feat: refactor and add more properties in report

cerberauth · Oct 7, 2024 · 93741f2 · 93741f2
1 parent d48e9d9
commit 93741f2
Show file tree

Hide file tree

Showing 77 changed files with 1,416 additions and 772 deletions.
diff --git a/api/curl.go b/api/curl.go
@@ -53,11 +53,11 @@ func (h *Handler) ScanURL(ctx *gin.Context) {
 		return
 	}
 
-	if reporter.HasVulnerability() {
-		analyticsx.TrackEvent(ctx, serverApiUrlTracer, "Vulnerability Found", nil)
+	if reporter.HasIssue() {
+		analyticsx.TrackEvent(ctx, serverApiUrlTracer, "Issue Found", nil)
 	}
 
 	ctx.JSON(http.StatusOK, HTTPResponseReports{
-		Reports: reporter.GetReports(),
+		Reports: reporter.GetScanReports(),
 	})
 }
diff --git a/api/graphql.go b/api/graphql.go
@@ -49,11 +49,11 @@ func (h *Handler) ScanGraphQL(ctx *gin.Context) {
 		return
 	}
 
-	if reporter.HasVulnerability() {
-		analyticsx.TrackEvent(ctx, serverApiGraphQLTracer, "Vulnerability Found", nil)
+	if reporter.HasIssue() {
+		analyticsx.TrackEvent(ctx, serverApiGraphQLTracer, "Issue Found", nil)
 	}
 
 	ctx.JSON(http.StatusOK, HTTPResponseReports{
-		Reports: reporter.GetReports(),
+		Reports: reporter.GetScanReports(),
 	})
 }
diff --git a/api/openapi.go b/api/openapi.go
@@ -19,7 +19,7 @@ type NewOpenAPIScanRequest struct {
 	Schema          string `json:"schema" binding:"required"`
 	SecuritySchemes map[string]struct {
 		Value string `json:"value" binding:"required"`
-	} `json:"security_schemes"`
+	} `json:"securitySchemes"`
 
 	Opts *ScanOptions `json:"options"`
 }
@@ -76,12 +76,12 @@ func (h *Handler) ScanOpenAPI(ctx *gin.Context) {
 		return
 	}
 
-	if reporter.HasVulnerability() {
-		analyticsx.TrackEvent(ctx, serverApiOpenAPITracer, "Vulnerability Found", nil)
+	if reporter.HasIssue() {
+		analyticsx.TrackEvent(ctx, serverApiOpenAPITracer, "Issue Found", nil)
 	}
 
 	response := HTTPResponseReports{
-		Reports: reporter.GetReports(),
+		Reports: reporter.GetScanReports(),
 	}
 	_, err = json.Marshal(response)
 	if err != nil {

diff --git a/api/response.go b/api/response.go
@@ -5,5 +5,5 @@ import (
 )
 
 type HTTPResponseReports struct {
-	Reports []*report.Report `json:"reports"`
+	Reports []*report.ScanReport `json:"reports"`
 }
diff --git a/api/response_test.go b/api/response_test.go
@@ -19,7 +19,7 @@ func TestMarshalHTTPResponseReports(t *testing.T) {
 	sr.EndTime = time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
 
 	hrr := api.HTTPResponseReports{
-		Reports: []*report.Report{sr},
+		Reports: []*report.ScanReport{sr},
 	}
 
 	b, err := json.Marshal(hrr)

diff --git a/cmd/scan/curl.go b/cmd/scan/curl.go
@@ -68,7 +68,7 @@ func NewCURLScanCmd() (scanCmd *cobra.Command) {
 			}
 
 			internalCmd.TrackScanReport(ctx, tracer, reporter)
-			err = internalCmd.PrintOrExportReport(internalCmd.GetOutputFormat(), internalCmd.GetOutputTransport(), reporter)
+			err = internalCmd.PrintOrExportReport(internalCmd.GetReportFormat(), internalCmd.GetReportTransport(), reporter)
 			if err != nil {
 				analyticsx.TrackError(ctx, tracer, err)
 				log.Fatal(err)

diff --git a/cmd/scan/graphql.go b/cmd/scan/graphql.go
@@ -60,7 +60,7 @@ func NewGraphQLScanCmd() (scanCmd *cobra.Command) {
 			}
 
