smithy-security · northdpole · Jan 2, 2024 · Dec 28, 2023 · Dec 28, 2023 · Dec 28, 2023
diff --git a/api/proto/v1/issue.pb.go b/api/proto/v1/issue.pb.go
diff --git a/api/proto/v1/issue.proto b/api/proto/v1/issue.proto
@@ -62,6 +62,9 @@ message Issue {
   string uuid = 10;
   // optional field that allows us to also encode a bill of materials in an issue
   optional string cyclone_d_x_s_b_o_m = 11;
+
+  // optional string that allows producers to communicate relevant code/request segments
+  optional string context_segment = 12;
 }
 
 /* Represents an issue that has been enriched with metadata from the enrichment service */

diff --git a/components/producers/golang-gosec/BUILD b/components/producers/golang-gosec/BUILD
@@ -12,6 +12,7 @@ go_binary(
     deps = [
         "//api/proto/v1",
         "//components/producers",
+        "//pkg/context",
     ],
 )
 
@@ -24,6 +25,8 @@ go_test(
     deps = [
         "//api/proto/v1",
         "//components/producers",
+        "//pkg/context",
+        "//pkg/testutil",
         "//third_party/go/github.com/stretchr/testify",
     ],
 )

diff --git a/components/producers/golang-gosec/main.go b/components/producers/golang-gosec/main.go
@@ -5,6 +5,7 @@ import (
 	"log"
 
 	v1 "github.com/ocurity/dracon/api/proto/v1"
+	"github.com/ocurity/dracon/pkg/context"
 
 	"github.com/ocurity/dracon/components/producers"
 )
@@ -24,8 +25,10 @@ func main() {
 		log.Fatal(err)
 	}
 
-	issues := parseIssues(&results)
-
+	issues, err := parseIssues(&results)
+	if err != nil {
+		log.Fatal(err)
+	}
 	if err := producers.WriteDraconOut(
 		"gosec",
 		issues,
@@ -34,20 +37,26 @@ func main() {
 	}
 }
 
-func parseIssues(out *GoSecOut) []*v1.Issue {
+func parseIssues(out *GoSecOut) ([]*v1.Issue, error) {
 	issues := []*v1.Issue{}
 	for _, r := range out.Issues {
-		issues = append(issues, &v1.Issue{
+		iss := &v1.Issue{
 			Target:      fmt.Sprintf("%s:%v", r.File, r.Line),
 			Type:        r.RuleID,
 			Title:       r.Details,
 			Severity:    v1.Severity(v1.Severity_value[fmt.Sprintf("SEVERITY_%s", r.Severity)]),
 			Cvss:        0.0,
 			Confidence:  v1.Confidence(v1.Confidence_value[fmt.Sprintf("CONFIDENCE_%s", r.Confidence)]),
 			Description: r.Code,
-		})
+		}
+		code, err := context.ExtractCode(iss)
+		if err != nil {
+			return nil, err
+		}
+		iss.ContextSegment = &code
+		issues = append(issues, iss)
 	}
-	return issues
+	return issues, nil
 }
 
 // GoSecOut represents the output of a GoSec run.

diff --git a/components/producers/golang-gosec/main_test.go b/components/producers/golang-gosec/main_test.go
@@ -2,24 +2,40 @@ package main
 
 import (
 	"encoding/json"
+	"fmt"
+	"os"
 	"testing"
 
 	v1 "github.com/ocurity/dracon/api/proto/v1"
+	"github.com/ocurity/dracon/pkg/testutil"
 
 	"github.com/stretchr/testify/assert"
 )
 
-const exampleOutput = `
+var code = `func GetProducts(ctx context.Context, db *sql.DB, category string) ([]Product, error) {
+	rows, err := db.QueryContext(ctx, "SELECT * FROM product WHERE category='"+category+"'")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var products []Product
+	for rows.Next() {
+		var product Product
+		if err := rows.Scan(&product.Id, &product.Name, &product.Category, &product.Price); err != nil {
+			return nil, err
+		}`
+
+var gosecout = `
 {
 	"Issues": [
 		{
 			"severity": "MEDIUM",
 			"confidence": "HIGH",
 			"rule_id": "G304",
 			"details": "Potential file inclusion via variable",
-			"file": "/tmp/source/foo.go",
+			"file": "%s",
 			"code": "ioutil.ReadFile(path)",
-			"line": "33",
+			"line": "2",
 			"column": "44"
 		}
 	],
@@ -32,20 +48,28 @@ const exampleOutput = `
 }`
 
 func TestParseIssues(t *testing.T) {
+
+	f, err := testutil.CreateFile("gosec_tests_vuln_code", code)
+	if err != nil {
+		t.Error(err)
+	}
+	defer os.Remove(f.Name())
+	exampleOutput := fmt.Sprintf(gosecout, f.Name())
 	var results GoSecOut
-	err := json.Unmarshal([]byte(exampleOutput), &results)
+	err = json.Unmarshal([]byte(exampleOutput), &results)
 	assert.Nil(t, err)
 
