README
¶
sarif
Utilities for sarif that leverage generated code for sarif-spec.
Why?
Other packages are not well maintained and don't leverage generated code.
This means that updates to the specification are not often backported into the packages.
How to use
V2.1.0
For v2.1.0:
package main
import (
"log"
schemav1 "github.com/smithy-security/pkg/sarif/spec/gen/sarif-schema/v2-1-0"
)
//go:embed testdata/gosec_v2.1.0.json
var reportV2_1_0 []byte
func main() {
report := schemav1.SchemaJson{}
if err := report.UnmarshalJSON(reportV2_1_0); err != nil {
log.Fatalf("report unmarshalling failed: %v", err)
}
}
V2.2.0
For v2.2.0:
package main
import (
"log"
schemav2 "github.com/smithy-security/pkg/sarif/spec/gen/sarif-schema/v2-2-0"
)
//go:embed testdata/gosec_v2.2.0.json
var reportV2_2_0 []byte
func main() {
report := schemav2.SchemaJson{}
if err := report.UnmarshalJSON(reportV2_2_0); err != nil {
log.Fatalf("report unmarshalling failed: %v", err)
}
}
Generate code
To generate the code from the jsonschema specs, please run:
make generate-schemas
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LocationParser ¶ added in v0.0.7
LocationParser uses the location of the result to generate bytes
Types ¶
type FieldParser ¶ added in v0.0.7
FieldParser is a function that takes a SARIF result and returns one field from it as a byte slice or nil if that value is empty
func CweParserFunc ¶ added in v0.0.7
func CweParserFunc( taxasByCWEID map[string]sarif.ReportingDescriptor, ruleToTools map[string]sarif.ReportingDescriptor, ) FieldParser
CweParserFunc returns a field parser that resolves the CWE of a result and returns the CWE ID as bytes of a lowercase string
type SarifTransformer ¶
type SarifTransformer struct {
// contains filtered or unexported fields
}
func NewTransformer ¶
func NewTransformer( scanResult *sarif.SchemaJson, findingsEcosystem string, clock clockwork.Clock, guidProvider StableUUIDProvider, richDescription bool, dataSource *ocsffindinginfo.DataSource, workspacePath string, ) (*SarifTransformer, error)
func (*SarifTransformer) ToOCSF ¶
func (s *SarifTransformer) ToOCSF(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error)
type StableUUIDBuilder ¶ added in v0.0.7
type StableUUIDBuilder struct {
// contains filtered or unexported fields
}
StableUUIDBuilder is used to define the fields that will be used to generate a stable UUID5 for a SARIF result. The field extractors can be added to it and used to generate a instance of the StableUUIDProvider that has an immutable sequence of fields that will be used to generate the UUID. The sequence of the field extractors added to the builder will make a difference in the resulting UUID
func NewStableUUIDBuilder ¶ added in v0.0.7
func NewStableUUIDBuilder() StableUUIDBuilder
NewStableUUIDBuilder returns an initialised version of the StableUUIDBuilder
func (StableUUIDBuilder) Build ¶ added in v0.0.7
func (s StableUUIDBuilder) Build() StableUUIDProvider
Build creates an immutable instance of the StableUUIDProvider that can be used to generate GUIDs from Sarif results that are missing their own
func (StableUUIDBuilder) WithParser ¶ added in v0.0.7
func (s StableUUIDBuilder) WithParser(f FieldParser) StableUUIDBuilder
WithParser adds the field parser to the existing list of parsers and returns a new instance of the StableUUIDBuilder
type StableUUIDProvider ¶ added in v0.0.7
StableUUIDProvider implementations should take an instance of a SARIF result extract various fields from it and uses them to provide a UUID5 ID to the result that is stable across scans for the same finding
func NewBasicStableUUIDProvider ¶ added in v0.0.7
func NewBasicStableUUIDProvider() (StableUUIDProvider, error)
NewBasicStableUUIDProvider returns an instance of the StableUUIDBuilder set up with all the basic helpers
Source Files
Directories