Add detection of unselected first party modules
antfie committed Jul 7, 2023
1 parent 84d6bd0 commit 71c23e5
Showing 2 changed files with 37 additions and 1 deletion.
2 changes: 1 addition & 1 deletion checks/perform_checks.go
Expand Up @@ -13,6 +13,7 @@ func PerformChecks(r *report.Report) {
fatalErrors(r)
detectUnwantedFiles(r)
nestedArchives(r)
unselectedFirstParty(r)
unselectedJavaScriptModules(r)
missingPrecompiledFiles(r)
unexpectedSourceCode(r)
Expand Down Expand Up @@ -52,7 +53,6 @@ func PerformChecks(r *report.Report) {
// * There were apparent external-facing application components that had not been selected as entry points for analysis. This could result in the reduced scan coverage.
// * Consider an application profile for each supported version of the application in production so the security team can see the risk of each specific version.
// * Be sure to include all the components that make up the application within the upload. Do not omit any second or third-party libraries from the upload.
// * Under-selection of first party modules affects results quality. Ensure the correct entry points have been selected as recommended and refer to this article: https://community.veracode.com/s/article/What-are-Modules-and-how-do-my-results-change-based-on-what-I-select.
// * It was observed that there were several sandboxes with names that suggest the team uses a sandbox for each significant version of the application. Further there were sandboxes with names that suggest different components of the application were being scanned in each e.g. "TODO", "TODO". The security team will expect the policy scan to contain all the components of the application to get a complete picture of all the risk. Since we can only promote one sandbox at a time to the policy level there is a concern that what is promoted to the policy level is not the entire application.
// * There were apparent external-facing application components (“TODO”, “TODO”) that had not been selected as entry points for analysis. This could result in the reduced scan coverage.
// * Support Issue: The image \"X\" contains statically linked standard libraries. Proceeding with these libraries included will degrade the performance of the analysis and quality of the results. Disable static linking by omitting -static and -static-libstdc++ GCC options.",
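--- a/checks/unselected_first_party.go
+++ b/checks/unselected_first_party.go
@@ -0,0 +1,36 @@
+package checks
+
+import (
+"fmt"
+"github.com/antfie/scan_health/v2/report"
+"github.com/antfie/scan_health/v2/utils"
+)
+
+// Test cases
+// ==========
+// https://analysiscenter.veracode.com/auth/index.jsp#AnalyzeAppModuleList:71832:671347:27229752:27200622:27216272::::1670856
+
+func unselectedFirstParty(r *report.Report) {
+var foundModules []string
+
+for _, module := range r.Modules {
+if !module.IsDependency && !module.IsIgnored && !module.IsSelected && !module.IsThirdParty {
+if !utils.IsStringInStringArray(module.Name, foundModules) {
+foundModules = append(foundModules, module.Name)
+}
+}
+}
+
+if len(foundModules) == 0 {
+return
+}
+
+message := fmt.Sprintf("A potential first-party module was not selected for analysis: \"%s\".", foundModules[0])
+
+if len(foundModules) > 1 {
+message = fmt.Sprintf("%d potential first-party modules were not selected for analysis: %s.", len(foundModules), utils.Top5StringList(foundModules))
+}
+
+r.ReportIssue(message, report.IssueSeverityMedium)
+r.MakeRecommendation("Under-selection of first party modules affects results quality. Ensure the correct entry points have been selected as recommended and refer to this article: https://community.veracode.com/s/article/What-are-Modules-and-how-do-my-results-change-based-on-what-I-select.")
+}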
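Review bot: The module name is interpolated into the issue text with `\"%s\"` at the `message := fmt.Sprintf(...)` line, so a module name taken from the scan report that contains a double quote, backslash or newline yields a malformed or misleading message; `%q` quotes and escapes it in one step: `message := fmt.Sprintf("A potential first-party module was not selected for analysis: %q.", foundModules[0])`. The function also has no doc comment; `// unselectedFirstParty reports modules that are neither dependencies, ignored, selected nor third party, i.e. apparent first-party code left out of the analysis.` would state the four-flag filter in one place. The `// Test cases` header points only at a tenant-specific analysis center URL rather than a runnable test; a table-driven test that builds a `report.Report` covering the flag combinations and the one-versus-many message forms would make the check verifiable offline. Whether `utils.IsStringInStringArray` and `utils.Top5StringList` compare names case-sensitively is not visible here, so names differing only in case may or may not be collapsed into one entry.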
