package format

// Audit requirement groups: each group pairs a numeric index with a human
// readable description. Presumably these feed SarifProperties.AuditRequirement /
// AuditRequirementIndex — confirm against the producing step. The exported
// ALL_CAPS names are not idiomatic Go but are kept as-is because renaming them
// would break importers.
const AUDIT_REQUIREMENT_GROUP_1_INDEX = 1
const AUDIT_REQUIREMENT_GROUP_2_INDEX = 2
const AUDIT_REQUIREMENT_GROUP_3_INDEX = 3
const AUDIT_REQUIREMENT_GROUP_1_DESC = "Audit All"
const AUDIT_REQUIREMENT_GROUP_2_DESC = "Spot Check"
const AUDIT_REQUIREMENT_GROUP_3_DESC = "Optional"

// SARIF is the top-level log object of a SARIF 2.1.0 document.
//
// Only the `json` tags are read by encoding/json. The `default` tags are ignored
// by encoding/json; they are presumably consumed by a defaults-filling helper
// elsewhere in the project — TODO confirm where Schema/Version get populated.
type SARIF struct {
	Schema  string `json:"$schema" default:"https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json"`
	Version string `json:"version" default:"2.1.0"`
	Runs    []Runs `json:"runs"`
}

// Runs describes one run of a single analysis tool together with the results
// it produced and the context (invocations, artifacts, taxonomies) needed to
// interpret them.
type Runs struct {
	Results            []Results           `json:"results"`
	Tool               Tool                `json:"tool"`
	Invocations        []Invocation        `json:"invocations,omitempty"`
	OriginalUriBaseIds *OriginalUriBaseIds `json:"originalUriBaseIds,omitempty"`
	Artifacts          []Artifact          `json:"artifacts,omitempty"`
	AutomationDetails  *AutomationDetails  `json:"automationDetails,omitempty"`
	// ColumnKind states how column numbers in regions are counted; the default
	// tag requests UTF-16 code units.
	ColumnKind          string       `json:"columnKind,omitempty" default:"utf16CodeUnits"`
	ThreadFlowLocations []Locations  `json:"threadFlowLocations,omitempty"`
	Taxonomies          []Taxonomies `json:"taxonomies,omitempty"`
	Conversion          *Conversion  `json:"conversion,omitempty"`
}

// Results is a single finding reported by the tool.
//
// PartialFingerprints is a struct value, so its `omitempty` has no effect in
// encoding/json: a zero PartialFingerprints is still emitted as
// "partialFingerprints": {}. Turning it into a pointer would change the type's
// interface for existing callers, so the behaviour is only documented here.
type Results struct {
	RuleID string `json:"ruleId"`
	// RuleIndex is the position of the rule in the driver's rules array. Because
	// of omitempty a legitimate index of 0 is dropped from the output; consumers
	// must fall back to RuleID.
	RuleIndex           int                 `json:"ruleIndex,omitempty"`
	Kind                string              `json:"kind,omitempty"`
	Level               string              `json:"level,omitempty"`
	Message             *Message            `json:"message,omitempty"`
	AnalysisTarget      *ArtifactLocation   `json:"analysisTarget,omitempty"`
	Locations           []Location          `json:"locations,omitempty"`
	CodeFlows           []CodeFlow          `json:"codeFlows,omitempty"`
	RelatedLocations    []RelatedLocation   `json:"relatedLocations,omitempty"`
	PartialFingerprints PartialFingerprints `json:"partialFingerprints,omitempty"`
	Properties          *SarifProperties    `json:"properties,omitempty"`
}

// Message carries human-readable text for a finding, a rule description or a
// notification.
type Message struct {
	Text string `json:"text,omitempty"`
}

// Location points at where a finding was detected and may carry a
// location-specific message.
type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
	Message          *Message         `json:"message,omitempty"`
}

// PhysicalLocation identifies the artifact and the region within it, optionally
// with surrounding context and logical (symbol-level) locations.
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation  `json:"artifactLocation"`
	Region           Region            `json:"region"`
	ContextRegion    *ContextRegion    `json:"contextRegion,omitempty"`
	LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
}

