@eurekadevsecops/radar 1.2.1 → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/src/commands/scan.js

@@ -1,12 +1,8 @@
-const util = require('node:util')
-const exec = util.promisify(require('node:child_process').exec)
 const fs = require('node:fs')
 const path = require('node:path')
-const { performance } = require('node:perf_hooks')
 const os = require('node:os')
-const { default: Spinner } = require('tiny-spinner')
-const humanize = require('../util/humanize')
-const sariftools = require('../util/sarif')
+const SARIF = require('../util/sarif')
+const runner = require('../util/runner')
 module.exports = {
   summary: 'scan for vulnerabilities',
   args: {
@@ -20,7 +16,7 @@ module.exports = {
   },
   options: [
     { name: 'CATEGORIES', short: 'c', long: 'categories', type: 'string', description: 'list of scanner categories' },
-    { name: 'ERRORS', short: 'e', long: 'errors', type: 'string', description: 'severities to treat as errors' },
+    { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
     { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
     { name: 'OUTPUT', short: 'o', long: 'output', type: 'string', description: 'output SARIF file' },
     { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' },
@@ -35,23 +31,27 @@ module.exports = {
     suppress SARIF output on stdout, use the OUTPUT option to save findings into
     a file on disk.
 
-    By default, all scanners are used. If you want to limit your scan to a subset
-    of available scanners, use the SCANNERS option. You can provide a specific
-    list of scanners, comma-separated, that will be used to run the scan. Scanner
-    names passed into the SCANNERS option should match the scanner names returned
-    by the "scanners" command.
+    Select which scanners to use with the SCANNERS and CATEGORIES options. If
+    neither option is specified, all scanners are run.
 
     If you want to run all scanners of a certain type, such as SAST, SCA, or DAST,
     use the CATEGORIES option. All scanners are classified into categories and
     some may belong to multiple categories. You could run all available SAST 
     scanners, for example, by passing in SAST as the value for the CATEGORIES
     option. Values are case-insensitive. Multiple values should be comma-separated.
-    Defaults to "SAST", unless you use the SCANNERS option in which case the
-    default value for CATEGORIES is ignored. To run all scanners across all
-    categories, use the value "all" for CATEGORIES.
+    To select all categories, use the value "all" for CATEGORIES. Defaults to 'all'.
+
+    If you want to limit your scan to a subset of available scanners, provide a 
+    specific list of scanners, comma-separated, in the SCANNERS option. Scanner 
+    names passed into the SCANNERS option should match the scanner names returned 
+    by the "scanners" command. To select all scanners across selected categories,
+    use the value 'all' for SCANNERS. Defaults to 'all'.
 
     You can specify both SCANNERS and CATEGORIES at the same time. This will run
-    all scanners provided in both options.
+    only those scanners that match both options. For example, if you specify the
+    SCA category and 'all' for SCANNERS then all scanners in the SCA category will 
+    run. If you specify 'SAST' and 'opengrep,depscan' then only opengrep will run
+    (because depscan is an SCA scanner, not a SAST one).
 
