Merge pull request #2 from veracode/pr/1

Pr/1

Readme.md

@@ -4,7 +4,7 @@ This action take the Veracode pipeline scan json result file as an input and tra
 
 Add the `-jo true` to your Pipeline Scan command to generate the JSON result file. See, [details for the other pipeline scan attributes](https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/zjaZE08bAYZVPBWWbgmZvw)</br>
 
-If your github account allows code scanning, you can then upload the `sarif` file to show the scan findings 
+If your github account allows code scanning, you can then upload the `sarif` file to show the scan findings
 
 See - [Veracode pipeline scan example in github action](https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/MVXQBY1PzfrTXGd6V~ZgxA)
 
@@ -24,12 +24,12 @@ See - [Veracode pipeline scan example in github action](https://help.veracode.co
 
 ```
 - name: Convert pipeline scan output to SARIF format
-  id: convert   
-  uses: Veracode/[email protected].0
+  id: convert
+  uses: Veracode/[email protected].1
   with:
     pipeline-results-json: results.json
     output-results-sarif: veracode-results.sarif
-    
+
 - name: upload sarif file to repository
   uses: github/codeql-action/upload-sarif@v1
   with: # Path to SARIF file relative to the root of the repository

convert-action.js

@@ -20,6 +20,69 @@ const sevIntToStr = (sevInt => {
     }
 })
 
+const addRuleToRules = (issue,rules) => {
+    if (rules.filter(ruleItem => ruleItem.id===issue.CWEId).length>0) {
+        return null;
+    }
+    /*
+     {
+              "id": "no-unused-vars",
+              "shortDescription": {
+                "text": "disallow unused variables"
+              },
+              "helpUri": "https://eslint.org/docs/rules/no-unused-vars",
+              "properties": {
+                "category": "Variables"
+              }
+            }
+    */
+    let rule = {
+        id: issue.CWEId,
+        shortDescription: {
+            text: "CWE-"+issue.CWEId+": "+issue.IssueType
+        },
+        helpUri: "https://cwe.mitre.org/data/definitions/"+issue.CWEId+".html",
+        properties: {
+            category: issue.IssueTypeId
+        }
+    }
+
+    return rule;
+}
+
+/*
+ {
+    "Title": "java.sql.Statement.executeQuery",
+    "IssueId": "1016",
+    "GOB": "B",
+    "Severity": "4",
+    "IssueTypeId": "taint",
+    "IssueType": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
+    "CWEId": "89",
+    "VCId": "89.005",
+    "DisplayText": "\u003cspan\u003eThis database query contains a SQL injection flaw.  The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input.  An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries.  Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query.  Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://www.owasp.org/index.php/SQL_injection\"\u003eOWASP\u003c/a\u003e \u003ca href\u003d\"https://webappsec.pbworks.com/SQL-Injection\"\u003eWASC\u003c/a\u003e\u003c/span\u003e",
+    "Files": {
+        "SourceFile": {
+        "File": "com/veracode/verademo/controller/UserController.java",
+        "Line": "166",
+        "FunctionName": "processLogin",
+        "QualifiedFunctionName": "com.veracode.verademo.controller.UserController.processLogin",
+        "FunctionPrototype": "java.lang.String processLogin(java.lang.String, java.lang.String, java.lang.String, java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)",
+        "Scope": "com.veracode.verademo.controller.UserController"
+        }
+    },
+    "FlawMatch": {
+        "ProcedureHash": "844194490",
+        "PrototypeHash": "839857025",
+        "FlawHash": "3392777041",
+        "FlawHashCount": "1",
+        "FlawHashOrdinal": "1",
+        "CauseHash": "1176028798",
+        "CauseHashCount": "1",
+        "CauseHashOrdinal": "1"
+    }
+    },
+*/
 const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => {
     var results = {};
 
@@ -32,8 +95,17 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => {
         let issues = results.results.TestResults.Issues.Issue;
         console.log('Issues count: '+issues.length);
 
+        let rules=[];
+
         // convert to SARIF json
         let sarifResults = issues.map(issue => {
+            // append rule to ruleset - if not already there
+            let rule = addRuleToRules(issue,rules);
+            if (rule!==null){
+                rules.push(rule);
+            }
+
+            // construct flaw location
             let issueFileLocation = issue.Files.SourceFile;
             let location = {
                 physicalLocation: {
@@ -45,25 +117,30 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => {
                     }
                 }
             }
+            // get the severity number to name
             let serStr = sevIntToStr(issue.Severity);
+            // construct the issue
             let resultItem = {
                 level: serStr,
                 message: {
-                    text: issue.Title + ' - '+issue.IssueType,
+                    text: issue.DisplayText,
                 },
-                locations: [location]
+                locations: [location],
+                ruleId: issue.CWEId
             }
             return resultItem;
         })
 
+        // construct the full SARIF content
         let sarifFileJSONContent = {
             $schema : "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
             version : "2.1.0",
             runs : [
                 {
                     tool : {
                         driver : {
-                            name : "Veracode Pipeline Scanner"
+                            name : "Veracode Pipeline Scanner",
+                            rules: rules
                         }
                     },
                     results: sarifResults