// ArtifactLocation describes the path of an artifact. URIBaseId presumably
// refers to a key of OriginalUriBaseIds (e.g. %SRCROOT%) — confirm with the
// producer. Index 0 is dropped by omitempty.
type ArtifactLocation struct {
	URI       string `json:"uri"`
	URIBaseId string `json:"uriBaseId,omitempty"`
	Index     int    `json:"index,omitempty"`
}

// Region delimits where the finding was detected, by line/column, by byte
// offset/length, or both. Column numbers are interpreted according to
// Runs.ColumnKind.
type Region struct {
	StartLine   int           `json:"startLine,omitempty"`
	StartColumn int           `json:"startColumn,omitempty"`
	EndLine     int           `json:"endLine,omitempty"`
	EndColumn   int           `json:"endColumn,omitempty"`
	ByteOffset  int           `json:"byteOffset,omitempty"`
	ByteLength  int           `json:"byteLength,omitempty"`
	Snippet     *SnippetSarif `json:"snippet,omitempty"`
}

// LogicalLocation names the program element (e.g. a fully qualified function
// or class name) in which the finding occurs.
type LogicalLocation struct {
	FullyQualifiedName string `json:"fullyQualifiedName"`
}

// PartialFingerprints holds stable identifiers that let a consumer match the
// same finding across runs. The field names reflect the producing tool
// (Fortify, Checkmarx) or the hashing scheme used.
type PartialFingerprints struct {
	FortifyInstanceID       string `json:"fortifyInstanceID,omitempty"`
	CheckmarxSimilarityID   string `json:"checkmarxSimilarityID,omitempty"`
	PrimaryLocationLineHash string `json:"primaryLocationLineHash,omitempty"`
	PackageURLPlusCVEHash   string `json:"packageUrlPlusCveHash,omitempty"`
}

// SarifProperties is the property bag attached to a result; it adds audit and
// severity context that the SARIF core schema does not model. Fields without
// omitempty are always emitted, including their zero values.
type SarifProperties struct {
	// common
	RuleGUID              string  `json:"ruleGUID,omitempty"`
	InstanceID            string  `json:"instanceID,omitempty"`
	Audited               bool    `json:"audited"`
	ToolSeverity          string  `json:"toolSeverity"`
	ToolSeverityIndex     int     `json:"toolSeverityIndex"`
	ToolState             string  `json:"toolState"`
	ToolStateIndex        int     `json:"toolStateIndex"`
	ToolAuditMessage      string  `json:"toolAuditMessage"`
	UnifiedAuditState     string  `json:"unifiedAuditState,omitempty"`
	UnifiedSeverity       string  `json:"unifiedSeverity,omitempty"`
	UnifiedCriticality    float32 `json:"unifiedCriticality,omitempty"` // a value of 0 is dropped by omitempty
	UnifiedAuditUser      string  `json:"unifiedAuditUser,omitempty"`
	AuditRequirement      string  `json:"auditRequirement"`
	AuditRequirementIndex int     `json:"auditRequirementIndex"`

	// specific (tool-dependent)
	InstanceSeverity      string `json:"instanceSeverity"`
	Confidence            string `json:"confidence"`
	FortifyCategory       string `json:"fortifyCategory"`
	CheckmarxSimilarityID string `json:"checkmarxSimilarityID"`
}

// Tool describes the analysis tool: the driver and any extensions (plugins)
// that contributed rules.
type Tool struct {
	Driver     Driver   `json:"driver"`
	Extensions []Driver `json:"extensions,omitempty"`
}

// Driver holds meta information about the scanning tool and the rules it
// applied.
type Driver struct {
	Name                string                `json:"name"`
	Version             string                `json:"version,omitempty"`
	GUID                string                `json:"guid,omitempty"`
	InformationUri      string                `json:"informationUri,omitempty"`
	Rules               []SarifRule           `json:"rules,omitempty"`
	SupportedTaxonomies []SupportedTaxonomies `json:"supportedTaxonomies,omitempty"`
}

