Add impactPaths field to rule properties in Sarif output for SCA scan

Author: kerenr-jfrog

utils/formats/sarifutils/sarifutils.go

@@ -11,10 +11,11 @@ import (
 )
 
 const (
-	WatchSarifPropertyKey      = "watch"
-	PoliciesSarifPropertyKey   = "policies"
-	JasIssueIdSarifPropertyKey = "issueId"
-	CWEPropertyKey             = "CWE"
+	WatchSarifPropertyKey           = "watch"
+	PoliciesSarifPropertyKey        = "policies"
+	JasIssueIdSarifPropertyKey      = "issueId"
+	CWEPropertyKey                  = "CWE"
+	SarifImpactPathsRulePropertyKey = "impactPaths"
 )
 
 // Specific JFrog Sarif Utils

utils/formats/sarifutils/test_sarifutils.go

@@ -1,6 +1,8 @@
 package sarifutils
 
 import (
+	"github.com/jfrog/jfrog-cli-security/utils/formats"
+	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
@@ -78,6 +80,14 @@ func CreateRunWithDummyResultAndRuleProperties(result *sarif.Result, properties,
 	return run
 }
 
+func CreateDummyRule(impactPaths [][]formats.ComponentRow, ruleId, ruleDescription, summary, markdownDescription, maxCveScore string) *sarif.ReportingDescriptor {
+	var ruleProperties = sarif.NewPropertyBag()
+	ruleProperties.Add(severityutils.SarifSeverityRuleProperty, maxCveScore)
+	ruleProperties.Add(SarifImpactPathsRulePropertyKey, impactPaths)
+	return sarif.NewRule(ruleId).WithProperties(ruleProperties.Properties).WithDescription(ruleDescription).WithHelp(sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription))
+
+}
+
 func CreateDummyResultInPath(fileName string) *sarif.Result {
 	return CreateResultWithOneLocation(fileName, 0, 0, 0, 0, "snippet", "rule", "level")
 }

utils/results/conversion/sarifparser/sarifparser.go

@@ -85,6 +85,7 @@ type scaParseParams struct {
 	FixedVersions           []string
 	DirectComponents        []formats.ComponentRow
 	Violation               *violationContext
+	ImpactPaths             [][]formats.ComponentRow
 }
 
 // holds the violation context for the results
@@ -343,6 +344,7 @@ func addSarifScaVulnerability(cmdType utils.CommandType, sarifResults *[]*sarif.
 			ImpactedPackagesVersion: impactedPackagesVersion,
 			FixedVersions:           fixedVersions,
 			DirectComponents:        directComponents,
+			ImpactPaths:             impactPaths,
 		})
 		cveImpactedComponentRuleId := results.GetScaIssueId(impactedPackagesName, impactedPackagesVersion, results.GetIssueIdentifier(cves, vulnerability.IssueId, "_"))
 		if _, ok := (*rules)[cveImpactedComponentRuleId]; !ok {
@@ -379,6 +381,7 @@ func addSarifScaSecurityViolation(cmdType utils.CommandType, sarifResults *[]*sa
 			ImpactedPackagesVersion: impactedPackagesVersion,
 			FixedVersions:           fixedVersions,
 			DirectComponents:        directComponents,
+			ImpactPaths:             impactPaths,
 			Violation: &violationContext{
 				Watch:    violation.WatchName,
 				Policies: results.ConvertPolicesToString(violation.Policies),
@@ -419,6 +422,7 @@ func addSarifScaLicenseViolation(cmdType utils.CommandType, sarifResults *[]*sar
 			ImpactedPackagesVersion: impactedPackagesVersion,
 			FixedVersions:           fixedVersions,
 			DirectComponents:        directComponents,
+			ImpactPaths:             impactPaths,
 			Violation: &violationContext{
 				Watch:    violation.WatchName,
 				Policies: results.ConvertPolicesToString(violation.Policies),
@@ -441,6 +445,7 @@ func parseScaToSarifFormat(params scaParseParams) (sarifResults []*sarif.Result,
 	level := severityutils.SeverityToSarifSeverityLevel(params.Severity)
 	// Add rule for the cve if not exists
 	rule = getScaIssueSarifRule(
+		params.ImpactPaths,
 		cveImpactedComponentRuleId,
 		params.GenerateTitleFunc(params.ImpactedPackagesName, params.ImpactedPackagesVersion, issueId, params.Watch),
 		params.CveScore,
@@ -478,9 +483,12 @@ func parseScaToSarifFormat(params scaParseParams) (sarifResults []*sarif.Result,
 	return
 }
 
