nuclei/v2/pkg/reporting/exporters/sarif/sarif.go

package sarif

import (
	"crypto/sha1"
	"encoding/hex"
	"os"
	"path/filepath"
	"strings"
	"sync"

	"github.com/owenrumney/go-sarif/sarif"
	"github.com/pkg/errors"

	"github.com/projectdiscovery/nuclei/v2/pkg/model/types/severity"
	"github.com/projectdiscovery/nuclei/v2/pkg/output"
	"github.com/projectdiscovery/nuclei/v2/pkg/reporting/format"
	"github.com/projectdiscovery/nuclei/v2/pkg/utils"
)

// Exporter is an exporter for nuclei sarif output format.
type Exporter struct {
	sarif *sarif.Report
	run   *sarif.Run
	mutex *sync.Mutex

	home    string
	options *Options
}

// Options contains the configuration options for sarif exporter client
type Options struct {
	// File is the file to export found sarif result to
	File string `yaml:"file"`
}

// New creates a new sarif exporter integration client based on options.
func New(options *Options) (*Exporter, error) {
	report, err := sarif.New(sarif.Version210)
	if err != nil {
		return nil, errors.Wrap(err, "could not create sarif exporter")
	}

	home, err := os.UserHomeDir()
	if err != nil {
		return nil, errors.Wrap(err, "could not get home dir")
	}
	templatePath := filepath.Join(home, "nuclei-templates")

	run := sarif.NewRun("nuclei", "https://github.com/projectdiscovery/nuclei")
	return &Exporter{options: options, home: templatePath, sarif: report, run: run, mutex: &sync.Mutex{}}, nil
}

// Export exports a passed result event to sarif structure
func (exporter *Exporter) Export(event *output.ResultEvent) error {
	templatePath := strings.TrimPrefix(event.TemplatePath, exporter.home)

	h := sha1.New()
	_, _ = h.Write([]byte(event.Host))
	templateID := event.TemplateID + "-" + hex.EncodeToString(h.Sum(nil))

	fullDescription := format.MarkdownDescription(event)
	sarifSeverity := getSarifSeverity(event)

	var ruleName string
	if utils.IsNotBlank(event.Info.Name) {
		ruleName = event.Info.Name
	}

	var templateURL string
	if strings.HasPrefix(event.TemplatePath, exporter.home) {
		templateURL = "https://github.com/projectdiscovery/nuclei-templates/blob/master" + templatePath
	} else {
		templateURL = "https://github.com/projectdiscovery/nuclei-templates"
	}

	var ruleDescription string
	if utils.IsNotBlank(event.Info.Description) {
		ruleDescription = event.Info.Description
	}

	exporter.mutex.Lock()
	defer exporter.mutex.Unlock()

	_ = exporter.run.AddRule(templateID).
		WithDescription(ruleName).
		WithHelp(fullDescription).
		WithHelpURI(templateURL).
		WithFullDescription(sarif.NewMultiformatMessageString(ruleDescription))

	result := exporter.run.AddResult(templateID).
		WithMessage(sarif.NewMessage().WithText(event.Host)).
		WithLevel(sarifSeverity)

	// Also write file match metadata to file
	if event.Type == "file" && (event.FileToIndexPosition != nil && len(event.FileToIndexPosition) > 0) {
		for file, line := range event.FileToIndexPosition {
			result.WithLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(ruleName)).WithPhysicalLocation(
				sarif.NewPhysicalLocation().
					WithArtifactLocation(sarif.NewArtifactLocation().WithUri(file)).
					WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(line).WithEndLine(line).WithEndColumn(32)),
			))
		}
	} else {
		result.WithLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(event.Host)).WithPhysicalLocation(
			sarif.NewPhysicalLocation().
				WithArtifactLocation(sarif.NewArtifactLocation().WithUri("README.md")).
				WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(1).WithEndLine(1).WithEndColumn(1)),
		))
	}
	return nil
}

// getSarifSeverity returns the sarif severity
func getSarifSeverity(event *output.ResultEvent) string {
	switch event.Info.SeverityHolder.Severity {
	case severity.Info:
		return "note"
	case severity.Low, severity.Medium:
		return "warning"
	case severity.High, severity.Critical:
		return "error"
	default:
		return "note"
	}
}

// Close closes the exporter after operation
func (exporter *Exporter) Close() error {
	exporter.mutex.Lock()
	defer exporter.mutex.Unlock()

	exporter.sarif.AddRun(exporter.run)
	if len(exporter.run.Results) == 0 {
		return nil // do not write when no results
	}
	file, err := os.Create(exporter.options.File)
	if err != nil {
		return errors.Wrap(err, "could not create sarif output file")
	}
	defer file.Close()
	return exporter.sarif.Write(file)
}
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`package sarif`

			`import (`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`"crypto/sha1"`
			`"encoding/hex"`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`"os"`
Replacing "path." methods to "filepath." in order to make the code OS independent 2021-08-23 14:53:37 +03:00			`"path/filepath"`
Improved output format 2021-06-05 20:06:23 +05:30			`"strings"`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`"sync"`