// SarifRule describes a rule used to identify a finding. Results reference it
// via RuleID and, optionally, RuleIndex.
type SarifRule struct {
	ID                   string                `json:"id"`
	GUID                 string                `json:"guid,omitempty"`
	Name                 string                `json:"name,omitempty"`
	ShortDescription     *Message              `json:"shortDescription,omitempty"`
	FullDescription      *Message              `json:"fullDescription,omitempty"`
	DefaultConfiguration *DefaultConfiguration `json:"defaultConfiguration,omitempty"`
	HelpURI              string                `json:"helpUri,omitempty"`
	Help                 *Help                 `json:"help,omitempty"`
	Relationships        []Relationships       `json:"relationships,omitempty"`
	Properties           *SarifRuleProperties  `json:"properties,omitempty"`
}

// Help provides additional guidance to resolve the finding, as plain text
// and/or Markdown. Consumers may render the Markdown, so the content should
// come from trusted rule metadata.
type Help struct {
	Text     string `json:"text,omitempty"`
	Markdown string `json:"markdown,omitempty"`
}

// SnippetSarif holds the code snippet in which the finding appears.
type SnippetSarif struct {
	Text string `json:"text"`
}

// ContextRegion is a wider region around the finding, shown for context.
type ContextRegion struct {
	StartLine int           `json:"startLine,omitempty"`
	EndLine   int           `json:"endLine,omitempty"`
	Snippet   *SnippetSarif `json:"snippet,omitempty"`
}

// CodeFlow groups the thread flows (execution paths) that lead to a finding.
type CodeFlow struct {
	ThreadFlows []ThreadFlow `json:"threadFlows"`
}

// ThreadFlow is one ordered sequence of locations along an execution path.
type ThreadFlow struct {
	Locations []Locations `json:"locations"`
}

// Locations is a single step in a thread flow; it is also the element type of
// Runs.ThreadFlowLocations. Index 0 is dropped by omitempty.
type Locations struct {
	Location *Location `json:"location,omitempty"`
	Kinds    []string  `json:"kinds,omitempty"`
	Index    int       `json:"index,omitempty"`
}

// RelatedLocation is an additional location that helps understand the finding.
type RelatedLocation struct {
	ID               int                     `json:"id"`
	PhysicalLocation RelatedPhysicalLocation `json:"physicalLocation"`
}

// RelatedPhysicalLocation is the reduced physical location used for related
// locations (start position only, see RelatedRegion).
type RelatedPhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           RelatedRegion    `json:"region"`
}

// RelatedRegion is a region given only by its start line and column.
type RelatedRegion struct {
	StartLine   int `json:"startLine,omitempty"`
	StartColumn int `json:"startColumn,omitempty"`
}

// SupportedTaxonomies references a taxonomy the driver's rules relate to. The
// casing Guid (GUID elsewhere in this file) is kept for compatibility with
// existing callers.
type SupportedTaxonomies struct {
	Name  string `json:"name"`
	Index int    `json:"index"`
	Guid  string `json:"guid"`
}

// DefaultConfiguration is the default reporting configuration of a rule.
//
// Properties is a struct value, so its `omitempty` has no effect in
// encoding/json: an empty DefaultProperties is still emitted as "properties": {}.
// Enabled has omitempty on a bool, so "enabled": false can never be emitted —
// a rule disabled by default is indistinguishable from one that says nothing.
type DefaultConfiguration struct {
	Properties DefaultProperties `json:"properties,omitempty"`
	Level      string            `json:"level,omitempty"` // This exists in the template, but it is not clear how it is populated. TODO.
	Enabled    bool              `json:"enabled,omitempty"`
	Rank       float64           `json:"rank,omitempty"`
}

// DefaultProperties is the property bag of a rule's default configuration.
type DefaultProperties struct {
	DefaultSeverity string `json:"defaultSeverity,omitempty"`
}

// Relationships links a rule to a target in another tool component, presumably
// a taxonomy entry such as a CWE — confirm with the producer.
type Relationships struct {
	Target Target   `json:"target"`
	Kinds  []string `json:"kinds"`
}

// Target is the endpoint of a rule relationship: an id within a tool component.
type Target struct {
	Id            string        `json:"id"`
	ToolComponent ToolComponent `json:"toolComponent"`
}