     By default, findings are displayed as high, moderate, and low. This is the
     'security' severity format. Findings can also be displayed as errors, warnings,
@@ -77,201 +77,122 @@ module.exports = {
     '$ radar scan --output=scan.sarif ' + '(save findings in a file)'.grey,
     '$ radar scan -o scan.sarif /my/repo/dir ' + '(short versions of options)'.grey,
     '$ radar scan -s depscan,opengrep ' + '(use only given scanners)'.grey,
-    '$ radar scan -c sca,sast ' + '(use only scanners from given categories)'.grey,
-    '$ radar scan -f security ' + '(displays findings as high, medium, and low)'.grey,
-    '$ radar scan -e warning,note ' + '(treat warnings and notes as errors)'.grey
+    '$ radar scan -c sca,sast ' + '(use all scanners from given categories)'.grey,
+    '$ radar scan -c sca,sast -s all ' + '(use all scanners from given categories)'.grey,
+    '$ radar scan -c sast -s opengrep ' + '(use only the opengrep scanner)'.grey,
+    '$ radar scan -f security ' + '(displays findings as high, moderate, and low)'.grey,
+    '$ radar scan -f sarif ' + '(displays findings as error, warning, and note)'.grey,
+    '$ radar scan -e moderate,low ' + '(treat lower severities as high)'.grey,
+    '$ radar scan -f sarif -e warning,note ' + '(treat lower severities as errors)'.grey
   ],
   run: async (toolbox, args) => {
-    const { log, scanners: availableScanners, telemetry } = toolbox
+    const { log, scanners: availableScanners, categories: availableCategories, telemetry } = toolbox
+
+    // Set defaults for args and options.
+    args.TARGET ??= process.cwd()
+    args.FORMAT ??= 'security'
+    args.CATEGORIES ??= 'all'
+    args.SCANNERS ??= 'all'
+
+    // Normalize and/or rewrite args and options.
+    args.TARGET = path.resolve(path.normalize(args.TARGET))
+    if (args.CATEGORIES.split(',').includes('all')) args.CATEGORIES = availableCategories.join(',')
+    if (args.SCANNERS.split(',').includes('all')) args.SCANNERS = availableScanners.map(s => s.name).join(',')
 
-    // Set defaults.
-    args.TARGET = path.normalize(args.TARGET ?? process.cwd())
-    args.FORMAT = args.FORMAT ?? 'security'
+    // Validate args and options.
+    if (!fs.existsSync(args.TARGET)) throw new Error(`Path not found: ${args.TARGET}`)
     if (args.FORMAT !== 'sarif' && args.FORMAT !== 'security') throw new Error('FORMAT must be one of \'sarif\' or \'security\'')
-    if (args.CATEGORIES && !['all', 'sca', 'sast', 'dast'].includes(args.CATEGORIES.toLowerCase())) throw new Error(`CATEGORIES must be one of 'all', 'SCA', 'SAST', or 'DAST'`)
-    if (!args.SCANNERS && !args.CATEGORIES) args.CATEGORIES = 'sast'
-    if (!args.SCANNERS && (args.CATEGORIES === 'all')) args.CATEGORIES = ''
     if (args.SCANNERS) {
-      const unknownScanners = args.SCANNERS.split(',').filter(name => !availableScanners.find(scanner => scanner.name === name))
+      const unknownScanners = args.SCANNERS.split(',').filter(name => !availableScanners.find(s => s.name === name))
       if (unknownScanners.length > 1) throw new Error(`Unknown scanners: ${unknownScanners.join(', ')}`)
       else if (unknownScanners.length === 1) throw new Error(`Unknown scanner: ${unknownScanners[0]}`)
     }
-
-    // Set scan parameters.
-    const target = path.resolve(args.TARGET) // target to scan
+    if (args.ESCALATE) args.ESCALATE.split(',').map(severity => {
+      if (args.FORMAT === 'security' && severity !== 'moderate' && severity !== 'low') throw new Error(`Severity to escalate must be 'moderate' or 'low'`)
+      if (args.FORMAT === 'sarif' && severity !== 'warning' && severity !== 'note') throw new Error(`Severity to escalate must be 'warning' or 'note'`)
+    })
+
+    // Derive scan parameters.
+    const target = args.TARGET // target to scan
+    const categories = args.CATEGORIES.toUpperCase().split(',').filter(c => availableCategories.includes(c))
+    const scanners = availableScanners
+        .filter(s => args.SCANNERS.split(',').includes(s.name))
+        .filter(s => categories.filter(c => s.categories.includes(c)).length > 0)
+    const escalations = args.ESCALATE?.split(',').map(severity => {
+      if (severity === 'moderate') return 'warning'
+      if (severity === 'low') return 'note'
+      return severity
+    })
     const assets = path.join(__dirname, '..', '..', 'scanners') // scanner assets
-    const outdir = fs.mkdtempSync(path.join(os.tmpdir(), 'radar-')) // output directory
+    const tmpdir = fs.mkdtempSync(path.join(os.tmpdir(), 'radar-')) // temporary output directory
     const outfile = args.OUTPUT ? path.resolve(args.OUTPUT) : undefined // output file, if any
 
