feat(report): add secrets to sarif format (#2820)

Co-authored-by: AMF <work@afdesk.com>
aquasecurity · Sep 12, 2022 · acb65d5 · acb65d5
1 parent a18cd7c
commit acb65d5
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 0 deletions.
diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
@@ -18,6 +18,7 @@ const (
 	sarifOsPackageVulnerability        = "OsPackageVulnerability"
 	sarifLanguageSpecificVulnerability = "LanguageSpecificPackageVulnerability"
 	sarifConfigFiles                   = "Misconfiguration"
+	sarifSecretFiles                   = "Secret"
 	sarifUnknownIssue                  = "UnknownIssue"
 
 	sarifError   = "error"
@@ -26,6 +27,8 @@ const (
 	sarifNone    = "none"
 
 	columnKind = "utf16CodeUnits"
+
+	builtinRulesUrl = "https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go" // list all secrets
 )
 
 var (
@@ -176,6 +179,27 @@ func (sw SarifWriter) Write(report types.Report) error {
 					res.Target, res.Type, misconf.ID, misconf.Severity, misconf.Message, misconf.ID, misconf.PrimaryURL),
 			})
 		}
+		for _, secret := range res.Secrets {
+			sw.addSarifResult(&sarifData{
+				title:            "secret",
+				vulnerabilityId:  secret.RuleID,
+				severity:         secret.Severity,
+				cvssScore:        severityToScore(secret.Severity),
+				url:              builtinRulesUrl,
+				resourceClass:    string(res.Class),
+				artifactLocation: target,
+				startLine:        secret.StartLine,
+				endLine:          secret.EndLine,
+				resultIndex:      getRuleIndex(secret.RuleID, ruleIndexes),
+				fullDescription:  html.EscapeString(secret.Match),
+				helpText: fmt.Sprintf("Secret %v\nSeverity: %v\nMatch: %s",
+					secret.Title, secret.Severity, secret.Match),
+				helpMarkdown: fmt.Sprintf("**Secret %v**\n| Severity | Match |\n| --- | --- |\n|%v|%v|",
+					secret.Title, secret.Severity, secret.Match),
+				message: fmt.Sprintf("Artifact: %v\nType: %v\nSecret %v\nSeverity: %v\nMatch: %v",
+					res.Target, res.Type, secret.Title, secret.Severity, secret.Match),
+			})
+		}
 	}
 	sw.run.ColumnKind = columnKind
 	sw.run.OriginalUriBaseIDs = map[string]*sarif.ArtifactLocation{
@@ -193,6 +217,8 @@ func toSarifRuleName(class string) string {
 		return sarifLanguageSpecificVulnerability
 	case types.ClassConfig:
 		return sarifConfigFiles
+	case types.ClassSecret:
+		return sarifSecretFiles
 	default:
 		return sarifUnknownIssue
 	}

diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go
@@ -10,6 +10,7 @@ import (
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/report"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
@@ -235,6 +236,75 @@ func TestReportWriter_Sarif(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "report with secrets",
+			input: types.Results{
+				{
+					Target: "library/test",
+					Class:  types.ClassSecret,
+					Secrets: []ftypes.SecretFinding{
+						{
+							RuleID:    "aws-secret-access-key",
+							Category:  "AWS",
+							Severity:  "CRITICAL",
+							Title:     "AWS Secret Access Key",
+							StartLine: 1,
+							EndLine:   1,
+							Match:     "'AWS_secret_KEY'=\"****************************************\"",
+						},
+					},
+				},
+			},
+			wantResults: []*sarif.Result{
+				{
+					RuleID:    toPtr("aws-secret-access-key"),
+					RuleIndex: toPtr[uint](0),
+					Level:     toPtr("error"),
+					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")},
+					Locations: []*sarif.Location{
+						{
+							PhysicalLocation: &sarif.PhysicalLocation{
+								ArtifactLocation: &sarif.ArtifactLocation{
+									URI:       toPtr("library/test"),
+									URIBaseId: toPtr("ROOTPATH"),
+								},
+								Region: &sarif.Region{
+									StartLine:   toPtr(1),
+									EndLine:     toPtr(1),
+									StartColumn: toPtr(1),
+									EndColumn:   toPtr(1),
+								},
+							},
+						},
+					},
+				},
+			},
+			wantRules: []*sarif.ReportingDescriptor{
+				{
+					ID:               "aws-secret-access-key",
+					Name:             toPtr("Secret"),
+					ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("aws-secret-access-key")},
+					FullDescription:  &sarif.MultiformatMessageString{Text: toPtr("\u0026#39;AWS_secret_KEY\u0026#39;=\u0026#34;****************************************\u0026#34;")},
+					DefaultConfiguration: &sarif.ReportingConfiguration{
+						Level: "error",
+					},
+					HelpURI: toPtr("https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go"),
+					Properties: map[string]interface{}{
+						"tags": []interface{}{
+							"secret",
+							"security",
+							"CRITICAL",
+						},
+						"precision":         "very-high",
+						"security-severity": "9.5",
+					},
+					Help: &sarif.MultiformatMessageString{
+						Text:     toPtr("Secret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\""),
+						Markdown: toPtr("**Secret AWS Secret Access Key**\n| Severity | Match |\n| --- | --- |\n|CRITICAL|'AWS_secret_KEY'=\"****************************************\"|"),
+					},
+				},
+			},
+		},
 		{
 			name:        "no vulns",
 			wantResults: []*sarif.Result{},