phpcs:chore - Update PHP_CodeSniffer to show severity and code (#935)

I update the PHP_CodeSniffer tool to have a little
more information such as:
- All warnings can be shown as long as their severity is above 5
- All vulnerabilities pointed out have a correct level
of severity based on the tool
- We now demonstrate the vulnerable code in the analysis output

Signed-off-by: wilian <wilian.silva@zup.com.br>
(cherry picked from commit 5d8b435)

e2e/analysis/test_case.go

@@ -77,9 +77,9 @@ func NewTestCase() []*TestCase {
 					fmt.Sprintf(messages.MsgPrintFinishAnalysisWithStatus, analysis.Success),
 					messages.MsgDebugVulnHashToFix,
 					messages.MsgWarnAnalysisFoundVulns[16:],
-					"In this analysis, a total of 66 possible vulnerabilities were found and we classified them into:",
-					"Total of Vulnerability CRITICAL is: 17",
-					"Total of Vulnerability HIGH is: 22",
+					"In this analysis, a total of 69 possible vulnerabilities were found and we classified them into:",
+					"Total of Vulnerability CRITICAL is: 18",
+					"Total of Vulnerability HIGH is: 24",
 					"Total of Vulnerability MEDIUM is: 24",
 					"Total of Vulnerability LOW is: 3",
 					fmt.Sprintf("{HORUSEC_CLI} Running %s - %s", tools.HorusecEngine, languages.CSharp),

internal/controllers/language_detect/language_detect_test.go

@@ -184,7 +184,8 @@ func TestLanguageDetect(t *testing.T) {
 		assert.Contains(t, langs, languages.Leaks)
 		assert.Contains(t, langs, languages.Java)
 		assert.Contains(t, langs, languages.Generic)
-		assert.Len(t, langs, 3)
+		assert.Contains(t, langs, languages.Shell)
+		assert.Len(t, langs, 4)
 	})
 
 	t.Run("Should run language detect and return JAVASCRIPT and GITLEAKS", func(t *testing.T) {
@@ -212,6 +213,30 @@ func TestLanguageDetect(t *testing.T) {
 		assert.Len(t, langs, 4)
 	})
 
+	t.Run("Should run language detect and return PHP, LEAKS, GENERIC in example2", func(t *testing.T) {
+		controller := NewLanguageDetect(config.New(), uuid.New())
+
+		langs, err := controller.Detect(testutil.PHPExample2)
+
+		assert.NoError(t, err)
+		assert.Contains(t, langs, languages.Leaks)
+		assert.Contains(t, langs, languages.Generic)
+		assert.Contains(t, langs, languages.PHP)
+		assert.Len(t, langs, 3)
+	})
+
+	t.Run("Should run language detect and return PHP, LEAKS, GENERIC in example1", func(t *testing.T) {
+		controller := NewLanguageDetect(config.New(), uuid.New())
+
+		langs, err := controller.Detect(testutil.PHPExample1)
+
+		assert.NoError(t, err)
+		assert.Contains(t, langs, languages.Leaks)
+		assert.Contains(t, langs, languages.Generic)
+		assert.Contains(t, langs, languages.PHP)
+		assert.Len(t, langs, 3)
+	})
+
 	t.Run("Should run language detect and return KOTLIN and GITLEAKS", func(t *testing.T) {
 		controller := NewLanguageDetect(config.New(), uuid.New())
 

internal/services/formatters/php/phpcs/entities/message.go

@@ -17,13 +17,29 @@ package entities
 import (
 	"strconv"
 	"strings"
+
+	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
+)
+
+const (
+	MessageError   = "ERROR"
+	MessageWarning = "WARNING"
+)
+
+const (
+	SeverityLevelLow      = 2
+	SeverityLevelMedium   = 3
+	SeverityLevelHigh     = 4
+	SeverityLevelCritical = 5
 )
 
 type Message struct {
-	Message string `json:"message"`
-	Line    int    `json:"line"`
-	Column  int    `json:"column"`
-	Type    string `json:"type"`
+	Severity int    `json:"severity"`
+	Source   string `json:"source"`
+	Message  string `json:"message"`
+	Line     int    `json:"line"`
+	Column   int    `json:"column"`
+	Type     string `json:"type"`
 }
 
 func (m *Message) GetLine() string {
@@ -34,7 +50,37 @@ func (m *Message) GetColumn() string {
 	return strconv.Itoa(m.Column)
 }
 
