move expected test result to tests dir

burnettk 2024-08-15 08:50:22 -04:00
parent 9c5d1405ef
commit 11e961b3d0
2 changed files with 171 additions and 0 deletions


@ -0,0 +1,99 @@
import json
import argparse
def convert_to_sarif(ecr_response):
sarif_report = {
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "AWS ECR",
"informationUri": "https://aws.amazon.com/ecr/",
"rules": []
}
},
"results": []
}
]
}
findings = ecr_response["imageScanFindings"]["findings"]
for finding in findings:
rule = {
"id": finding["name"],
"name": "OsPackageVulnerability",
"shortDescription": {
"text": finding["description"]
},
"fullDescription": {
"text": finding["description"]
},
"defaultConfiguration": {
"level": finding["severity"].lower()
},
"helpUri": finding["uri"],
"help": {
"text": f"Vulnerability {finding['name']}\nSeverity: {finding['severity']}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
"markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}"
},
"properties": {
"precision": "very-high",
"security-severity": finding["attributes"][3]["value"],
"tags": [
"vulnerability",
"security",
finding["severity"]
]
}
}
sarif_report["runs"][0]["tool"]["driver"]["rules"].append(rule)
result = {
"ruleId": finding["name"],
"ruleIndex": len(sarif_report["runs"][0]["tool"]["driver"]["rules"]) - 1,
"level": finding["severity"].lower(),
"message": {
"text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": ecr_response["repositoryName"],
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": f"{ecr_response['repositoryName']}: {finding['attributes'][1]['value']}@{finding['attributes'][0]['value']}"
}
}
]
}
sarif_report["runs"][0]["results"].append(result)
return sarif_report
def main():
parser = argparse.ArgumentParser(description="Convert ECR scan findings to SARIF format.")
parser.add_argument("--input_file", required=True, help="The input JSON file with ECR scan findings.")
parser.add_argument("--output_file", required=True, help="The output SARIF file.")
args = parser.parse_args()
with open(args.input_file, "r") as f:
ecr_response = json.load(f)
sarif_report = convert_to_sarif(ecr_response)
with open(args.output_file, "w") as f:
json.dump(sarif_report, f, indent=2)
if __name__ == "__main__":
main()
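Review bot: `"level": finding["severity"].lower()` on the rule's defaultConfiguration and again on the result yields values such as "medium", which is not one of the four levels the SARIF 2.1.0 schema allows (none, note, warning, error), so a consumer that validates the report will reject or ignore it; the expected fixture in the second file pins that same value and would need the matching update. The `finding['attributes'][0]`/`[1]`/`[3]` lookups assume ECR always returns at least four attributes in one fixed order, but in the ECR API attributes are a list of key/value pairs (package_version, package_name, CVSS2_VECTOR, CVSS2_SCORE) whose order is not documented as stable, so a finding with fewer entries raises IndexError or silently mislabels the package; resolve them by key, and read `description`, `uri` and `severity` with `.get()` since ECR does not guarantee their presence. Keeping the raw severity in `tags` and the CVSS score in `security-severity` preserves what the level mapping discards. The rewritten lines below map the severity to a SARIF level and resolve attributes by key; the rule and result literals are unchanged apart from substituting the new locals.
```python
# ECR severity -> SARIF reportingConfiguration/result level (schema enum: none, note, warning, error).
_SARIF_LEVEL = {
    "CRITICAL": "error",
    "HIGH": "error",
    "MEDIUM": "warning",
    "LOW": "note",
    "INFORMATIONAL": "note",
    "UNDEFINED": "none",
}


def _attr(finding, key, default=""):
    """Return the value of the ECR finding attribute named *key*, or *default* if absent."""
    for attr in finding.get("attributes", []):
        if attr.get("key") == key:
            return attr.get("value", default)
    return default


def convert_to_sarif(ecr_response):
    # … unchanged: sarif_report skeleton …
    for finding in ecr_response["imageScanFindings"]["findings"]:
        severity = finding.get("severity", "UNDEFINED")
        level = _SARIF_LEVEL.get(severity.upper(), "none")
        description = finding.get("description", "")
        uri = finding.get("uri", "")
        package = _attr(finding, "package_name")
        installed = _attr(finding, "package_version")
        score = _attr(finding, "CVSS2_SCORE")
        # … unchanged: rule and result construction, using level/description/uri/package/installed/score
        #     in place of the .lower() and attributes[i] lookups …
```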


@ -0,0 +1,72 @@
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "AWS ECR",
"informationUri": "https://aws.amazon.com/ecr/",
"rules": [
{
"id": "CVE-2019-5188",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability."
},
"fullDescription": {
"text": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability."
},
"defaultConfiguration": {
"level": "medium"
},
"helpUri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188",
"help": {
"text": "Vulnerability CVE-2019-5188\nSeverity: MEDIUM\nPackage: e2fsprogs\nFixed Version: \nLink: [CVE-2019-5188](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188)",
"markdown": "**Vulnerability CVE-2019-5188**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|e2fsprogs||[CVE-2019-5188](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188)\n\nA code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability."
},
"properties": {
"precision": "very-high",
"security-severity": "4.6",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
}
]
}
},
"results": [
{
"ruleId": "CVE-2019-5188",
"ruleIndex": 0,
"level": "medium",
"message": {
"text": "Package: e2fsprogs\nInstalled Version: 1.44.1-1ubuntu1.1\nVulnerability CVE-2019-5188\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2019-5188](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "sample-repo",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "sample-repo: e2fsprogs@1.44.1-1ubuntu1.1"
}
}
]
}
]
}
]
}