 			internalCmd.TrackScanReport(ctx, tracer, reporter)
-			err = internalCmd.PrintOrExportReport(internalCmd.GetOutputFormat(), internalCmd.GetOutputTransport(), reporter)
+			err = internalCmd.PrintOrExportReport(internalCmd.GetReportFormat(), internalCmd.GetReportTransport(), reporter)
 			if err != nil {
 				analyticsx.TrackError(ctx, tracer, err)
 				log.Fatal(err)

diff --git a/cmd/scan/openapi.go b/cmd/scan/openapi.go
@@ -102,7 +102,7 @@ func NewOpenAPIScanCmd() (scanCmd *cobra.Command) {
 			}
 
 			internalCmd.TrackScanReport(ctx, tracer, reporter)
-			if err = internalCmd.PrintOrExportReport(internalCmd.GetOutputFormat(), internalCmd.GetOutputTransport(), reporter); err != nil {
+			if err = internalCmd.PrintOrExportReport(internalCmd.GetReportFormat(), internalCmd.GetReportTransport(), reporter); err != nil {
 				analyticsx.TrackError(ctx, tracer, err)
 				log.Fatal(err)
 			}

diff --git a/internal/cmd/analytics.go b/internal/cmd/analytics.go
@@ -11,8 +11,8 @@ import (
 
 func TrackScanReport(ctx context.Context, tracer trace.Tracer, reporter *report.Reporter) {
 	analyticsx.TrackEvent(ctx, tracer, "Scan Report", []attribute.KeyValue{
-		attribute.Int("vulnerabilityCount", len(reporter.GetVulnerabilityReports())),
-		attribute.Bool("hasVulnerability", reporter.HasVulnerability()),
-		attribute.Bool("hasHighRiskSeverityVulnerability", reporter.HasHighRiskOrHigherSeverityVulnerability()),
+		attribute.Int("issuesCount", len(reporter.GetIssueReports())),
+		attribute.Bool("hasIssue", reporter.HasIssue()),
+		attribute.Bool("hasHighRiskSeverityIssue", reporter.HasHighRiskOrHigherSeverityIssue()),
 	})
 }
diff --git a/internal/cmd/args.go b/internal/cmd/args.go
@@ -11,10 +11,10 @@ var (
 	includeScans []string
 	excludeScans []string
 
-	outputFormat    string
-	outputTransport string
-	outputPath      string
-	outputURL       string
+	reportFormat    string
+	reportTransport string
+	reportFile      string
+	reportURL       string
 
 	noProgress        bool
 	severityThreshold float64
@@ -34,10 +34,10 @@ func AddCommonArgs(cmd *cobra.Command) {
 	cmd.Flags().StringArrayVarP(&includeScans, "scans", "", includeScans, "Include specific scans")
 	cmd.Flags().StringArrayVarP(&excludeScans, "exclude-scans", "e", excludeScans, "Exclude specific scans")
 
-	cmd.Flags().StringVarP(&outputFormat, "format", "", "table", "Output format (table, json, yaml)")
-	cmd.Flags().StringVarP(&outputTransport, "output-transport", "", "file", "The transport to use for output (e.g. file, http)")
-	cmd.Flags().StringVarP(&outputPath, "output-path", "", "", "The file to write the output to")
-	cmd.Flags().StringVarP(&outputURL, "output-url", "", "", "The URL to send the output to")
+	cmd.Flags().StringVarP(&reportFormat, "report-format", "", "table", "Report format (table, json, yaml)")
+	cmd.Flags().StringVarP(&reportTransport, "report-transport", "", "file", "The transport to use for report (e.g. file, http)")
+	cmd.Flags().StringVarP(&reportFile, "report-file", "", "", "The file to write the report to")
+	cmd.Flags().StringVarP(&reportURL, "report-url", "", "", "The URL to send the report to")
 
 	cmd.Flags().BoolVarP(&noProgress, "no-progress", "", false, "Disable progress output")
 	cmd.Flags().Float64VarP(&severityThreshold, "severity-threshold", "", 1, "Threshold to trigger stderr output if at least one vulnerability CVSS is higher")
@@ -89,12 +89,12 @@ func GetExcludeScans() []string {
 	return filteredScans
 }
 