-    // Select scanners to use.
-    const scanners = availableScanners
-
-      // Filter by scanner names given by the user:
-      .filter(scanner => {
-        if (!args.SCANNERS) return true
-        return args.SCANNERS.split(',').includes(scanner.name)
-      })
-
-      // Filter by scanner categories given by the user:
-      .filter(scanner => {
-        if (!args.CATEGORIES) return true
-        for (const category of args.CATEGORIES.toUpperCase().split(',')) {
-          if (scanner.categories.includes(category)) return true
-        }
-        return false
-      })
-
-    // At least one scanner must be selected in order to have a successful scan.
-    if (scanners.length === 0) throw new Error('No available scanners selected.')
+    // Validate scan parameters.
+    if (!categories.length) throw new Error(`CATEGORIES must be one or more of '${availableCategories.join("', '")}', or 'all'`)
+    if (!scanners.length) throw new Error('No available scanners selected.')
 
     // Send telemetry: scan started.
     let scanID = undefined
     const isTelemetryEnabled = telemetry.enabled()
     if (isTelemetryEnabled) {
       // TODO: Should pass scanID to the server; not read it from the server.
-      const response = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((scanner) => scanner.name) })
+      const response = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name) })
       const data = await response.json()
       scanID = data.scan_id
     }
 
     // Run scanners.
-    let isScanCompleted = true
-    let runLog = ''
     log(`Running ${scanners.length} of ${availableScanners.length} scanners:`)
-    for (const scanner of scanners) {
-      let label = scanner.name
-      const spinner = new Spinner()
-      if (!args.QUIET) spinner.start(label)
-
-      const t = performance.now()
-      const interval = setInterval(() => {
-        const t2 = performance.now()
-        label = `${scanner.name} [${humanize.duration(t2 - t)}]`
-        if (!args.QUIET) spinner.update(label)
-      }, 1000) // 1000 milliseconds = 1 second
+    let results = { /* log, sarif */ }
+    try {
+      // This will run all scanners and return the combined stdout log and SARIF object.
+      results = await runner.run({ scanners, target, assets, outdir: tmpdir, quiet: args.QUIET, log })
+    }
+    catch (error) {
+      log(`\n${error}`)
+      if (!args.QUIET) log('Scan NOT completed!')
+      if (telemetry.enabled()) telemetry.send(`scans/:scanID/failed`, { scanID })
+      fs.rmSync(tmpdir, { recursive: true, force: true }) // Clean up.
+      return 0x10 // exit code
+    }
 
-      try {
-        let cmd = scanner.cmd
+    // Transform scan findings: treat warnings and notes as errors, and normalize location paths.
+    if (escalations) results.sarif = SARIF.transforms.escalate(results.sarif, escalations)
+    SARIF.transforms.normalize(results.sarif, target)
 
-        /* eslint-disable no-template-curly-in-string */
-        cmd = cmd.replaceAll('${target}', target)
-        cmd = cmd.replaceAll('${assets}', path.join(assets, scanner.name))
-        cmd = cmd.replaceAll('${output}', outdir)
-        /* eslint-enable no-template-curly-in-string */
+    // Write findings to the destination SARIF file.
+    if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif))
 
-        const { stdout } = await exec(cmd)
-        runLog += stdout
+    // Analyze scan findings: count findings by severity level.
+    const summary = await SARIF.analysis.summarize(results.sarif, target)
 
