From 78cd067cb9c3430de1b4c766b6230e5db8b6c9ac Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 21 Mar 2022 15:35:20 -0400 Subject: [PATCH] Correct issue with SARIF dir scan relative paths (#682) --- grype/presenter/sarif/presenter.go | 43 ++++--- grype/presenter/sarif/presenter_test.go | 114 ++++++++++++++++-- .../snapshot/TestSarifPresenterDir.golden | 16 +-- 3 files changed, 137 insertions(+), 36 deletions(-) diff --git a/grype/presenter/sarif/presenter.go b/grype/presenter/sarif/presenter.go index ec748d8c908..a85b7f417a9 100644 --- a/grype/presenter/sarif/presenter.go +++ b/grype/presenter/sarif/presenter.go @@ -151,34 +151,44 @@ func (pres *Presenter) helpText(m match.Match, link string) *sarif.MultiformatMe // packagePath attempts to get the relative path of the package to the "scan root" func (pres *Presenter) packagePath(p pkg.Package) string { + if len(p.Locations) > 0 { + return locationPath(p.Locations[0]) + } + return pres.inputPath() +} + +// inputPath returns a friendlier relative path or absolute path depending on the input, not prefixed by . or ./ +func (pres *Presenter) inputPath() string { + if pres.srcMetadata == nil { + return "" + } inputPath := strings.TrimPrefix(pres.srcMetadata.Path, "./") if inputPath == "." { - inputPath = "" - } - if len(p.Locations) > 0 { - location := p.Locations[0] - packagePath := location.RealPath - if location.VirtualPath != "" { - packagePath = location.VirtualPath - } - if pres.srcMetadata.Scheme == source.DirectoryScheme { - packagePath = fmt.Sprintf("%s/%s", inputPath, packagePath) - } - return packagePath + return "" } return inputPath } +// locationPath returns a path for the location +func locationPath(l source.Location) string { + path := l.RealPath + if l.VirtualPath != "" { + path = l.VirtualPath + } + return strings.TrimPrefix(path, "./") +} + // locations the locations array is a single "physical" location with potentially multiple logical locations func (pres *Presenter) locations(m match.Match) []*sarif.Location { - var logicalLocations []*sarif.LogicalLocation physicalLocation := pres.packagePath(m.Package) - trimmedPath := strings.TrimPrefix(physicalLocation, "/") + + var logicalLocations []*sarif.LogicalLocation switch pres.srcMetadata.Scheme { case source.ImageScheme: img := pres.srcMetadata.ImageMetadata.UserInput for _, l := range m.Package.Locations { + trimmedPath := strings.TrimPrefix(locationPath(l), "/") logicalLocations = append(logicalLocations, &sarif.LogicalLocation{ FullyQualifiedName: sp(fmt.Sprintf("%s@%s:/%s", img, l.FileSystemID, trimmedPath)), Name: sp(l.RealPath), @@ -193,10 +203,13 @@ func (pres *Presenter) locations(m match.Match) []*sarif.Location { case source.FileScheme: for _, l := range m.Package.Locations { logicalLocations = append(logicalLocations, &sarif.LogicalLocation{ - FullyQualifiedName: sp(fmt.Sprintf("%s:/%s", pres.srcMetadata.Path, trimmedPath)), + FullyQualifiedName: sp(fmt.Sprintf("%s:/%s", pres.srcMetadata.Path, locationPath(l))), Name: sp(l.RealPath), }) } + case source.DirectoryScheme: + // Get a friendly relative location as well as possible + physicalLocation = strings.TrimPrefix(physicalLocation, pres.inputPath()) } return []*sarif.Location{ diff --git a/grype/presenter/sarif/presenter_test.go b/grype/presenter/sarif/presenter_test.go index a85edb8258d..c839319ae02 100644 --- a/grype/presenter/sarif/presenter_test.go +++ b/grype/presenter/sarif/presenter_test.go @@ -7,7 +7,6 @@ import ( "regexp" "testing" - "github.com/sergi/go-diff/diffmatchpatch" "github.com/stretchr/testify/assert" "github.com/anchore/go-testutils" @@ -132,6 +131,103 @@ func createDirPresenter(t *testing.T) *Presenter { return pres } +func Test_locations(t *testing.T) { + pres := createDirPresenter(t) + + // Check . + + pres.srcMetadata = &source.Metadata{ + Scheme: source.DirectoryScheme, + Path: ".", + } + assert.Equal(t, "", pres.inputPath()) + + path := pres.packagePath(pkg.Package{ + Locations: []source.Location{ + { + Coordinates: source.Coordinates{ + RealPath: "/bin/exe", + }, + VirtualPath: "./exe", + }, + }, + }) + + assert.Equal(t, "exe", path) + + path = pres.packagePath(pkg.Package{ + Locations: []source.Location{ + { + Coordinates: source.Coordinates{ + RealPath: "/bin/exe", + }, + }, + }, + }) + + assert.Equal(t, "/bin/exe", path) + + // check ./ + + pres.srcMetadata = &source.Metadata{ + Scheme: source.DirectoryScheme, + Path: "./", + } + assert.Equal(t, "", pres.inputPath()) + + path = pres.packagePath(pkg.Package{ + Locations: []source.Location{ + { + Coordinates: source.Coordinates{ + RealPath: "/bin/exe", + }, + }, + }, + }) + + assert.Equal(t, "/bin/exe", path) + + path = pres.packagePath(pkg.Package{ + Locations: []source.Location{ + { + Coordinates: source.Coordinates{ + RealPath: "/bin/exe", + }, + VirtualPath: "exe", + }, + }, + }) + + assert.Equal(t, "exe", path) + + // Check relative path + + pres.srcMetadata = &source.Metadata{ + Scheme: source.DirectoryScheme, + Path: "./file", + } + assert.Equal(t, "file", pres.inputPath()) + + // Check absolute path: + + pres.srcMetadata = &source.Metadata{ + Scheme: source.DirectoryScheme, + Path: "/usr", + } + assert.Equal(t, "/usr", pres.inputPath()) + + path = pres.packagePath(pkg.Package{ + Locations: []source.Location{ + { + VirtualPath: "/usr/bin/exe", + }, + }, + }) + + assert.Equal(t, "/usr/bin/exe", path) + +} + func Test_imageToSarifReport(t *testing.T) { pres := createImagePresenter(t) s, err := pres.toSarifReport() @@ -179,13 +275,13 @@ func Test_dirToSarifReport(t *testing.T) { assert.Equal(t, "CVE-1999-0001-package-1", *result.RuleID) assert.Len(t, result.Locations, 1) location := result.Locations[0] - assert.Equal(t, "/some/path/etc/pkg-1", *location.PhysicalLocation.ArtifactLocation.URI) + assert.Equal(t, "etc/pkg-1", *location.PhysicalLocation.ArtifactLocation.URI) result = run.Results[1] assert.Equal(t, "CVE-1999-0002-package-2", *result.RuleID) assert.Len(t, result.Locations, 1) location = result.Locations[0] - assert.Equal(t, "/some/path/pkg-2", *location.PhysicalLocation.ArtifactLocation.URI) + assert.Equal(t, "pkg-2", *location.PhysicalLocation.ArtifactLocation.URI) } func TestSarifPresenterImage(t *testing.T) { @@ -210,11 +306,7 @@ func TestSarifPresenterImage(t *testing.T) { actual = redact(actual) expected = redact(expected) - if !bytes.Equal(expected, actual) { - dmp := diffmatchpatch.New() - diffs := dmp.DiffMain(string(expected), string(actual), true) - t.Errorf("mismatched output:\n%s", dmp.DiffPrettyText(diffs)) - } + assert.JSONEq(t, string(expected), string(actual)) } func TestSarifPresenterDir(t *testing.T) { @@ -238,11 +330,7 @@ func TestSarifPresenterDir(t *testing.T) { actual = redact(actual) expected = redact(expected) - if !bytes.Equal(expected, actual) { - dmp := diffmatchpatch.New() - diffs := dmp.DiffMain(string(expected), string(actual), true) - t.Errorf("mismatched output:\n%s", dmp.DiffPrettyText(diffs)) - } + assert.JSONEq(t, string(expected), string(actual)) } func redact(s []byte) []byte { diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenterDir.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenterDir.golden index 2bab6b8eaa9..d8881f66d2c 100644 --- a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenterDir.golden +++ b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenterDir.golden @@ -20,8 +20,8 @@ }, "helpUri": "https://github.com/anchore/grype", "help": { - "text": "Vulnerability CVE-1999-0001\nSeverity: low\nPackage: package-1\nVersion: 1.0.1\nFix Version: \nType: deb\nLocation: /some/path/etc/pkg-1\nData Namespace: source-1\nLink: CVE-1999-0001", - "markdown": "**Vulnerability CVE-1999-0001**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | package-1 | 1.0.1 | | deb | /some/path/etc/pkg-1 | source-1 | CVE-1999-0001 |\n" + "text": "Vulnerability CVE-1999-0001\nSeverity: low\nPackage: package-1\nVersion: 1.0.1\nFix Version: \nType: deb\nLocation: etc/pkg-1\nData Namespace: source-1\nLink: CVE-1999-0001", + "markdown": "**Vulnerability CVE-1999-0001**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | package-1 | 1.0.1 | | deb | etc/pkg-1 | source-1 | CVE-1999-0001 |\n" }, "properties": { "security-severity": "4.000000" @@ -38,8 +38,8 @@ }, "helpUri": "https://github.com/anchore/grype", "help": { - "text": "Vulnerability CVE-1999-0002\nSeverity: critical\nPackage: package-2\nVersion: 2.0.1\nFix Version: \nType: deb\nLocation: /some/path/pkg-2\nData Namespace: source-2\nLink: CVE-1999-0002", - "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | package-2 | 2.0.1 | | deb | /some/path/pkg-2 | source-2 | CVE-1999-0002 |\n" + "text": "Vulnerability CVE-1999-0002\nSeverity: critical\nPackage: package-2\nVersion: 2.0.1\nFix Version: \nType: deb\nLocation: pkg-2\nData Namespace: source-2\nLink: CVE-1999-0002", + "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | package-2 | 2.0.1 | | deb | pkg-2 | source-2 | CVE-1999-0002 |\n" }, "properties": { "security-severity": "1.000000" @@ -52,13 +52,13 @@ { "ruleId": "CVE-1999-0001-package-1", "message": { - "text": "The path /some/path/etc/pkg-1 reports package-1 at version 1.0.1 which would result in a vulnerable (deb) package installed" + "text": "The path etc/pkg-1 reports package-1 at version 1.0.1 which would result in a vulnerable (deb) package installed" }, "locations": [ { "physicalLocation": { "artifactLocation": { - "uri": "/some/path/etc/pkg-1" + "uri": "etc/pkg-1" }, "region": { "startLine": 1, @@ -73,13 +73,13 @@ { "ruleId": "CVE-1999-0002-package-2", "message": { - "text": "The path /some/path/pkg-2 reports package-2 at version 2.0.1 which would result in a vulnerable (deb) package installed" + "text": "The path pkg-2 reports package-2 at version 2.0.1 which would result in a vulnerable (deb) package installed" }, "locations": [ { "physicalLocation": { "artifactLocation": { - "uri": "/some/path/pkg-2" + "uri": "pkg-2" }, "region": { "startLine": 1,