Sarif genesis (#1)

* genesis

* fix typo

* fix newline & go version

Author: tarunKoyalwar

README.md

@@ -0,0 +1,11 @@
+# sarif
+
+sarif is golang implementation of Static Analysis Results Interchange Format (SARIF) .  SARIF is a standard data model and serialization format for static analysis results.  
+
+To view any SARIF file visit [sarif-web-component](https://microsoft.github.io/sarif-web-component/)
+
+# References
+
+[sarif-specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html)
+
+[sarif-tutorials](https://github.com/microsoft/sarif-tutorials)

example/main.go

@@ -0,0 +1,126 @@
+package main
+
+import (
+	"log"
+	"os"
+
+	"github.com/projectdiscovery/sarif"
+)
+
+func main() {
+	// create new sarif report
+	report := sarif.NewReport()
+	// Extra metadata can be added to any type of sarif
+	extrametadata := map[string]string{
+		"payload":         "'sleep(10)--",
+		"Severity Rating": "10",
+	}
+
+	// to create new tool/template/plugin
+	rule1 := sarif.ReportingDescriptor{
+		Id:   "template1",
+		Name: "SQL Injection CVE-2022-xx",
+		ShortDescription: &sarif.MultiformatMessageString{
+			Text: "SQL Injection Vulnerability due to Dependency",
+		},
+		FullDescription: &sarif.MultiformatMessageString{
+			Text: "Full Description of Vulnerability with references",
+		},
+		Properties: extrametadata,
+	}
+
+	// register details of the static analysis tool
+	report.RegisterTool(sarif.ToolComponent{
+		Name:         "vulnscanner",
+		Organization: "ProjectDiscovery",
+		Product:      "Scanners",
+		ShortDescription: &sarif.MultiformatMessageString{
+			Text: "Vulnerability Scanner",
+		},
+		FullDescription: &sarif.MultiformatMessageString{
+			Text: "Template Based Vulnerability Scanner",
+		},
+		FullName:        "vulnscanner v2.1.1",
+		SemanticVersion: "v2.1.1",
+		DownloadURI:     "https://github.com/projectdiscovery/xxx",
+		Rules:           []sarif.ReportingDescriptor{rule1},
+		// The order of rules/templates/plugins is important here
+		// this index is referenced when a result/vulnerability is found
+	})
+
+	// Output of static analysis tool
+	outfiles := sarif.ArtifactLocation{
+		Uri: "file:///var/log/xxx.log",
+		Description: &sarif.Message{
+			Text: "Generated using vulnscanner",
+		},
+	}
+
+	// to register tool invocation and env
+	report.RegisterToolInvocation(sarif.Invocation{
+		CommandLine:         "vulnscanner",
+		Arguments:           []string{"-sC", "-sV"},
+		ResponseFiles:       []sarif.ArtifactLocation{outfiles},
+		ExecutionSuccessful: true,
+		WorkingDirectory: sarif.ArtifactLocation{
+			Uri: "file:///opt",
+		},
+		EnvironmentVariables: map[string]string{
+			"GOPROXY": "direct",
+		},
+	})
+
+	// locations of a particular target can be linked to result
+	// using sarif.Location
+	location := sarif.Location{
+		Message: &sarif.Message{
+			Text: "status.projectdiscovery.io",
+		},
+		PhysicalLocation: sarif.PhysicalLocation{
+			Address: sarif.Address{
+				Name:               "Address of Location",
+				FullyQualifiedName: "Name of Address",
+				Kind:               "parameter",
+			},
+			ArtifactLocation: sarif.ArtifactLocation{
+				Uri: "https://projectdiscovery.com/api/user=admin'",
+				Description: &sarif.Message{
+					Text: "https://projectdiscovery.com/api/user=admin'",
+				},
+			},
+		},
+	}
+
+	// Register results with severity etc
+	report.RegisterResult(sarif.Result{
+		RuleId:    "template1",
+		RuleIndex: 0,
+		Level:     sarif.Error,
+		Kind:      sarif.Open,
+		AnalysisTarget: sarif.ArtifactLocation{
+			Uri: "https://projectdiscovery.io",
+		},
+		Message: &sarif.Message{
+			Text: "SQL Injection",
+		},
+		Rule: sarif.ReportingDescriptorReference{
+			Id: "template1",
+			ToolComponent: sarif.ToolComponent{
+				Name:             "SQL Injection in xxx",
+				ShortDescription: rule1.MessageStrings,
+			},
+		},
+		Locations: []sarif.Location{location},
+	})
+
+	bin, err := report.Export()
+	if err != nil {
+		log.Fatalf("failed to export report")
+	}
+
+	if err = os.WriteFile("sql_report.sarif", bin, 0644); err != nil {
+		log.Fatalf("failed to write file generated.sarif %v", err)
+	}
+
+	log.Printf("Report sql_report.sarif created")
+}