			`"github.com/owenrumney/go-sarif/sarif"`
			`"github.com/pkg/errors"`
RES-84 # Improve Nuclei CLI interface * fixed issues reported by the linter 2021-07-19 21:04:08 +03:00
YAML Unmarshal error in reporting template #995 2021-09-03 16:48:39 +03:00			`"github.com/projectdiscovery/nuclei/v2/pkg/model/types/severity"`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`"github.com/projectdiscovery/nuclei/v2/pkg/output"`
			`"github.com/projectdiscovery/nuclei/v2/pkg/reporting/format"`
RES-84 # Improve Nuclei CLI interface * fixed issues reported by the linter 2021-07-19 21:04:08 +03:00			`"github.com/projectdiscovery/nuclei/v2/pkg/utils"`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`)`

Misc 2021-06-05 20:08:52 +05:30			`// Exporter is an exporter for nuclei sarif output format.`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`type Exporter struct {`
			`sarif *sarif.Report`
			`run *sarif.Run`
			`mutex *sync.Mutex`

Lint issues fixes 2021-06-14 17:14:16 +05:30			`home string`
			`options *Options`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`}`

			`// Options contains the configuration options for sarif exporter client`
			`type Options struct {`
			`// File is the file to export found sarif result to`
			File string `yaml:"file"`
			`}`

disk cleanups 2021-09-19 16:26:47 +05:30			`// New creates a new sarif exporter integration client based on options.`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`func New(options Options) (Exporter, error) {`
			`report, err := sarif.New(sarif.Version210)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not create sarif exporter")`
			`}`
Improvements to sarif report 2021-06-05 23:00:59 +05:30
Improved output format 2021-06-05 20:06:23 +05:30			`home, err := os.UserHomeDir()`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not get home dir")`
			`}`
Replacing "path." methods to "filepath." in order to make the code OS independent 2021-08-23 14:53:37 +03:00			`templatePath := filepath.Join(home, "nuclei-templates")`
Improved output format 2021-06-05 20:06:23 +05:30
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`run := sarif.NewRun("nuclei", "https://github.com/projectdiscovery/nuclei")`
Print first line of running action if any 2021-06-05 23:09:08 +05:30			`return &Exporter{options: options, home: templatePath, sarif: report, run: run, mutex: &sync.Mutex{}}, nil`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`}`

Misc 2021-06-05 20:08:52 +05:30			`// Export exports a passed result event to sarif structure`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`func (exporter Exporter) Export(event output.ResultEvent) error {`
			`templatePath := strings.TrimPrefix(event.TemplatePath, exporter.home)`
Improved output format 2021-06-05 20:06:23 +05:30
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`h := sha1.New()`
Fixed lint errors 2021-08-24 13:35:01 +05:30			`_, _ = h.Write([]byte(event.Host))`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`templateID := event.TemplateID + "-" + hex.EncodeToString(h.Sum(nil))`

			`fullDescription := format.MarkdownDescription(event)`
Improved output format 2021-06-05 20:06:23 +05:30			`sarifSeverity := getSarifSeverity(event)`

			`var ruleName string`
RES-84 # Improve Nuclei CLI interface (WIP) * removed the generic isEmpty implementation 2021-08-03 14:51:34 +03:00			`if utils.IsNotBlank(event.Info.Name) {`
RES-84 # Improve Nuclei CLI interface (WIP) * Merge from parent # Conflicts: # v2/cmd/nuclei/main.go # v2/internal/runner/config.go # v2/internal/runner/templates.go # v2/internal/runner/update.go # v2/pkg/templates/compile.go # v2/pkg/templates/compile_test.go # v2/pkg/types/types.go 2021-07-12 17:20:01 +03:00			`ruleName = event.Info.Name`
Improved output format 2021-06-05 20:06:23 +05:30			`}`
Work on sarif integration start 2021-06-05 18:01:08 +05:30
Improved output format 2021-06-05 20:06:23 +05:30			`var templateURL string`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`if strings.HasPrefix(event.TemplatePath, exporter.home) {`
Improved output format 2021-06-05 20:06:23 +05:30			`templateURL = "https://github.com/projectdiscovery/nuclei-templates/blob/master" + templatePath`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`} else {`
			`templateURL = "https://github.com/projectdiscovery/nuclei-templates"`
Improved output format 2021-06-05 20:06:23 +05:30			`}`
Work on sarif integration start 2021-06-05 18:01:08 +05:30
			`var ruleDescription string`
RES-84 # Improve Nuclei CLI interface (WIP) * removed the generic isEmpty implementation 2021-08-03 14:51:34 +03:00			`if utils.IsNotBlank(event.Info.Description) {`
RES-84 # Improve Nuclei CLI interface (WIP) * Merge from parent # Conflicts: # v2/cmd/nuclei/main.go # v2/internal/runner/config.go # v2/internal/runner/templates.go # v2/internal/runner/update.go # v2/pkg/templates/compile.go # v2/pkg/templates/compile_test.go # v2/pkg/types/types.go 2021-07-12 17:20:01 +03:00			`ruleDescription = event.Info.Description`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`}`

refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`exporter.mutex.Lock()`
			`defer exporter.mutex.Unlock()`
Misc 2021-06-05 20:08:52 +05:30
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`_ = exporter.run.AddRule(templateID).`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`WithDescription(ruleName).`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`WithHelp(fullDescription).`
Improved output format 2021-06-05 20:06:23 +05:30			`WithHelpURI(templateURL).`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`WithFullDescription(sarif.NewMultiformatMessageString(ruleDescription))`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00
			`result := exporter.run.AddResult(templateID).`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`WithMessage(sarif.NewMessage().WithText(event.Host)).`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`WithLevel(sarifSeverity)`

feat: Improve DSL function UX #1295 Added support for letting people know if: * the DSL expression does not return a boolean value * an invalid custom function signature was provided and then display all available function signatures * an invalid function was provided and then display the correct signature Unified the DSL function names to use snake case. The old signatures are also kept for backward compatibility. 2021-12-07 17:34:36 +02:00			`// Also write file match metadata to file`
Misc 2021-06-06 17:38:39 +05:30			`if event.Type == "file" && (event.FileToIndexPosition != nil && len(event.FileToIndexPosition) > 0) {`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`for file, line := range event.FileToIndexPosition {`
Add name as rule help 2021-06-06 16:12:54 +05:30			`result.WithLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(ruleName)).WithPhysicalLocation(`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`sarif.NewPhysicalLocation().`
			`WithArtifactLocation(sarif.NewArtifactLocation().WithUri(file)).`
Misc 2021-06-06 16:04:06 +05:30			`WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(line).WithEndLine(line).WithEndColumn(32)),`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`))`
			`}`
			`} else {`
			`result.WithLocation(sarif.NewLocation().WithMessage(sarif.NewMessage().WithText(event.Host)).WithPhysicalLocation(`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`sarif.NewPhysicalLocation().`
Temporary fix for sarif github location issue 2021-06-05 23:42:37 +05:30			`WithArtifactLocation(sarif.NewArtifactLocation().WithUri("README.md")).`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`WithRegion(sarif.NewRegion().WithStartColumn(1).WithStartLine(1).WithEndLine(1).WithEndColumn(1)),`
			`))`
Enrich file output sarif with correct file metadata 2021-06-06 15:52:13 +05:30			`}`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`return nil`
			`}`

Improved output format 2021-06-05 20:06:23 +05:30			`// getSarifSeverity returns the sarif severity`
			`func getSarifSeverity(event *output.ResultEvent) string {`
RES-84 # Improve Nuclei CLI interface (WIP) * Rename of Info.Severity -> Info.SeverityHolder, Info.Author -> Info.Authors to reflect the underlying data * extended the IsEmpty(interface{}) to handle maps 2021-07-13 11:12:03 +03:00			`switch event.Info.SeverityHolder.Severity {`
RES-84 # Improve Nuclei CLI interface (WIP) * moved the Severity "enum" back to Nuclei (1 unit test failing) 2021-07-16 17:28:13 +03:00			`case severity.Info:`
Print first line of running action if any 2021-06-05 23:09:08 +05:30			`return "note"`
RES-84 # Improve Nuclei CLI interface (WIP) * moved the Severity "enum" back to Nuclei (1 unit test failing) 2021-07-16 17:28:13 +03:00			`case severity.Low, severity.Medium:`
Improved output format 2021-06-05 20:06:23 +05:30			`return "warning"`
RES-84 # Improve Nuclei CLI interface (WIP) * moved the Severity "enum" back to Nuclei (1 unit test failing) 2021-07-16 17:28:13 +03:00			`case severity.High, severity.Critical:`
Improved output format 2021-06-05 20:06:23 +05:30			`return "error"`
			`default:`
Print first line of running action if any 2021-06-05 23:09:08 +05:30			`return "note"`
Improved output format 2021-06-05 20:06:23 +05:30			`}`
			`}`

Work on sarif integration start 2021-06-05 18:01:08 +05:30			`// Close closes the exporter after operation`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`func (exporter *Exporter) Close() error {`
			`exporter.mutex.Lock()`
			`defer exporter.mutex.Unlock()`
Misc 2021-06-05 20:08:52 +05:30
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`exporter.sarif.AddRun(exporter.run)`
			`if len(exporter.run.Results) == 0 {`
Improvements to sarif report 2021-06-05 23:00:59 +05:30			`return nil // do not write when no results`
			`}`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`file, err := os.Create(exporter.options.File)`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`if err != nil {`
			`return errors.Wrap(err, "could not create sarif output file")`
			`}`
			`defer file.Close()`
refactor: renamed misleading receiver names 2021-12-07 18:01:34 +02:00			`return exporter.sarif.Write(file)`
Work on sarif integration start 2021-06-05 18:01:08 +05:30			`}`