Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update SARIF format #534

Merged
merged 38 commits into from
Sep 20, 2023
Merged

Update SARIF format #534

merged 38 commits into from
Sep 20, 2023

Conversation

another-rex
Copy link
Collaborator

@another-rex another-rex commented Sep 14, 2023
edited
Loading

Fixes #216 with a new format that separates out individual vulnerabilities.

Each vulnerability is now it's own rule violation. The aliased vulnerabilities are grouped together as one rule violation, with an ID picked in this priority (CVE -> [Eco Specific] -> GHSA).

@codecov-commenter
Copy link

codecov-commenter commented Sep 14, 2023
edited
Loading

Codecov Report

Merging #534 (941f031) into main (a659b3b) will increase coverage by 1.31%.
The diff coverage is 91.24%.

@@            Coverage Diff             @@
##             main     #534      +/-   ##
==========================================
+ Coverage   77.05%   78.36%   +1.31%     
==========================================
  Files          76       77       +1     
  Lines        5129     5251     +122     
==========================================
+ Hits         3952     4115     +163     
+ Misses       1011      971      -40     
+ Partials      166      165       -1
Files Changed Coverage Δ
cmd/osv-reporter/main.go 4.02% <0.00%> (ø)
internal/output/result.go 83.33% <83.33%> (ø)
internal/output/sarif.go 90.76% <94.50%> (+4.10%) ⬆️
cmd/osv-scanner/main.go 79.03% <100.00%> (ø)
internal/output/githubannotation.go 86.95% <100.00%> (+86.95%) ⬆️
internal/output/identifiers.go 100.00% <100.00%> (ø)
pkg/models/results.go 82.22% <100.00%> (+1.26%) ⬆️

... and 2 files with indirect coverage changes

oliverchang
oliverchang reviewed Sep 14, 2023
View reviewed changes
cmd/osv-scanner/main_test.go Outdated
"name": "osv-scanner",
"rules": [
{
"id": "GHSA-whgm-jr23-g3j9",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we have an end-to-end test here that includes CVE, Ecosystem ID examples etc?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a bigger test with CVE's and multiple ecosystems, not as an end-to-end test but a unit test since it makes the path resolution easier. It already found some problems with CVEs not actually being the display ID, which should be fixed now.

Do you still want a bigger end-to-end test as well?

@another-rex another-rex merged commit 26c9dfd into google:main Sep 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oliverchang oliverchang oliverchang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for SARIF output
3 participants
@another-rex @codecov-commenter @oliverchang