go.mod

@@ -0,0 +1,3 @@
+module github.com/projectdiscovery/sarif
+
+go 1.18

sarif.go

@@ -0,0 +1,75 @@
+package sarif
+
+import (
+	"encoding/json"
+	"os"
+)
+
+// Report encapsulates SarifLog Object and generates .sarif Report
+type Report struct {
+	Sarif *SarifLog // SarifLog Object
+	run   Run       // Describes a single run of an analysis tool
+}
+
+// RegisterTool registers tool details
+func (r *Report) RegisterTool(driver ToolComponent) {
+	r.run.Tool.Driver = driver
+}
+
+// RegisterToolExtension registers tool plugins/extensions/templates
+func (r *Report) RegisterToolExtension(extensions []ToolComponent) {
+	r.run.Tool.Extensions = extensions
+}
+
+// RegisterToolInvocation registers runtime enviornment when tool was run
+func (r *Report) RegisterToolInvocation(invocation Invocation) {
+	r.run.Invocations = append(r.run.Invocations, invocation)
+}
+
+// RegisterResult registers result
+func (r *Report) RegisterResult(result Result) {
+	r.run.Result = append(r.run.Result, result)
+}
+
+// Export
+func (r *Report) Export() ([]byte, error) {
+	r.Sarif.Runs = append(r.Sarif.Runs, r.run)
+	bin, err := json.MarshalIndent(r.Sarif, "", "\t")
+	return bin, err
+}
+
+// NewReport Creates New Report Instance
+func NewReport() *Report {
+	sf := SarifLog{
+		Version: "2.1.0",
+		Schema:  "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+		Runs:    []Run{},
+	}
+
+	sarifExporter := Report{
+		Sarif: &sf,
+	}
+	run := Run{
+		Invocations: []Invocation{},
+		Result:      []Result{},
+	}
+	sarifExporter.run = run
+
+	return &sarifExporter
+}
+
+func OpenReport(filename string) (*Report, error) {
+	var sarifObject SarifLog
+
+	bin, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(bin, &sarifObject); err != nil {
+		return nil, err
+	}
+	report := Report{
+		Sarif: &sarifObject,
+	}
+	return &report, nil
+}

sarif_test.go

@@ -0,0 +1,138 @@
+package sarif_test
+
+import (
+	"io/fs"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/projectdiscovery/sarif"
+)
+
+func Test_UnmarshalReport(t *testing.T) {
+	sarifFiles := []string{}
+
+	if err := filepath.WalkDir("static", func(path string, d fs.DirEntry, err error) error {
+		if !d.IsDir() {
+			if strings.HasSuffix(d.Name(), ".sarif") || strings.HasSuffix(d.Name(), ".sarif.json") {
+				sarifFiles = append(sarifFiles, path)
+			}
+		}
+		return nil
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	for _, v := range sarifFiles {
+		_, er := sarif.OpenReport(v)
+		if er != nil {
+			t.Logf("failed to read %v sarif report", v)
+			t.Error(er)
+		} else {
+			t.Logf("Unmarshall test successful: %v\n", v)
+		}
+	}
+}
+
+func Test_Report(t *testing.T) {
+	report := sarif.NewReport()
+
+	metadata := map[string]string{
+		"payload":         "'sleep(10)--",
+		"Severity Rating": "10",
+	}
+
+	// rule or template
+	rule1 := sarif.ReportingDescriptor{
+		Id:   "template1",
+		Name: "SQL Injection CVE-2022-xx",
+		ShortDescription: &sarif.MultiformatMessageString{
+			Text: "SQL Injection Vulnerability due to Dependency",
+		},
+		FullDescription: &sarif.MultiformatMessageString{
+			Text: "Full Description of Vulnerability with references",
+		},
+		Properties: metadata,
+	}
+
+	report.RegisterTool(sarif.ToolComponent{
+		Name:         "vulnscanner",
+		Organization: "ProjectDiscovery",
+		Product:      "Scanners",
+		ShortDescription: &sarif.MultiformatMessageString{
+			Text: "Vulnerability Scanner",
+		},
+		FullDescription: &sarif.MultiformatMessageString{
+			Text: "Template Based Vulnerability Scanner",
+		},
+		FullName:        "vulnscanner v2.1.1",
+		SemanticVersion: "v2.1.1",
+		DownloadURI:     "https://github.com/projectdiscovery/xxx",
+		Rules:           []sarif.ReportingDescriptor{rule1},
+	})
+
+	outfiles := sarif.ArtifactLocation{
+		Uri: "file:///etc/passwd",
+		Description: &sarif.Message{
+			Text: "Generated using vulnscanner",
+		},
+	}
+
+	report.RegisterToolInvocation(sarif.Invocation{
+		CommandLine:         "vulnscanner",
+		Arguments:           []string{"-sC", "-sV"},
+		ResponseFiles:       []sarif.ArtifactLocation{outfiles},
+		ExecutionSuccessful: true,
+		WorkingDirectory: sarif.ArtifactLocation{
+			Uri: "file:///opt",
+		},
+		EnvironmentVariables: map[string]string{
+			"GOPROXY": "direct",
+		},
+	})
+
+	loc := sarif.Location{
+		Message: &sarif.Message{
+			Text: "status.projectdiscovery.io",
+		},
+		PhysicalLocation: sarif.PhysicalLocation{
+			Address: sarif.Address{
+				Name:               "Address of Location",
+				FullyQualifiedName: "Name of Address",
+				Kind:               "parameter",
+			},
+			ArtifactLocation: sarif.ArtifactLocation{
+				Uri: "https://projectdiscovery.com/api/user=admin'",
+				Description: &sarif.Message{
+					Text: "https://projectdiscovery.com/api/user=admin'",
+				},
+			},
+		},
+	}
+
+	report.RegisterResult(sarif.Result{
+		RuleId:    "template1",
+		RuleIndex: 0,
+		Level:     sarif.Error,
+		Kind:      sarif.Review,
+		AnalysisTarget: sarif.ArtifactLocation{
+			Uri: "https://projectdiscovery.io",
+		},
+		Message: &sarif.Message{
+			Text: "SQL Injection",
+		},
+		Rule: sarif.ReportingDescriptorReference{
+			Id: "template1",
+			ToolComponent: sarif.ToolComponent{
+				Name:             "SQL Injection in xxx",
+				ShortDescription: rule1.MessageStrings,
+			},
+		},
+		Locations: []sarif.Location{loc},
+	})
+
+	if _, err := report.Export(); err != nil {
+		t.Fatalf("failed to export report")
+	}
+
+}