-        if (!args.QUIET) spinner.success(label)
-      } catch (error) {
-        isScanCompleted = false
-        if (!args.QUIET) spinner.error(label)
-        log(`\n${error}`)
-        if (error.stdout) log(error.stdout)
-        if (error.stderr) log(error.stderr)
-      }
+    // Send telemetry.
+    if (isTelemetryEnabled && scanID) {
+      telemetry.send(`scans/:scanID/completed`, { scanID }, summary)
+      telemetry.sendSensitive(`scans/:scanID/results`, { scanID }, { findings: results.sarif, log: results.log })
+    }
 
-      clearInterval(interval)
+    // Display summarized findings.
+    if (!args.QUIET) {
+      log()
+      SARIF.visualizations.display_findings(summary, args.FORMAT, log)
+      if (outfile) log(`Findings exported to ${outfile}`)
+      SARIF.visualizations.display_totals(summary, args.FORMAT, log)
     }
 
-    // Process scan findings.
+    // Determine the correct exit code.
     let exitCode = 0
-    if (isScanCompleted) {
-      const consolidated = path.join(outdir, 'scan.sarif')
-
-      // Merge all output SARIF files into one.
-      const all = []
-      for (const scanner of scanners) {
-        all.push(path.join(outdir, `${scanner.name}.sarif`))
-      }
-      await sariftools.merge(all, consolidated)
-
-      // Display findings on stdout or write them to destination SARIF file.
-      let sarif = fs.readFileSync(consolidated, 'utf8')
-
-      // Convert the SARIF file into a JS object.
-      try {
-        sarif = JSON.parse(sarif)
-      } catch (error) {
-        log(`\n${error}`)
-      }
-
-      // Treat warnings and notes as errors.
-      if (args.ERRORS) {
-        const levels = args.ERRORS.split(',')
-
-        for (const run of sarif.runs) {
-          if (!run.results) continue
-          for (const result of run.results) {
-            if (levels.includes(result.level)) {
-              result.level = 'error'
-              continue
-            }
-
-            for (const rule of run.tool.driver.rules) {
-              if (rule.id === result.ruleId) {
-                const level = rule.defaultConfiguration.level
-                if (levels.includes(level)) {
-                  rule.defaultConfiguration.level = 'error'
-                }
-                break
-              }
-            }
-          }
-        }
-      }
-
-      // Write findings to the destination SARIF file.
-      if (outfile) {
-        fs.writeFileSync(outfile, JSON.stringify(sarif))
-      }
-
-      // Count findings by severity level.
-      const summary = await sariftools.summarize(sarif, target)
-
-      // Send telemetry.
-      if (isTelemetryEnabled && scanID) {
-        // Scan completed.
-        telemetry.send(`scans/:scanID/completed`, { scanID }, {
-          findings: {
-            total: summary.errors.length + summary.warnings.length + summary.notes.length,
-            critical: 0,
-            high: summary.errors.length,
-            med: summary.warnings.length,
-            low: summary.notes.length
-          }
-        })
-
-        // Send sensitive telemetry: scan log and scan findings.
-        telemetry.sendSensitive(`scans/:scanID/log`, { scanID }, runLog)
-        telemetry.sendSensitive(`scans/:scanID/findings`, { scanID }, { findings: sarif })
-      }
-
-      // Display summarized findings.
-      if (!args.QUIET) {
-        log()
-        sariftools.display_findings(summary, args.FORMAT, log)
-        if (outfile) log(`Findings exported to ${outfile}`)
-        sariftools.display_totals(summary, args.FORMAT, log)
-      }
-
-      // Determine the correct exit code.
-      if (!summary.errors.length && !summary.warnings.length && !summary.notes.length) {
-        exitCode = 0
-      } else {
-        exitCode = 0x8
-        if (summary.errors.length > 0) exitCode |= 0x1
-        if (summary.warnings.length > 0) exitCode |= 0x2
-        if (summary.notes.length > 0) exitCode |= 0x4
-      }
+    if (!summary.errors.length && !summary.warnings.length && !summary.notes.length) {
+      exitCode = 0
     } else {
-      exitCode = 0x10
-      if (!args.QUIET) log('Scan NOT completed!')
-      if (telemetry.enabled()) telemetry.send(`scans/:scanID/failed`, { scanID })
+      exitCode = 0x8
+      if (summary.errors.length > 0) exitCode |= 0x1
+      if (summary.warnings.length > 0) exitCode |= 0x2
+      if (summary.notes.length > 0) exitCode |= 0x4
     }
 
