From c38af872123c96e5ad9f9b58a6ab0299d0e044fa Mon Sep 17 00:00:00 2001
From: Shaopeng <81775155+shaopeng-gh@users.noreply.github.com>
Date: Tue, 20 Apr 2021 16:02:20 -0700
Subject: [PATCH] Add Cwe relationship to FlawFinder sarif (#2332)

* Add Cwe relationship to FlawFinder sarif

* Fix the test cases
---
 src/Sarif.Converters/FlawFinderConverter.cs | 32 +++++++++-
 .../ExpectedOutputs/NoResults.sarif | 22 ++++++-
 .../ExpectedOutputs/ValidResults.sarif | 64 +++++++++++++++++--
 3 files changed, 110 insertions(+), 8 deletions(-)

diff --git a/src/Sarif.Converters/FlawFinderConverter.cs b/src/Sarif.Converters/FlawFinderConverter.cs
index ba69dbf16..bd2ad9f85 100644
--- a/src/Sarif.Converters/FlawFinderConverter.cs
+++ b/src/Sarif.Converters/FlawFinderConverter.cs
@@ -48,9 +48,23 @@ public override void Convert(Stream input, IResultLogWriter output, OptionallyEm
 Version = flawFinderCsvResults?.FirstOrDefault()?.ToolVersion,
 InformationUri = new Uri(ToolInformationUri),
 Rules = rules,
+ SupportedTaxonomies = new List() { new ToolComponentReference() { Name = "CWE", Guid = "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5" } }
+ }
+ },
+ ExternalPropertyFileReferences = new ExternalPropertyFileReferences()
+ {
+ Taxonomies = new List()
+ {
+ new ExternalPropertyFileReference()
+ {
+ Location = new ArtifactLocation()
+ {
+ Uri = new Uri("https://raw.githubusercontent.com/sarif-standard/taxonomies/main/CWE_v4.4.sarif"),
+ },
+ Guid = "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
 }
 },
- Results = results,
 };
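Review bot: The taxonomy GUID `FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5` is spelled out as a literal twice in this hunk (once under SupportedTaxonomies, once on the ExternalPropertyFileReference) and a third time in the Relationships hunk at @@ -106; a single `private const string CweTaxonomyGuid = "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5";` next to ToolInformationUri is what keeps the driver's supportedTaxonomies, the external file reference and every rule relationship pointing at the same component when the value is ever changed. The same goes for the taxonomy URL: it names CWE v4.4 but on the `main` branch of the taxonomies repo rather than an immutable ref, so consumers that dereference it may see the content drift; a named constant at least makes the pinned version visible in one place. The hunk also removes `Results = results,` from the run, which is unrelated to the CWE change; unless Convert writes `results` to `output` further down (outside this hunk), that drops the results from the log, so it is worth confirming. Convert's body begins and continues outside the hunk.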
@@ -106,6 +120,22 @@ private static ReportingDescriptor SarifRuleFromFlawFinderCsvResult(FlawFinderCs
 Level = SarifLevelFromFlawFinderLevel(flawFinderCsvResult.DefaultLevel),
 },
 HelpUri = new Uri(flawFinderCsvResult.HelpUri),
+ Relationships = new List(
+ flawFinderCsvResult.CWEs.Split(new char[] { ',', '/' }, StringSplitOptions.RemoveEmptyEntries)
+ .Select(p => p.Trim()).Where(p => !string.IsNullOrWhiteSpace(p)).ToList().OrderBy(o => int.Parse(o.Replace("CWE-", "").Replace("!", "")))
+ .Select(s => new ReportingDescriptorRelationship()
+ {
+ Target = new ReportingDescriptorReference()
+ {
+ Id = s.Replace("!", ""),
+ ToolComponent = new ToolComponentReference()
+ {
+ Name = "CWE",
+ Guid = "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ },
+ Kinds = new List() { s.EndsWith("!") ? "incomparable" : "relevant" },
+ }))
 };
 private static Result SarifResultFromFlawFinderCsvResult(FlawFinderCsvResult flawFinderCsvResult)
diff --git a/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/NoResults.sarif b/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/NoResults.sarif
index c42ee3793..42d5eec66 100644
--- a/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/NoResults.sarif
+++ b/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/NoResults.sarif
@@ -1,4 +1,4 @@
-{
+{
 "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
 "version": "2.1.0",
 "runs": [
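Review bot: The Relationships expression throws on any input it did not anticipate: `flawFinderCsvResult.CWEs.Split(...)` dereferences CWEs without a null check, and the OrderBy key `int.Parse(o.Replace("CWE-", "").Replace("!", ""))` raises FormatException for any token that is not exactly `CWE-<digits>` or `CWE-<digits>!`, so one odd cell in the CSV aborts the whole conversion instead of affecting one rule. `s.EndsWith("!")` is also the culture-sensitive overload and `int.Parse` uses the current culture; both should use `StringComparison.Ordinal` / `CultureInfo.InvariantCulture`, and the `.ToList()` before `OrderBy` is a needless materialization. I would move the parsing into a helper that validates each token with `int.TryParse` and skips (or records, whichever the converter's convention for malformed input is) the ones that do not parse, as below; the helper needs `using System.Globalization;`. SarifRuleFromFlawFinderCsvResult starts outside the hunk.
```csharp
HelpUri = new Uri(flawFinderCsvResult.HelpUri),
Relationships = CweRelationshipsFromFlawFinderCwes(flawFinderCsvResult.CWEs)
// … unchanged: closing of the ReportingDescriptor initializer …

// Parses Flawfinder's CWE column (e.g. "CWE-120, CWE-119!/CWE-120") into
// relationships ordered by CWE number; a trailing '!' marks the relationship
// as "incomparable", anything else is "relevant". Tokens that are not of the
// form CWE-<number> are skipped instead of aborting the conversion.
private static List<ReportingDescriptorRelationship> CweRelationshipsFromFlawFinderCwes(string cwes)
{
    var parsed = new List<KeyValuePair<int, string>>();
    foreach (string raw in (cwes ?? string.Empty).Split(new[] { ',', '/' }, StringSplitOptions.RemoveEmptyEntries))
    {
        string token = raw.Trim();
        string id = token.TrimEnd('!');
        if (id.StartsWith("CWE-", StringComparison.Ordinal) &&
            int.TryParse(id.Substring(4), NumberStyles.None, CultureInfo.InvariantCulture, out int number))
        {
            parsed.Add(new KeyValuePair<int, string>(number, token));
        }
    }

    return parsed
        .OrderBy(kv => kv.Key)
        .Select(kv => new ReportingDescriptorRelationship
        {
            Target = new ReportingDescriptorReference
            {
                Id = kv.Value.TrimEnd('!'),
                ToolComponent = new ToolComponentReference
                {
                    Name = "CWE",
                    Guid = "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
                }
            },
            Kinds = new List<string> { kv.Value.EndsWith("!", StringComparison.Ordinal) ? "incomparable" : "relevant" },
        })
        .ToList();
}
```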
@@ -7,10 +7,26 @@
 "tool": {
 "driver": {
 "name": "Flawfinder",
- "informationUri": "https://dwheeler.com/flawfinder/"
+ "informationUri": "https://dwheeler.com/flawfinder/",
+ "supportedTaxonomies": [
+ {
+ "name": "CWE",
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ ]
 }
 },
- "columnKind": "utf16CodeUnits"
+ "columnKind": "utf16CodeUnits",
+ "externalPropertyFileReferences": {
+ "taxonomies": [
+ {
+ "location": {
+ "uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/CWE_v4.4.sarif"
+ },
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ ]
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/ValidResults.sarif b/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/ValidResults.sarif
index 7ac9eaac4..19156899b 100644
--- a/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/ValidResults.sarif
+++ b/src/Test.UnitTests.Sarif.Converters/TestData/FlawFinder/ExpectedOutputs/ValidResults.sarif
@@ -1,4 +1,4 @@
-{
+{
 "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
 "version": "2.1.0",
 "runs": [
@@ -107,7 +107,21 @@
 "defaultConfiguration": {
 "level": "error"
 },
- "helpUri": "https://dwheeler.com/flawfinder#FF1001"
+ "helpUri": "https://dwheeler.com/flawfinder#FF1001",
+ "relationships": [
+ {
+ "target": {
+ "id": "CWE-120",
+ "toolComponent": {
+ "name": "CWE",
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ },
+ "kinds": [
+ "relevant"
+ ]
+ }
+ ]
 },
 {
 "id": "FF1002",
@@ -118,12 +132,54 @@
 "defaultConfiguration": {
 "level": "note"
 },
- "helpUri": "https://dwheeler.com/flawfinder#FF1002"
+ "helpUri": "https://dwheeler.com/flawfinder#FF1002",
+ "relationships": [
+ {
+ "target": {
+ "id": "CWE-119",
+ "toolComponent": {
+ "name": "CWE",
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ },
+ "kinds": [
+ "incomparable"
+ ]
+ },
+ {
+ "target": {
+ "id": "CWE-120",
+ "toolComponent": {
+ "name": "CWE",
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ },
+ "kinds": [
+ "relevant"
+ ]
+ }
+ ]
+ }
+ ],
+ "supportedTaxonomies": [
+ {
+ "name": "CWE",
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
 }
 ]
 }
 },
- "columnKind": "utf16CodeUnits"
+ "columnKind": "utf16CodeUnits",
+ "externalPropertyFileReferences": {
+ "taxonomies": [
+ {
+ "location": {
+ "uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/CWE_v4.4.sarif"
+ },
+ "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
+ }
+ ]
+ }
 }
 ]
 }
\ No newline at end of file