fix: add PURLs in SARIF report (#2254)

Signed-off-by: George Liontos <[email protected]>
anchore · Dec 4, 2024 · 851a5e0 · 851a5e0
1 parent 40a948d
commit 851a5e0
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 16 deletions.
diff --git a/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterDir.golden b/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterDir.golden
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:7295371c-8562-415c-be23-210d114e68bc",
+  "serialNumber": "urn:uuid:7fd309b5-5ffd-4d2f-9b24-b040c0bb5af7",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-06-14T16:07:19-04:00",
+    "timestamp": "2024-12-04T15:30:43+02:00",
     "tools": {
       "components": [
         {
@@ -52,7 +52,7 @@
       ]
     },
     {
-      "bom-ref": "7bb53d560434bc7f",
+      "bom-ref": "pkg:deb/[email protected]?package-id=7bb53d560434bc7f",
       "type": "library",
       "name": "package-2",
       "version": "2.2.2",
@@ -69,6 +69,7 @@
         }
       ],
       "cpe": "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*",
+      "purl": "pkg:deb/[email protected]",
       "properties": [
         {
           "name": "syft:package:type",
@@ -83,7 +84,7 @@
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:4287f379-8a42-49f0-8abc-b618cfbec513",
+      "bom-ref": "urn:uuid:a4b38bae-8a6e-4dd2-bdea-53e9cf590c12",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -109,7 +110,7 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:afc64b43-24cb-4f55-a948-dfd9c6920061",
+      "bom-ref": "urn:uuid:829dc942-6d41-4d7d-ad5d-41c9b6b12b62",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -130,7 +131,7 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "7bb53d560434bc7f"
+          "ref": "pkg:deb/[email protected]?package-id=7bb53d560434bc7f"
         }
       ]
     }

diff --git a/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterImage.golden b/grype/presenter/cyclonedx/test-fixtures/snapshot/TestCycloneDxPresenterImage.golden
@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:d5ea5aa8-ad1d-42c9-aecd-2268354ba41e",
+  "serialNumber": "urn:uuid:596cd775-e2a5-4932-a807-d1abfe4d804c",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-06-14T16:07:15-04:00",
+    "timestamp": "2024-12-04T15:30:43+02:00",
     "tools": {
       "components": [
         {
@@ -52,7 +52,7 @@
       ]
     },
     {
-      "bom-ref": "7bb53d560434bc7f",
+      "bom-ref": "pkg:deb/[email protected]?package-id=7bb53d560434bc7f",
       "type": "library",
       "name": "package-2",
       "version": "2.2.2",
@@ -69,6 +69,7 @@
         }
       ],
       "cpe": "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*",
+      "purl": "pkg:deb/[email protected]",
       "properties": [
         {
           "name": "syft:package:type",
@@ -83,7 +84,7 @@
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:a0e2f18d-c2d0-4099-ba11-20fdb4745a19",
+      "bom-ref": "urn:uuid:2fe19024-858a-4864-9a9b-b52f105e992c",
       "id": "CVE-1999-0001",
       "source": {},
       "references": [
@@ -109,7 +110,7 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:3c0d9460-1919-43aa-ae5a-d60f269bac64",
+      "bom-ref": "urn:uuid:1082956b-2ee6-48e4-9d92-183d492a3be8",
       "id": "CVE-1999-0002",
       "source": {},
       "references": [
@@ -130,7 +131,7 @@
       "advisories": [],
       "affects": [
         {
-          "ref": "7bb53d560434bc7f"
+          "ref": "pkg:deb/[email protected]?package-id=7bb53d560434bc7f"
         }
       ]
     }

diff --git a/grype/presenter/internal/test_helpers.go b/grype/presenter/internal/test_helpers.go
@@ -250,6 +250,7 @@ func generatePackages(t *testing.T) []syftPkg.Package {
 			Name:      "package-2",
 			Version:   "2.2.2",
 			Type:      syftPkg.DebPkg,
+			PURL:      "pkg:deb/[email protected]",
 			Locations: file.NewLocationSet(file.NewVirtualLocation("/foo/bar/somefile-2.txt", "somefile-2.txt")),
 			CPEs: []cpe.CPE{
 				{

diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonDirsPresenter.golden
@@ -124,7 +124,7 @@
     "cpes": [
      "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*"
     ],
-    "purl": "",
+    "purl": "pkg:deb/[email protected]",
     "upstreams": []
    }
   }

diff --git a/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden b/grype/presenter/json/test-fixtures/snapshot/TestJsonImgsPresenter.golden
@@ -124,7 +124,7 @@
     "cpes": [
      "cpe:2.3:a:anchore:engine:2.2.2:*:*:python:*:*:*:*"
     ],
-    "purl": "",
+    "purl": "pkg:deb/[email protected]",
     "upstreams": []
    }
   }

diff --git a/grype/presenter/sarif/presenter.go b/grype/presenter/sarif/presenter.go
@@ -104,7 +104,7 @@ func (pres *Presenter) sarifRules() (out []*sarif.ReportingDescriptor) {
 				}
 			}
 
-			out = append(out, &sarif.ReportingDescriptor{
+			descriptor := sarif.ReportingDescriptor{
 				ID:      ruleID,
 				Name:    sp(ruleName(m)),
 				HelpURI: sp("https://github.com/anchore/grype"),
@@ -122,7 +122,13 @@ func (pres *Presenter) sarifRules() (out []*sarif.ReportingDescriptor) {
 					// https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
 					"security-severity": pres.securitySeverityValue(m),
 				},
-			})
+			}
+
+			if len(m.Package.PURL) != 0 {
+				descriptor.Properties["purls"] = []string{m.Package.PURL}
+			}
+
+			out = append(out, &descriptor)
 		}
 	}
 	return out

diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden
@@ -42,6 +42,9 @@
                 "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical  | package-2  | 2.2.2  |   | deb  | /some/path/somefile-2.txt  | source-2  | CVE-1999-0002  |\n"
               },
               "properties": {
+                "purls": [
+                  "pkg:deb/[email protected]"
+                ],
                 "security-severity": "1.0"
               }
             }

diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden
@@ -42,6 +42,9 @@
                 "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical  | package-2  | 2.2.2  |   | deb  | somefile-2.txt  | source-2  | CVE-1999-0002  |\n"
               },
               "properties": {
+                "purls": [
+                  "pkg:deb/[email protected]"
+                ],
                 "security-severity": "1.0"
               }
             }