
Commit d040f07

Handle gosec version in SARIF report
1 parent 51f7411 commit d040f07

22 files changed

+151
-96
lines changed

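--- a/cmd/gosec/main.go
+++ b/cmd/gosec/main.go
@@ -216,23 +216,23 @@ func getPrintedFormat(format string, verbose string) string {
 return fileFormat
 }
 
-func printReport(format string, color bool, rootPaths []string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
+func printReport(format string, color bool, rootPaths []string, reportInfo *gosec.ReportInfo) error {
 
-err := report.CreateReport(os.Stdout, format, color, rootPaths, issues, metrics, errors)
+err := report.CreateReport(os.Stdout, format, color, rootPaths, reportInfo)
 if err != nil {
 return err
 }
 return nil
 }
 
-func saveReport(filename, format string, rootPaths []string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
+func saveReport(filename, format string, rootPaths []string, reportInfo *gosec.ReportInfo) error {
 
 outfile, err := os.Create(filename)
 if err != nil {
 return err
 }
 defer outfile.Close() // #nosec G307
-err = report.CreateReport(outfile, format, false, rootPaths, issues, metrics, errors)
+err = report.CreateReport(outfile, format, false, rootPaths, reportInfo)
 if err != nil {
 return err
 }
@@ -383,14 +383,16 @@ func main() {
 // Create output report
 rootPaths := getRootPaths(flag.Args())
 
+reportInfo := gosec.NewReportInfo(issues, metrics, errors).WithVersion(Version)
+
 if *flagOutput == "" || *flagStdOut {
 var fileFormat = getPrintedFormat(*flagOutput, *flagVerbose)
-if err := printReport(fileFormat, *flagColor, rootPaths, issues, metrics, errors); err != nil {
+if err := printReport(fileFormat, *flagColor, rootPaths, reportInfo); err != nil {
 logger.Fatal((err))
 }
 }
 if *flagOutput != "" {
-if err := saveReport(*flagOutput, *flagFormat, rootPaths, issues, metrics, errors); err != nil {
+if err := saveReport(*flagOutput, *flagFormat, rootPaths, reportInfo); err != nil {
 logger.Fatal(err)
 }
 }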
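Review bot: `printReport` now consists of a single call whose error is returned unchanged, so the `err :=` / `if err != nil` / `return nil` sequence around the new line 221 can collapse to `return report.CreateReport(os.Stdout, format, color, rootPaths, reportInfo)`. In the `main` hunk the same `reportInfo` pointer is handed to both the stdout and the file path; that is fine as long as the writers only read it, but since `WithVersion` mutates its receiver a one-line comment such as `// reportInfo is shared by both outputs; writers must not modify it` would make the intent explicit. `saveReport` and `main` continue outside the hunk.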

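--- a/go.mod
+++ b/go.mod
@@ -3,13 +3,14 @@ module github.com/securego/gosec/v2
 require (
 github.com/google/uuid v1.1.1
 github.com/gookit/color v1.4.2
+github.com/lib/pq v1.9.0
 github.com/mozilla/tls-observatory v0.0.0-20210209181001-cf43108d6880
 github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354
 github.com/onsi/ginkgo v1.16.1
 github.com/onsi/gomega v1.11.0
 golang.org/x/mod v0.4.1 // indirect
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
-golang.org/x/text v0.3.5 // indirect
+golang.org/x/text v0.3.5
 golang.org/x/tools v0.1.0
 gopkg.in/yaml.v2 v2.4.0
 )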
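Review bot: `github.com/lib/pq v1.9.0` is added as a direct requirement at line 6 in a commit about SARIF reporting, and none of the changed Go files imports it, so the reason for the new dependency is not visible here. A database driver pulled into a static-analysis tool's module graph is worth an explicit justification in the commit message, and if it is only needed by test fixtures or sample code it should be kept out of the main module's dependency set. The `golang.org/x/text` change from `// indirect` to direct likewise looks like a `go mod tidy` side effect; confirm both edits are intended.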

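--- a/renovate.json
+++ b/renovate.json
@@ -1,7 +1,7 @@
 {
-"extends": [
-"config:semverAllMonthly",
-":enableVulnerabilityAlertsWithLabel(vulnerablity)",
-":docker"
-]
-}
+"extends": [
+"config:semverAllMonthly",
+":enableVulnerabilityAlertsWithLabel(vulnerablity)",
+":docker"
+]
+}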

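--- /dev/null
+++ b/report.go
@@ -0,0 +1,24 @@
+package gosec
+
+// ReportInfo this is report information
+type ReportInfo struct {
+Errors map[string][]Error `json:"Golang errors"`
+Issues []*Issue
+Stats *Metrics
+GosecVersion string
+}
+
+// NewReportInfo instantiate a ReportInfo
+func NewReportInfo(issues []*Issue, metrics *Metrics, errors map[string][]Error) *ReportInfo {
+return &ReportInfo{
+Errors: errors,
+Issues: issues,
+Stats: metrics,
+}
+}
+
+// WithVersion defines the version of gosec used to generate the report
+func (r *ReportInfo) WithVersion(version string) *ReportInfo {
+r.GosecVersion = version
+return r
+}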
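Review bot: `GosecVersion` is added to `ReportInfo` at line 8 without a json tag, and the json writer in this commit marshals the struct directly (`json.MarshalIndent(data, "", "\t")` in report/json/writer.go), so every JSON report now carries a `GosecVersion` key, an empty string whenever the caller does not chain `WithVersion`; the yaml writer presumably behaves the same. If the field is meant only for the SARIF output, tag it with `json:"GosecVersion,omitempty"` so existing JSON consumers see no change; otherwise the new key should be documented as a deliberate output change. The doc comments on lines 3 and 11 are not sentences; suggest `// ReportInfo carries the issues, metrics and per-file errors that a report writer renders.` and `// NewReportInfo returns a ReportInfo for the given issues, metrics and errors; GosecVersion is empty until WithVersion is called.`, and on `WithVersion` note that it modifies and returns the same receiver rather than a copy.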

report/core/types.go

-12
This file was deleted.

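--- a/report/csv/writer.go
+++ b/report/csv/writer.go
@@ -2,12 +2,13 @@ package csv
 
 import (
 "encoding/csv"
-"github.com/securego/gosec/v2/report/core"
 "io"
+
+"github.com/securego/gosec/v2"
 )
 
 //WriteReport write a report in csv format to the output writer
-func WriteReport(w io.Writer, data *core.ReportInfo) error {
+func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 out := csv.NewWriter(w)
 defer out.Flush()
 for _, issue := range data.Issues {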

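--- a/report/formatter.go
+++ b/report/formatter.go
@@ -15,8 +15,9 @@
 package report
 
 import (
+"io"
+
 "github.com/securego/gosec/v2"
-"github.com/securego/gosec/v2/report/core"
 "github.com/securego/gosec/v2/report/csv"
 "github.com/securego/gosec/v2/report/golint"
 "github.com/securego/gosec/v2/report/html"
@@ -26,7 +27,6 @@ import (
 "github.com/securego/gosec/v2/report/sonar"
 "github.com/securego/gosec/v2/report/text"
 "github.com/securego/gosec/v2/report/yaml"
-"io"
 )
 
 // Format enumerates the output format for reported issues
@@ -51,12 +51,7 @@ const (
 
 // CreateReport generates a report based for the supplied issues and metrics given
 // the specified format. The formats currently accepted are: json, yaml, csv, junit-xml, html, sonarqube, golint and text.
-func CreateReport(w io.Writer, format string, enableColor bool, rootPaths []string, issues []*gosec.Issue, metrics *gosec.Metrics, errors map[string][]gosec.Error) error {
-data := &core.ReportInfo{
-Errors: errors,
-Issues: issues,
-Stats: metrics,
-}
+func CreateReport(w io.Writer, format string, enableColor bool, rootPaths []string, data *gosec.ReportInfo) error {
 var err error
 switch format {
 case "json":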
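Review bot: The doc comment above the new `CreateReport` signature (lines 52–53) is now stale: it still says the report is built from "the supplied issues and metrics" although the function takes a `*gosec.ReportInfo`, and its list of accepted formats omits `sarif`, which the test in this commit passes to `CreateReport` and which is presumably handled in the switch below the hunk. Suggest `// CreateReport writes the issues, metrics and errors held in data to w in the requested format.` followed by the format list with sarif included. Because `data` is now supplied by the caller instead of being constructed here, a nil `data` will panic inside the writers (the csv writer ranges over `data.Issues`); either state in the comment that data must be non-nil or return an error before the switch. The switch body continues outside the hunk.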

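--- a/report/formatter_test.go
+++ b/report/formatter_test.go
@@ -10,7 +10,6 @@ import (
 . "github.com/onsi/gomega"
 "github.com/securego/gosec/v2"
 "github.com/securego/gosec/v2/cwe"
-"github.com/securego/gosec/v2/report/core"
 "github.com/securego/gosec/v2/report/junit"
 "github.com/securego/gosec/v2/report/sonar"
 "gopkg.in/yaml.v2"
@@ -37,10 +36,10 @@ func createIssue(ruleID string, weakness *cwe.Weakness) gosec.Issue {
 }
 }
 
-func createReportInfo(rule string, weakness *cwe.Weakness) core.ReportInfo {
+func createReportInfo(rule string, weakness *cwe.Weakness) gosec.ReportInfo {
 issue := createIssue(rule, weakness)
 metrics := gosec.Metrics{}
-return core.ReportInfo{
+return gosec.ReportInfo{
 Errors: map[string][]gosec.Error{},
 Issues: []*gosec.Issue{
 &issue,
@@ -61,7 +60,7 @@ var _ = Describe("Formatter", func() {
 })
 Context("when converting to Sonarqube issues", func() {
 It("it should parse the report info", func() {
-data := &core.ReportInfo{
+data := &gosec.ReportInfo{
 Errors: map[string][]gosec.Error{},
 Issues: []*gosec.Issue{
 {
@@ -109,7 +108,7 @@ var _ = Describe("Formatter", func() {
 })
 
 It("it should parse the report info with files in subfolders", func() {
-data := &core.ReportInfo{
+data := &gosec.ReportInfo{
 Errors: map[string][]gosec.Error{},
 Issues: []*gosec.Issue{
 {
@@ -156,7 +155,7 @@ var _ = Describe("Formatter", func() {
 Expect(*issues).To(Equal(*want))
 })
 It("it should not parse the report info for files from other projects", func() {
-data := &core.ReportInfo{
+data := &gosec.ReportInfo{
 Errors: map[string][]gosec.Error{},
 Issues: []*gosec.Issue{
 {
@@ -188,7 +187,7 @@ var _ = Describe("Formatter", func() {
 })
 
 It("it should parse the report info for multiple projects projects", func() {
-data := &core.ReportInfo{
+data := &gosec.ReportInfo{
 Errors: map[string][]gosec.Error{},
 Issues: []*gosec.Issue{
 {
@@ -264,7 +263,7 @@ var _ = Describe("Formatter", func() {
 It("preserves order of issues", func() {
 issues := []*gosec.Issue{createIssueWithFileWhat("i1", "1"), createIssueWithFileWhat("i2", "2"), createIssueWithFileWhat("i3", "1")}
 
-junitReport := junit.GenerateReport(&core.ReportInfo{Issues: issues})
+junitReport := junit.GenerateReport(&gosec.ReportInfo{Issues: issues})
 
 testSuite := junitReport.Testsuites[0]
 
@@ -290,7 +289,8 @@ var _ = Describe("Formatter", func() {
 error := map[string][]gosec.Error{}
 
 buf := new(bytes.Buffer)
-err := CreateReport(buf, "csv", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err := CreateReport(buf, "csv", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 pattern := "/home/src/project/test.go,1,test,HIGH,HIGH,1: testcode,CWE-%s\n"
 expect := fmt.Sprintf(pattern, cwe.ID)
@@ -304,7 +304,8 @@ var _ = Describe("Formatter", func() {
 error := map[string][]gosec.Error{}
 
 buf := new(bytes.Buffer)
-err := CreateReport(buf, "xml", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{NumFiles: 0, NumLines: 0, NumNosec: 0, NumFound: 0}, error)
+err := CreateReport(buf, "xml", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 pattern := "Results:\n\n\n[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)\n > 1: testcode\n\n\n\nSummary:\n Files: 0\n Lines: 0\n Nosec: 0\n Issues: 0\n\n"
 expect := fmt.Sprintf(pattern, rule, cwe.ID)
@@ -324,7 +325,8 @@ var _ = Describe("Formatter", func() {
 err := enc.Encode(data)
 Expect(err).ShouldNot(HaveOccurred())
 buf := new(bytes.Buffer)
-err = CreateReport(buf, "json", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err = CreateReport(buf, "json", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 result := stripString(buf.String())
 expectation := stripString(expect.String())
@@ -344,7 +346,8 @@ var _ = Describe("Formatter", func() {
 err := enc.Encode(data)
 Expect(err).ShouldNot(HaveOccurred())
 buf := new(bytes.Buffer)
-err = CreateReport(buf, "html", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err = CreateReport(buf, "html", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 result := stripString(buf.String())
 expectation := stripString(expect.String())
@@ -364,7 +367,8 @@ var _ = Describe("Formatter", func() {
 err := enc.Encode(data)
 Expect(err).ShouldNot(HaveOccurred())
 buf := new(bytes.Buffer)
-err = CreateReport(buf, "yaml", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err = CreateReport(buf, "yaml", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 result := stripString(buf.String())
 expectation := stripString(expect.String())
@@ -384,7 +388,8 @@ var _ = Describe("Formatter", func() {
 err := enc.Encode(data)
 Expect(err).ShouldNot(HaveOccurred())
 buf := new(bytes.Buffer)
-err = CreateReport(buf, "junit-xml", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err = CreateReport(buf, "junit-xml", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 expectation := stripString(fmt.Sprintf("[/home/src/project/test.go:1] - test (Confidence: 2, Severity: 2, CWE: %s)", cwe.ID))
 result := stripString(buf.String())
@@ -404,7 +409,8 @@ var _ = Describe("Formatter", func() {
 err := enc.Encode(data)
 Expect(err).ShouldNot(HaveOccurred())
 buf := new(bytes.Buffer)
-err = CreateReport(buf, "text", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err = CreateReport(buf, "text", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 expectation := stripString(fmt.Sprintf("[/home/src/project/test.go:1] - %s (CWE-%s): test (Confidence: HIGH, Severity: HIGH)", rule, cwe.ID))
 result := stripString(buf.String())
@@ -417,7 +423,8 @@ var _ = Describe("Formatter", func() {
 issue := createIssue(rule, cwe)
 error := map[string][]gosec.Error{}
 buf := new(bytes.Buffer)
-err := CreateReport(buf, "sonarqube", false, []string{"/home/src/project"}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err := CreateReport(buf, "sonarqube", false, []string{"/home/src/project"}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 
 result := stripString(buf.String())
@@ -438,7 +445,8 @@ var _ = Describe("Formatter", func() {
 error := map[string][]gosec.Error{}
 
 buf := new(bytes.Buffer)
-err := CreateReport(buf, "golint", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+err := CreateReport(buf, "golint", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 pattern := "/home/src/project/test.go:1:1: [CWE-%s] test (Rule:%s, Severity:HIGH, Confidence:HIGH)\n"
 expect := fmt.Sprintf(pattern, cwe.ID, rule)
@@ -452,7 +460,8 @@ var _ = Describe("Formatter", func() {
 error := map[string][]gosec.Error{}
 
 buf := new(bytes.Buffer)
-err := CreateReport(buf, "sarif", false, []string{}, []*gosec.Issue{&issue}, &gosec.Metrics{}, error)
+reportInfo := gosec.NewReportInfo([]*gosec.Issue{&issue}, &gosec.Metrics{}, error).WithVersion("v2.7.0")
+err := CreateReport(buf, "sarif", false, []string{}, reportInfo)
 Expect(err).ShouldNot(HaveOccurred())
 
 result := stripString(buf.String())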
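Review bot: The sarif case at line 463 is the only test that sets a version, yet nothing in the hunk asserts that `v2.7.0` reaches the output; the comparison that follows `result := stripString(buf.String())` lies outside the hunk, and if it matches a fixture that predates the version field the feature this commit adds is effectively untested. Suggest adding `Expect(result).To(ContainSubstring("v2.7.0"))` right after the `result` line. The json, yaml and html cases build `reportInfo` without `WithVersion`, so their expected output comes from `createReportInfo` with an empty `GosecVersion` on both sides; that is self-consistent but leaves the serialized shape of the new field unpinned for the non-SARIF formats.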

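--- a/report/golint/writer.go
+++ b/report/golint/writer.go
@@ -2,13 +2,14 @@ package golint
 
 import (
 "fmt"
-"github.com/securego/gosec/v2/report/core"
 "io"
 "strings"
+
+"github.com/securego/gosec/v2"
 )
 
 //WriteReport write a report in golint format to the output writer
-func WriteReport(w io.Writer, data *core.ReportInfo) error {
+func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 // Output Sample:
 // /tmp/main.go:11:14: [CWE-310] RSA keys should be at least 2048 bits (Rule:G403, Severity:MEDIUM, Confidence:HIGH)
 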
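--- a/report/html/writer.go
+++ b/report/html/writer.go
@@ -1,13 +1,14 @@
 package html
 
 import (
-"github.com/securego/gosec/v2/report/core"
 "html/template"
 "io"
+
+"github.com/securego/gosec/v2"
 )
 
 //WriteReport write a report in html format to the output writer
-func WriteReport(w io.Writer, data *core.ReportInfo) error {
+func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 t, e := template.New("gosec").Parse(templateContent)
 if e != nil {
 return e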

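--- a/report/json/writer.go
+++ b/report/json/writer.go
@@ -2,12 +2,13 @@ package json
 
 import (
 "encoding/json"
-"github.com/securego/gosec/v2/report/core"
 "io"
+
+"github.com/securego/gosec/v2"
 )
 
 //WriteReport write a report in json format to the output writer
-func WriteReport(w io.Writer, data *core.ReportInfo) error {
+func WriteReport(w io.Writer, data *gosec.ReportInfo) error {
 raw, err := json.MarshalIndent(data, "", "\t")
 if err != nil {
 return err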

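--- a/report/junit/formatter.go
+++ b/report/junit/formatter.go
@@ -5,7 +5,6 @@ import (
 "strconv"
 
 "github.com/securego/gosec/v2"
-"github.com/securego/gosec/v2/report/core"
 )
 
 func generatePlaintext(issue *gosec.Issue) string {
@@ -17,7 +16,7 @@ func generatePlaintext(issue *gosec.Issue) string {
 }
 
 //GenerateReport Convert a gosec report to a JUnit Report
-func GenerateReport(data *core.ReportInfo) Report {
+func GenerateReport(data *gosec.ReportInfo) Report {
 var xmlReport Report
 testsuites := map[string]int{}
 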