From aec328a720528639acaab30754d9015fd24cd7e3 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Thu, 4 Jul 2024 17:54:58 +0200
Subject: [PATCH 1/3] remove duplicated sourcode findings

---
 guarddog/analyzer/analyzer.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/guarddog/analyzer/analyzer.py b/guarddog/analyzer/analyzer.py
index c2ca1a10..871d2c4a 100644
--- a/guarddog/analyzer/analyzer.py
+++ b/guarddog/analyzer/analyzer.py
@@ -240,11 +240,16 @@ def _format_semgrep_response(self, response, rule=None, targetpath=None):
 location = file_path + ":" + str(line)
 code = self.trim_code_snippet(code_snippet)
- results[rule_name].append({
+ finding = {
 'location': location,
 'code': code,
 'message': result["extra"]["message"]
- })
+ }
+
+ rule_results = results[rule_name]
+ if finding in rule_results:
+ continue
+ results[rule_name].append(finding)
 return results

From 95556ce942399e3ba162904092a593b0a14e743d Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 10 Jul 2024 19:03:31 +0200
Subject: [PATCH 2/3] Adding docs

---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 220d700b..6b69554f 100644
--- a/README.md
+++ b/README.md
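Review bot: The new membership test `if finding in rule_results:` is a linear scan over a list of dicts, so de-duplicating one rule's findings is quadratic in the number of semgrep matches for that rule, and for a malware scanner run over large packages that can dominate result formatting. A per-rule set of `(location, code, message)` tuples gives the same de-duplication at O(1) per match; the set has to be created next to `results` before the loop, and both the loop header and `_format_semgrep_response`'s start lie outside this hunk. Separately, the hunk creates the alias `rule_results = results[rule_name]` and then appends through `results[rule_name]` anyway, so either drop the alias or use `rule_results.append(finding)`. A one-line comment naming where the duplicates come from (presumably the same rule firing through more than one loaded rule file, which the hunk does not show) would stop the next reader from removing the check as dead code.
```python
# … unchanged: location / code extraction …
key = (location, code, result["extra"]["message"])
# seen_keys: dict[str, set[tuple]] created next to `results`, before this loop
rule_seen = seen_keys.setdefault(rule_name, set())
if key in rule_seen:
    continue
rule_seen.add(key)
results[rule_name].append({
    'location': location,
    'code': code,
    'message': result["extra"]["message"],
})
```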
@@ -148,6 +148,16 @@ Metadata heuristics:
+## Custom Rules
+
+Guarddog allows to implement custom sourcecode rules.
+Sourcecode rules live under the [guarddog/analyzer/sourcecode](guarddog/analyzer/sourcecode) directory, and supported formats are [Semgrep](https://github.com/semgrep/semgrep) or [Yara](https://github.com/VirusTotal/yara).
+
+* Semgrep rules are language-dependent, and Guarddog will import all `.yml` rules where the language matches the ecosystem selected by the user in CLI.
+* Yara rules on the other hand are language agnostic, therefore all matching `.yar` rules present will be imported.
+
+Is possible then to write your own rule and drop it into that directory, Guarddog will allow you to select it or exclude it as any built-in rule as well as appending the findings to its output.
+
 ## Running GuardDog in a GitHub Action
 The easiest way to integrate GuardDog in your CI pipeline is to leverage the SARIF output format, and upload it to GitHub's [code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) feature.

From 5be1bd14c44223d85b15f2572edd8982394bcf85 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 10 Jul 2024 19:07:52 +0200
Subject: [PATCH 3/3] Revert "Adding docs"

This reverts commit 95556ce942399e3ba162904092a593b0a14e743d.

---
 README.md | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/README.md b/README.md
index 6b69554f..220d700b 100644
--- a/README.md
+++ b/README.md
@@ -148,16 +148,6 @@ Metadata heuristics:
-## Custom Rules
-
-Guarddog allows to implement custom sourcecode rules.
-Sourcecode rules live under the [guarddog/analyzer/sourcecode](guarddog/analyzer/sourcecode) directory, and supported formats are [Semgrep](https://github.com/semgrep/semgrep) or [Yara](https://github.com/VirusTotal/yara).
-
-* Semgrep rules are language-dependent, and Guarddog will import all `.yml` rules where the language matches the ecosystem selected by the user in CLI.
-* Yara rules on the other hand are language agnostic, therefore all matching `.yar` rules present will be imported.
-
-Is possible then to write your own rule and drop it into that directory, Guarddog will allow you to select it or exclude it as any built-in rule as well as appending the findings to its output.
-
 ## Running GuardDog in a GitHub Action
 The easiest way to integrate GuardDog in your CI pipeline is to leverage the SARIF output format, and upload it to GitHub's [code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) feature.