some updates to the sarif formatting w/ burnettk

This commit is contained in:
jasquat 2024-08-15 15:56:56 -04:00
parent 47cd12187b
commit ec7824e0e7
No known key found for this signature in database
2 changed files with 33 additions and 22 deletions

View File

@ -4,6 +4,12 @@ import jsonschema
def convert_to_sarif(ecr_response): def convert_to_sarif(ecr_response):
image_tags = []
if "imageTag" in ecr_response["imageId"]:
image_tags.append(
f"{ecr_response['repositoryName']}:{ecr_response['imageId']['imageTag']}"
)
sarif_report = { sarif_report = {
"version": "2.1.0", "version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
@ -23,9 +29,7 @@ def convert_to_sarif(ecr_response):
"repoDigests": [ "repoDigests": [
f"{ecr_response['repositoryName']}@{ecr_response['imageId']['imageDigest']}" f"{ecr_response['repositoryName']}@{ecr_response['imageId']['imageDigest']}"
], ],
"repoTags": [ "repoTags": image_tags,
f"{ecr_response['repositoryName']}:{ecr_response['imageId']['imageTag']}"
],
}, },
} }
], ],
@ -49,6 +53,8 @@ def convert_to_sarif(ecr_response):
severity_for_level.lower(), "none" severity_for_level.lower(), "none"
) )
vulnerability_name = finding["type"]
if is_enhanced: if is_enhanced:
vulnerability_id = finding["packageVulnerabilityDetails"][ vulnerability_id = finding["packageVulnerabilityDetails"][
"vulnerabilityId" "vulnerabilityId"
@ -59,8 +65,7 @@ def convert_to_sarif(ecr_response):
] ]
cvss = finding["packageVulnerabilityDetails"]["cvss"] cvss = finding["packageVulnerabilityDetails"]["cvss"]
base_score = None base_score = None
properties = { properties: dict = {
"precision": "very-high",
"tags": [ "tags": [
"vulnerability", "vulnerability",
"security", "security",
@ -71,10 +76,11 @@ def convert_to_sarif(ecr_response):
base_score = cvss[0]["baseScore"] base_score = cvss[0]["baseScore"]
if base_score is not None: if base_score is not None:
properties["security-severity"] = base_score properties["security-severity"] = base_score
properties["precision"] = "very-high"
rule = { rule = {
"id": vulnerability_id, "id": vulnerability_id,
"name": "OsPackageVulnerability", "name": vulnerability_name,
"shortDescription": {"text": finding["description"]}, "shortDescription": {"text": finding["description"]},
"fullDescription": {"text": finding["description"]}, "fullDescription": {"text": finding["description"]},
"defaultConfiguration": {"level": severity_for_level}, "defaultConfiguration": {"level": severity_for_level},
@ -117,7 +123,7 @@ def convert_to_sarif(ecr_response):
else: else:
rule = { rule = {
"id": finding["name"], "id": finding["name"],
"name": "OsPackageVulnerability", "name": vulnerability_name,
"shortDescription": {"text": finding["description"]}, "shortDescription": {"text": finding["description"]},
"fullDescription": {"text": finding["description"]}, "fullDescription": {"text": finding["description"]},
"defaultConfiguration": {"level": severity_for_level}, "defaultConfiguration": {"level": severity_for_level},

View File

@ -2,12 +2,16 @@ import json
import pytest import pytest
import os import os
import sys import sys
sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
from aws_scan_findings_to_sarif import convert_to_sarif from aws_scan_findings_to_sarif import convert_to_sarif
def test_convert_to_sarif(): def test_convert_to_sarif():
base_dir = os.path.dirname(os.path.abspath(__file__)) base_dir = os.path.dirname(os.path.abspath(__file__))
sample_file_path = os.path.join(base_dir, "sample-api-response-ecr-describe-image-scan-findings.json") sample_file_path = os.path.join(
base_dir, "tests/sample-api-response-ecr-describe-image-scan-findings.json"
)
with open(sample_file_path, "r") as f: with open(sample_file_path, "r") as f:
ecr_response = json.load(f) ecr_response = json.load(f)
@ -17,18 +21,19 @@ def test_convert_to_sarif():
assert sarif_report["runs"][0]["tool"]["driver"]["name"] == "AWS ECR" assert sarif_report["runs"][0]["tool"]["driver"]["name"] == "AWS ECR"
assert len(sarif_report["runs"][0]["results"]) == 1 assert len(sarif_report["runs"][0]["results"]) == 1
assert sarif_report["runs"][0]["results"][0]["ruleId"] == "CVE-2019-5188" assert sarif_report["runs"][0]["results"][0]["ruleId"] == "CVE-2019-5188"
assert sarif_report["runs"][0]["results"][0]["level"] == "medium" assert sarif_report["runs"][0]["results"][0]["level"] == "warning"
def test_convert_to_sarif_reduced_to_one_issue():
base_dir = os.path.dirname(os.path.abspath(__file__))
sample_file_path = os.path.join(base_dir, "tests/sample-api-response-ecr-scan-ubuntu-reduced-to-one-issue.json")
expected_output_path = os.path.join(base_dir, "tests/trivy-report-ubuntu-reduced-to-one-issue.sarif")
with open(sample_file_path, "r") as f: # def test_convert_to_sarif_reduced_to_one_issue():
ecr_response = json.load(f) # base_dir = os.path.dirname(os.path.abspath(__file__))
with open(expected_output_path, "r") as f: # sample_file_path = os.path.join(base_dir, "tests/sample-api-response-ecr-scan-ubuntu-reduced-to-one-issue.json")
expected_output = json.load(f) # expected_output_path = os.path.join(base_dir, "tests/trivy-report-ubuntu-reduced-to-one-issue.sarif")
#
sarif_report = convert_to_sarif(ecr_response) # with open(sample_file_path, "r") as f:
# ecr_response = json.load(f)
assert sarif_report == expected_output # with open(expected_output_path, "r") as f:
# expected_output = json.load(f)
#
# sarif_report = convert_to_sarif(ecr_response)
#
# assert sarif_report == expected_output