From a9bce1686597b3d0cfa00fe343ec6ec4beb4994b Mon Sep 17 00:00:00 2001 From: joshua-ostrom Date: Thu, 18 May 2023 14:38:11 -0400 Subject: [PATCH] Spec fixes, rubocop --- lib/salus/plugin_manager.rb | 5 +++-- lib/salus/report.rb | 5 +++-- lib/salus/scanners/brakeman.rb | 1 + lib/sarif/base_sarif.rb | 4 ++-- .../success_with_exceptions/salus-sarif.yaml | 12 +++++++++++- spec/fixtures/sorted_results/sorted_sarif.json | 4 ++-- spec/lib/sarif/brakeman_sarif_spec.rb | 2 +- spec/lib/sarif/osv/maven_osv_sarif_spec.rb | 2 +- spec/lib/sarif/pattern_search_sarif_spec.rb | 2 +- spec/lib/sarif/semgrep_sarif_spec.rb | 2 +- spec/lib/sarif/trufflehog_sarif_spec.rb | 6 +++--- 11 files changed, 29 insertions(+), 16 deletions(-) diff --git a/lib/salus/plugin_manager.rb b/lib/salus/plugin_manager.rb index a56b80d5..466a9528 100644 --- a/lib/salus/plugin_manager.rb +++ b/lib/salus/plugin_manager.rb @@ -19,10 +19,11 @@ def register_listener(listener) end def apply_filter(filter_family, filter_method, *data) + result = data&.first @@filters[filter_family]&.each do |f| - data = f.__send__(filter_method, *data) if f.respond_to?(filter_method) + result = f.__send__(filter_method, *data) if f.respond_to?(filter_method) end - data + result end def send_event(event_name, *data) diff --git a/lib/salus/report.rb b/lib/salus/report.rb index 41d4eca1..77512f22 100644 --- a/lib/salus/report.rb +++ b/lib/salus/report.rb @@ -64,7 +64,7 @@ def apply_report_hash_filters(report_hash) Salus::PluginManager.apply_filter(:salus_report, :filter_report_hash, report_hash) end - def apply_report_sarif_filters(sarif_json, config) + def apply_report_sarif_filters(sarif_json, config = nil) Salus::PluginManager.apply_filter(:salus_report, :filter_report_sarif, sarif_json, config) end 
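Review bot: Filters no longer chain in `apply_filter`: every filter in `@@filters[filter_family]` is now invoked with the original `*data`, and `result` keeps only the return value of the last responder, so when two filters of the same family both respond to `filter_method` the first one's transformation is silently discarded. If a pipeline is intended (the previous `data = f.__send__(...)` reassignment suggests so, though it broke because the returned value was re-splatted on the next iteration), feed the running value through: `result = f.__send__(filter_method, result, *data.drop(1)) if f.respond_to?(filter_method)`. The `&.` in `data&.first` is dead since a splat parameter is always an Array; `result = data.first` reads the same and does not hide a nil that cannot occur.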
@@ -210,6 +210,7 @@ def to_sarif(config = {}) sarif_json = JSON.pretty_generate(sorted_sarif) Sarif::SarifReport.validate_sarif(apply_report_sarif_filters(sarif_json, config)) rescue StandardError => e + puts "Failure in validing SARIF" bugsnag_notify(e.class.to_s + " " + e.message + "\nBuild Info:" + @builds.to_s) end @@ -410,7 +411,7 @@ def report_body_hash(config, data) return body_hash unless config['post']['salus_report_param_name'] compress_sarif = config.dig('post', 'salus_report_options', 'gzip-base64') - data = compress(data) if compress_sarif + data = compress(JSON.pretty_generate(data)) if ["true", true].include?(compress_sarif) body_hash[config['post']['salus_report_param_name']] = data body_hash diff --git a/lib/salus/scanners/brakeman.rb b/lib/salus/scanners/brakeman.rb index b4b8760e..95383ca7 100644 --- a/lib/salus/scanners/brakeman.rb +++ b/lib/salus/scanners/brakeman.rb @@ -115,6 +115,7 @@ def ignore_list return [] unless user_supplied_ignore? return [] unless File.exist?(@config['ignore']) + data = JSON.parse(File.read(@config['ignore'])) return [] unless data.key?('ignored_warnings') diff --git a/lib/sarif/base_sarif.rb b/lib/sarif/base_sarif.rb index 3d9bd476..c6ca7609 100644 --- a/lib/sarif/base_sarif.rb +++ b/lib/sarif/base_sarif.rb @@ -185,7 +185,7 @@ def build_runs_object(supported) def remap_rule_ids(run) rules = run['tool'][:driver]['rules'] run['results'].each do |r| - r['ruleIndex'] = rules.index { |rule| rule[:id] == r[:ruleId] } + r[:ruleIndex] = rules.index { |rule| rule[:id] == r[:ruleId] } end run end @@ -324,4 +324,4 @@ def self.snippet_possibly_in_diff?(snippet, scanner, lines_added) adapter_cls.snippet_possibly_in_git_diff?(snippet, lines_added) end end -end \ No newline at end of file +end diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml index 2a60ddca..a3cbcc5b 100644 
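Review bot: The new `puts` line in the `to_sarif` rescue misspells "validing" and writes to stdout without the exception details that the following `bugsnag_notify` call does include; `warn "Failure in validating SARIF: #{e.class}: #{e.message}"` keeps the message on stderr together with its cause. The rescue still appears to return the `bugsnag_notify` result rather than a SARIF document, so callers of `to_sarif` receive something other than SARIF on failure; that predates this change, but a one-line comment next to the new log line stating that behaviour would help the next reader. `to_sarif` starts before this hunk.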
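Review bot: `JSON.pretty_generate(data)` on the compressed branch of `report_body_hash` assumes `data` is a Hash or Array; if a caller already passes the JSON string that `to_sarif` builds (`sarif_json = JSON.pretty_generate(sorted_sarif)` in the hunk above), the payload is double-encoded into a gzipped JSON string literal. Either document that `data` must be the unserialised report, or guard it: `payload = data.is_a?(String) ? data : JSON.pretty_generate(data)` before the `compress` call. The uncompressed branch also leaves `data` unserialised while the compressed one serialises it, which is worth a comment if intentional. The accepted flag values `["true", true]` would read better as a frozen constant, and since `config` looks like it is parsed from a user-supplied file (`config.dig('post', ...)`), a comment that `"True"`/`"yes"` are not accepted would prevent a silently uncompressed upload. `report_body_hash` continues outside the hunk.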
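Review bot: `rules.index { ... }` in `remap_rule_ids` returns nil when a result's `ruleId` has no matching entry in `rules`, so the emitted result carries `ruleIndex: nil`; SARIF 2.1.0 defines `ruleIndex` as an integer with -1 meaning "no index", so `r[:ruleIndex] = rules.index { |rule| rule[:id] == r[:ruleId] } || -1` keeps the output schema-valid when a scanner reports a rule it never declared. Switching to the symbol key now matches `r[:ruleId]` on the same line; a one-line comment that results are symbol-keyed at this point (the specs read them back with string keys, presumably after serialisation) would stop the next contributor from reintroducing the string key.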
--- a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml +++ b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml @@ -20,4 +20,14 @@ scanner_configs: advisory_id: "1091018", changed_by: "joshua.ostrom", notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.", - } \ No newline at end of file + } + - { + advisory_id: "1091686", + changed_by: "joshua.ostrom", + notes: "WAGMI", + } + - { + advisory_id: "1091710", + changed_by: "joshua.ostrom", + notes: "BTC $26.5K", + } diff --git a/spec/fixtures/sorted_results/sorted_sarif.json b/spec/fixtures/sorted_results/sorted_sarif.json index e876ce00..5c01847b 100644 --- a/spec/fixtures/sorted_results/sorted_sarif.json +++ b/spec/fixtures/sorted_results/sorted_sarif.json @@ -31,7 +31,7 @@ "text": "Useless equality test.. Pattern 1 == $X is required but not found." }, "ruleId": "Required Pattern Not Found", - "ruleIndex": 1 + "ruleIndex": 0 }, { "level": "error", @@ -53,7 +53,7 @@ "text": "Syntax error at line /home/spec/fixtures/semgrep/invalid/unparsable_py.py:3:\n `print(\"foo\"` was unexpected" }, "ruleId": "SAL002", - "ruleIndex": 0 + "ruleIndex": 1 } ], "tool": { diff --git a/spec/lib/sarif/brakeman_sarif_spec.rb b/spec/lib/sarif/brakeman_sarif_spec.rb index a1b7a10a..d505c140 100644 --- a/spec/lib/sarif/brakeman_sarif_spec.rb +++ b/spec/lib/sarif/brakeman_sarif_spec.rb @@ -186,7 +186,7 @@ # Check result info expect(result['ruleId']).to eq('13') - expect(result['ruleIndex']).to eq(0) + expect(result['ruleIndex']).to eq(2) expect(result['level']).to eq('error') expect(result['locations'][0]['physicalLocation']['region']['startLine']).to eq(3) snippet = result['locations'][0]['physicalLocation']['region']['snippet']['text'].to_s diff --git a/spec/lib/sarif/osv/maven_osv_sarif_spec.rb b/spec/lib/sarif/osv/maven_osv_sarif_spec.rb index 9a28b8f4..6f00fc25 100644 
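Review bot: The `ruleIndex` expectations in this spec and in maven_osv_sarif_spec, pattern_search_sarif_spec, semgrep_sarif_spec and trufflehog_sarif_spec pin a position that depends on the order in which the run's rules were assembled, which is why this commit has to shuffle 0/1/2/5 across five files. Asserting the invariant instead, e.g. `expect(rules[result['ruleIndex']]['id']).to eq(result['ruleId'])` with `rules` read from the run's `tool.driver.rules`, would survive a reordering of the rule list while still catching the string/symbol key mix-up this change fixes. The example block around these lines starts outside the hunk.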
--- a/spec/lib/sarif/osv/maven_osv_sarif_spec.rb +++ b/spec/lib/sarif/osv/maven_osv_sarif_spec.rb @@ -91,7 +91,7 @@ def stub_req_with_valid_response "severity" => "HIGH" }, "ruleId" => "CVE-2018-15756", - "ruleIndex" => 5 + "ruleIndex" => 0 } ) diff --git a/spec/lib/sarif/pattern_search_sarif_spec.rb b/spec/lib/sarif/pattern_search_sarif_spec.rb index 22ff3ee0..176569df 100644 --- a/spec/lib/sarif/pattern_search_sarif_spec.rb +++ b/spec/lib/sarif/pattern_search_sarif_spec.rb @@ -44,7 +44,7 @@ expect(results).to include( { "ruleId": "Forbidden Pattern Found", - "ruleIndex": 0, + "ruleIndex": 1, "level": "error", "message": { "text": "not important string. Pattern Nerv is forbidden." diff --git a/spec/lib/sarif/semgrep_sarif_spec.rb b/spec/lib/sarif/semgrep_sarif_spec.rb index d2939a00..2a6828bb 100644 --- a/spec/lib/sarif/semgrep_sarif_spec.rb +++ b/spec/lib/sarif/semgrep_sarif_spec.rb @@ -146,7 +146,7 @@ expect(result).to include( { "ruleId" => "Required Pattern Not Found", - "ruleIndex" => 1, + "ruleIndex" => 0, "level" => "error", "message" => { "text" => "Useless equality test.. Pattern 1 == $X is required but not found." diff --git a/spec/lib/sarif/trufflehog_sarif_spec.rb b/spec/lib/sarif/trufflehog_sarif_spec.rb index b757bf84..34110920 100644 --- a/spec/lib/sarif/trufflehog_sarif_spec.rb +++ b/spec/lib/sarif/trufflehog_sarif_spec.rb @@ -27,7 +27,7 @@ } }], "message" => { "text" => "Leaked credential detected" }, "properties" => { "severity" => "high" }, - "ruleId" => "FlatIO-PLAIN", "ruleIndex" => 1 } + "ruleId" => "FlatIO-PLAIN", "ruleIndex" => 0 } expected_vul1 = { "level" => "error", "locations" => [{ "physicalLocation" => { "artifactLocation" => { "uri" => "url.txt", 
@@ -40,7 +40,7 @@ } }], "message" => { "text" => "Leaked credential detected" }, "properties" => { "severity" => "high" }, - "ruleId" => "JDBC-PLAIN", "ruleIndex" => 0 } + "ruleId" => "JDBC-PLAIN", "ruleIndex" => 1 } expected_vul2 = { "level" => "error", "locations" => [{ "physicalLocation" => { "artifactLocation" => { "uri" => "url.txt", @@ -53,7 +53,7 @@ } }], "message" => { "text" => "Leaked credential detected" }, "properties" => { "severity" => "high" }, - "ruleId" => "JDBC-PLAIN", "ruleIndex" => 0 } + "ruleId" => "JDBC-PLAIN", "ruleIndex" => 1 } expect(result.size).to eq(3) [expected_vul0, expected_vul1, expected_vul2].each { |v| expect(result).to include(v) } end