@fabasoad/sarif-to-slack 0.1.1 → 0.2.1

package/src/model/SarifModelPerRun.ts

@@ -0,0 +1,114 @@
+import type { Result, Run } from 'sarif';
+import { tryGetRulePropertyByResult } from '../utils/SarifUtils'
+import { SecurityLevel, SecuritySeverity } from './types'
+import Logger from '../Logger'
+import { Map as ImmutableMap } from 'immutable'
+import {
+  sortSecurityLevelMap,
+  sortSecuritySeverityMap
+} from '../utils/SortUtils';
+
+export class SarifModelPerRun {
+  public readonly toolName: string
+
+  private readonly _securitySeverityMap: ImmutableMap<SecuritySeverity, number>
+  private readonly _securityLevelMap: ImmutableMap<SecurityLevel, number>
+
+  constructor(run: Run) {
+    this.toolName = run.tool.driver.name
+
+    this._securitySeverityMap = ImmutableMap<SecuritySeverity, number>().asMutable()
+    this._securityLevelMap = ImmutableMap<SecurityLevel, number>().asMutable()
+
+    this.buildSecuritySeverityMap(run)
+    this.buildSecurityLevelMap(run)
+  }
+
+  private identifySecuritySeverity(score?: number): SecuritySeverity {
+    if (score === undefined) {
+      return SecuritySeverity.Unknown
+    }
+
+    if (score >= 9 && score <= 10) {
+      return SecuritySeverity.Critical
+    }
+
+    if (score >= 7) {
+      return SecuritySeverity.High
+    }
+
+    if (score >= 4) {
+      return SecuritySeverity.Medium
+    }
+
+    if (score >= 0.1) {
+      return SecuritySeverity.Low
+    }
+
+    if (score == 0) {
+      return SecuritySeverity.None
+    }
+
+    Logger.warn(`Unsupported "${score}" security severity. Saving as "Unknown".`)
+    return SecuritySeverity.Unknown
+  }
+
+  private identifySecurityLevel(level?: string): SecurityLevel {
+    if (level === undefined) {
+      return SecurityLevel.Unknown
+    }
+
+    if (level.toLowerCase() === 'error') {
+      return SecurityLevel.Error
+    }
+
+    if (level.toLowerCase() === 'warning') {
+      return SecurityLevel.Warning
+    }
+
+    if (level.toLowerCase() === 'note') {
+      return SecurityLevel.Note
+    }
+
+    Logger.warn(`Unsupported ${level} security level. Saving as "Unknown".`)
+    return SecurityLevel.Unknown
+  }
+
+  private buildSecuritySeverityMap(run: Run): void {
+    const results: Result[] = run.results ?? []
+    for (const result of results) {
+      const severity: SecuritySeverity = this.identifySecuritySeverity(
+        tryGetRulePropertyByResult(run, result, 'security-severity')
+      )
+      const count: number = this._securitySeverityMap.get(severity) || 0
+      this._securitySeverityMap.set(severity, count + 1)
+    }
+  }
+
+  private tryGetSecurityLevel(run: Run, result: Result): string | undefined {
+    if (result.level) {
+      return result.level
+    }
+
+    return tryGetRulePropertyByResult(run, result, 'problem.severity')
+  }
+
+  private buildSecurityLevelMap(run: Run): void {
+    const results: Result[] = run.results ?? []
+    for (const result of results) {
+      const level: SecurityLevel = this.identifySecurityLevel(
+        this.tryGetSecurityLevel(run, result)
+      )
+      const count: number = this._securityLevelMap.get(level) || 0
+      this._securityLevelMap.set(level, count + 1)
+    }
+  }
+
+  public get securitySeverityMap(): ImmutableMap<SecuritySeverity, number> {
+    return sortSecuritySeverityMap(this._securitySeverityMap)
+  }
+
+  public get securityLevelMap(): ImmutableMap<SecurityLevel, number> {
+    return sortSecurityLevelMap(this._securityLevelMap)
+  }
+}

