		if cweValue, ok := cweProperty.(string); ok {
+			return cweValue
+		}
+	}
+	return
+}
+
+// General Sarif Utils
+
 func NewReport() (*sarif.Report, error) {
 	report, err := sarif.New(sarif.Version210)
 	if err != nil {

utils/formats/simplejsonapi.go

@@ -26,6 +26,11 @@ type SimpleJsonResults struct {
 	MultiScanId               string                        `json:"multiScanId,omitempty"`
 }
 
+type ViolationContext struct {
+	Watch    string   `json:"watch,omitempty"`
+	Policies []string `json:"policies,omitempty"`
+}
+
 type SeverityDetails struct {
 	Severity         string `json:"severity"`
 	SeverityNumValue int    `json:"-"` // For sorting
@@ -42,12 +47,12 @@ type ImpactedDependencyDetails struct {
 // Used for vulnerabilities and security violations
 type VulnerabilityOrViolationRow struct {
 	ImpactedDependencyDetails
+	ViolationContext
 	Summary                  string                    `json:"summary"`
 	Applicable               string                    `json:"applicable"`
 	FixedVersions            []string                  `json:"fixedVersions"`
 	Cves                     []CveRow                  `json:"cves"`
 	IssueId                  string                    `json:"issueId"`
-	Watch                    string                    `json:"watch,omitempty"`
 	References               []string                  `json:"references"`
 	ImpactPaths              [][]ComponentRow          `json:"impactPaths"`
 	JfrogResearchInformation *JfrogResearchInformation `json:"jfrogResearchInformation"`
@@ -56,7 +61,7 @@ type VulnerabilityOrViolationRow struct {
 
 type LicenseViolationRow struct {
 	LicenseRow
-	Watch string `json:"watch,omitempty"`
+	ViolationContext
 }
 
 type LicenseRow struct {
@@ -68,6 +73,7 @@ type LicenseRow struct {
 
 type OperationalRiskViolationRow struct {
 	ImpactedDependencyDetails
+	ViolationContext
 	RiskReason    string `json:"riskReason"`
 	IsEol         string `json:"isEndOfLife"`
 	EolMessage    string `json:"endOfLifeMessage"`
@@ -80,7 +86,11 @@ type OperationalRiskViolationRow struct {
 
 type SourceCodeRow struct {
 	SeverityDetails
+	ViolationContext
 	Location
+	RuleId             string         `json:"ruleId"`
+	IssueId            string         `json:"issueId"`
+	CWE                string         `json:"cwe,omitempty"`
 	Finding            string         `json:"finding,omitempty"`
 	Fingerprint        string         `json:"fingerprint,omitempty"`
 	Applicability      *Applicability `json:"applicability,omitempty"`

utils/results/common.go

@@ -88,8 +88,8 @@ func ApplyHandlerToJasIssues(runs []*sarif.Run, entitledForJas bool, handler Par
 	return nil
 }
 
-// PrepareScaVulnerabilities allows to iterate over the provided SCA security vulnerabilities and call the provided handler for each impacted component/package with a vulnerability to process it.
-func PrepareScaVulnerabilities(target ScanTarget, vulnerabilities []services.Vulnerability, entitledForJas bool, applicabilityRuns []*sarif.Run, handler ParseScaVulnerabilityFunc) error {
+// ApplyHandlerToScaVulnerabilities allows to iterate over the provided SCA security vulnerabilities and call the provided handler for each impacted component/package with a vulnerability to process it.
+func ApplyHandlerToScaVulnerabilities(target ScanTarget, vulnerabilities []services.Vulnerability, entitledForJas bool, applicabilityRuns []*sarif.Run, handler ParseScaVulnerabilityFunc) error {
 	if handler == nil {
 		return nil
 	}
@@ -116,8 +116,8 @@ func PrepareScaVulnerabilities(target ScanTarget, vulnerabilities []services.Vul
 	return nil
 }
 
-// PrepareScaViolations allows to iterate over the provided SCA violations and call the provided handler for each impacted component/package with a violation to process it.
-func PrepareScaViolations(target ScanTarget, violations []services.Violation, entitledForJas bool, applicabilityRuns []*sarif.Run, securityHandler ParseScaViolationFunc, licenseHandler ParseScaViolationFunc, operationalRiskHandler ParseScaViolationFunc) (watches []string, failBuild bool, err error) {
+// ApplyHandlerToScaViolations allows to iterate over the provided SCA violations and call the provided handler for each impacted component/package with a violation to process it.
+func ApplyHandlerToScaViolations(target ScanTarget, violations []services.Violation, entitledForJas bool, applicabilityRuns []*sarif.Run, securityHandler ParseScaViolationFunc, licenseHandler ParseScaViolationFunc, operationalRiskHandler ParseScaViolationFunc) (watches []string, failBuild bool, err error) {
 	if securityHandler == nil && licenseHandler == nil && operationalRiskHandler == nil {
 		return
 	}
@@ -195,8 +195,8 @@ func PrepareScaViolations(target ScanTarget, violations []services.Violation, en
 	return
 }
 
-// PrepareLicenses allows to iterate over the provided licenses and call the provided handler for each component/package with a license to process it.
-func PrepareLicenses(target ScanTarget, licenses []services.License, handler ParseLicensesFunc) error {
+// ApplyHandlerToLicenses allows to iterate over the provided licenses and call the provided handler for each component/package with a license to process it.
+func ApplyHandlerToLicenses(target ScanTarget, licenses []services.License, handler ParseLicensesFunc) error {
 	if handler == nil {
 		return nil
 	}
@@ -627,3 +627,11 @@ func getFinalApplicabilityStatus(applicabilityStatuses []jasutils.ApplicabilityS
 
 	return jasutils.NotApplicable
 }
+
+func ConvertPolicesToString(policies []services.Policy) []string {
+	var policiesStr []string
+	for _, policy := range policies {
+		policiesStr = append(policiesStr, policy.Policy)
+	}
+	return policiesStr
+}