// SPDX-FileCopyrightText: the secureCodeBox authors
//
// SPDX-License-Identifier: Apache-2.0
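// Semgrep severity levels (lower-cased) -> secureCodeBox severities.
// Semgrep only emits INFO / WARNING / ERROR, so nothing maps to LOW;
// anything not listed here is reported as INFORMATIONAL by parse().
const severityMap = new Map([
  ["info", "INFORMATIONAL"],
  ["warning", "MEDIUM"],
  ["error", "HIGH"],
]);

// Placeholder used when a rule carries no `message`.
const MISSING_DESCRIPTION =
  "(No description provided in semgrep rule - when using a custom rule, set the 'message' key)";

/**
 * Extracts the numeric CWE id from semgrep's `cwe` metadata.
 *
 * Semgrep rules give the CWE as a string such as "CWE-798: Use of Hard-coded
 * Credentials" (or an array of such strings, which String() joins with commas,
 * so the first entry wins). Only the leading id digits are returned, so the
 * value is safe to interpolate into the cwe.mitre.org URL. A fixed two-character
 * slice (the previous approach) truncated three- and four-digit ids, e.g.
 * CWE-798 became CWE-79.
 *
 * @param {unknown} cwe - raw `extra.metadata.cwe` value, may be undefined
 * @returns {string | null} the id digits (e.g. "798"), or null when none found
 */
function extractCweId(cwe) {
  if (cwe == null) {
    return null;
  }
  const match = /^(?:CWE-)?(\d+)/i.exec(String(cwe).trim());
  return match ? match[1] : null;
}

/**
 * Builds the secureCodeBox reference list for one semgrep result.
 *
 * @param {object} metadata - the rule's `extra.metadata` object (may be empty)
 * @param {string | null} cweId - numeric CWE id as returned by extractCweId()
 * @returns {Array<{type: string, value: string}>} URL references from the rule
 *   metadata, followed by a CWE and a cwe.mitre.org URL reference when a CWE
 *   id is known
 */
function buildReferences(metadata, cweId) {
  // Reference links are passed through from the rule metadata unmodified.
  const links = Array.isArray(metadata.references) ? metadata.references : [];
  const references = links.map((link) => ({ type: "URL", value: link }));
  if (cweId) {
    references.push(
      { type: "CWE", value: `CWE-${cweId}` },
      {
        type: "URL",
        value: `https://cwe.mitre.org/data/definitions/${cweId}.html`,
      },
    );
  }
  return references;
}

/**
 * Converts a semgrep JSON report into secureCodeBox findings.
 *
 * @param {string} fileContent - raw semgrep JSON output (`semgrep --json`)
 * @returns {Promise<object[]>} one finding per semgrep result; an empty array
 *   when the report is empty or has no `results` array
 * @throws {SyntaxError} when fileContent is not valid JSON
 */
export async function parse(fileContent) {
  const report = JSON.parse(fileContent);
  if (!Array.isArray(report?.results)) {
    return [];
  }
  return report.results.map((result) => {
    const extra = result.extra ?? {};
    // Rules without a metadata block must not abort parsing of the whole report.
    const metadata = extra.metadata ?? {};
    // Location is the file path plus the matched line range.
    const location = `${result.path}:${result.start.line}-${result.end.line}`;
    // Name of the finding is the rule ID from semgrep.
    const name = result.check_id;
    // Description is the rule's message, or a placeholder telling the rule author what to set.
    const description = extra.message || MISSING_DESCRIPTION;
    // Category of the finding - the rule's metadata category, or a placeholder.
    const category = metadata.category || "semgrep-result";
    // Translate semgrep severity to SCB severity; unknown or missing values become INFORMATIONAL.
    const severityKey = String(extra.severity ?? "").toLowerCase();
    const severity = severityMap.get(severityKey) ?? "INFORMATIONAL";
    const cweId = extractCweId(metadata.cwe);
    const references = buildReferences(metadata, cweId);
    const attributes = {
      // Common weakness enumeration, if available (raw value from the rule)
      cwe: metadata.cwe || null,
      // OWASP category, if available
      owasp_category: metadata.owasp || null,
      // References given in the rule
      references: references.length > 0 ? references : null,
      // Link to the semgrep rule
      rule_source: metadata.source || null,
      // Which line of code matched?
      // TODO: Do we actually want to record this? There are also secret-detector rules for semgrep,
      // so maybe you don't actually want the plaintext match to be recorded unencrypted in some S3 bucket?
      // "matching_lines": extra.lines,
    };
    return {
      name,
      location,
      description,
      category,
      severity,
      attributes,
    };
  });
}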