package/src/model/SarifModelPerSarif.ts

@@ -0,0 +1,116 @@
+import type { SarifLog } from '../types'
+import { Map as ImmutableMap } from 'immutable'
+import { SarifModelPerRun } from './SarifModelPerRun'
+import { SecurityLevel, SecuritySeverity } from './types'
+import {
+  sortSecurityLevelMap,
+  sortSecuritySeverityMap
+} from '../utils/SortUtils';
+
+export type DataGroupedByRun<T> = {
+  toolName: string,
+  data: ImmutableMap<T, number>
+}
+
+export class SarifModelPerSarif {
+  private readonly sarifModelPerRunList: Array<SarifModelPerRun>;
+
+  constructor(sarif: SarifLog) {
+    this.sarifModelPerRunList = new Array<SarifModelPerRun>()
+    this.buildRunsList(sarif)
+  }
+
+  private buildRunsList(sarif: SarifLog): void {
+    for (const run of sarif.runs) {
+      this.sarifModelPerRunList.push(new SarifModelPerRun(run))
+    }
+  }
+
+  public groupByToolNameWithSecurityLevel(): Map<string, ImmutableMap<SecurityLevel, number>> {
+    const result = new Map<string, ImmutableMap<SecurityLevel, number>>()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      if (!result.has(sarifModelPerRun.toolName)) {
+        result.set(sarifModelPerRun.toolName, ImmutableMap<SecurityLevel, number>().asMutable())
+      }
+      for (const [k, v] of sarifModelPerRun.securityLevelMap.entries()) {
+        const count: number = result.get(sarifModelPerRun.toolName)?.get(k) || 0
+        result.get(sarifModelPerRun.toolName)?.set(k, count + v)
+      }
+    }
+    // Sort
+    for (const [k, v] of result) {
+      result.set(k, sortSecurityLevelMap(v))
+    }
+    return result
+  }
+
+  public groupByRunWithSecurityLevel(): DataGroupedByRun<SecurityLevel>[] {
+    const result = new Array<DataGroupedByRun<SecurityLevel>>()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      result.push({
+        toolName: sarifModelPerRun.toolName,
+        data: sarifModelPerRun.securityLevelMap,
+      })
+    }
+    return result
+  }
+
+  public groupByTotalWithSecurityLevel(): ImmutableMap<SecurityLevel, number> {
+    const result = ImmutableMap<SecurityLevel, number>().asMutable()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      for (const [k, v] of sarifModelPerRun.securityLevelMap.entries()) {
+        const count: number = result.get(k) || 0
+        result.set(k, count + v)
+      }
+    }
+    return sortSecurityLevelMap(result)
+  }
+
+  public groupByToolNameWithSecuritySeverity(): Map<string, ImmutableMap<SecuritySeverity, number>> {
+    const result = new Map<string, ImmutableMap<SecuritySeverity, number>>()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      if (!result.has(sarifModelPerRun.toolName)) {
+        result.set(sarifModelPerRun.toolName, ImmutableMap<SecuritySeverity, number>().asMutable())
+      }
+      for (const [k, v] of sarifModelPerRun.securitySeverityMap.entries()) {
+        const count: number = result.get(sarifModelPerRun.toolName)?.get(k) || 0
+        result.get(sarifModelPerRun.toolName)?.set(k, count + v)
+      }
+    }
+    // Sort
+    for (const [k, v] of result.entries()) {
+      result.set(k, sortSecuritySeverityMap(v))
+    }
+    return result
+  }
+
+  public groupByRunWithSecuritySeverity(): DataGroupedByRun<SecuritySeverity>[] {
+    const result = new Array<DataGroupedByRun<SecuritySeverity>>()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      result.push({
+        toolName: sarifModelPerRun.toolName,
+        data: sarifModelPerRun.securitySeverityMap,
+      })
+    }
+    return result
+  }
+
+  public groupByTotalWithSecuritySeverity(): ImmutableMap<SecuritySeverity, number> {
+    const result = ImmutableMap<SecuritySeverity, number>().asMutable()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      for (const [k, v] of sarifModelPerRun.securitySeverityMap.entries()) {
+        const count: number = result.get(k) || 0
+        result.set(k, count + v)
+      }
+    }
+    return sortSecuritySeverityMap(result)
+  }
+
+  public listToolNames(): Set<string> {
+    const toolNames = new Set<string>()
+    for (const sarifModelPerRun of this.sarifModelPerRunList) {
+      toolNames.add(sarifModelPerRun.toolName)
+    }
+    return toolNames
+  }
+}

package/src/model/types.ts

@@ -0,0 +1,31 @@
+export enum SecuritySeverity {
+  Unknown = 'Unknown',
+  None = 'None',
+  Low = 'Low',
+  Medium = 'Medium',
+  High = 'High',
+  Critical = 'Critical'
+}
+
+export const SecuritySeverityOrder: SecuritySeverity[] = [
+  SecuritySeverity.Critical,
+  SecuritySeverity.High,
+  SecuritySeverity.Medium,
+  SecuritySeverity.Low,
+  SecuritySeverity.None,
+  SecuritySeverity.Unknown
+]
+
+export enum SecurityLevel {
+  Unknown = 'Unknown',
+  Note = 'Note',
+  Warning = 'Warning',
+  Error = 'Error'
+}
+
+export const SecurityLevelOrder: SecurityLevel[] = [
+  SecurityLevel.Error,
+  SecurityLevel.Warning,
+  SecurityLevel.Note,
+  SecurityLevel.Unknown
+]

package/src/types.ts

@@ -4,7 +4,7 @@ import type { Log } from 'sarif'
  * Type representing a SARIF log.
  * @public
  */
-export type Sarif = Log
+export type SarifLog = Log
 