     // Clean up.
-    fs.rmSync(outdir, { recursive: true, force: true })
+    fs.rmSync(tmpdir, { recursive: true, force: true })
 
     return exitCode
   }

package/src/plugins/scanners.js

@@ -4,9 +4,11 @@ const TOML = require('smol-toml')
 
 const data = fs.readFileSync(path.join(__dirname, '..', '..', 'scanners', 'scanners.toml'), 'utf8')
 const config = TOML.parse(data)
+const categories = Array.from(new Set(config.scanners.flatMap(scanner => scanner.categories)))
 
 module.exports = {
   toolbox: {
-    scanners: config.scanners
+    scanners: config.scanners,
+    categories
   }
 }

package/src/telemetry/index.js

@@ -47,8 +47,7 @@ const toURL = (path, params) => {
   if (path === `scans/started`) return `${EWA_URL}/scans/started`
   if (path === `scans/:scanID/completed`) return `${EWA_URL}/scans/${params.scanID}/completed`
   if (path === `scans/:scanID/failed`) return `${EWA_URL}/scans/${params.scanID}/completed`
-  if (path === `scans/:scanID/log`) return `${VDBE_URL}/scans/${params.scanID}/log`
-  if (path === `scans/:scanID/findings`) return `${VDBE_URL}/scans/${params.scanID}/findings`
+  if (path === `scans/:scanID/results`) return `${VDBE_URL}/scans/${params.scanID}/results`
   throw new Error(`Internal Error: Unknown telemetry event: ${path}`)
 }
 
@@ -58,14 +57,23 @@ const toContentType = (path) => {
 }
 
 const toBody = (path, body) => {
-  if (path === `scans/:scanID/log`) return body
   if (path === `scans/started`) body = { ...body, timestamp: DateTime.now().toISO(), profile_id: process.env.EUREKA_PROFILE }
-  if (path === `scans/:scanID/completed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
+  if (path === `scans/:scanID/completed`) body = { ...toFindings(body), timestamp: DateTime.now().toISO(), status: 'success', log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
   if (path === `scans/:scanID/failed`) body = { ...body, timestamp: DateTime.now().toISO(), status: 'failure', findings: { total: 0, critical: 0, high: 0, med: 0, low: 0 }, log: { sizeBytes: 0, warnings: 0, errors: 0, link: 'none' }, params: { id: '' }}
-  if (path === `scans/:scanID/findings`) body = { ...body, profileId: process.env.EUREKA_PROFILE }
+  if (path === `scans/:scanID/results`) body = { findings: body.findings /* SARIF */, profileId: process.env.EUREKA_PROFILE, log: Buffer.from(body.log, 'utf8').toString('base64') }
   return JSON.stringify(body)
 }
 
+const toFindings = (summary) => ({
+  findings: {
+    total: summary.errors.length + summary.warnings.length + summary.notes.length,
+    critical: 0,
+    high: summary.errors.length,
+    med: summary.warnings.length,
+    low: summary.notes.length
+  }
+})
+
 module.exports = {
   enabled,
   send,

