feat(report): add secrets to sarif format #2820

Merged
merged 3 commits into from Sep 12, 2022
26 changes: 26 additions & 0 deletions pkg/report/sarif.go
Expand Up @@ -18,6 +18,7 @@ const (
sarifOsPackageVulnerability = "OsPackageVulnerability"
sarifLanguageSpecificVulnerability = "LanguageSpecificPackageVulnerability"
sarifConfigFiles = "Misconfiguration"
sarifSecretFiles = "Secret"
sarifUnknownIssue = "UnknownIssue"

sarifError = "error"
Expand All @@ -26,6 +27,8 @@ const (
sarifNone = "none"

columnKind = "utf16CodeUnits"

builtinRulesUrl = "https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go" // list all secrets
)

var (
Expand Down Expand Up @@ -176,6 +179,27 @@ func (sw SarifWriter) Write(report types.Report) error {
res.Target, res.Type, misconf.ID, misconf.Severity, misconf.Message, misconf.ID, misconf.PrimaryURL),
})
}
for _, secret := range res.Secrets {
sw.addSarifResult(&sarifData{
title: "secret",
vulnerabilityId: secret.RuleID,
severity: secret.Severity,
cvssScore: severityToScore(secret.Severity),
url: builtinRulesUrl,
resourceClass: string(res.Class),
artifactLocation: target,
startLine: secret.StartLine,
endLine: secret.EndLine,
resultIndex: getRuleIndex(secret.RuleID, ruleIndexes),
fullDescription: html.EscapeString(secret.Match),
helpText: fmt.Sprintf("Secret %v\nSeverity: %v\nMatch: %s",
secret.Title, secret.Severity, secret.Match),
helpMarkdown: fmt.Sprintf("**Secret %v**\n| Severity | Match |\n| --- | --- |\n|%v|%v|",
secret.Title, secret.Severity, secret.Match),
message: fmt.Sprintf("Artifact: %v\nType: %v\nSecret %v\nSeverity: %v\nMatch: %v",
res.Target, res.Type, secret.Title, secret.Severity, secret.Match),
})
}
}
sw.run.ColumnKind = columnKind
sw.run.OriginalUriBaseIDs = map[string]*sarif.ArtifactLocation{
Expand All @@ -193,6 +217,8 @@ func toSarifRuleName(class string) string {
return sarifLanguageSpecificVulnerability
case types.ClassConfig:
return sarifConfigFiles
case types.ClassSecret:
return sarifSecretFiles
default:
return sarifUnknownIssue
}
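Review bot: `secret.Match` is text lifted from the scanned file, but in the new `res.Secrets` loop only `fullDescription` passes it through `html.EscapeString`; `helpText`, `helpMarkdown` and `message` embed it raw. In `helpMarkdown` it sits inside a table cell, so a `|` or line break in the match breaks the table and any markup in it reaches whatever renders the SARIF. I would normalise it once before the struct literal, e.g. `match := strings.NewReplacer("|", "\\|", "\n", " ").Replace(html.EscapeString(secret.Match))`, and use `match` in the markdown. `fullDescription` and the help fields also appear to be rule-level (the test expects them under `wantRules`), so with rules indexed by `secret.RuleID` they presumably keep only the first finding's match; `secret.Title` may be the better rule description. The body of `Write` starts and ends outside this hunk.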
70 changes: 70 additions & 0 deletions pkg/report/sarif_test.go
Expand Up @@ -10,6 +10,7 @@ import (

dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/types"
)
Expand Down Expand Up @@ -235,6 +236,75 @@ func TestReportWriter_Sarif(t *testing.T) {
},
},
},
{
name: "report with secrets",
input: types.Results{
{
Target: "library/test",
Class: types.ClassSecret,
Secrets: []ftypes.SecretFinding{
{
RuleID: "aws-secret-access-key",
Category: "AWS",
Severity: "CRITICAL",
Title: "AWS Secret Access Key",
StartLine: 1,
EndLine: 1,
Match: "'AWS_secret_KEY'=\"****************************************\"",
},
},
},
},
wantResults: []*sarif.Result{
{
RuleID: toPtr("aws-secret-access-key"),
RuleIndex: toPtr[uint](0),
Level: toPtr("error"),
Message: sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")},
Locations: []*sarif.Location{
{
PhysicalLocation: &sarif.PhysicalLocation{
ArtifactLocation: &sarif.ArtifactLocation{
URI: toPtr("library/test"),
URIBaseId: toPtr("ROOTPATH"),
},
Region: &sarif.Region{
StartLine: toPtr(1),
EndLine: toPtr(1),
StartColumn: toPtr(1),
EndColumn: toPtr(1),
},
},
},
},
},
},
wantRules: []*sarif.ReportingDescriptor{
{
ID: "aws-secret-access-key",
Name: toPtr("Secret"),
ShortDescription: &sarif.MultiformatMessageString{Text: toPtr("aws-secret-access-key")},
FullDescription: &sarif.MultiformatMessageString{Text: toPtr("\u0026#39;AWS_secret_KEY\u0026#39;=\u0026#34;****************************************\u0026#34;")},
DefaultConfiguration: &sarif.ReportingConfiguration{
Level: "error",
},
HelpURI: toPtr("https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go"),
Properties: map[string]interface{}{
"tags": []interface{}{
"secret",
"security",
"CRITICAL",
},
"precision": "very-high",
"security-severity": "9.5",
},
Help: &sarif.MultiformatMessageString{
Text: toPtr("Secret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\""),
Markdown: toPtr("**Secret AWS Secret Access Key**\n| Severity | Match |\n| --- | --- |\n|CRITICAL|'AWS_secret_KEY'=\"****************************************\"|"),
},
},
},
},
{
name: "no vulns",
wantResults: []*sarif.Result{},
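Review bot: The new "report with secrets" case feeds a single finding whose `Match` is already masked and holds no `|`, `<` or line break, so it does not pin how the writer treats markdown- or HTML-significant characters in the help fields, nor what the rule entry looks like when two findings share a `RuleID`. I would add a second finding to the fixture with the same `RuleID` and a constructed match such as `Match: "token = \"a|b<c>\""`, and assert the resulting `Help.Markdown` and `FullDescription`. The expected `Message` also shows `Type: ` followed by nothing because the fixture leaves `Type` unset; setting it would bring the expectation closer to real output. `TestReportWriter_Sarif` starts and ends outside this hunk.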