-func GetOutputFormat() string {
-	return outputFormat
+func GetReportFormat() string {
+	return reportFormat
 }
 
-func GetOutputTransport() string {
-	return outputTransport
+func GetReportTransport() string {
+	return reportTransport
 }
 
 func GetNoProgress() bool {

diff --git a/internal/cmd/args_test.go b/internal/cmd/args_test.go
@@ -67,10 +67,10 @@ func TestAddCommonArgs(t *testing.T) {
 				"--cookie=sessionid=12345",
 				"--scans=scan1",
 				"--scans=scan2",
-				"--format=json",
-				"--output-transport=http",
-				"--output-path=/tmp/output",
-				"--output-url=http://example.com/output",
+				"--report-format=json",
+				"--report-transport=http",
+				"--report-file=/tmp/output",
+				"--report-url=http://example.com/output",
 				"--no-progress",
 				"--severity-threshold=5",
 			},
@@ -117,8 +117,8 @@ func TestAddCommonArgs(t *testing.T) {
 			assert.Equal(t, tt.expected.cookies, cmd.GetCookies())
 			assert.Equal(t, tt.expected.includeScans, cmd.GetIncludeScans())
 			assert.Equal(t, tt.expected.excludeScans, cmd.GetExcludeScans())
-			assert.Equal(t, tt.expected.outputFormat, cmd.GetOutputFormat())
-			assert.Equal(t, tt.expected.outputTransport, cmd.GetOutputTransport())
+			assert.Equal(t, tt.expected.outputFormat, cmd.GetReportFormat())
+			assert.Equal(t, tt.expected.outputTransport, cmd.GetReportTransport())
 			assert.Equal(t, tt.expected.noProgress, cmd.GetNoProgress())
 			assert.Equal(t, tt.expected.severityThreshold, cmd.GetSeverityThreshold())
 		})

diff --git a/internal/cmd/printtable/fingerprint_table.go b/internal/cmd/printtable/fingerprint_table.go
@@ -9,7 +9,7 @@ import (
 )
 
 func FingerprintScanReport(reporter *report.Reporter) {
-	report := reporter.GetReportByID(fingerprint.DiscoverFingerPrintScanID)
+	report := reporter.GetScanReportByID(fingerprint.DiscoverFingerPrintScanID)
 	if report == nil || !report.HasData() {
 		return
 	}

diff --git a/internal/cmd/printtable/report_table.go b/internal/cmd/printtable/report_table.go
@@ -2,28 +2,27 @@ package printtable
 
 import (
 	"fmt"
-	"net/url"
 	"sort"
 
 	"github.com/cerberauth/vulnapi/report"
 	"github.com/olekukonko/tablewriter"
 )
 
-type ScanVulnerabilityReport struct {
+type ScanIssueReport struct {
 	OperationMethod string `json:"method"`
 	OperationPath   string `json:"path"`
 
-	Vuln *report.VulnerabilityReport `json:"vuln"`
+	Issue *report.IssueReport `json:"issue"`
 }
 
-type SortByPathAndSeverity []*ScanVulnerabilityReport
+type SortByPathAndSeverity []*ScanIssueReport
 
 func (a SortByPathAndSeverity) Len() int      { return len(a) }
 func (a SortByPathAndSeverity) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
 func (a SortByPathAndSeverity) Less(i, j int) bool {
 	if a[i].OperationPath == a[j].OperationPath {
 		if a[i].OperationMethod == a[j].OperationMethod {
-			return a[i].Vuln.Issue.CVSS.Score > a[j].Vuln.Issue.CVSS.Score
+			return a[i].Issue.CVSS.Score > a[j].Issue.CVSS.Score
 		}
 
 		return a[i].OperationMethod < a[j].OperationMethod
@@ -32,38 +31,33 @@ func (a SortByPathAndSeverity) Less(i, j int) bool {
 	return a[i].OperationPath < a[j].OperationPath
 }
 
