fix(sarif): Fix SARIF URIs to always be local to project (#889)

Resolves #888 Signed-off-by: Liam Galvin <[email protected]>
aquasecurity · Aug 19, 2022 · 946f5ee · 946f5ee
1 parent 336c3cf
commit 946f5ee
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 20 deletions.
diff --git a/pkg/formatters/checkstyle.go b/pkg/formatters/checkstyle.go
@@ -57,7 +57,7 @@ func outputCheckStyle(b ConfigurableFormatter, results scan.Results) error {
 
 		rng := res.Range()
 
-		path := b.Path(res)
+		path := b.Path(res, res.Metadata())
 
 		files[path] = append(
 			files[path],

diff --git a/pkg/formatters/csv.go b/pkg/formatters/csv.go
@@ -32,7 +32,7 @@ func outputCSV(b ConfigurableFormatter, results scan.Results) error {
 		}
 
 		rng := res.Range()
-		path := b.Path(res)
+		path := b.Path(res, res.Metadata())
 
 		records = append(records, []string{
 			path,

diff --git a/pkg/formatters/formatter.go b/pkg/formatters/formatter.go
@@ -6,6 +6,8 @@ import (
 	"os"
 	"sort"
 
+	"github.com/aquasecurity/defsec/pkg/types"
+
 	"github.com/aquasecurity/defsec/pkg/severity"
 
 	"github.com/aquasecurity/defsec/pkg/scan"
@@ -25,7 +27,7 @@ type ConfigurableFormatter interface {
 	GroupResults([]scan.Result) ([]GroupedResult, error)
 	IncludePassed() bool
 	IncludeIgnored() bool
-	Path(result scan.Result) string
+	Path(result scan.Result, metadata types.Metadata) string
 }
 
 type Base struct {
@@ -62,11 +64,11 @@ func NewBase() *Base {
 	}
 }
 
-func (b *Base) Path(result scan.Result) string {
+func (b *Base) Path(result scan.Result, metadata types.Metadata) string {
 	if b.relative {
-		return result.RelativePathTo(b.fsRoot, b.baseDir)
+		return result.RelativePathTo(b.fsRoot, b.baseDir, metadata)
 	}
-	return result.AbsolutePath(b.fsRoot)
+	return result.AbsolutePath(b.fsRoot, metadata)
 }
 
 func (b *Base) IncludePassed() bool {

diff --git a/pkg/formatters/json.go b/pkg/formatters/json.go
@@ -23,7 +23,7 @@ func outputJSON(b ConfigurableFormatter, results scan.Results) error {
 		}
 		flat := result.Flatten()
 		flat.Links = b.GetLinks(result)
-		flat.Location.Filename = b.Path(result)
+		flat.Location.Filename = b.Path(result, result.Metadata())
 		flatResults = append(flatResults, flat)
 	}
 	return jsonWriter.Encode(struct {

diff --git a/pkg/formatters/junit.go b/pkg/formatters/junit.go
@@ -68,7 +68,7 @@ func outputJUnit(b ConfigurableFormatter, results scan.Results) error {
 				continue
 			}
 		}
-		path := b.Path(res)
+		path := b.Path(res, res.Metadata())
 		output.TestCases = append(output.TestCases,
 			jUnitTestCase{
 				Classname: path,
@@ -120,7 +120,7 @@ func buildFailure(b ConfigurableFormatter, res scan.Result) *jUnitFailure {
 	if !res.Range().IsMultiLine() {
 		lineInfo = fmt.Sprintf("%d", res.Range().GetStartLine())
 	}
-	location := fmt.Sprintf("%s:%s", b.Path(res), lineInfo)
+	location := fmt.Sprintf("%s:%s", b.Path(res, res.Metadata()), lineInfo)
 
 	return &jUnitFailure{
 		Message: res.Description(),

diff --git a/pkg/formatters/sarif.go b/pkg/formatters/sarif.go
@@ -38,7 +38,9 @@ func outputSARIF(b ConfigurableFormatter, results scan.Results) error {
 			rule.WithHelpURI(links[0])
 		}
 
-		rng := res.Range()
+		metadata := res.Metadata().Root()
+
+		rng := metadata.Range()
 		message := sarif.NewTextMessage(res.Description())
 		region := sarif.NewSimpleRegion(rng.GetStartLine(), rng.GetEndLine())
 		var level string
@@ -53,7 +55,7 @@ func outputSARIF(b ConfigurableFormatter, results scan.Results) error {
 			level = "error"
 		}
 
-		path := b.Path(res)
+		path := b.Path(res, metadata)
 
 		location := sarif.NewPhysicalLocation().
 			WithArtifactLocation(sarif.NewSimpleArtifactLocation(path)).

diff --git a/pkg/scan/result.go b/pkg/scan/result.go
@@ -104,35 +104,33 @@ func (r Result) Traces() []string {
 	return r.traces
 }
 
-func (r *Result) AbsolutePath(fsRoot string) string {
+func (r *Result) AbsolutePath(fsRoot string, metadata defsecTypes.Metadata) string {
 	if strings.HasSuffix(fsRoot, ":") {
 		fsRoot += "/"
 	}
 
-	m := r.Metadata()
-	if m.IsUnmanaged() || m.Range() == nil {
+	if metadata.IsUnmanaged() || metadata.Range() == nil {
 		return ""
 	}
-	rng := m.Range()
+	rng := metadata.Range()
 	if rng.GetSourcePrefix() != "" && !strings.HasPrefix(rng.GetSourcePrefix(), ".") {
 		return rng.GetFilename()
 	}
 	return filepath.Join(fsRoot, rng.GetLocalFilename())
 }
 
-func (r *Result) RelativePathTo(fsRoot string, to string) string {
+func (r *Result) RelativePathTo(fsRoot, to string, metadata defsecTypes.Metadata) string {
 
-	absolute := r.AbsolutePath(fsRoot)
+	absolute := r.AbsolutePath(fsRoot, metadata)
 
 	if strings.HasSuffix(fsRoot, ":") {
 		fsRoot += "/"
 	}
 
-	m := r.Metadata()
-	if m.IsUnmanaged() || m.Range() == nil {
+	if metadata.IsUnmanaged() || metadata.Range() == nil {
 		return absolute
 	}
-	rng := m.Range()
+	rng := metadata.Range()
 	if rng.GetSourcePrefix() != "" && !strings.HasPrefix(rng.GetSourcePrefix(), ".") {
 		return absolute
 	}

diff --git a/pkg/types/metadata.go b/pkg/types/metadata.go
@@ -77,6 +77,14 @@ func (m Metadata) Parent() *Metadata {
 	return m.parent
 }
 
+func (m Metadata) Root() Metadata {
+	meta := &m
+	for meta.Parent() != nil {
+		meta = meta.Parent()
+	}
+	return *meta
+}
+
 func (m Metadata) IsMultiLine() bool {
 	return m.rnge.GetStartLine() < m.rnge.GetEndLine()
 }