move stuff wait-for-ecr-scan-and-get-sarif, add test

.github/workflows/unit_test.yml

@@ -0,0 +1,31 @@
+name: "Test AWS Scan Findings to SARIF"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5.1.1
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        run: |
+          pip install -r wait-for-ecr-scan-and-get-sarif/requirements.txt
+          pip install pytest
+
+      - name: Run tests
+        run: |
+          pytest wait-for-ecr-scan-and-get-sarif/test_aws_scan_findings_to_sarif.py

wait-for-ecr-scan-and-get-sarif/action.yml

@@ -36,7 +36,7 @@ runs:
     - name: Run the Python script to wait for ECR scan and get SARIF
       shell: bash
       run: |
-        python wait-for-ecr-scan-and-get-sarif/main.py \
+        python wait-for-ecr-scan-and-get-sarif/aws_scan_findings_to_sarif.py \
           --repository_name ${{ inputs.repository_name }} \
           --image_tag ${{ inputs.image_tag }} \
           --aws_region ${{ inputs.aws_region }} \

wait-for-ecr-scan-and-get-sarif/main.py

@@ -1,100 +0,0 @@
-import json
-import time
-import argparse
-
-def convert_to_sarif(ecr_response):
-    sarif_report = {
-        "version": "2.1.0",
-        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
-        "runs": [
-            {
-                "tool": {
-                    "driver": {
-                        "name": "AWS ECR",
-                        "informationUri": "https://aws.amazon.com/ecr/",
-                        "rules": []
-                    }
-                },
-                "results": []
-            }
-        ]
-    }
-
-    findings = ecr_response["imageScanFindings"]["findings"]
-    for finding in findings:
-        rule = {
-            "id": finding["name"],
-            "name": "OsPackageVulnerability",
-            "shortDescription": {
-                "text": finding["description"]
-            },
-            "fullDescription": {
-                "text": finding["description"]
-            },
-            "defaultConfiguration": {
-                "level": finding["severity"].lower()
-            },
-            "helpUri": finding["uri"],
-            "help": {
-                "text": f"Vulnerability {finding['name']}\nSeverity: {finding['severity']}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
-                "markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}"
-            },
-            "properties": {
-                "precision": "very-high",
-                "security-severity": finding["attributes"][3]["value"],
-                "tags": [
-                    "vulnerability",
-                    "security",
-                    finding["severity"]
-                ]
-            }
-        }
-        sarif_report["runs"][0]["tool"]["driver"]["rules"].append(rule)
-
-        result = {
-            "ruleId": finding["name"],
-            "ruleIndex": len(sarif_report["runs"][0]["tool"]["driver"]["rules"]) - 1,
-            "level": finding["severity"].lower(),
-            "message": {
-                "text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
-            },
-            "locations": [
-                {
-                    "physicalLocation": {
-                        "artifactLocation": {
-                            "uri": ecr_response["repositoryName"],
-                            "uriBaseId": "ROOTPATH"
-                        },
-                        "region": {
-                            "startLine": 1,
-                            "startColumn": 1,
-                            "endLine": 1,
-                            "endColumn": 1
-                        }
-                    },
-                    "message": {
-                        "text": f"{ecr_response['repositoryName']}: {finding['attributes'][1]['value']}@{finding['attributes'][0]['value']}"
-                    }
-                }
-            ]
-        }
-        sarif_report["runs"][0]["results"].append(result)
-
-    return sarif_report
-
-def main():
-    parser = argparse.ArgumentParser(description="Convert ECR scan findings to SARIF format.")
-    parser.add_argument("--input_file", required=True, help="The input JSON file with ECR scan findings.")
-    parser.add_argument("--output_file", required=True, help="The output SARIF file.")
-    args = parser.parse_args()
-
-    with open(args.input_file, "r") as f:
-        ecr_response = json.load(f)
-
-    sarif_report = convert_to_sarif(ecr_response)
-
-    with open(args.output_file, "w") as f:
-        json.dump(sarif_report, f, indent=2)
-
-if __name__ == "__main__":
-    main()

wait-for-ecr-scan-and-get-sarif/test_aws_scan_findings_to_sarif.py

@@ -0,0 +1,15 @@
+import json
+import pytest
+from aws_scan_findings_to_sarif import convert_to_sarif
+
+def test_convert_to_sarif():
+    with open("sample-api-response-ecr-describe-image-scan-findings.json", "r") as f:
+        ecr_response = json.load(f)
+
+    sarif_report = convert_to_sarif(ecr_response)
+
+    assert sarif_report["version"] == "2.1.0"
+    assert sarif_report["runs"][0]["tool"]["driver"]["name"] == "AWS ECR"
+    assert len(sarif_report["runs"][0]["results"]) == 1
+    assert sarif_report["runs"][0]["results"][0]["ruleId"] == "CVE-2019-5188"
+    assert sarif_report["runs"][0]["results"][0]["level"] == "medium"