Add Code Flows to finding's description for SARIF test results (DefectDojo#6719)

fhoeborn · web-flow · commit c48f43878f26 · 2022-08-18T10:50:22.000+02:00
* Adjusted description of SARIF findings to include Codeflow as well

* Fixed some bugs

* Added code snipppets, handled case if no column is provided and adjusted unit tests

* Removed unneeded import

* Adjusted flake8 findings
diff --git a/dojo/tools/sarif/parser.py b/dojo/tools/sarif/parser.py
@@ -192,6 +192,28 @@ def get_snippet(result):
     return snippet
 
 
+def get_codeFlowsDescription(codeFlows):
+    for codeFlow in codeFlows:
+        if 'threadFlows' not in codeFlow:
+            continue
+        for threadFlow in codeFlow['threadFlows']:
+            if 'locations' not in threadFlow:
+                continue
+
+            description = '**Code flow:**\n'
+            for location in threadFlow['locations']:
+                physicalLocation = location['location']['physicalLocation']
+                region = physicalLocation['region']
+                description += '\t' + physicalLocation['artifactLocation']['uri'] + ':' + str(region['startLine'])
+                if 'startColumn' in region:
+                    description += ':' + str(region['startColumn'])
+                if 'snippet' in region:
+                    description += '\t-\t' + region['snippet']['text']
+                description += '\n'
+
+    return description
+
+
 def get_description(result, rule):
     description = ''
     message = ''
@@ -213,6 +235,9 @@ def get_description(result, rule):
             if fullDescription != message and fullDescription != shortDescription:
                 description += '**Rule full description:** {}\n'.format(fullDescription)
 
+    if 'codeFlows' in result:
+        description += get_codeFlowsDescription(result['codeFlows'])
+
     if description.endswith('\n'):
         description = description[:-1]
 
diff --git a/unittests/tools/test_sarif_parser.py b/unittests/tools/test_sarif_parser.py
@@ -42,7 +42,11 @@ def test_example2_report(self):
 ```add_core(ptr, offset, val);
     return;```
 **Rule short description:** A variable was used without being initialized.
-**Rule full description:** A variable was used without being initialized. This can result in runtime errors such as null reference exceptions."""
+**Rule full description:** A variable was used without being initialized. This can result in runtime errors such as null reference exceptions.
+**Code flow:**
+\tcollections/list.h:15\t-\tint *ptr;
+\tcollections/list.h:15\t-\toffset = (y + z) * q + 1;
+\tcollections/list.h:25\t-\tadd_core(ptr, offset, val)"""
         self.assertEqual(description, item.description)
         self.assertEqual(datetime.datetime(2016, 7, 16, 14, 19, 1, tzinfo=datetime.timezone.utc), item.date)
         for finding in findings:
