Merge pull request #826 from coinbase/severity_cleanup

3.2.5 Ensure Semgrep and pattern search include severity in SARIF

lib/salus.rb

@@ -17,7 +17,7 @@
 require 'salus/scanner_types'
 
 module Salus
- VERSION = '3.2.4'.freeze
+ VERSION = '3.2.5'.freeze
  DEFAULT_REPO_PATH = './repo'.freeze # This is inside the docker container at /home/repo.
  DEFAULT_REPORT_FILTER = 'all'.freeze
  NONE_REPORT_FILTER = 'none'.freeze

lib/sarif/pattern_search_sarif.rb

@@ -88,7 +88,8 @@ def parse_issue(issue)
  uri: url_info[0],
  help_url: PATTERN_SEARCH_URI,
  code: issue[:hit],
- properties: { severity: "HIGH" }
+ properties: { severity: "HIGH" },
+ messageStrings: { "severity": { "text": "HIGH" } }
  }
  end
 

lib/sarif/semgrep_sarif.rb

@@ -99,7 +99,8 @@ def parse_hit(hit)
  code: code,
  rule: "Pattern: #{hit[:pattern]}\nMessage: #{hit[:msg]}",
  properties: { 'severity': hit[:severity] },
- messageStrings: { "cwe": { "text": cwes.to_s } }
+ messageStrings: { "cwe": { "text": cwes.to_s },
+ "severity": { "text": hit[:severity].to_s } }
  }
  rescue StandardError => e
  bugsnag_notify(e.message)

spec/fixtures/integration/expected_report.json

@@ -1,5 +1,5 @@
 {
- "version": "3.2.4",
+ "version": "3.2.5",
  "passed": true,
  "running_time": 0.0,
  "scans": {

spec/fixtures/processor/local_uri/expected_report.json

@@ -254,5 +254,5 @@
  }
  }
  },
- "version": "3.2.4"
+ "version": "3.2.5"
 }

spec/fixtures/processor/multiple_endpoints/expected_report.json

@@ -1,5 +1,5 @@
 {
- "version": "3.2.4",
+ "version": "3.2.5",
  "passed": true,
  "running_time": 0.0,
  "scans": {

spec/fixtures/processor/remote_uri/expected_report.json

@@ -254,5 +254,5 @@
  }
  }
  },
- "version": "3.2.4"
+ "version": "3.2.5"
 }

spec/fixtures/sarifs/diff/git_diff_yarn.txt

@@ -0,0 +1,36 @@
+diff --git a/yarn.lock b/yarn.lock
+index 06e7d3ba9ef..e3f8fbb5889 100644
+--- a/yarn.lock
++++ b/yarn.lock
+@@ -10599,10 +10599,10 @@ base64-arraybuffer@^0.2.0:
+ resolved "https://registry-npm.com/base64-arraybuffer/-/base64-arraybuffer-0.2.0.tgz#4b944fac0191aa5907afe2d8c999ccc57ce80f45"
+ integrity sha512-7emyCsu1/xiBXgQZrscw/8KPRT44I4Yq9Pe6EGs3aPRTsWuggML1/1DTuZUuIaJPIm1FTDUVXl4x/yW8s0kQDQ==
+
+-jspdf@2.5.1:
+- version "2.5.1"
+- resolved "https://registry.yarnpkg.com/jspdf/-/jspdf-2.5.1.tgz#00c85250abf5447a05f3b32ab9935ab4a56592cc"
+- integrity sha512-hXObxz7ZqoyhxET78+XR34Xu2qFGrJJ2I2bE5w4SM8eFaFEkW2xcGRVUss360fYelwRSid/jT078kbNvmoW0QA==
++jspdf@2.3.1:
++ version "2.3.1"
++ resolved "https://registry-npm.com/jspdf/-/jspdf-2.3.1.tgz#313d117234b546469694a1fd81a1e02411647576"
++ integrity sha512-1vp0USP1mQi1h7NKpwxjFgQkJ5ncZvtH858aLpycUc/M+r/RpWJT8PixAU7Cw/3fPd4fpC8eB/Bj42LnsR21YQ==
+ dependencies:
+- "@babel/runtime" "^7.14.0"
+ atob "^2.1.2"
+ btoa "^1.2.1"
+ fflate "^0.4.8"
+@@ -31897,12 +31889,12 @@ text-encoding@0.7.0:
+ resolved "https://registry-npm.com/text-encoding/-/text-encoding-0.7.0.tgz#f895e836e45990624086601798ea98e8f36ee643"
+ integrity sha512-oJQ3f1hrOnbRLOcwKz0Liq2IcrvDeZRHXhd9RgLrsT+DjWY/nty1Hi7v3dtkaEYbPYe0mUoOfzRrMwfXXwgPUA==
+
+-text-segmentation@^1.0.2, text-segmentation@^1.0.3:
+- version "1.0.3"
+- resolved "https://registry.yarnpkg.com/text-segmentation/-/text-segmentation-1.0.3.tgz#52a388159efffe746b24a63ba311b6ac9f2d7943"
+- integrity sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw==
++text-segmentation@^1.0.2:
++ version "1.0.2"
++ resolved "https://registry-npm.com/text-segmentation/-/text-segmentation-1.0.2.tgz#1f828fa14aa101c114ded1bda35ba7dcc17c9858"
++ integrity sha512-uTqvLxdBrVnx/CFQOtnf8tfzSXFm+1Qxau7Xi54j4OPTZokuDOX8qncQzrg2G8ZicAMOM8TgzFAYTb+AqNO4Cw==
+ dependencies:
+- utrie "^1.0.2"
++ utrie "^1.0.1"

spec/fixtures/sorted_results/sorted_json.json

@@ -81,5 +81,5 @@
  }
  }
  },
- "version": "3.2.4"
+ "version": "3.2.5"
 }

spec/fixtures/sorted_results/sorted_yaml.yml

@@ -49,4 +49,4 @@
  col: 1
  line: 3
  :type: Syntax error
-:version: 3.2.4
+:version: 3.2.5

spec/lib/sarif/pattern_search_sarif_spec.rb

@@ -40,6 +40,7 @@
  report = adapter.build_runs_object(true)
  rules = report['tool'][:driver]['rules']
  results = report['results']
+
  expect(results).to include(
  {
  "ruleId": "Forbidden Pattern Found",
@@ -69,14 +70,15 @@
  }
  )
  doc = "https://github.com/coinbase/salus/blob/master/docs/scanners/pattern_search.md"
+
  expect(rules).to include(
  {
  "id": "Forbidden Pattern Found",
  "name": "Forbidden Pattern Found",
+ "messageStrings": { "severity": { "text": "HIGH" } },
  "fullDescription": {
  "text": "not important string. Pattern Nerv is forbidden."
  },
- "messageStrings": {},
  "helpUri": doc,
  "help": {
  "text": "More info: #{doc}",

spec/lib/sarif/semgrep_sarif_spec.rb

@@ -101,7 +101,8 @@
  "help" => { "markdown" => "[More info](https://github.com/coinbase/salus/blob/master/docs/scanners/semgrep.md).", "text" => "More info: https://github.com/coinbase/salus/blob/master/docs/scanners/semgrep.md" },
  "helpUri" => "https://github.com/coinbase/salus/blob/master/docs/scanners/semgrep.md",
  "id" => "semgrep-eqeq-test",
- "messageStrings" => { "cwe" => { "text" => "[\"CWE-676: Use of Potentially Dangerous Function\"]" } },
+ "messageStrings" => { "cwe" => { "text" => "[\"CWE-676: Use of Potentially Dangerous Function\"]" },
+ "severity" => { "text" => "WARNING" } },
  "name" => " / user.id == user.id is always true\n\trule_id: semgrep-eqeq-test Forbidden Pattern Found" }])
  # rubocop:enable Layout/LineLength
  end