feat(cwe): add cwe into sarif report and KICS CLI results

e2e/testcases/e2e-cli-077_cwe_sarif_result.go

@@ -0,0 +1,27 @@
+package testcases
+
+// E2E-CLI-077 - KICS  scan
+// should perform a scan saving the reports in sarif format, completing the cwe field when it has values
+func init() { //nolint
+	testSample := TestCase{
+		Name: "should perform a scan saving the reports in sarif format, completing the cwe field when it has values [E2E-CLI-077]",
+		Args: args{
+			Args: []cmdArgs{
+				[]string{"scan", "-o", "/path/e2e/output",
+					"--output-name", "E2E_CLI_077_RESULT",
+					"-p", "\"/path/test/fixtures/test_sarif_cwe_report\"",
+					"--report-formats", "sarif",
+				},
+			},
+			ExpectedResult: []ResultsValidation{
+				{
+					ResultsFile:    "E2E_CLI_077_RESULT",
+					ResultsFormats: []string{"sarif"},
+				},
+			},
+		},
+		WantStatus: []int{50},
+	}
+
+	Tests = append(Tests, testSample)
+}

pkg/engine/vulnerability_builder.go

@@ -182,6 +182,7 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker,
 		DescriptionID:    getStringFromMap("descriptionID", DefaultQueryDescriptionID, overrideKey, vObj, &logWithFields),
 		Severity:         severity,
 		Platform:         getStringFromMap("platform", "", overrideKey, vObj, &logWithFields),
+		CWE:              getStringFromMap("cwe", "", overrideKey, vObj, &logWithFields),
 		Line:             linesVulne.Line,
 		VulnLines:        linesVulne.VulnLines,
 		ResourceType:     PtrStringToString(mustMapKeyToString(vObj, "resourceType")),

pkg/model/model.go

@@ -139,6 +139,7 @@ type QueryMetadata struct {
 	Content   string
 	Metadata  map[string]interface{}
 	Platform  string
+	CWE       string
 	// special field for generic queries
 	// represents how many queries are aggregated into a single rego file
 	Aggregation  int
@@ -161,6 +162,7 @@ type Vulnerability struct {
 	Description      string      `json:"description"`
 	DescriptionID    string      `json:"descriptionID"`
 	Platform         string      `db:"platform" json:"platform"`
+	CWE              string      `db:"cwe" json:"cwe"`
 	Severity         Severity    `json:"severity"`
 	Line             int         `json:"line"`
 	VulnLines        *[]CodeLine `json:"vulnLines"`

pkg/model/summary.go

@@ -45,6 +45,7 @@ type QueryResult struct {
 	QueryURI                    string           `json:"query_url"`
 	Severity                    Severity         `json:"severity"`
 	Platform                    string           `json:"platform"`
+	CWE                         string           `json:"cwe,omitempty"`
 	CloudProvider               string           `json:"cloud_provider,omitempty"`
 	Category                    string           `json:"category"`
 	Experimental                bool             `json:"experimental"`
@@ -200,6 +201,7 @@ func CreateSummary(counters Counters, vulnerabilities []Vulnerability,
 				Severity:      item.Severity,
 				QueryURI:      item.QueryURI,
 				Platform:      item.Platform,
+				CWE:           item.CWE,
 				Experimental:  item.Experimental,
 				CloudProvider: strings.ToUpper(item.CloudProvider),
 				Category:      item.Category,

pkg/printer/printer.go

@@ -142,6 +142,10 @@ func PrintResult(summary *model.Summary, failedQueries map[string]error, printer
 			}
 			fmt.Printf("%s %s\n", printer.Bold("Platform:"), summary.Queries[idx].Platform)
 
+			if summary.Queries[idx].CWE != "" {
+				fmt.Printf("%s %s\n", printer.Bold("CWE:"), summary.Queries[idx].CWE)
+			}
+
 			queryCloudProvider := summary.Queries[idx].CloudProvider
 			if queryCloudProvider != "" {
 				queryCloudProvider = strings.ToLower(queryCloudProvider) + "/"

pkg/report/model/cyclonedx.go

@@ -268,5 +268,6 @@ func BuildCycloneDxReport(summary *model.Summary, filePaths map[string]string) *
 
 		bom.Components.Components = append(bom.Components.Components, component)
 	}
+
 	return bom
 }

pkg/report/model/sarif.go

@@ -296,8 +296,11 @@ func (sr *sarifReport) BuildSarifIssue(issue *model.QueryResult) {
 				ResultRuleIndex: ruleIndex,
 				ResultKind:      kind,
 				ResultMessage: sarifMessage{
-					Text:              issue.Files[idx].KeyActualValue,
-					MessageProperties: sarifProperties{"platform": issue.Platform},
+					Text: issue.Files[idx].KeyActualValue,
+					MessageProperties: sarifProperties{
+						"platform": issue.Platform,
+						"cwe":      issue.CWE,
+					},
 				},
 				ResultLocations: []sarifLocation{
 					{