-func getScaIssueSarifRule(ruleId, ruleDescription, maxCveScore, summary, markdownDescription string) *sarif.ReportingDescriptor {
+func getScaIssueSarifRule(impactPaths [][]formats.ComponentRow, ruleId, ruleDescription, maxCveScore, summary, markdownDescription string) *sarif.ReportingDescriptor {
 	cveRuleProperties := sarif.NewPropertyBag()
 	cveRuleProperties.Add(severityutils.SarifSeverityRuleProperty, maxCveScore)
+	if len(impactPaths) > 0 {
+		cveRuleProperties.Add(sarifutils.SarifImpactPathsRulePropertyKey, impactPaths)
+	}
 	return sarif.NewRule(ruleId).
 		WithDescription(ruleDescription).
 		WithHelp(sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription)).

utils/results/conversion/sarifparser/sarifparser_test.go

@@ -192,6 +192,107 @@ func TestGetDirectDependenciesFormatted(t *testing.T) {
 	}
 }
 
+func TestGetScaIssueSarifRule(t *testing.T) {
+	impactPathsTC1 := [][]formats.ComponentRow{
+		{
+			{
+				Name:    "example-package",
+				Version: "1.0.0",
+			},
+			{
+				Name:    "dependency1",
+				Version: "1.0.0",
+			},
+		},
+	}
+	impactPathsTC2 := [][]formats.ComponentRow{
+		{
+			{
+				Name:    "example-package",
+				Version: "2.0.0",
+			},
+			{
+				Name:    "dependency1",
+				Version: "1.0.0",
+			},
+			{
+				Name:    "dependency2",
+				Version: "2.0.0",
+			},
+		},
+	}
+	impactPathsTC3 := [][]formats.ComponentRow{
+		{
+			{
+				Name:    "example-package-1",
+				Version: "1.0.0",
+			},
+			{
+				Name:    "dependency1",
+				Version: "1.0.0",
+			},
+		},
+		{
+			{
+				Name:    "example-package-2",
+				Version: "2.0.0",
+			},
+			{
+				Name:    "dependency2",
+				Version: "2.0.0",
+			},
+		},
+	}
+	testCases := []struct {
+		name                string
+		impactPaths         [][]formats.ComponentRow
+		ruleId              string
+		ruleDescription     string
+		maxCveScore         string
+		summary             string
+		markdownDescription string
+		expectedRule        *sarif.ReportingDescriptor
+	}{
+		{
+			name:                "rule with impact paths",
+			impactPaths:         impactPathsTC1,
+			ruleId:              "rule-id-tc1",
+			ruleDescription:     "rule-description-tc1",
+			maxCveScore:         "7.5",
+			summary:             "summary-tc1",
+			markdownDescription: "markdown-description-tc1",
+			expectedRule:        sarifutils.CreateDummyRule(impactPathsTC1, "rule-id-tc1", "rule-description-tc1", "summary-tc1", "markdown-description-tc1", "7.5"),
+		},
+		{
+			name:                "rule with impact paths with multiple dependencies",
+			impactPaths:         impactPathsTC2,
+			ruleId:              "rule-id-tc2",
+			ruleDescription:     "rule-description-tc2",
+			maxCveScore:         "8.0",
+			summary:             "summary-tc2",
+			markdownDescription: "markdown-description-tc2",
+			expectedRule:        sarifutils.CreateDummyRule(impactPathsTC2, "rule-id-tc2", "rule-description-tc2", "summary-tc2", "markdown-description-tc2", "8.0"),
+		},
+		{
+			name:                "rule with multiple impact paths",
+			impactPaths:         impactPathsTC3,
+			ruleId:              "rule-id-tc3",
+			ruleDescription:     "rule-description-tc3",
+			maxCveScore:         "9.0",
+			summary:             "summary-tc3",
+			markdownDescription: "markdown-description-tc3",
+			expectedRule:        sarifutils.CreateDummyRule(impactPathsTC3, "rule-id-tc3", "rule-description-tc3", "summary-tc3", "markdown-description-tc3", "9.0"),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			output := getScaIssueSarifRule(tc.impactPaths, tc.ruleId, tc.ruleDescription, tc.maxCveScore, tc.summary, tc.markdownDescription)
+			assert.Equal(t, tc.expectedRule, output)
+		})
+	}
+}
+
 func TestGetScaLicenseViolationMarkdown(t *testing.T) {
 	testCases := []struct {
 		name               string