Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SONARGO-40 Vulnerability imported through external report Golangci lint should be set to Security in Software Quality #32

Closed
wants to merge 5 commits into from
Closed

SONARGO-40 Vulnerability imported through external report Golangci lint should be set to Security in Software Quality #32

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3bd7660
SONARGO-40 Vulnerability imported through external report Golangci li…
mstachniuk Dec 10, 2024
d5c35fe
Fix code smell
mstachniuk Dec 10, 2024
a99b300
Avoid setting Impact for SonarQube Cloud
mstachniuk Dec 11, 2024
ba01903
Code review remarks
mstachniuk Dec 11, 2024
3ca91c3
Fix slang version
mstachniuk Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion settings.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ pluginManagement {
}

dependencyResolutionManagement {
def slangDependenciesVersion = '1.17.0.6351'
//TODO change to released version before merge
def slangDependenciesVersion = '1.18.0.6372'
def analyzerCommonsVersion = '2.16.0.3141'
def pluginApiVersion = '10.10.0.2391'
def sonarqubeVersion = '10.0.0.68432'
Expand Down
16 changes: 14 additions & 2 deletions sonar-go-plugin/src/main/java/org/sonar/go/externalreport/GolangCILintReportSensor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,13 @@
package org.sonar.go.externalreport;

import java.io.File;
import java.util.List;
import java.util.Locale;
import java.util.function.Consumer;
import javax.annotation.Nullable;
import org.sonar.api.batch.rule.Severity;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.issue.impact.SoftwareQuality;
import org.sonar.api.notifications.AnalysisWarnings;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.rules.RuleType;
Expand All @@ -47,6 +49,8 @@ public Consumer<File> reportConsumer(SensorContext context) {

private static class GolangCILintCheckstyleFormatImporter extends CheckstyleFormatImporter {

private static final String GOSEC = "gosec";

public GolangCILintCheckstyleFormatImporter(SensorContext context, String linterKey) {
super(context, linterKey);
}
Expand All @@ -63,21 +67,29 @@ public GolangCILintCheckstyleFormatImporter(SensorContext context, String linter
*/
@Override
protected RuleType ruleType(@Nullable String severity, String source) {
if ("gosec".equals(source)) {
if (GOSEC.equals(source)) {
return RuleType.VULNERABILITY;
}
return super.ruleType(severity, source);
}

@Override
protected RuleKey createRuleKey(String source, RuleType ruleType, Severity ruleSeverity) {
if ("gosec".equals(source)) {
if (GOSEC.equals(source)) {
// gosec issues are exclusively "major vulnerability", keeping "gosec" as rule key.
return RuleKey.of(linterKey, source);
}
String ruleKey = String.format("%s.%s.%s", source, ruleType.toString().toLowerCase(Locale.ROOT),
ruleSeverity.toString().toLowerCase(Locale.ROOT));
return RuleKey.of(linterKey, ruleKey);
}

@Override
protected List<Impact> impacts(String severity, String source) {
if (GOSEC.equals(source)) {
return List.of(new Impact(SoftwareQuality.SECURITY, org.sonar.api.issue.impact.Severity.MEDIUM));
}
return List.of(new Impact(SoftwareQuality.MAINTAINABILITY, org.sonar.api.issue.impact.Severity.MEDIUM));
}
}
}
4 changes: 4 additions & 0 deletions sonar-go-plugin/src/test/java/org/sonar/go/externalreport/GolangCILintReportSensorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,12 @@
import org.sonar.api.batch.sensor.internal.DefaultSensorDescriptor;
import org.sonar.api.batch.sensor.internal.SensorContextTester;
import org.sonar.api.batch.sensor.issue.ExternalIssue;
import org.sonar.api.issue.impact.SoftwareQuality;
import org.sonar.api.rules.RuleType;
import org.sonarsource.slang.testing.ThreadLocalLogTester;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.entry;
import static org.sonar.go.externalreport.ExternalLinterSensorHelper.REPORT_BASE_PATH;

class GolangCILintReportSensorTest {
Expand Down Expand Up @@ -69,6 +71,7 @@ void issues_with_sonarqube() throws IOException {
assertThat(first.severity()).isEqualTo(Severity.MAJOR);
assertThat(first.ruleKey().repository()).isEqualTo("external_golangci-lint");
assertThat(first.ruleKey().rule()).isEqualTo("deadcode.bug.major");
assertThat(first.impacts()).contains(entry(SoftwareQuality.MAINTAINABILITY, org.sonar.api.issue.impact.Severity.MEDIUM));
assertThat(first.primaryLocation().message()).isEqualTo("`three` is unused");
assertThat(first.primaryLocation().textRange().start().line()).isEqualTo(3);

Expand All @@ -77,6 +80,7 @@ void issues_with_sonarqube() throws IOException {
assertThat(second.severity()).isEqualTo(Severity.MAJOR);
assertThat(second.ruleKey().repository()).isEqualTo("external_golangci-lint");
assertThat(second.ruleKey().rule()).isEqualTo("gosec");
assertThat(second.impacts()).contains(entry(SoftwareQuality.SECURITY, org.sonar.api.issue.impact.Severity.MEDIUM));
assertThat(second.primaryLocation().message()).isEqualTo("G402: TLS InsecureSkipVerify set true.");
assertThat(second.primaryLocation().inputComponent().key()).isEqualTo("module:main.go");
assertThat(second.primaryLocation().textRange().start().line()).isEqualTo(4);
Expand Down
Loading