From 28f80d367951770fa1eae4de5dbec98ed0d52d65 Mon Sep 17 00:00:00 2001
From: Yaakov Lerer
Date: Tue, 21 Jul 2020 13:16:19 +1000
Subject: [PATCH 1/7] enrich issues
---
 convert-action.js | 83 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 3 deletions(-)
diff --git a/convert-action.js b/convert-action.js
index fd86cc5..b99248a 100644
--- a/convert-action.js
+++ b/convert-action.js
@@ -20,6 +20,69 @@ const sevIntToStr = (sevInt => { } }) +const addRuleToRules = (issue,rules) => { + if (rules.filter(rule => rule.id===issue.CWEId).length>0) { + return null; + } + /* + { + "id": "no-unused-vars", + "shortDescription": { + "text": "disallow unused variables" + }, + "helpUri": "https://eslint.org/docs/rules/no-unused-vars", + "properties": { + "category": "Variables" + } + } + */ + let rule = { + id: issue.CWEId, + shortDescription: { + text: issue.IssueType + }, + helpUri: "https://cwe.mitre.org/data/definitions/"+issue.CWEId+".html", + properties: { + category: issue.IssueTypeId + } + } + + return rule; +} + +/* + { + "Title": "java.sql.Statement.executeQuery", + "IssueId": "1016", + "GOB": "B", + "Severity": "4", + "IssueTypeId": "taint", + "IssueType": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", + "CWEId": "89", + "VCId": "89.005", + "DisplayText": "\u003cspan\u003eThis database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry.\u003c/span\u003e \u003cspan\u003eAvoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. 
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.\u003c/span\u003e \u003cspan\u003eReferences: \u003ca href\u003d\"https://cwe.mitre.org/data/definitions/89.html\"\u003eCWE\u003c/a\u003e \u003ca href\u003d\"https://www.owasp.org/index.php/SQL_injection\"\u003eOWASP\u003c/a\u003e \u003ca href\u003d\"https://webappsec.pbworks.com/SQL-Injection\"\u003eWASC\u003c/a\u003e\u003c/span\u003e", + "Files": { + "SourceFile": { + "File": "com/veracode/verademo/controller/UserController.java", + "Line": "166", + "FunctionName": "processLogin", + "QualifiedFunctionName": "com.veracode.verademo.controller.UserController.processLogin", + "FunctionPrototype": "java.lang.String processLogin(java.lang.String, java.lang.String, java.lang.String, java.lang.String, org.springframework.ui.Model, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)", + "Scope": "com.veracode.verademo.controller.UserController" + } + }, + "FlawMatch": { + "ProcedureHash": "844194490", + "PrototypeHash": "839857025", + "FlawHash": "3392777041", + "FlawHashCount": "1", + "FlawHashOrdinal": "1", + "CauseHash": "1176028798", + "CauseHashCount": "1", + "CauseHashOrdinal": "1" + } + }, +*/ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { var results = {}; @@ -32,8 +95,17 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { let issues = results.results.TestResults.Issues.Issue; console.log('Issues count: '+issues.length); + let rules=[]; + // convert to SARIF json let sarifResults = issues.map(issue => { + // append rule to ruleset - if not already there + let rule = addRuleToRules(issue,rules); + if (rule!==null){ + rules.push(rule); + } + + // construct flaw location let issueFileLocation = issue.Files.SourceFile; let location = { physicalLocation: { 
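Review bot: `addRuleToRules` keys the SARIF rule on `issue.CWEId` alone, so every issue that shares a CWE is folded into the first rule seen and that rule's `shortDescription` and `category` come from whichever issue of that CWE happened to be first; this is only correct if `IssueType`/`IssueTypeId` are fully determined by `CWEId`, which is worth confirming against real pipeline output. The duplicate test on the function's first line can be written as `if (rules.some((r) => r.id === issue.CWEId)) return null;` instead of filter-then-length. The name overpromises, since the function never pushes into `rules` (the caller does); a one-line JSDoc such as `/** Builds a SARIF rule object for the issue's CWE, or returns null when rules already holds one. */` would make the contract clear. `issue.CWEId` is also interpolated into `helpUri` unvalidated, so a missing or non-numeric id from the results file yields a broken link and an undefined rule id; a guard in this function and at the `ruleId` site, rather than trusting the field, is cheap.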
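Review bot: `let rules=[];` is never reassigned and should be `const rules = [];`, and the comment `// append rule to ruleset - if not already there` is misleading because `addRuleToRules` only builds the rule while the `rules.push(rule)` two lines below does the appending; `// collect one SARIF rule per CWE seen` describes what actually happens. The `issues.map` callback now has a side effect on `rules`, which is acceptable here but deserves a short comment so a later reader does not assume the callback is pure. The enclosing `convertPipelineResultFileToSarifFile` starts before and ends after this hunk.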
@@ -45,17 +117,21 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { } } } + // get the severity number to name let serStr = sevIntToStr(issue.Severity); + // construct the issue let resultItem = { level: serStr, message: { - text: issue.Title + ' - '+issue.IssueType, + text: issue.Title + ' - '+issue.DisplayText, }, - locations: [location] + locations: [location], + ruleId: issue.CWEId } return resultItem; }) + // construct the full SARIF content let sarifFileJSONContent = { $schema : "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", version : "2.1.0", @@ -63,7 +139,8 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { { tool : { driver : { - name : "Veracode Pipeline Scanner" + name : "Veracode Pipeline Scanner", + rules: rules } }, results: sarifResults From 0e6f9fece89aeca93ac19c0ca94323ab80f61783 Mon Sep 17 00:00:00 2001 From: Yaakov Lerer Date: Tue, 21 Jul 2020 13:53:21 +1000 Subject: [PATCH 2/7] clean env --- .dockerignore | 2 -- Dockerfile | 8 -------- convert-action.js | 8 ++++++-- entrypoint.sh | 5 ----- 4 files changed, 6 insertions(+), 17 deletions(-) delete mode 100644 .dockerignore delete mode 100644 Dockerfile delete mode 100644 entrypoint.sh diff --git a/.dockerignore b/.dockerignore deleted file mode 100644 index 93f1361..0000000 --- a/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -node_modules -npm-debug.log diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 4f2c867..0000000 --- a/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -# Container image that runs your code -FROM node:12.18-slim - -# Copies your code file from your action repository to the filesystem path `/` of the container -COPY entrypoint.sh /entrypoint.sh - -# Code file to execute when the docker container starts up (`entrypoint.sh`) -ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file 
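Review bot: `text: issue.Title + ' - '+issue.DisplayText,` emits vendor-supplied HTML as the SARIF message: the sample object in the first hunk shows `DisplayText` wrapped in `<span>` and `<a href>` markup (the `\u003c…\u003e` escapes), while SARIF 2.1.0 `message.text` is plain text, so consumers will either show the tags literally or, if they render HTML, display markup the converter never sanitized. Strip the markup before emitting, e.g. `text: issue.Title + ' - ' + issue.DisplayText.replace(/<[^>]+>/g, ''),`, or convert it and place the converted form in `message.markdown`; the `@@ -123,7 +123,7 @@` hunk of patch 6/7 (remove unused display text) keeps `issue.DisplayText` unchanged and has the same problem. The string concatenation here could also be a template literal. The enclosing function starts and ends outside this hunk.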
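Review bot: `rules: rules` in the `driver` object can use property shorthand, `rules,`, consistent with the ES2015+ style the file already uses for arrow functions. Nothing else to raise here; the enclosing object literal starts and ends outside the hunk.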
diff --git a/convert-action.js b/convert-action.js index b99248a..a6ac715 100644 --- a/convert-action.js +++ b/convert-action.js @@ -39,11 +39,14 @@ const addRuleToRules = (issue,rules) => { let rule = { id: issue.CWEId, shortDescription: { - text: issue.IssueType + text: "CWE-"+issue.CWEId+": "+issue.IssueType }, helpUri: "https://cwe.mitre.org/data/definitions/"+issue.CWEId+".html", properties: { category: issue.IssueTypeId + }, + messageStrings: { + default: issue.IssueType } } @@ -126,7 +129,8 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { text: issue.Title + ' - '+issue.DisplayText, }, locations: [location], - ruleId: issue.CWEId + ruleId: issue.CWEId, + ruleMessageId: "default" } return resultItem; }) diff --git a/entrypoint.sh b/entrypoint.sh deleted file mode 100644 index 7636076..0000000 --- a/entrypoint.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -l - -echo "Hello $1" -time=$(date) -echo "::set-output name=time::$time" From 543fd9074fd22ac4e09667acfddaf10a0ec1c6a2 Mon Sep 17 00:00:00 2001 From: Yaakov Lerer Date: Tue, 21 Jul 2020 13:58:12 +1000 Subject: [PATCH 3/7] smell better --- convert-action.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/convert-action.js b/convert-action.js index a6ac715..9846d8b 100644 --- a/convert-action.js +++ b/convert-action.js @@ -21,7 +21,7 @@ const sevIntToStr = (sevInt => { }) const addRuleToRules = (issue,rules) => { - if (rules.filter(rule => rule.id===issue.CWEId).length>0) { + if (rules.filter(ruleItem => ruleItem.id===issue.CWEId).length>0) { return null; } /* From 8975db6accbd8a217df0f260d202d3ba220841d8 Mon Sep 17 00:00:00 2001 From: Yaakov Lerer Date: Tue, 21 Jul 2020 14:11:56 +1000 Subject: [PATCH 4/7] remove rulemessage --- convert-action.js | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/convert-action.js b/convert-action.js index 9846d8b..2040299 100644 --- a/convert-action.js +++ b/convert-action.js 
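Review bot: `messageStrings: { default: issue.IssueType }` does not match SARIF 2.1.0, where each `messageStrings` value is a multiformatMessageString object, so it would need to be `default: { text: issue.IssueType }`; likewise `ruleMessageId: "default"` in the second hunk is not a 2.1.0 result property, the reference belongs in `message.id`. Patch 4/7 (remove rulemessage) in this series deletes both additions, so this only matters if they are reintroduced. The enclosing `addRuleToRules` and `convertPipelineResultFileToSarifFile` bodies extend beyond these hunks.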
@@ -44,9 +44,6 @@ const addRuleToRules = (issue,rules) => { helpUri: "https://cwe.mitre.org/data/definitions/"+issue.CWEId+".html", properties: { category: issue.IssueTypeId - }, - messageStrings: { - default: issue.IssueType } } @@ -129,8 +126,7 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { text: issue.Title + ' - '+issue.DisplayText, }, locations: [location], - ruleId: issue.CWEId, - ruleMessageId: "default" + ruleId: issue.CWEId } return resultItem; }) From 6712081c0c2d2f49bec26b21c206c71995404cd3 Mon Sep 17 00:00:00 2001 From: Coby Lerer Date: Tue, 21 Jul 2020 14:14:11 +1000 Subject: [PATCH 5/7] Update Readme.md --- Readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Readme.md b/Readme.md index ade71c8..f69bd85 100644 --- a/Readme.md +++ b/Readme.md @@ -27,7 +27,7 @@ See - [Veracode pipeline scan example in github action](https://help.veracode.co ``` - name: Convert pipeline scan output to SARIF format id: convert - uses: Lerer/veracode-pipeline-scan-results-to-sarif@v1.0.2 + uses: Lerer/veracode-pipeline-scan-results-to-sarif@v1.0.3 with: pipeline-results-json: results.json output-results-sarif: veracode-results.sarif From 809455fbca6c06cbb88362ce3cd6728de4926abe Mon Sep 17 00:00:00 2001 From: Yaakov Lerer Date: Tue, 21 Jul 2020 14:22:01 +1000 Subject: [PATCH 6/7] remove unused display text --- convert-action.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/convert-action.js b/convert-action.js index 2040299..8f48cde 100644 --- a/convert-action.js +++ b/convert-action.js @@ -123,7 +123,7 @@ const convertPipelineResultFileToSarifFile = (inputFileName,outputFileName) => { let resultItem = { level: serStr, message: { - text: issue.Title + ' - '+issue.DisplayText, + text: issue.DisplayText, }, locations: [location], ruleId: issue.CWEId From 6742fc4607b3654899e62f6d11010b74352d98c3 Mon Sep 17 00:00:00 2001 
From: Ryan Lloyd Date: Tue, 21 Jul 2020 07:45:26 -0400 Subject: [PATCH 7/7] Update Readme.md --- Readme.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Readme.md b/Readme.md index f69bd85..2cab4e2 100644 --- a/Readme.md +++ b/Readme.md @@ -1,12 +1,10 @@ # Veracode Pipeline scan results to SARIF - Github Action -[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=Lerer_veracode-pipeline-scan-results-to-sarif&metric=alert_status)](https://sonarcloud.io/dashboard?id=Lerer_veracode-pipeline-scan-results-to-sarif) - This action take the Veracode pipeline scan json result file as an input and transform it to a SARIF format.
Add the `-jo true` to your Pipeline Scan command to generate the JSON result file. See, [details for the other pipeline scan attributes](https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/zjaZE08bAYZVPBWWbgmZvw)
-If your github account allows code scanning, you can then upload the `sarif` file to show the scan findings +If your github account allows code scanning, you can then upload the `sarif` file to show the scan findings See - [Veracode pipeline scan example in github action](https://help.veracode.com/reader/tS9CaFwL4_lbIEWWomsJoA/MVXQBY1PzfrTXGd6V~ZgxA) @@ -27,11 +25,11 @@ See - [Veracode pipeline scan example in github action](https://help.veracode.co ``` - name: Convert pipeline scan output to SARIF format id: convert - uses: Lerer/veracode-pipeline-scan-results-to-sarif@v1.0.3 + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v0.1.1 with: pipeline-results-json: results.json output-results-sarif: veracode-results.sarif - + - name: upload sarif file to repository uses: github/codeql-action/upload-sarif@v1 with: # Path to SARIF file relative to the root of the repository