 /**
  * Interface for a Slack message that can be sent.
@@ -19,7 +19,7 @@ export interface SlackMessage {
   /**
    * The SARIF log associated with this Slack message.
    */
-  sarif: Sarif
+  sarif: SarifLog
 }
 
 /**
@@ -28,7 +28,8 @@ export interface SlackMessage {
  */
 export enum LogLevel {
   /**
-   * Represents the most verbose logging level, typically used for detailed debugging information.
+   * Represents the most verbose logging level, typically used for detailed
+   * debugging information.
    */
   Silly = 0,
   /**
@@ -36,23 +37,28 @@ export enum LogLevel {
    */
   Trace = 1,
   /**
-   * Represents a logging level for debugging information that is less verbose than silly.
+   * Represents a logging level for debugging information that is less verbose
+   * than silly.
    */
   Debug = 2,
   /**
-   * Represents a logging level for general informational messages that highlight the progress of the application.
+   * Represents a logging level for general informational messages that highlight
+   * the progress of the application.
    */
   Info = 3,
   /**
-   * Represents a logging level for potentially harmful situations that require attention.
+   * Represents a logging level for potentially harmful situations that require
+   * attention.
    */
   Warning = 4,
   /**
-   * Represents a logging level for error conditions that do not require immediate action but should be noted.
+   * Represents a logging level for error conditions that do not require immediate
+   * action but should be noted.
    */
   Error = 5,
   /**
-   * Represents a logging level for critical errors that require immediate attention and may cause the application to terminate.
+   * Represents a logging level for critical errors that require immediate attention
+   * and may cause the application to terminate.
    */
   Fatal = 6
 }
@@ -62,7 +68,7 @@ export enum LogLevel {
  * in the Slack message.
  * @public
  */
-export type IncludeAwareProps = {
+export type IncludeAwareOptions = {
   include: boolean
 }
 
@@ -71,10 +77,101 @@ export type IncludeAwareProps = {
  * in the Slack message, along with an optional value.
  * @public
  */
-export type IncludeAwareWithValueProps = IncludeAwareProps & {
+export type IncludeAwareWithValueOptions = IncludeAwareOptions & {
   value?: string
 }
 
+/**
+ * Enum representing the type of footer in a Slack message.
+ * @public
+ */
+export enum FooterType {
+  /**
+   * Represents a plain text footer. Text is not formatted and appears as-is.
+   */
+  PlainText = 'plain_text',
+  /**
+   * Represents a footer with Markdown formatting. Text can include formatting
+   * such as bold, italics, and links.
+   */
+  Markdown = 'mrkdwn'
+}
+
+/**
+ * Options for the footer of a Slack message. "type" is ignored if "value" is
+ * not defined.
+ * @public
+ */
+export type FooterOptions = IncludeAwareWithValueOptions & {
+  type?: FooterType
+}
+
+/**
+ * Enum representing how to group results.
+ * @public
+ */
+export enum GroupResultsBy {
+  /**
+   * Groups results by the tool name. Particularly, groups by the runs[].tool.driver.name
+   * property from the SARIF file(s).
+   */
+  ToolName = 0,
+  /**
+   * Groups results by the run. It provides the result from each run individually.
+   */
+  Run = 1,
+  /**
+   * Does not group results. It provides the result from all the runs from all
+   * the provided SARIF files.
+   */
+  Total = 2,
+}
+
+/**
+ * Enum representing how to calculate results.
+ * @public
+ */
+export enum CalculateResultsBy {
+  /**
+   * Calculates results by the security level of the findings: Error, Warning,
+   * Note and Unknown. At first, it tries to get the security level from runs[].results[].level
+   * property. If it is not defined, it tries to get the security level from the
+   * respective rule of each result, using the rules[].properties['problem.severity']
+   * property.
+   */
+  Level = 0,
+  /**
+   * Calculates results by the security severity of the findings: Critical, High,
+   * Medium, Low, None and Unknown. it tries to get the security severity from the
+   * respective rule of each result, using the rules[].properties['security-severity']
+   * property. This property contains CVSS score, which is then mapped to the
+   * security severity value.
+   */
+  Severity = 1,
+}
+
+/**
+ * Options for how to output the results in the Slack message.
+ * @public
+ */
+export type SarifToSlackOutput = {
+  groupBy: GroupResultsBy,
+  calculateBy: CalculateResultsBy,
+}
+
+/**
+ * Options for logging.
+ * @public
+ */
+export type LogOptions = {
+  level?: LogLevel,
+  /**
+   * More details here: https://github.com/fullstack-build/tslog?tab=readme-ov-file#pretty-templates-and-styles-color-settings
+   */
+  template?: string,
+  colored?: boolean,
+}
+
 /**
  * Options for the SarifToSlackService.
  * @public
@@ -86,9 +183,10 @@ export type SarifToSlackServiceOptions = {
   username?: string,
   iconUrl?: string,
   color?: string,
-  logLevel?: LogLevel | string,
-  header?: IncludeAwareWithValueProps,
-  footer?: IncludeAwareWithValueProps,
-  actor?: IncludeAwareWithValueProps,
-  run?: IncludeAwareProps,
+  log?: LogOptions,
+  header?: IncludeAwareWithValueOptions,
+  footer?: FooterOptions,
+  actor?: IncludeAwareWithValueOptions,
+  run?: IncludeAwareOptions,
+  output?: SarifToSlackOutput,
 }