// ToolComponent identifies the component (e.g. a taxonomy) a relationship
// target belongs to.
type ToolComponent struct {
	Name string `json:"name"`
	Guid string `json:"guid"`
}

// SarifRuleProperties is the property bag of a rule.
type SarifRuleProperties struct {
	Accuracy         string   `json:"accuracy,omitempty"`
	Impact           string   `json:"impact,omitempty"`
	Probability      string   `json:"probability,omitempty"`
	Tags             []string `json:"tags,omitempty"`
	Precision        string   `json:"precision,omitempty"`
	SecuritySeverity string   `json:"security-severity,omitempty"` // used by GHAS to derive the severity tag (low, medium, high)
}

// Invocation records how the tool was run.
//
// CommandLine, Machine and Account describe the scan environment. If the tool
// was invoked with credentials on its command line they would end up in
// CommandLine, so callers should redact sensitive arguments before a report is
// published outside the pipeline; likewise consider whether host and account
// names should leave the build environment.
type Invocation struct {
	CommandLine                string                       `json:"commandLine,omitempty"`
	StartTimeUtc               string                       `json:"startTimeUtc,omitempty"`
	ToolExecutionNotifications []ToolExecutionNotifications `json:"toolExecutionNotifications,omitempty"`
	ExecutionSuccessful        bool                         `json:"executionSuccessful"` // always emitted, including false
	Machine                    string                       `json:"machine,omitempty"`
	Account                    string                       `json:"account,omitempty"`
	Properties                 *InvocationProperties        `json:"properties,omitempty"`
}

// ToolExecutionNotifications is a notification emitted by the tool during the
// run (e.g. a warning or error), identified by its descriptor.
type ToolExecutionNotifications struct {
	Message    Message    `json:"message"`
	Descriptor Descriptor `json:"descriptor"`
}

// Descriptor identifies the notification kind by id.
type Descriptor struct {
	Id string `json:"id"`
}

// InvocationProperties is the property bag of an invocation.
type InvocationProperties struct {
	Platform string `json:"platform"`
}

// OriginalUriBaseIds maps URI base ids to their original locations. The only
// supported key is %SRCROOT%, which artifact locations may reference through
// their uriBaseId.
type OriginalUriBaseIds struct {
	SrcRoot SrcRoot `json:"%SRCROOT%"`
}

// SrcRoot is the original URI of the %SRCROOT% base id.
type SrcRoot struct {
	Uri string `json:"uri"`
}

// Artifact describes a file that was analysed or that a result refers to.
type Artifact struct {
	Location SarifLocation `json:"location"`
	Length   int           `json:"length,omitempty"`
	MimeType string        `json:"mimeType,omitempty"`
	Encoding string        `json:"encoding,omitempty"`
}

// SarifLocation is the location of an artifact; unlike ArtifactLocation its
// uriBaseId is always emitted.
type SarifLocation struct {
	Uri       string `json:"uri"`
	UriBaseId string `json:"uriBaseId"`
}

// AutomationDetails identifies the automation run (e.g. pipeline/job) that
// produced the log.
type AutomationDetails struct {
	Id string `json:"id"`
}

// threadFlowLocations reuse the Locations struct above; there is no separate
// type for them.

// Taxonomies describes a classification scheme (taxonomy) referenced by rules.
type Taxonomies struct {
	GUID             string  `json:"guid,omitempty"`
	Name             string  `json:"name"`
	Organization     string  `json:"organization"`
	ShortDescription Message `json:"shortDescription"`
	Taxa             []Taxa  `json:"taxa"`
}

// Taxa is a single entry of a taxonomy, identified by id.
type Taxa struct {
	Id string `json:"id"`
}

// Conversion describes the tool that converted another format into SARIF.
//
// Both fields are struct values, so `omitempty` has no effect in encoding/json:
// a zero Conversion is emitted with an empty tool and invocation object.
type Conversion struct {
	Tool       Tool       `json:"tool,omitempty"`
	Invocation Invocation `json:"invocation,omitempty"`
}