From df4f2fd37dd7330f39b5878ce2b965cbbc44779a Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 2 Sep 2022 13:52:31 +0600 Subject: [PATCH 1/2] add secret to sarif report --- pkg/report/sarif.go | 26 +++++++++++++++ pkg/report/sarif_test.go | 70 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go index f4525790da7..3e97d2c12f4 100644 --- a/pkg/report/sarif.go +++ b/pkg/report/sarif.go @@ -18,6 +18,7 @@ const ( sarifOsPackageVulnerability = "OsPackageVulnerability" sarifLanguageSpecificVulnerability = "LanguageSpecificPackageVulnerability" sarifConfigFiles = "Misconfiguration" + sarifSecretFiles = "Secret" sarifUnknownIssue = "UnknownIssue" sarifError = "error" @@ -26,6 +27,8 @@ const ( sarifNone = "none" columnKind = "utf16CodeUnits" + + secretBuiltinRulesUrl = "https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go" ) var ( 
@@ -176,6 +179,27 @@ func (sw SarifWriter) Write(report types.Report) error { res.Target, res.Type, misconf.ID, misconf.Severity, misconf.Message, misconf.ID, misconf.PrimaryURL), }) } + for _, secret := range res.Secrets { + sw.addSarifResult(&sarifData{ + title: "secret", + vulnerabilityId: secret.RuleID, + severity: secret.Severity, + cvssScore: severityToScore(secret.Severity), + url: secretBuiltinRulesUrl, + resourceClass: string(res.Class), + artifactLocation: target, + startLine: secret.StartLine, + endLine: secret.EndLine, + resultIndex: getRuleIndex(secret.RuleID, ruleIndexes), + fullDescription: html.EscapeString(secret.Match), + helpText: fmt.Sprintf("Secret %v\nSeverity: %v\nMatch: %s", + secret.Title, secret.Severity, secret.Match), + helpMarkdown: fmt.Sprintf("**Secret %v**\n| Severity | Match |\n| --- | --- |\n|%v|%v|", + secret.Title, secret.Severity, secret.Match), + message: fmt.Sprintf("Artifact: %v\nType: %v\nSecret %v\nSeverity: %v\nMatch: %v", + res.Target, res.Type, secret.Title, secret.Severity, secret.Match), + }) + } } sw.run.ColumnKind = columnKind sw.run.OriginalUriBaseIDs = map[string]*sarif.ArtifactLocation{ @@ -193,6 +217,8 @@ func toSarifRuleName(class string) string { return sarifLanguageSpecificVulnerability case types.ClassConfig: return sarifConfigFiles + case types.ClassSecret: + return sarifSecretFiles default: return sarifUnknownIssue } diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go index 07e51d72439..5fa6c02abb0 100644 --- a/pkg/report/sarif_test.go +++ b/pkg/report/sarif_test.go @@ -10,6 +10,7 @@ import ( dbTypes "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/report" "github.com/aquasecurity/trivy/pkg/types" ) 
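Review bot: `secret.Match` is interpolated raw into `helpText`, `helpMarkdown` and `message`, while only `fullDescription` goes through `html.EscapeString`; in `helpMarkdown` it lands inside a Markdown table row, so a match containing `|` or a newline breaks the table and changes how the help pane renders. Normalize the value once before the three `Sprintf` calls, e.g. `match := strings.NewReplacer("|", "\\|", "\n", " ").Replace(secret.Match)` (importing `strings` if the file does not already), and use `match` in place of `secret.Match` in the text, Markdown and message formats. The writer also emits whatever the scanner put in `Match` without masking it; the test fixture shows the value already redacted with asterisks, so presumably redaction happens upstream, and a comment should make that dependency explicit: `// Match is expected to be pre-redacted by the secret scanner; the SARIF writer does not mask it.` The `helpText` format mixes `%s` with the `%v` used in every other field of this block. The enclosing `Write` starts and continues outside this hunk, and the same unescaped table is pinned as `Help.Markdown` in the sarif_test.go hunk.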
@@ -235,6 +236,75 @@ func TestReportWriter_Sarif(t *testing.T) { }, }, }, + { + name: "report with secrets", + input: types.Results{ + { + Target: "library/test", + Class: types.ClassSecret, + Secrets: []ftypes.SecretFinding{ + { + RuleID: "aws-secret-access-key", + Category: "AWS", + Severity: "CRITICAL", + Title: "AWS Secret Access Key", + StartLine: 1, + EndLine: 1, + Match: "'AWS_secret_KEY'=\"****************************************\"", + }, + }, + }, + }, + wantResults: []*sarif.Result{ + { + RuleID: toPtr("aws-secret-access-key"), + RuleIndex: toPtr[uint](0), + Level: toPtr("error"), + Message: sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")}, + Locations: []*sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + URI: toPtr("library/test"), + URIBaseId: toPtr("ROOTPATH"), + }, + Region: &sarif.Region{ + StartLine: toPtr(1), + EndLine: toPtr(1), + StartColumn: toPtr(1), + EndColumn: toPtr(1), + }, + }, + }, + }, + }, + }, + wantRules: []*sarif.ReportingDescriptor{ + { + ID: "aws-secret-access-key", + Name: toPtr("Secret"), + ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("aws-secret-access-key")}, + FullDescription: &sarif.MultiformatMessageString{Text: toPtr("\u0026#39;AWS_secret_KEY\u0026#39;=\u0026#34;****************************************\u0026#34;")}, + DefaultConfiguration: &sarif.ReportingConfiguration{ + Level: "error", + }, + HelpURI: toPtr("https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go"), + Properties: map[string]interface{}{ + "tags": []interface{}{ + "secret", + "security", + "CRITICAL", + }, + "precision": "very-high", + "security-severity": "9.5", + }, + Help: &sarif.MultiformatMessageString{ + Text: toPtr("Secret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 
'AWS_secret_KEY'=\"****************************************\""), + Markdown: toPtr("**Secret AWS Secret Access Key**\n| Severity | Match |\n| --- | --- |\n|CRITICAL|'AWS_secret_KEY'=\"****************************************\"|"), + }, + }, + }, + }, { name: "no vulns", wantResults: []*sarif.Result{}, From aeccee2b64b9914c56da5a434ec4f8a384cb9452 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 2 Sep 2022 14:54:10 +0600 Subject: [PATCH 2/2] fix linter error --- pkg/report/sarif.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go index 3e97d2c12f4..c85077db4a4 100644 --- a/pkg/report/sarif.go +++ b/pkg/report/sarif.go @@ -28,7 +28,7 @@ const ( columnKind = "utf16CodeUnits" - secretBuiltinRulesUrl = "https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go" + builtinRulesUrl = "https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go" // list all secrets ) var ( @@ -185,7 +185,7 @@ func (sw SarifWriter) Write(report types.Report) error { vulnerabilityId: secret.RuleID, severity: secret.Severity, cvssScore: severityToScore(secret.Severity), - url: secretBuiltinRulesUrl, + url: builtinRulesUrl, resourceClass: string(res.Class), artifactLocation: target, startLine: secret.StartLine,
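Review bot: `builtinRulesUrl` keeps the lowercase `Url` initialism after the rename; Go convention is `builtinRulesURL`, and depending on which linters are enabled the new name may raise a var-naming finding of its own. The trailing `// list all secrets` does not say what the constant is for; a doc comment on the line above reads better, e.g. `// builtinRulesURL is emitted as the helpUri of every secret finding and points at the source listing Trivy's built-in secret rules.` The use site in `Write` (second hunk of this patch) follows the rename.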