package/src/utils/SarifUtils.ts

@@ -0,0 +1,44 @@
+import type { ReportingDescriptor, Result, Run } from "sarif";
+
+export function findRuleByResult(run: Run, result: Result): ReportingDescriptor | undefined {
+  const ruleData: { id?: string, index?: number } = {}
+
+  if (result.rule) {
+    if (result.rule?.index) {
+      ruleData.index = result.rule.index
+    }
+    if (result.rule?.id) {
+      ruleData.id = result.rule.id
+    }
+  }
+
+  if (!ruleData.index && result.ruleIndex) {
+    ruleData.index = result.ruleIndex
+  }
+
+  if (ruleData.index
+    && run.tool.driver?.rules
+    && ruleData.index < run.tool.driver.rules.length) {
+    return run.tool.driver.rules[ruleData.index]
+  }
+
+  // If failed to find rule by index then try to find by ruleId
+  if (result.ruleId && run.tool.driver?.rules) {
+    return run.tool.driver.rules.find(
+      (r: ReportingDescriptor): boolean => r.id === result.ruleId
+    )
+  }
+
+  return undefined
+}
+
+export type RuleProperty = 'security-severity' | 'problem.severity'
+
+export function tryGetRulePropertyByResult<T>(run: Run, result: Result, propertyName: RuleProperty): T | undefined {
+  const rule: ReportingDescriptor | undefined = findRuleByResult(run, result)
+  if (rule && rule.properties && propertyName in rule.properties) {
+    return rule.properties[propertyName] as T
+  }
+
+  return undefined
+}

package/src/utils/SortUtils.ts

@@ -0,0 +1,21 @@
+import { Map as ImmutableMap } from 'immutable'
+import {
+  SecurityLevel,
+  SecurityLevelOrder,
+  SecuritySeverity,
+  SecuritySeverityOrder
+} from '../model/types'
+
+export function sortSecurityLevelMap(map: ImmutableMap<SecurityLevel, number>): ImmutableMap<SecurityLevel, number> {
+  return map.sortBy(
+    (_: number, level: SecurityLevel): SecurityLevel => level,
+    (a: SecurityLevel, b: SecurityLevel): number => SecurityLevelOrder.indexOf(a) - SecurityLevelOrder.indexOf(b),
+  ).asImmutable()
+}
+
+export function sortSecuritySeverityMap(map: ImmutableMap<SecuritySeverity, number>): ImmutableMap<SecuritySeverity, number> {
+  return map.sortBy(
+    (_: number, severity: SecuritySeverity): SecuritySeverity => severity,
+    (a: SecuritySeverity, b: SecuritySeverity): number => SecuritySeverityOrder.indexOf(a) - SecuritySeverityOrder.indexOf(b),
+  ).asImmutable()
+}

package/src/version.ts

@@ -0,0 +1,3 @@
+// This file is autogenerated by scripts/save-version.sh
+// Do not edit it manually!
+export const LIB_VERSION = '0.2.1'