package/src/util/runner.js

@@ -0,0 +1,75 @@
+const fs = require('node:fs')
+const util = require('node:util')
+const exec = util.promisify(require('node:child_process').exec)
+const path = require('node:path')
+const { performance } = require('node:perf_hooks')
+const { default: Spinner } = require('tiny-spinner')
+const humanize = require('./humanize')
+const SARIF = require('./sarif')
+
+const runAll = async ({ scanners, target, assets, outdir, quiet, log }) => {
+  // Results will include the stdout log and the final combined SARIF object.
+  const results = { log: '' }
+
+  // Run all scanners. This will produce one output SARIF file per scanner.
+  for (const scanner of scanners) {
+    results.log += await runScanner({ scanner, target, assets, outdir, quiet, log, display: {
+      begin: () => scanner.name,
+      progress: (label, duration) => `${scanner.name} [${humanize.duration(duration)}]`,
+      success: (label) => label,
+      error: (label) => label
+    }})
+  }
+
+  // Merge all output SARIF files into one and load it into a JS object.
+  const consolidated = path.join(outdir, 'scan.sarif')
+  await SARIF.transforms.merge(consolidated, scanners.map(s => path.join(outdir, `${s.name}.sarif`)))
+  results.sarif = JSON.parse(fs.readFileSync(consolidated, 'utf8'))
+
+  return results
+}
+
+const runScanner = async ({ scanner, target, assets, outdir, quiet, log, display }) => {
+  let label = display.begin()
+  const spinner = new Spinner()
+  if (!quiet) spinner.start(label)
+
+  const t = performance.now()
+  const interval = setInterval(() => {
+    const t2 = performance.now()
+    label = display.progress(label, t2 - t)
+    if (!quiet) spinner.update(label)
+  }, 1000) // 1000 milliseconds = 1 second
+
+  let runLog = ''
+  try {
+    let cmd = scanner.cmd
+
+    /* eslint-disable no-template-curly-in-string */
+    cmd = cmd.replaceAll('${target}', target)
+    cmd = cmd.replaceAll('${assets}', path.join(assets, scanner.name))
+    cmd = cmd.replaceAll('${output}', outdir)
+    /* eslint-enable no-template-curly-in-string */
+
+    const { stdout } = await exec(cmd)
+    runLog = stdout
+
+    if (!quiet) spinner.success(display.success(label))
+  } catch (error) {
+    if (!quiet) spinner.error(display.error(label))
+
+    let message = `${error}`
+    if (error.stdout) message += error.stdout
+    if (error.stderr) message += error.stderr
+    throw new Error(message)
+  }
+  finally {
+    clearInterval(interval)
+  }
+
+  return runLog
+}
+
+module.exports = {
+  run: runAll
+}

package/src/util/sarif/analysis/load.js

@@ -0,0 +1,4 @@
+module.exports = (file) => {
+  // Load the given SARIF file into a JS object.
+  return JSON.parse(fs.readFileSync(file, 'utf8'))
+}

package/src/util/sarif/{summarize.js → analysis/summarize.js}

@@ -5,15 +5,11 @@ module.exports = (sarif, dir) => {
   for (const run of sarif.runs) {
     if (!run.results) continue
     for (const result of run.results) {
-      let file = path.relative('/app', result.locations[0].physicalLocation.artifactLocation.uri)
-      file = path.join(dir, file)
-      file = path.relative(process.cwd(), file)
-
       const finding = {
         tool: run.tool.driver.name,
         message: result.message.text,
         artifact: {
-          name: file,
+          name: result.locations[0].physicalLocation.artifactLocation.uri,
           line: result.locations[0].physicalLocation.region.startLine
         }
       }

package/src/util/sarif/index.js

@@ -1,6 +1,15 @@
 module.exports = {
-  merge: require('./merge'),
-  summarize: require('./summarize'),
-  display_findings: require('./display_findings'),
-  display_totals: require('./display_totals')
+  transforms: {
+    escalate: require('./transforms/escalate'),
+    merge: require('./transforms/merge'),
+    normalize: require('./transforms/normalize')
+  },
+  analysis: {
+    load: require('./analysis/load'),
+    summarize: require('./analysis/summarize')
+  },
+  visualizations: {
+    display_findings: require('./visualizations/display_findings'),
+    display_totals: require('./visualizations/display_totals')
+  }
 }

