Added code to add snippet in cxflow SARIF report its configurable. (#…
…1389)

Co-authored-by: Satyam Chaurasia <[email protected]>
1 parent ec35c21 commit 3615662
Showing 3 changed files with 49 additions and 7 deletions.
18 changes: 18 additions & 0 deletions docs/Configuration.md
Expand Up @@ -26,6 +26,7 @@
* [GitHub](#github)
* [GitLab](#gitlab)
* [Azure DevOps](#azure)
* [Sarif](#sarif)
* [Bitbucket (Cloud and Server)](#bitbucket)
* [JSON Config Override](#json)
* [BugTrackers](#bugtrackers)
Expand Down Expand Up @@ -944,6 +945,23 @@ azure:
| `zero-vulnerability-summary` | false | if true, will not comment in PR decoration any details for scans as vulnerabilities are zero. |
**Note**: A service account is required with access to the repositories that are scanned, pull requests that are commented on, and Azure WorkItems that are created/updated.


### <a name="sarif">Sarif</a>
```yaml
sarif:
hassnippet: true
```

| Configuration | Default | Description |
|------------------------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `hassnippet` |false | In Checkmarx CX-Flow, when the hasSnippet flag is set to true, the tool displays relevant code snippets under the "Region" section of the UI. These snippets provide a portion of the code where potential vulnerabilities are detected, giving developers context to better understand the issue. This feature helps in identifying the exact location of security concerns, streamlining the remediation process by offering precise, actionable insights directly within the code. |

**Note**: Command line parameter for snippet is `--sarif.hassnippet=true`





### <a name="bitbucket">Bitbucket (Cloud and Server)</a>
```yaml
bitbucket:
7 changes: 7 additions & 0 deletions src/main/java/com/checkmarx/flow/config/SarifProperties.java
@@ -1,5 +1,8 @@
package com.checkmarx.flow.config;

import lombok.Getter;
import lombok.Setter;
import org.checkerframework.checker.index.qual.SearchIndexBottom;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import org.springframework.validation.annotation.Validated;
Expand All @@ -21,6 +24,10 @@ public class SarifProperties {
private String sarifSchema="https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json";
private String sarifVersion = "2.1.0";
private String semanticVersion = "1.0.0";

@Getter
@Setter
private boolean hasSnippet = false;
private Map<String, String> severityMap = new HashMap<>();
private Map<String, String> securitySeverityMap = new HashMap<>();

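Review bot: The added import `org.checkerframework.checker.index.qual.SearchIndexBottom` is not referenced anywhere in this hunk and looks like an accidental IDE auto-import; unless the rest of the file uses it (not visible here), drop that line so the config class does not pick up a dependency on the Checker Framework annotations. The field-level `@Getter`/`@Setter` on `hasSnippet` may be redundant if `SarifProperties` already carries class-level Lombok accessors — the class header is outside the hunk, so worth checking against the existing fields. A short comment would help readers of the config class, e.g. `// When true, each SARIF region embeds the vulnerability's source snippet; the report then contains source code.`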
31 changes: 24 additions & 7 deletions src/main/java/com/checkmarx/flow/custom/SarifIssueTracker.java
Expand Up @@ -218,19 +218,33 @@ private void generateSastResults(ScanResults results, List<SarifVulnerability> r
1 : (Integer.valueOf(Optional.ofNullable(node.get("column")).orElse("1"))); /* Sarif format does not support 0 as column number */
Integer len = (Integer.valueOf(Optional.ofNullable(node.get("length")).orElse("1")) == 0) ?
1 : (Integer.valueOf(Optional.ofNullable(node.get("length")).orElse("1"))); /* Sarif format does not support 0 as column number */
Region regioObj;
if(properties.isHasSnippet()){
regioObj= Region.builder()
.startLine(line)
.endLine(line)
.startColumn(col)
.endColumn(col+len)
.snippet(StringUtils.isEmpty(node.get("snippet")) ? "Code Snippet" : node.get("snippet"))
.build();
}else{
regioObj= Region.builder()
.startLine(line)
.endLine(line)
.startColumn(col)
.endColumn(col+len)
.build();
}


locations.add(Location.builder()
.physicalLocation(PhysicalLocation.builder()
.artifactLocation(ArtifactLocation.builder()
.uri(node.get("file"))
.uriBaseId("%SRCROOT%")
//.index(pathNodeId-1)
.build())
.region(Region.builder()
.startLine(line)
.endLine(line)
.startColumn(col)
.endColumn(col+len)
.index(pathNodeId-1)
.build())
.region(regioObj)
.build())
.message(Message.builder()
.text(StringUtils.isEmpty(node.get("snippet")) ? "Code Snippet" : node.get("snippet")).build())
Expand All @@ -250,6 +264,7 @@ private void generateSastResults(ScanResults results, List<SarifVulnerability> r
List<ThreadFlow> threadFlows = Lists.newArrayList();
threadFlows.add(ThreadFlow.builder()
.locations(threadFlowLocations).build());

List<CodeFlow> codeFlows = Lists.newArrayList();
codeFlows.add(CodeFlow.builder()
.threadFlows(threadFlows).build());
Expand Down Expand Up @@ -452,6 +467,8 @@ public static class Region {
public Integer startColumn;
@JsonProperty("endColumn")
public Integer endColumn;
@JsonProperty("snippet")
public String snippet;
}

@Data
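Review bot: In the `Region` hunk, `snippet` is declared as a plain `String`, but a SARIF 2.1.0 `region.snippet` is an `artifactContent` object (`{"text": "..."}`), so the serialized report will likely fail validation against the schema URL `SarifProperties` already points at and may be rejected by consumers; model it as a small nested `ArtifactContent` class with a `text` field, built the same way as the other `@Builder` types in this file. The two `Region.builder()` chains in `generateSastResults` differ only in the `.snippet(...)` call, so build the common part once and attach the snippet conditionally, as in the excerpt below. The removed region builder appears to have set `.index(pathNodeId-1)` and neither new branch does; if dropping it is deliberate (SARIF regions carry no `index` property) the commit message should say so, and the leftover `//.index(pathNodeId-1)` comment on the artifact location should be deleted rather than kept as dead code. Because a snippet embeds source text in the report, the field's Javadoc should note that reports generated with `hasSnippet=true` contain source code and need the same handling as the repository itself; `generateSastResults` starts and ends outside the hunk.
```java
// … unchanged: line / col / len computation …
Region.RegionBuilder regionBuilder = Region.builder()
        .startLine(line)
        .endLine(line)
        .startColumn(col)
        .endColumn(col + len);
if (properties.isHasSnippet()) {
    // SARIF region.snippet is an artifactContent object, not a bare string.
    String snippetText = StringUtils.isEmpty(node.get("snippet")) ? "Code Snippet" : node.get("snippet");
    regionBuilder.snippet(ArtifactContent.builder().text(snippetText).build());
}
Region regioObj = regionBuilder.build();
// … unchanged: Location builder using regioObj …
```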