-	issues := parseIssues(&results)
-
+	issues, err := parseIssues(&results)
+	assert.Nil(t, err)
 	expectedIssue := &v1.Issue{
-		Target:      "/tmp/source/foo.go:33",
-		Type:        "G304",
-		Title:       "Potential file inclusion via variable",
-		Severity:    v1.Severity_SEVERITY_MEDIUM,
-		Cvss:        0.0,
-		Confidence:  v1.Confidence_CONFIDENCE_HIGH,
-		Description: "ioutil.ReadFile(path)",
+		Target:         fmt.Sprintf("%s:2", f.Name()),
+		Type:           "G304",
+		Title:          "Potential file inclusion via variable",
+		Severity:       v1.Severity_SEVERITY_MEDIUM,
+		Cvss:           0.0,
+		Confidence:     v1.Confidence_CONFIDENCE_HIGH,
+		Description:    "ioutil.ReadFile(path)",
+		ContextSegment: &code,
 	}
 
 	assert.Equal(t, []*v1.Issue{expectedIssue}, issues)

diff --git a/components/producers/kics/BUILD b/components/producers/kics/BUILD
@@ -14,6 +14,7 @@ go_binary(
         "//api/proto/v1",
         "//components/producers",
         "//components/producers/kics/types",
+        "//pkg/context",
         "//pkg/sarif",
     ],
 )
@@ -30,6 +31,8 @@ go_test(
         "//components/producers/kics/types",
         "//pkg/sarif",
         "//third_party/go/github.com/stretchr/testify",
+        "//pkg/testutil",
+        "//pkg/context",
     ],
 )
 

diff --git a/components/producers/kics/main.go b/components/producers/kics/main.go
@@ -9,6 +9,7 @@ import (
 	v1 "github.com/ocurity/dracon/api/proto/v1"
 	"github.com/ocurity/dracon/components/producers"
 	"github.com/ocurity/dracon/components/producers/kics/types"
+	"github.com/ocurity/dracon/pkg/context"
 	"github.com/ocurity/dracon/pkg/sarif"
 )
 
@@ -48,14 +49,18 @@ func main() {
 		if err := producers.ParseJSON(inFile, &results); err != nil {
 			log.Fatal(err)
 		}
-		if err := producers.WriteDraconOut("KICS", parseOut(results)); err != nil {
+		res, err := parseOut(results)
+		if err != nil {
+			log.Fatal(err)
+		}
+		if err := producers.WriteDraconOut("KICS", res); err != nil {
 			log.Fatal(err)
 		}
 
 	}
 }
 
-func parseOut(results types.KICSOut) []*v1.Issue {
+func parseOut(results types.KICSOut) ([]*v1.Issue, error) {
 	issues := []*v1.Issue{}
 	for _, query := range results.Queries {
 		queryCopy := query
@@ -64,8 +69,7 @@ func parseOut(results types.KICSOut) []*v1.Issue {
 		for _, file := range query.Files {
 			queryCopy.Files = []types.KICSFile{file}
 			description, _ := json.Marshal(queryCopy)
-
-			issues = append(issues, &v1.Issue{
+			iss := &v1.Issue{
 				Target:     fmt.Sprintf("%s:%d", file.FileName, file.Line),
 				Type:       file.IssueType,
 				Severity:   KICSSeverityToDracon(query.Severity),
@@ -75,11 +79,17 @@ func parseOut(results types.KICSOut) []*v1.Issue {
 					file.ResourceType,
 					file.ResourceName),
 				Description: string(description),
-			})
+			}
+			cs, err := context.ExtractCode(iss)
+			if err != nil {
+				return nil, err
+			}
+			iss.ContextSegment = &cs
+			issues = append(issues, iss)
 
 		}
 	}
-	return issues
+	return issues, nil
 }
 
 // KICSSeverityToDracon maps KCIS Severity Strings to dracon struct.