package/src/util/sarif/transforms/escalate.js

@@ -0,0 +1,22 @@
+module.exports = (sarif, escalations) => {
+  // Treat warnings and notes as errors.
+  for (const run of sarif.runs) {
+    if (!run.results) continue
+    for (const result of run.results) {
+      if (escalations.includes(result.level)) {
+        result.level = 'error'
+        continue
+      }
+
+      for (const rule of run.tool.driver.rules) {
+        if (rule.id === result.ruleId) {
+          if (escalations.includes(rule.defaultConfiguration?.level)) {
+            rule.defaultConfiguration.level = 'error'
+          }
+          break
+        }
+      }
+    }
+  }
+  return sarif
+}

package/src/util/sarif/{merge.js → transforms/merge.js}

@@ -13,7 +13,7 @@ module.exports = {
 
 const fs = require('node:fs')
 const path = require('node:path')
-module.exports = async (files, outfile) => {
+module.exports = async (outfile, files) => {
   const sarif = {
     version: '2.1.0',
     $schema: 'https://json.schemastore.org/sarif-2.1.0.json',

package/src/util/sarif/transforms/normalize.js

@@ -0,0 +1,20 @@
+const path = require('node:path')
+module.exports = (sarif, dir) => {
+  // Normalize findings.
+  for (const run of sarif.runs) {
+    if (!run.results) continue
+    for (const result of run.results) {
+
+      // Find paths in the finding description and make them relative to the scan directory.
+      if (result?.message?.text) result.message.text = result.message.text.replace('/app/', '')
+
+      // Make all physical locations for the result relative to the scan directory.
+      for (const location of result.locations) {
+        if (!location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) continue
+        let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
+        location.physicalLocation.artifactLocation.uri = file
+      }
+
+    }
+  }
+}

package/src/util/sarif/{display_findings.js → visualizations/display_findings.js}

@@ -1,4 +1,4 @@
-const levels = require('./levels')
+const levels = require('../../localization/levels')
 module.exports = async (summary, format, log) => {
   for (const finding of summary.notes) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.note}`.bold + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)
   for (const finding of summary.warnings) log(`${finding.artifact.name}:${finding.artifact.line}: ` + `${levels[format].single.warning}`.bold.yellow + `${levels[format].single.suffix}:` + ` ${finding.tool}:` + ` ${finding.message}\n`)

package/src/util/sarif/{display_totals.js → visualizations/display_totals.js}

@@ -1,4 +1,4 @@
-const levels = require('./levels')
+const levels = require('../../localization/levels')
 module.exports = async (summary, format, log) => {
   const total = summary.errors.length + summary.warnings.length + summary.notes.length
   log(`${total} ${total === 1 ? levels[format].total.issue : levels[format].total.issues}: ${summary.errors.length} ` + `${levels[format].total.error}`.red.bold + `, ${summary.warnings.length} ` + `${levels[format].total.warning}`.yellow.bold + `, ${summary.notes.length} ` + `${levels[format].total.note}` + '.')

package/scan.sarif

@@ -1 +0,0 @@
-{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[{"id":"generic-api-key","shortDescription":{"text":"Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}},{"id":"private-key","shortDescription":{"text":"Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}}]}},"results":[{"message":{"text":"generic-api-key has detected secret for file /app/app/services/key_service.ts."},"ruleId":"generic-api-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"/app/app/services/key_service.ts"},"region":{"startLine":10,"startColumn":44,"endLine":10,"endColumn":75,"snippet":{"text":"private_pkcs8.pem"}}}}],"properties":{"tags":[]}},{"message":{"text":"private-key has detected secret for file /app/keys/vdbe.private.pem."},"ruleId":"private-key","locations":[{"physicalLocation":{"artifactLocation":{"uri":"/app/keys/vdbe.private.pem"},"region":{"startLine":1,"startColumn":1,"endLine":28,"endColumn":26,"snippet":{"text":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDT5JLxkpJH2pkv\ntTmZgEduEHGVO8sv4xLpcBCKgSpVh9apBZnJJgDOl77m7zv2VDycjTQLq4dMk/CT\nBWt50kx+e/jHCP8f64UxbDPMxgDgrYj6YaAoho9coJeu6nG+6h2PNFXM941CrA9V\nddEc9K9piYXSLlr2bHBKeLeuH87Qpmx3bEr8jAXdA51zss2ZsUw5qRH6oWMcqWhC\n5CevbWmFXdoo2W8XfGAwpV2D251uUt6oS4qwU5VT/byR65lewxq3YqPvRpQa5plo\n3aTVypyaqy4l5T2jfLiywXpAuhVPzso4EeDx2Jtfvhh03Is59DFQkQwuXS9caqyY\nDtndupYZAgMBAAECggEADU+dn4laoSLtXp7e2HLDifmEeSCBeiekp39/uoO0uhzH\ncmTErWsyv8eumWlL9gSCrj78lwMWg8wDX+kGQGfioEt/bFl3VXUBMAKhGmsR4Qtl\nwHzjh8g0N1hrTvSxYpHoe3eJMFAY0qhmajL1iQEiB9o4yuRYmIRlZXhB6bFb16WP\nflFcGS/KKxXleco8aEZIu2+X3hXwS2/lDD1sIQua65qXhHZMpB4TfgR2B5r87P9Y\nv5Ilb53nDMWbWDCA8ZifG2fjl29X4bujlJy/fu6Y5UVZB5EIQymKDnnWvemZUFrw\nRtjrJJ9mhM8ON2bYI2LHTMhBixpa3OM3jLQc2FeGRQKBgQDzbv6M4zp8foDU+Ji9\nYlhe0wt6t1EMJQrTgS0h0gbm9ekVLXHDm/hMAUQss6YorXY4Iih/e9HEvNf1byx9\nsfVlkNHrlsNklMmG/jGhzs7xpMOgyq8uzzuY9o/gIFzT3LiuTnk23poGNtDAwNVV\nkaxWOiDtpKFiiFbhRW/pos01PwKBgQDe1MPmW7wnwKD34ee/GaTZpQZ4wH8jdTa1\nVM5xOQKGVyZ5zTc5ao7cR0KYN22ycCI/PwIWWaufDWAYuunRfJP1sWqKf4ENQd5P\nxh66uv3qxETOJ4jk2D8O8fysHLyQu8KvS5TvH/UzNiLRHVv9vfyywmWHOpVP5C1i\nvSiC4yqmpwKBgEEtZ7Q7Jq6shDwBb4vNaBHDeeBacrXIuTRV8sqKXFS8ZLLJ3xrb\niMh40lMRqpxbjTqMUsGHWmvNkBjjskrZOfX+p2XnkNs+RxMAvjMvlxL15XcIrYzf\n6XoUEgOVRqVnBH+O/T9mrGCbjpr9RmFJxpWzrJtUJ+2kyXY5TDSG5WCrAoGAaaFc\nmCemYwXKiJdbP1jNr6quDbHa0xkubPkdv8hxrPNFNvoUErCztjJFnFiyNKM5aNfa\ninPJimVRx4dbbcXrcc2/npXgvEMcOp7FVGluEsslfsB5AVqNUe1ehMw+izGmkWh3\n2n9Awh0Ili6fvAJC9w52CIu52hxlc2gN+zXqswMCgYEA7WfWRh+Rz/3RPlsDBuIu\nu78M6hZ5Uj2SneTtYhXOahMuSGQY4vVd8Z23PBudLVNjNvw05532cVJQvDLGrPeg\nMgig/vMURbQIN5TXVtL7vgyi4QXQgCdHET8YEJrPleyttv/lOJv3ZBUfzKtb9/2s\nK47YjsOczOFh0NbeYPXDZrY=\n-----END PRIVATE KEY-----"}}}}],"properties":{"tags":[]}}]}]}