From 8890969765dce46be61e96c5c998b63b276bfa8f Mon Sep 17 00:00:00 2001 From: attiasas Date: Mon, 16 Oct 2023 18:09:56 +0300 Subject: [PATCH 1/9] fix xray version output --- xray/commands/scan/buildscan.go | 6 +++--- xray/commands/scan/scan.go | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/xray/commands/scan/buildscan.go b/xray/commands/scan/buildscan.go index ec9f9a37e..d44a9dcb2 100644 --- a/xray/commands/scan/buildscan.go +++ b/xray/commands/scan/buildscan.go @@ -101,7 +101,7 @@ func (bsc *BuildScanCommand) Run() (err error) { Rescan: bsc.rescan, } - isFailBuildResponse, err := bsc.runBuildScanAndPrintResults(xrayManager, params) + isFailBuildResponse, err := bsc.runBuildScanAndPrintResults(xrayManager, xrayVersion, params) if err != nil { return err } @@ -112,7 +112,7 @@ func (bsc *BuildScanCommand) Run() (err error) { return } -func (bsc *BuildScanCommand) runBuildScanAndPrintResults(xrayManager *xray.XrayServicesManager, params services.XrayBuildParams) (isFailBuildResponse bool, err error) { +func (bsc *BuildScanCommand) runBuildScanAndPrintResults(xrayManager *xray.XrayServicesManager, xrayVersion string, params services.XrayBuildParams) (isFailBuildResponse bool, err error) { buildScanResults, noFailBuildPolicy, err := xrayManager.BuildScan(params, bsc.includeVulnerabilities) if err != nil { return false, err @@ -126,7 +126,7 @@ func (bsc *BuildScanCommand) runBuildScanAndPrintResults(xrayManager *xray.XrayS XrayDataUrl: buildScanResults.MoreDetailsUrl, }} - extendedScanResults := &xrutils.ExtendedScanResults{XrayResults: scanResponse} + extendedScanResults := &xrutils.ExtendedScanResults{XrayResults: scanResponse, XrayVersion: xrayVersion} resultsPrinter := xrutils.NewResultsWriter(extendedScanResults). SetOutputFormat(bsc.outputFormat). diff --git a/xray/commands/scan/scan.go b/xray/commands/scan/scan.go index cd910ea0a..7a291a21c 100644 --- a/xray/commands/scan/scan.go +++ b/xray/commands/scan/scan.go 
@@ -241,7 +241,7 @@ func (scanCmd *ScanCommand) Run() (err error) { } scanErrors = appendErrorSlice(scanErrors, fileProducerErrors) scanErrors = appendErrorSlice(scanErrors, indexedFileProducerErrors) - extendedScanResults := &xrutils.ExtendedScanResults{XrayResults: flatResults} + extendedScanResults := &xrutils.ExtendedScanResults{XrayResults: flatResults, XrayVersion: xrayVersion} if err = xrutils.NewResultsWriter(extendedScanResults). SetOutputFormat(scanCmd.outputFormat). From 5fb061c0f1385a98ba9dae9edb81ebfcadbb5498 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 12:29:49 +0300 Subject: [PATCH 2/9] done --- xray/utils/resultwriter.go | 49 +++++++++++++++++++++++++------------- 1 file changed, 32 insertions(+), 17 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 553f37388..2e545974d 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go 
@@ -267,27 +267,19 @@ func addXrayCveIssueToSarifRun(cves []formats.CveRow, issueId, severity string, if err != nil { return err } - cveId := GetIssueIdentifier(cves, issueId) - msg := getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId) location, err := getXrayIssueLocationIfValidExists(tech, run) if err != nil { return err } - if rule, isNewRule := addResultToSarifRun(cveId, msg, severity, location, run); isNewRule { - cveRuleProperties := sarif.NewPropertyBag() - if maxCveScore != MissingCveScore { - cveRuleProperties.Add("security-severity", maxCveScore) - } - rule.WithProperties(cveRuleProperties.Properties) - formattedDirectDependencies, err := getDirectDependenciesFormatted(components) - if err != nil { - return err - } - markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) + "\n" - rule.WithHelp(&sarif.MultiformatMessageString{ - Text: &summary, - Markdown: &markdownDescription, - }) + formattedDirectDependencies, err := getDirectDependenciesFormatted(components) + if err != nil { + return err + } + cveId := GetIssueIdentifier(cves, issueId) + ruleId := getXrayCveRuleId(cveId, applicable, impactedDependencyName, impactedDependencyVersion, maxCveScore, formattedDirectDependencies, summary, fixedVersions, run) + + for _, directDependency := range components { + addResultToSarifRun(ruleId, getVulnerabilityOrViolationSarifHeadline(directDependency.Name, directDependency.Version, cveId), severity, location, run) } return nil } 
@@ -322,6 +314,29 @@ func getXrayIssueLocationIfValidExists(tech coreutils.Technology, run *sarif.Run return sarif.NewLocation().WithPhysicalLocation(sarif.NewPhysicalLocation().WithArtifactLocation(sarif.NewArtifactLocation().WithUri("file://" + descriptorPath))), nil } +func getXrayCveRuleId(cveId, applicable, impactedDependencyName, impactedDependencyVersion, maxCveScore, formattedDirectDependencies, summary string, fixedVersions []string, run *sarif.Run) (ruleId string) { + ruleId = fmt.Sprintf("%s_%s_%s", cveId, impactedDependencyName, impactedDependencyVersion) + rule, _ := run.GetRuleById(ruleId) + if rule != nil { + return + } + // Add new rule with the information + rule = run.AddRule(ruleId) + cveRuleProperties := sarif.NewPropertyBag() + if maxCveScore != MissingCveScore { + cveRuleProperties.Add("security-severity", maxCveScore) + } + rule.WithProperties(cveRuleProperties.Properties) + rule.WithDescription(getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId)) + markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) + rule.WithHelp(&sarif.MultiformatMessageString{ + Text: &summary, + Markdown: &markdownDescription, + }) + + return +} + func addResultToSarifRun(issueId, msg, severity string, location *sarif.Location, run *sarif.Run) (rule *sarif.ReportingDescriptor, isNewRule bool) { if rule, _ = run.GetRuleById(issueId); rule == nil { isNewRule = true From 141ed3e044f37c02c8c4dd28670d26751c48da29 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 13:06:12 +0300 Subject: [PATCH 3/9] review changes --- xray/utils/resultwriter.go | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 2e545974d..7f2da60a7 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go 
@@ -276,10 +276,16 @@ func addXrayCveIssueToSarifRun(cves []formats.CveRow, issueId, severity string, return err } cveId := GetIssueIdentifier(cves, issueId) - ruleId := getXrayCveRuleId(cveId, applicable, impactedDependencyName, impactedDependencyVersion, maxCveScore, formattedDirectDependencies, summary, fixedVersions, run) + ruleId := getVulnerabilityOrViolationSarifRuleId(impactedDependencyName, impactedDependencyVersion, cveId) + if rule, _ := run.GetRuleById(ruleId); rule == nil { + ruleDescription := getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId) + markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) + addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription, run) + } for _, directDependency := range components { - addResultToSarifRun(ruleId, getVulnerabilityOrViolationSarifHeadline(directDependency.Name, directDependency.Version, cveId), severity, location, run) + msg := getVulnerabilityOrViolationSarifHeadline(directDependency.Name, directDependency.Version, cveId) + addResultToSarifRun(ruleId, msg, severity, location, run) } return nil } 
@@ -314,21 +320,14 @@ func getXrayIssueLocationIfValidExists(tech coreutils.Technology, run *sarif.Run return sarif.NewLocation().WithPhysicalLocation(sarif.NewPhysicalLocation().WithArtifactLocation(sarif.NewArtifactLocation().WithUri("file://" + descriptorPath))), nil } -func getXrayCveRuleId(cveId, applicable, impactedDependencyName, impactedDependencyVersion, maxCveScore, formattedDirectDependencies, summary string, fixedVersions []string, run *sarif.Run) (ruleId string) { - ruleId = fmt.Sprintf("%s_%s_%s", cveId, impactedDependencyName, impactedDependencyVersion) - rule, _ := run.GetRuleById(ruleId) - if rule != nil { - return - } - // Add new rule with the information - rule = run.AddRule(ruleId) +func addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription string, run *sarif.Run) { + rule := run.AddRule(ruleId) cveRuleProperties := sarif.NewPropertyBag() if maxCveScore != MissingCveScore { cveRuleProperties.Add("security-severity", maxCveScore) } rule.WithProperties(cveRuleProperties.Properties) - rule.WithDescription(getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId)) - markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) + rule.WithDescription(ruleDescription) rule.WithHelp(&sarif.MultiformatMessageString{ Text: &summary, Markdown: &markdownDescription, @@ -413,6 +412,10 @@ func GetIssueIdentifier(cvesRow []formats.CveRow, issueId string) string { return identifier } +func getVulnerabilityOrViolationSarifRuleId(depName, version, key string) string { + return fmt.Sprintf("%s_%s_%s", key, depName, version) +} + func getVulnerabilityOrViolationSarifHeadline(depName, version, key string) string { return fmt.Sprintf("[%s] %s %s", key, depName, version) } From 56c82f19eb185c32eb4e61653164610ec55fbfa4 Mon Sep 17 00:00:00 2001 
From: attiasas Date: Tue, 17 Oct 2023 13:07:37 +0300 Subject: [PATCH 4/9] fix static --- xray/utils/resultwriter.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 7f2da60a7..8c3f5b04a 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go @@ -332,8 +332,6 @@ func addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescr Text: &summary, Markdown: &markdownDescription, }) - - return } func addResultToSarifRun(issueId, msg, severity string, location *sarif.Location, run *sarif.Run) (rule *sarif.ReportingDescriptor, isNewRule bool) { From 5619086ef1ee9ae161f94c9a2a367856b175e699 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 14:52:10 +0300 Subject: [PATCH 5/9] fix license as well and combine --- xray/utils/resultwriter.go | 127 +++++++++++++++++--------------- xray/utils/resultwriter_test.go | 4 +- 2 files changed, 69 insertions(+), 62 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 8c3f5b04a..ac1011bd7 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go 
@@ -220,74 +220,90 @@ func convertXrayResponsesToSarifRun(extendedResults *ExtendedScanResults, isMult func extractXrayIssuesToSarifRun(run *sarif.Run, xrayJson formats.SimpleJsonResults) error { for _, vulnerability := range xrayJson.Vulnerabilities { - if err := addXrayCveIssueToSarifRun( - vulnerability.Cves, - vulnerability.IssueId, - vulnerability.Severity, - vulnerability.Technology, - vulnerability.Components, - vulnerability.Applicable, - vulnerability.ImpactedDependencyName, - vulnerability.ImpactedDependencyVersion, - vulnerability.Summary, - vulnerability.FixedVersions, - run, - ); err != nil { + if err := addXrayCveIssueToSarifRun(vulnerability, run); err != nil { return err } } for _, violation := range xrayJson.SecurityViolations { - if err := addXrayCveIssueToSarifRun( - violation.Cves, - violation.IssueId, - violation.Severity, - violation.Technology, - violation.Components, - violation.Applicable, - violation.ImpactedDependencyName, - violation.ImpactedDependencyVersion, - violation.Summary, - violation.FixedVersions, - run, - ); err != nil { + if err := addXrayCveIssueToSarifRun(violation, run); err != nil { return err } } for _, license := range xrayJson.LicensesViolations { - msg := getVulnerabilityOrViolationSarifHeadline(license.LicenseKey, license.ImpactedDependencyName, license.ImpactedDependencyVersion) - if rule, isNewRule := addResultToSarifRun(license.LicenseKey, msg, license.Severity, nil, run); isNewRule { - rule.WithDescription("License watch violations") + if err := addXrayLicenseViolationToSarifRun(license, run); err != nil { + return err } } return nil } -func addXrayCveIssueToSarifRun(cves []formats.CveRow, issueId, severity string, tech coreutils.Technology, components []formats.ComponentRow, applicable, impactedDependencyName, impactedDependencyVersion, summary string, fixedVersions []string, run *sarif.Run) error { - maxCveScore, err := findMaxCVEScore(cves) +func addXrayCveIssueToSarifRun(issue 
formats.VulnerabilityOrViolationRow, run *sarif.Run) (err error) { + maxCveScore, err := findMaxCVEScore(issue.Cves) if err != nil { - return err + return } - location, err := getXrayIssueLocationIfValidExists(tech, run) + location, err := getXrayIssueLocationIfValidExists(issue.Technology, run) if err != nil { - return err + return } - formattedDirectDependencies, err := getDirectDependenciesFormatted(components) + formattedDirectDependencies, err := getDirectDependenciesFormatted(issue.Components) if err != nil { - return err + return } - cveId := GetIssueIdentifier(cves, issueId) - ruleId := getVulnerabilityOrViolationSarifRuleId(impactedDependencyName, impactedDependencyVersion, cveId) + cveId := GetIssueIdentifier(issue.Cves, issue.IssueId) + markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, issue.Applicable, issue.FixedVersions) + addXrayIssueToSarifRun( + cveId, + issue.ImpactedDependencyName, + issue.ImpactedDependencyVersion, + issue.Severity, + maxCveScore, + issue.Summary, + markdownDescription, + issue.Components, + location, + run, + ) + return +} + +func addXrayLicenseViolationToSarifRun(license formats.LicenseRow, run *sarif.Run) (err error) { + formattedDirectDependencies, err := getDirectDependenciesFormatted(license.Components) + if err != nil { + return + } + licenseViolationSummary := fmt.Sprint("Dependency %s version %s is using a license (%s) that is not allowed.", license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey) + licenseViolationMarkdownDescription := fmt.Sprint("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) + addXrayIssueToSarifRun( + license.LicenseKey, + license.ImpactedDependencyName, + license.ImpactedDependencyVersion, + license.Severity, + MissingCveScore, + licenseViolationSummary, + licenseViolationMarkdownDescription, + license.Components, + nil, + run, + ) + 
return +} +func addXrayIssueToSarifRun(issueId, impactedDependencyName, impactedDependencyVersion, severity, severityScore, summary, markdownDescription string, components []formats.ComponentRow, location *sarif.Location, run *sarif.Run) { + // Add rule if not exists + ruleId := getXrayIssueSarifRuleId(impactedDependencyName, impactedDependencyVersion, issueId) if rule, _ := run.GetRuleById(ruleId); rule == nil { - ruleDescription := getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId) - markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) - addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription, run) + ruleDescription := getXrayIssueSarifHeadline(impactedDependencyName, impactedDependencyVersion, issueId) + addXrayRule(ruleId, ruleDescription, severityScore, summary, markdownDescription, run) } + // Add result for each component for _, directDependency := range components { - msg := getVulnerabilityOrViolationSarifHeadline(directDependency.Name, directDependency.Version, cveId) - addResultToSarifRun(ruleId, msg, severity, location, run) + msg := getXrayIssueSarifHeadline(directDependency.Name, directDependency.Version, issueId) + if result := run.CreateResultForRule(ruleId).WithMessage(sarif.NewTextMessage(msg)).WithLevel(ConvertToSarifLevel(severity)); location != nil { + result.AddLocation(location) + } } - return nil + } func getDescriptorFullPath(tech coreutils.Technology, run *sarif.Run) (string, error) { 
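Review bot: The new result loop in addXrayIssueToSarifRun, `for _, directDependency := range components`, emits no SARIF result at all when components is empty, so such an issue registers a rule and then vanishes from the report; the removed addResultToSarifRun path created one result per issue unconditionally. Whether Xray can hand back a vulnerability or license row with an empty Components slice is not visible in this hunk, so treat this as a hedge, but the report should not silently depend on it. Falling back to the impacted dependency itself as the single target keeps the old one-result-per-issue guarantee without changing the normal per-component output. The hunk's tail, getDescriptorFullPath, continues outside it.
```go
	// Add result for each component; fall back to the impacted dependency itself
	// so an issue with no resolved direct dependencies still produces a result
	targets := components
	if len(targets) == 0 {
		targets = []formats.ComponentRow{{Name: impactedDependencyName, Version: impactedDependencyVersion}}
	}
	for _, directDependency := range targets {
		// … unchanged: message and result creation …
	}
```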
@@ -320,13 +336,15 @@ func getXrayIssueLocationIfValidExists(tech coreutils.Technology, run *sarif.Run return sarif.NewLocation().WithPhysicalLocation(sarif.NewPhysicalLocation().WithArtifactLocation(sarif.NewArtifactLocation().WithUri("file://" + descriptorPath))), nil } -func addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription string, run *sarif.Run) { +func addXrayRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription string, run *sarif.Run) { rule := run.AddRule(ruleId) - cveRuleProperties := sarif.NewPropertyBag() + if maxCveScore != MissingCveScore { + cveRuleProperties := sarif.NewPropertyBag() cveRuleProperties.Add("security-severity", maxCveScore) + rule.WithProperties(cveRuleProperties.Properties) } - rule.WithProperties(cveRuleProperties.Properties) + rule.WithDescription(ruleDescription) rule.WithHelp(&sarif.MultiformatMessageString{ Text: &summary, @@ -334,17 +352,6 @@ func addXrayCveRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescr }) } -func addResultToSarifRun(issueId, msg, severity string, location *sarif.Location, run *sarif.Run) (rule *sarif.ReportingDescriptor, isNewRule bool) { - if rule, _ = run.GetRuleById(issueId); rule == nil { - isNewRule = true - rule = run.AddRule(issueId) - } - if result := run.CreateResultForRule(issueId).WithMessage(sarif.NewTextMessage(msg)).WithLevel(ConvertToSarifLevel(severity)); location != nil { - result.AddLocation(location) - } - return -} - func convertXrayScanToSimpleJson(extendedResults *ExtendedScanResults, isMultipleRoots, includeLicenses, simplifiedOutput bool) (formats.SimpleJsonResults, error) { violations, vulnerabilities, licenses := SplitScanResults(extendedResults.XrayResults) jsonTable := formats.SimpleJsonResults{} 
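Review bot: addXrayRule keeps the parameter name `maxCveScore` although this commit also routes license violations through it (the caller now labels the argument `severityScore` and passes MissingCveScore for licenses), so the name no longer describes what arrives and the `!= MissingCveScore` guard reads as CVE-specific. Rename the parameter to `severityScore` and give the function a header comment so the conditional property is explicit: `// addXrayRule registers ruleId on the run with the given title and help text; the security-severity property is emitted only when severityScore is not MissingCveScore.` The second hunk on this line deletes addResultToSarifRun, so the single-result behaviour it carried now lives only in addXrayIssueToSarifRun, which the comment on that function should say.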
@@ -410,11 +417,11 @@ func GetIssueIdentifier(cvesRow []formats.CveRow, issueId string) string { return identifier } -func getVulnerabilityOrViolationSarifRuleId(depName, version, key string) string { +func getXrayIssueSarifRuleId(depName, version, key string) string { return fmt.Sprintf("%s_%s_%s", key, depName, version) } -func getVulnerabilityOrViolationSarifHeadline(depName, version, key string) string { +func getXrayIssueSarifHeadline(depName, version, key string) string { return fmt.Sprintf("[%s] %s %s", key, depName, version) } diff --git a/xray/utils/resultwriter_test.go b/xray/utils/resultwriter_test.go index a67dfe86c..b6fa06d11 100644 --- a/xray/utils/resultwriter_test.go +++ b/xray/utils/resultwriter_test.go @@ -13,8 +13,8 @@ import ( ) func TestGetVulnerabilityOrViolationSarifHeadline(t *testing.T) { - assert.Equal(t, "[CVE-2022-1234] loadsh 1.4.1", getVulnerabilityOrViolationSarifHeadline("loadsh", "1.4.1", "CVE-2022-1234")) - assert.NotEqual(t, "[CVE-2022-1234] loadsh 1.4.1", getVulnerabilityOrViolationSarifHeadline("loadsh", "1.2.1", "CVE-2022-1234")) + assert.Equal(t, "[CVE-2022-1234] loadsh 1.4.1", getXrayIssueSarifHeadline("loadsh", "1.4.1", "CVE-2022-1234")) + assert.NotEqual(t, "[CVE-2022-1234] loadsh 1.4.1", getXrayIssueSarifHeadline("loadsh", "1.2.1", "CVE-2022-1234")) } func TestGetIssueIdentifier(t *testing.T) { From 09372c1f66f845039c976118245fb598cb7f5ace Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 14:59:34 +0300 Subject: [PATCH 6/9] fix static --- xray/utils/resultwriter.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index ac1011bd7..4892404ed 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go 
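Review bot: The test hunk only tracks the rename — `TestGetVulnerabilityOrViolationSarifHeadline` keeps its old name while calling getXrayIssueSarifHeadline — and the rule-id helper renamed in the first hunk on this line, getXrayIssueSarifRuleId, gets no assertion even though that id is what now de-duplicates rules across results for the same dependency. Rename the test to `TestGetXrayIssueSarifHeadline` and add `assert.Equal(t, "CVE-2022-1234_loadsh_1.4.1", getXrayIssueSarifRuleId("loadsh", "1.4.1", "CVE-2022-1234"))` beside it, so a later change to the separator or argument order is caught.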
@@ -272,16 +272,14 @@ func addXrayLicenseViolationToSarifRun(license formats.LicenseRow, run *sarif.Ru if err != nil { return } - licenseViolationSummary := fmt.Sprint("Dependency %s version %s is using a license (%s) that is not allowed.", license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey) - licenseViolationMarkdownDescription := fmt.Sprint("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) addXrayIssueToSarifRun( license.LicenseKey, license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.Severity, MissingCveScore, - licenseViolationSummary, - licenseViolationMarkdownDescription, + getLicenseViolationSummary(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey), + getLicenseViolationMarkdown(formattedDirectDependencies), license.Components, nil, run, @@ -425,6 +423,14 @@ func getXrayIssueSarifHeadline(depName, version, key string) string { return fmt.Sprintf("[%s] %s %s", key, depName, version) } +func getLicenseViolationSummary(depName, version, key string) string { + return fmt.Sprint("Dependency %s version %s is using a license (%s) that is not allowed.", depName, version, key) +} + +func getLicenseViolationMarkdown(formattedDirectDependencies string) string { + return fmt.Sprint("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) +} + func getDirectDependenciesFormatted(directDependencies []formats.ComponentRow) (string, error) { var formattedDirectDependencies strings.Builder for _, dependency := range directDependencies { From e72129a66d34ab0dd606a4cf6030d501bbbbd7a9 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 15:00:29 +0300 Subject: [PATCH 7/9] fix static --- xray/utils/resultwriter.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 4892404ed..02d12d25a 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go @@ -424,11 +424,11 @@ func getXrayIssueSarifHeadline(depName, version, key string) string { } func getLicenseViolationSummary(depName, version, key string) string { - return fmt.Sprint("Dependency %s version %s is using a license (%s) that is not allowed.", depName, version, key) + return fmt.Sprintf("Dependency %s version %s is using a license (%s) that is not allowed.", depName, version, key) } func getLicenseViolationMarkdown(formattedDirectDependencies string) string { - return fmt.Sprint("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) + return fmt.Sprintf("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) } func getDirectDependenciesFormatted(directDependencies []formats.ComponentRow) (string, error) { From c576584ff09916e24d6b8e3609e8edfbcc4ad895 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 15:01:52 +0300 Subject: [PATCH 8/9] fix text --- xray/utils/resultwriter.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index 02d12d25a..e945de0aa 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go @@ -279,7 +279,7 @@ func addXrayLicenseViolationToSarifRun(license formats.LicenseRow, run *sarif.Ru license.Severity, MissingCveScore, getLicenseViolationSummary(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey), - getLicenseViolationMarkdown(formattedDirectDependencies), + getLicenseViolationMarkdown(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey, formattedDirectDependencies), license.Components, nil, run, 
@@ -427,8 +427,8 @@ func getLicenseViolationSummary(depName, version, key string) string { return fmt.Sprintf("Dependency %s version %s is using a license (%s) that is not allowed.", depName, version, key) } -func getLicenseViolationMarkdown(formattedDirectDependencies string) string { - return fmt.Sprintf("**The following direct dependencies are utilizing the `%s %s` dependency with a `%s` license violation:**\n%s", formattedDirectDependencies) +func getLicenseViolationMarkdown(depName, version, key, formattedDirectDependencies string) string { + return fmt.Sprintf("**The following direct dependencies are utilizing the `%s %s` dependency with `%s` license violation:**\n%s", depName, version, key, formattedDirectDependencies) } func getDirectDependenciesFormatted(directDependencies []formats.ComponentRow) (string, error) { From 439485fcc421a6c99f15cb569ad35adbb43e5356 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 17 Oct 2023 15:15:52 +0300 Subject: [PATCH 9/9] fix title --- xray/utils/resultwriter.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index e945de0aa..35a8fafd4 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go @@ -259,6 +259,7 @@ func addXrayCveIssueToSarifRun(issue formats.VulnerabilityOrViolationRow, run *s issue.Severity, maxCveScore, issue.Summary, + getXrayIssueSarifHeadline(issue.ImpactedDependencyName, issue.ImpactedDependencyVersion, cveId), markdownDescription, issue.Components, location, 
@@ -279,6 +280,7 @@ func addXrayLicenseViolationToSarifRun(license formats.LicenseRow, run *sarif.Ru license.Severity, MissingCveScore, getLicenseViolationSummary(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey), + getXrayLicenseSarifHeadline(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey), getLicenseViolationMarkdown(license.ImpactedDependencyName, license.ImpactedDependencyVersion, license.LicenseKey, formattedDirectDependencies), license.Components, nil, @@ -287,12 +289,11 @@ func addXrayLicenseViolationToSarifRun(license formats.LicenseRow, run *sarif.Ru return } -func addXrayIssueToSarifRun(issueId, impactedDependencyName, impactedDependencyVersion, severity, severityScore, summary, markdownDescription string, components []formats.ComponentRow, location *sarif.Location, run *sarif.Run) { +func addXrayIssueToSarifRun(issueId, impactedDependencyName, impactedDependencyVersion, severity, severityScore, summary, title, markdownDescription string, components []formats.ComponentRow, location *sarif.Location, run *sarif.Run) { // Add rule if not exists ruleId := getXrayIssueSarifRuleId(impactedDependencyName, impactedDependencyVersion, issueId) if rule, _ := run.GetRuleById(ruleId); rule == nil { - ruleDescription := getXrayIssueSarifHeadline(impactedDependencyName, impactedDependencyVersion, issueId) - addXrayRule(ruleId, ruleDescription, severityScore, summary, markdownDescription, run) + addXrayRule(ruleId, title, severityScore, summary, markdownDescription, run) } // Add result for each component for _, directDependency := range components { 
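Review bot: addXrayIssueToSarifRun now takes twelve positional parameters, eight of them strings, with `summary` and `title` adjacent in the signature; both callers pass them positionally, so swapping the rule description and the help text would compile silently, which is exactly the kind of slip the previous commits in this series were fixing. Grouping the per-issue fields into a small struct makes each call site self-describing and keeps the signature stable when the next field is added. The function body continues past the end of the hunk.
```go
// xraySarifIssue carries the per-issue fields needed to emit a SARIF rule and its results.
type xraySarifIssue struct {
	IssueId                   string
	ImpactedDependencyName    string
	ImpactedDependencyVersion string
	Severity                  string
	SeverityScore             string
	Summary                   string
	Title                     string
	MarkdownDescription       string
	Components                []formats.ComponentRow
	Location                  *sarif.Location
}

func addXrayIssueToSarifRun(issue xraySarifIssue, run *sarif.Run) {
	// Add rule if not exists
	ruleId := getXrayIssueSarifRuleId(issue.ImpactedDependencyName, issue.ImpactedDependencyVersion, issue.IssueId)
	if rule, _ := run.GetRuleById(ruleId); rule == nil {
		addXrayRule(ruleId, issue.Title, issue.SeverityScore, issue.Summary, issue.MarkdownDescription, run)
	}
	// … unchanged: result loop over issue.Components …
```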
@@ -423,6 +424,10 @@ func getXrayIssueSarifHeadline(depName, version, key string) string { return fmt.Sprintf("[%s] %s %s", key, depName, version) } +func getXrayLicenseSarifHeadline(depName, version, key string) string { + return fmt.Sprintf("License violation [%s] %s %s", key, depName, version) +} + func getLicenseViolationSummary(depName, version, key string) string { return fmt.Sprintf("Dependency %s version %s is using a license (%s) that is not allowed.", depName, version, key) }
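Review bot: getXrayLicenseSarifHeadline is added without a test, while its sibling getXrayIssueSarifHeadline has one in resultwriter_test.go; this string is what addXrayRule hands to WithDescription, i.e. the rule title a code-scanning UI shows, so pin it with `assert.Equal(t, "License violation [MIT] loadsh 1.4.1", getXrayLicenseSarifHeadline("loadsh", "1.4.1", "MIT"))`. A one-line doc comment would also help, since the `key` parameter is a license key here but a CVE/issue id in the sibling: `// getXrayLicenseSarifHeadline builds the SARIF rule title for a license violation of depName@version under license key.`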