@eurekadevsecops/radar 1.8.0 → 1.8.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.8.0",
+  "version": "1.8.2",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/src/commands/scan.js

@@ -180,7 +180,7 @@ module.exports = {
     SARIF.transforms.normalize(results.sarif, target, metadata, git.root(target))
 
     // Write findings to the destination SARIF file.
-    if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif))
+    if (outfile) fs.writeFileSync(outfile, JSON.stringify(results.sarif, null, 2))
 
     // Send telemetry: scan results.
     if (telemetry.enabled && scanID) {

package/src/util/sarif/transforms/normalize.js

@@ -3,34 +3,30 @@ module.exports = (sarif, dir, git, root) => {
   // Normalize findings.
   for (const run of sarif.runs) {
 
+    // Subfolder within the repo root where the scan took place:
+    const subfolder = path.relative(root, dir)
+
     // Record the source repo location and the relative target subfolder within the repo.
-    run.originalUriBaseIds = {
-     SOURCE: {
-        uri: git.repo.url.https,
-        description: {
-          text: "Source origin for the target being scanned (ie. git repo URL)."
-        }
-     },
-      TARGET: {
-        uri: `${path.relative(root, dir)}`,
-        uriBaseId: "SOURCE",
-        description: {
-          text: "Scan target (subfolder) within the source repo or folder."
-        }
+    run.properties = {
+      repository: {
+        type: 'git',
+        url: git.repo.url.https
       }
     }
+    if (subfolder) run.properties.includedirs = [ `${subfolder}` ]
 
-    // Make all physical locations for the result relative to the scan directory.
+    // Make all physical locations for the result relative to the repo root directory.
+    // (or if the root is not available then to the scan directory)
     if (!run.results) continue
     for (const result of run.results) {
       for (const location of result.locations) {
         if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
-          let file = path.relative('/app', location.physicalLocation.artifactLocation.uri)
+          let file = path.join(subfolder, path.relative('/app', location.physicalLocation.artifactLocation.uri))
           if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
           location.physicalLocation.artifactLocation.uri = file
         }
         else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/')) {
-          let file = path.relative('/', location.physicalLocation.artifactLocation.uri)
+          let file = path.join(subfolder, path.relative('/', location.physicalLocation.artifactLocation.uri))
           if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
           location.physicalLocation.artifactLocation.uri = file
         }

package/scan.sarif

@@ -1 +0,0 @@
-{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"abcgitleaks","semanticVersion":"v8.0.0","informationUri":"https://github.com/gitleaks/gitleaks","properties":{"officialName":"gitleaks"},"rules":[]}},"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcgrype","informationUri":"https://github.com/anchore/grype","properties":{"officialName":"grype"},"rules":[{"id":"GHSA-pfrx-2q88-qq97-got","name":"JavascriptMatcherExactDirectMatch","shortDescription":{"text":"GHSA-pfrx-2q88-qq97 medium vulnerability for got package"},"fullDescription":{"text":"Got allows a redirect to a UNIX socket"},"helpUri":"https://github.com/anchore/grype","help":{"text":"Vulnerability GHSA-pfrx-2q88-qq97\nSeverity: medium\nPackage: got\nVersion: 9.6.0\nFix Version: 11.8.5\nType: npm\nLocation: /package-lock.json\nData Namespace: github:language:javascript\nLink: [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)","markdown":"**Vulnerability GHSA-pfrx-2q88-qq97**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium  | got  | 9.6.0  | 11.8.5  | npm  | /package-lock.json  | github:language:javascript  | [GHSA-pfrx-2q88-qq97](https://github.com/advisories/GHSA-pfrx-2q88-qq97)  |\n"},"properties":{"purls":["pkg:npm/got@9.6.0"],"security-severity":"5.3"}}]}},"results":[{"ruleId":"GHSA-pfrx-2q88-qq97-got","level":"warning","message":{"text":"A medium vulnerability in npm package: got, version 9.6.0 was found at: package-lock.json"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"package-lock.json"},"region":{"startLine":1,"startColumn":1,"endLine":1,"endColumn":1}}}],"partialFingerprints":{"primaryLocationLineHash":"677706e2c84cd6dfb855b123e8a34db12a8f4eeb5df5b8ab253aa5299b80da0b:1"}}],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}},{"tool":{"driver":{"name":"abcopengrep","semanticVersion":"1.5.0","properties":{"officialName":"Opengrep OSS"},"rules":[]}},"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"originalUriBaseIds":{"SOURCE":{"uri":"https://github.com/EurekaDevSecOps/radarctl.git","description":{"text":"Source origin for the target being scanned (ie. git repo URL)."}},"TARGET":{"uri":"","uriBaseId":"SOURCE","description":{"text":"Scan target (subfolder) within the source repo or folder."}}}}]}