pkg/report/model/sarif_test.go

@@ -89,7 +89,7 @@ var sarifTests = []sarifTest{
 							ResultRuleID:    "1",
 							ResultRuleIndex: 0,
 							ResultKind:      "fail",
-							ResultMessage:   sarifMessage{Text: "test", MessageProperties: sarifProperties{"platform": ""}},
+							ResultMessage:   sarifMessage{Text: "test", MessageProperties: sarifProperties{"platform": "", "cwe": ""}},
 							ResultLocations: []sarifLocation{
 								{
 									PhysicalLocation: sarifPhysicalLocation{
@@ -195,7 +195,7 @@ var sarifTests = []sarifTest{
 							ResultKind:      "fail",
 							ResultMessage: sarifMessage{
 								Text:              "test",
-								MessageProperties: sarifProperties{"platform": ""},
+								MessageProperties: sarifProperties{"platform": "", "cwe": ""},
 							},
 							ResultLocations: []sarifLocation{
 								{
@@ -212,7 +212,7 @@ var sarifTests = []sarifTest{
 							ResultKind:      "fail",
 							ResultMessage: sarifMessage{
 								Text:              "test",
-								MessageProperties: sarifProperties{"platform": ""},
+								MessageProperties: sarifProperties{"platform": "", "cwe": ""},
 							},
 							ResultLocations: []sarifLocation{
 								{
@@ -229,7 +229,7 @@ var sarifTests = []sarifTest{
 							ResultKind:      "informational",
 							ResultMessage: sarifMessage{
 								Text:              "test",
-								MessageProperties: sarifProperties{"platform": ""},
+								MessageProperties: sarifProperties{"platform": "", "cwe": ""},
 							},
 							ResultLocations: []sarifLocation{
 								{

test/fixtures/test_sarif_cwe_report/run_block_injection/metadata.json

@@ -0,0 +1,12 @@
+{
+  "id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b",
+  "queryName": "Run Block Injection",
+  "severity": "HIGH",
+  "category": "Insecure Configurations",
+  "descriptionText": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event.",
+  "descriptionUrl": "https://securitylab.github.com/research/github-actions-untrusted-input/",
+  "platform": "CICD",
+  "descriptionID": "02044a75",
+  "cloudProvider": "common",
+  "cwe": "1234"
+}

test/fixtures/test_sarif_cwe_report/run_block_injection/query.rego

@@ -0,0 +1,186 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+	input.document[i].on["pull_request_target"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.head_ref",
+    "github.event.pull_request.body",
+    "github.event.pull_request.head.label",
+    "github.event.pull_request.head.ref",
+    "github.event.pull_request.head.repo.default_branch",
+    "github.event.pull_request.head.repo.description",
+    "github.event.pull_request.head.repo.homepage",
+    "github.event.pull_request.title"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["issues"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.event.issue.body",
+	"github.event.issue.title"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["issue_comment"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.event.comment.body",
+	"github.event.issue.body",
+	"github.event.issue.title"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["discussion"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.event.discussion.body",
+	"github.event.discussion.title"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["discussion_comment"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.event.comment.body",
+	"github.event.discussion.body",
+	"github.event.discussion.title"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["workflow_run"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.event.workflow.path",
+	"github.event.workflow_run.head_branch",
+	"github.event.workflow_run.head_commit.author.email",
+	"github.event.workflow_run.head_commit.author.name",
+	"github.event.workflow_run.head_commit.message",
+	"github.event.workflow_run.head_repository.description"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+CxPolicy[result] {
+
+	input.document[i].on["author"]
+	run := input.document[i].jobs[j].steps[k].run
+
+	patterns := [
+    "github.*.authors.name",
+	"github.*.authors.email"
+	]
+
+	matched = containsPatterns(run, patterns)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("run={{%s}}", [run]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Run block does not contain dangerous input controlled by user.",
+		"keyActualValue": "Run block contains dangerous input controlled by user.",
+		"searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "run"],[]),
+		"searchValue": matched[m]
+	}
+}
+
+
+
+containsPatterns(str, patterns) = matched {
+    matched := {pattern |
+        pattern := patterns[_]
+        regex.match(pattern, str)
+    }
+}
+

test/fixtures/test_sarif_cwe_report/run_block_injection/test/negative.yaml

@@ -0,0 +1,29 @@
+name: check-go-coverage
+
+on:
+  pull_request_target:
+    branches: [master]
+
+jobs:
+  coverage:
+    name: Check Go coverage
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Go 1.20.x
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20.x
+      - name: Run test metrics script
+        id: testcov
+        run: |
+          make test-coverage-report | tee test-results
+          echo "coverage=$(cat test-results | grep "Total coverage: " test-results | cut -d ":" -f 2 | bc)" >> $GITHUB_ENV
+      - name: Checks if Go coverage is at least 80%
+        if: env.coverage < 80
+        run: |
+          echo "Go coverage is lower than 80%: ${{ env.coverage }}%"
+          exit 1

test/fixtures/test_sarif_cwe_report/run_block_injection/test/negative2.yaml

@@ -0,0 +1,15 @@
+name: Issue Workflow
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  process_issue:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Greet the New Issue
+        run: |
+          # Echo a simple sentence
+          echo "Hello, a new issue has been opened!"

test/fixtures/test_sarif_cwe_report/run_block_injection/test/negative3.yaml

@@ -0,0 +1,14 @@
+name: Discussion Workflow
+
+on:
+  discussion:
+    types:
+      - created
+
+jobs:
+  process_discussion:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Greet the New Discussion
+        run: |
+          echo "Hello, a new discussion has been created!"