Combine multiple runs with same Tool name in SARIF format (#384)

Author: attiasas

commands/audit/sca/pnpm/pnpm_test.go

@@ -44,7 +44,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 			name:      "With transitive dependencies",
 			treeDepth: "1",
 			expectedUniqueDeps: []string{
-				"npm://axios:1.8.2",
+				"npm://axios:1.8.3",
 				"npm://balaganjs:1.0.0",
 				"npm://yargs:13.3.0",
 				"npm://zen-website:1.0.0",
@@ -54,7 +54,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 				Nodes: []*xrayUtils.GraphNode{
 					{
 						Id:    "npm://balaganjs:1.0.0",
-						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.8.2"}, {Id: "npm://yargs:13.3.0"}},
+						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.8.3"}, {Id: "npm://yargs:13.3.0"}},
 					},
 				},
 			},

utils/formats/sarifutils/sarifutils.go

@@ -84,7 +84,34 @@ func CombineReports(reports ...*sarif.Report) (combined *sarif.Report, err error
 	}
 	for _, report := range reports {
 		for _, run := range report.Runs {
-			combined.AddRun(run)
+			appendRunInfoToReport(combined, run)
+		}
+	}
+	return
+}
+
+func CombineMultipleRunsWithSameTool(report *sarif.Report) (combined *sarif.Report, err error) {
+	if combined, err = NewReport(); err != nil {
+		return
+	}
+	for _, run := range report.Runs {
+		appendRunInfoToReport(combined, run)
+	}
+	return
+}
+
+func appendRunInfoToReport(combined *sarif.Report, run *sarif.Run) {
+	if existingRun := getRunByToolName(GetRunToolName(run), combined); existingRun != nil {
+		AggregateMultipleRunsIntoSingle([]*sarif.Run{run}, existingRun)
+	} else {
+		combined.AddRun(run)
+	}
+}
+
+func getRunByToolName(toolName string, report *sarif.Report) (run *sarif.Run) {
+	for _, r := range report.Runs {
+		if GetRunToolName(r) == toolName {
+			return r
 		}
 	}
 	return

utils/formats/sarifutils/test_sarifutils.go

@@ -84,7 +84,8 @@ func CreateDummyRule(impactPaths [][]formats.ComponentRow, ruleId, ruleDescripti
 	var ruleProperties = sarif.NewPropertyBag()
 	ruleProperties.Add(severityutils.SarifSeverityRuleProperty, maxCveScore)
 	ruleProperties.Add(SarifImpactPathsRulePropertyKey, impactPaths)
-	return sarif.NewRule(ruleId).WithProperties(ruleProperties.Properties).WithDescription(ruleDescription).WithHelp(sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription))
+	description := sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription)
+	return sarif.NewRule(ruleId).WithName(ruleId).WithProperties(ruleProperties.Properties).WithDescription(ruleDescription).WithHelp(description).WithFullDescription(description)
 
 }
 

utils/results/common.go

@@ -570,6 +570,11 @@ func GetScaIssueId(depName, version, issueId string) string {
 	return fmt.Sprintf("%s_%s_%s", issueId, depName, version)
 }
 
+// replaces underscore with dash
+func IdToName(input string) string {
+	return strings.Join(strings.Split(input, "_"), "-")
+}
+
 // GetUniqueKey returns a unique string key of format "vulnerableDependency:vulnerableVersion:xrayID:fixVersionExist"
 func GetUniqueKey(vulnerableDependency, vulnerableVersion, xrayID string, fixVersionExist bool) string {
 	return strings.Join([]string{vulnerableDependency, vulnerableVersion, xrayID, strconv.FormatBool(fixVersionExist)}, ":")

utils/results/conversion/sarifparser/sarifparser.go

@@ -106,7 +106,7 @@ func (sc *CmdResultsSarifConverter) Get() (*sarif.Report, error) {
 	if err := sc.ParseNewTargetResults(results.ScanTarget{}, nil); err != nil {
 		return sarifutils.NewReport()
 	}
-	return sc.current, nil
+	return sarifutils.CombineMultipleRunsWithSameTool(sc.current)
 }
 
 func (sc *CmdResultsSarifConverter) Reset(cmdType utils.CommandType, _, xrayVersion string, entitledForJas, _ bool, _ error) (err error) {
@@ -490,7 +490,9 @@ func getScaIssueSarifRule(impactPaths [][]formats.ComponentRow, ruleId, ruleDesc
 		cveRuleProperties.Add(sarifutils.SarifImpactPathsRulePropertyKey, impactPaths)
 	}
 	return sarif.NewRule(ruleId).
+		WithName(results.IdToName(ruleId)).
 		WithDescription(ruleDescription).
+		WithFullDescription(sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription)).
 		WithHelp(sarif.NewMultiformatMessageString(summary).WithMarkdown(markdownDescription)).
 		WithProperties(cveRuleProperties.Properties)
 }