-func (m *Message) IsValidMessage() bool {
-	return m.Type == "ERROR" &&
-		!strings.Contains(m.Message, "This implies that some PHP code is not scanned by PHPCS")
+func (m *Message) IsAllowedMessage() bool {
+	return m.isWarningMessage() || m.isErrorMessage()
+}
+
+func (m *Message) isErrorMessage() bool {
+	return m.Type == MessageError
+}
+
+func (m *Message) isWarningMessage() bool {
+	return m.Type == MessageWarning
+}
+
+func (m *Message) IsNotFailedToScan() bool {
+	return !strings.Contains(strings.ToLower(m.Message),
+		"this implies that some php code is not scanned by phpcs")
+}
+
+// nolint:funlen,gocyclo // method of validation
+func (m *Message) GetSeverity() severities.Severity {
+	switch {
+	case m.isWarningMessage() && m.Severity >= SeverityLevelCritical:
+		return severities.Info
+	case m.Severity < SeverityLevelLow:
+		return severities.Low
+	case m.Severity >= SeverityLevelLow && m.Severity <= SeverityLevelMedium:
+		return severities.Medium
+	case m.Severity == SeverityLevelHigh:
+		return severities.High
+	case m.Severity >= SeverityLevelCritical:
+		return severities.Critical
+	default:
+		return severities.Unknown
+	}
 }

internal/services/formatters/php/phpcs/entities/message_test.go

@@ -47,21 +47,30 @@ func TestGetColumn(t *testing.T) {
 }
 
 func TestIsValidMessage(t *testing.T) {
-	t.Run("should return false if invalid message", func(t *testing.T) {
+	t.Run("should return true if valid error message", func(t *testing.T) {
 		message := &Message{
-			Message: "This implies that some PHP code is not scanned by PHPCS",
-			Type:    "ERROR",
+			Type: "ERROR",
 		}
 
-		assert.False(t, message.IsValidMessage())
+		assert.True(t, message.isErrorMessage())
+		assert.True(t, message.IsAllowedMessage())
 	})
 
-	t.Run("should return true if valid message", func(t *testing.T) {
+	t.Run("should return true if valid warning message", func(t *testing.T) {
 		message := &Message{
-			Message: "",
-			Type:    "ERROR",
+			Type: "WARNING",
 		}
 
-		assert.True(t, message.IsValidMessage())
+		assert.True(t, message.isWarningMessage())
+		assert.True(t, message.IsAllowedMessage())
+	})
+	t.Run("should return false if invalid type message", func(t *testing.T) {
+		message := &Message{
+			Type: "other",
+		}
+
+		assert.False(t, message.isErrorMessage())
+		assert.False(t, message.isWarningMessage())
+		assert.False(t, message.IsAllowedMessage())
 	})
 }

internal/services/formatters/php/phpcs/formatter.go

@@ -16,10 +16,10 @@ package phpcs
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/ZupIT/horusec-devkit/pkg/entities/vulnerability"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
-	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/tools"
 	"github.com/ZupIT/horusec-devkit/pkg/utils/logger"
 
@@ -28,6 +28,7 @@ import (
 	"github.com/ZupIT/horusec/internal/helpers/messages"
 	"github.com/ZupIT/horusec/internal/services/formatters"
 	"github.com/ZupIT/horusec/internal/services/formatters/php/phpcs/entities"
+	fileutils "github.com/ZupIT/horusec/internal/utils/file"
 	vulnhash "github.com/ZupIT/horusec/internal/utils/vuln_hash"
 )
 
@@ -94,20 +95,26 @@ func (f *Formatter) parseResults(results map[string]interface{}) {
 
 func (f *Formatter) parseMessages(filepath string, result interface{}) {
 	for _, message := range f.parseToResult(result).Messages {
-		if message.IsValidMessage() {
-			f.AddNewVulnerabilityIntoAnalysis(f.setVulnerabilityData(filepath, message))
+		if message.IsAllowedMessage() && message.IsNotFailedToScan() {
+			vuln := f.setVulnerabilityData(filepath, message)
+			f.AddNewVulnerabilityIntoAnalysis(vuln)
 		}
 	}
 }
 
 func (f *Formatter) setVulnerabilityData(filepath string, result entities.Message) *vulnerability.Vulnerability {
 	vuln := f.getDefaultVulnerabilitySeverity()
-	vuln.Severity = severities.Unknown
+	vuln.Severity = result.GetSeverity()
 	vuln.Details = result.Message
 	vuln.Line = result.GetLine()
 	vuln.Column = result.GetColumn()
 	vuln.File = f.RemoveSrcFolderFromPath(filepath)
 	vuln = vulnhash.Bind(vuln)
+
+	// NOTE: code and details were set after the vulnhash.Bind to avoid changes in the hash generation
+	vuln.Code, _ = fileutils.GetCode(f.GetConfigProjectPath(), vuln.File, result.GetLine())
+	vuln.Details += fmt.Sprintf("\n %s", result.Source)
+
 	return f.SetCommitAuthor(vuln)
 }