
feat(COD-4173): Inline comments added #209

Open
wants to merge 1 commit into main

Conversation

baltoiteodor

https://lacework.atlassian.net/browse/COD-4173

This PR adds inline comments to alerts we send regarding weaknesses. An example is here: https://github.com/lacework-dev/WebGoat/pull/107

This is a first iteration that parses the contents of the markdown output of sca compare as the source of information for creating the review comments. Will later use the sarif output and enable comments for secrets as well.

trying syntax

trying syntax

trying syntax

parsing and printing url

parsing and printing line

parsing and printing SmartFixVersion

filepath parsing

logs to reviews and creation

trying a mapping between lines and positions

trying a mapping between lines and positions debug

trying a mapping between lines and positions debug

trying a mapping between lines and positions debug continue

trying a mapping between lines and positions debug continue

changing body of comments

grouping the vulnerabilities based on file and line

reformat

reformat

delete experimentations

reformat details

reformat details

reformat details

reformat details

retry a push for updates

retry more details

retry more details

retry more details

other CVE attempt

reformatting

reformatting

reformatting

reformatting

(Audit Mode) sca found potential 1 new issues
  • CVE-2024-0056 (sample-repo/proj.csproj: [email protected]) 🛑(high)

    More details
    Package: [email protected] (direct)
    Vulnerability CVE-2024-0056 (severity: high, fixed in 4.8.6)
    SmartFix: 4.8.6 (Minimal version with no known vulnerabilities)
    Link: CVE-2024-0056

    Explanation: Why is this SmartFix recommended?
        Sorted Version Graph for package pkg:nuget/[email protected]
          4.8.5 is vulnerable:
            high       CVE-2024-0056        FixVersion= 4.8.6
          4.8.6 is not vulnerable
        
        Fix recommendations for package pkg:nuget/[email protected]
          4.8.6 is the minimal version with no known vulnerabilities
          4.8.6 is the maximum version and it has no known vulnerabilities
        
        Stats: the Version Graph has 2 versions (nodes) and 1 CVEs (edges) (diameter=1)
    

@baltoiteodor baltoiteodor marked this pull request as ready for review December 20, 2024 11:35