-func NewScanVulnerabilityReports(r *report.Report) []*ScanVulnerabilityReport {
-	vulnReports := r.GetFailedVulnerabilityReports()
-	vulns := make([]*ScanVulnerabilityReport, 0, len(vulnReports))
-	for _, vulnReport := range vulnReports {
-		url, urlErr := url.Parse(r.Operation.URL)
-		if urlErr != nil {
-			continue
-		}
-
-		vulns = append(vulns, &ScanVulnerabilityReport{
-			OperationMethod: r.Operation.Method,
-			OperationPath:   url.Path,
+func NewScanIssueReports(r *report.ScanReport) []*ScanIssueReport {
+	reports := r.GetFailedIssueReports()
+	issues := make([]*ScanIssueReport, 0, len(reports))
+	for _, ir := range reports {
+		issues = append(issues, &ScanIssueReport{
+			OperationMethod: ir.Operation.Method,
+			OperationPath:   ir.Operation.URL.Path,
 
-			Vuln: vulnReport,
+			Issue: ir,
 		})
 	}
 
-	return vulns
+	return issues
 }
 
-func NewFullScanVulnerabilityReports(reports []*report.Report) []*ScanVulnerabilityReport {
-	vulns := make([]*ScanVulnerabilityReport, 0)
+func NewFullScanIssueReports(reports []*report.ScanReport) []*ScanIssueReport {
+	vulns := make([]*ScanIssueReport, 0)
 	for _, r := range reports {
-		vulns = append(vulns, NewScanVulnerabilityReports(r)...)
+		vulns = append(vulns, NewScanIssueReports(r)...)
 	}
 
 	sort.Sort(SortByPathAndSeverity(vulns))
 
 	return vulns
 }
 
-func severityTableColor(v *report.VulnerabilityReport) int {
+func severityTableColor(v *report.IssueReport) int {
 	switch {
 	case v.IsLowRiskSeverity() || v.IsInfoRiskSeverity():
 		return tablewriter.BgBlueColor
@@ -79,7 +73,7 @@ func severityTableColor(v *report.VulnerabilityReport) int {
 }
 
 func DisplayReportSummaryTable(r *report.Reporter) {
-	if r == nil || len(r.GetReports()) == 0 {
+	if r == nil || len(r.GetScanReports()) == 0 {
 		return
 	}
 
@@ -91,8 +85,8 @@ func DisplayReportSummaryTable(r *report.Reporter) {
 	tableColors[0] = tablewriter.Colors{tablewriter.Bold}
 	tableColors[1] = tablewriter.Colors{tablewriter.Bold}
 
-	for _, status := range report.VulnerabilityReportStatuses {
-		scansNumber := len(r.GetReportsByVulnerabilityStatus(status))
+	for _, status := range report.IssueReportStatuses {
+		scansNumber := len(r.GetReportsByIssueStatus(status))
 
 		row := []string{
 			status.String(),
@@ -107,27 +101,27 @@ func DisplayReportSummaryTable(r *report.Reporter) {
 }
 
 func DisplayReportTable(r *report.Reporter) {
-	if r == nil || !r.HasVulnerability() {
+	if r == nil || !r.HasIssue() {
 		return
 	}
 
-	headers := []string{"Operation", "Risk Level", "CVSS 4.0 Score", "OWASP", "Vulnerability"}
+	headers := []string{"Operation", "Risk Level", "CVSS 4.0 Score", "OWASP", "Issue"}
 	table := CreateTable(headers)
 
-	vulnerabilityReports := NewFullScanVulnerabilityReports(r.GetReports())
-	for _, vulnReport := range vulnerabilityReports {
+	IssueReports := NewFullScanIssueReports(r.GetScanReports())
+	for _, issueReport := range IssueReports {
 		row := []string{
-			fmt.Sprintf("%s %s", vulnReport.OperationMethod, vulnReport.OperationPath),
-			vulnReport.Vuln.SeverityLevelString(),
-			fmt.Sprintf("%.1f", vulnReport.Vuln.Issue.CVSS.Score),
-			string(vulnReport.Vuln.Classifications.OWASP),
-			vulnReport.Vuln.Name,
+			fmt.Sprintf("%s %s", issueReport.OperationMethod, issueReport.OperationPath),
+			issueReport.Issue.SeverityLevelString(),
+			fmt.Sprintf("%.1f", issueReport.Issue.CVSS.Score),
+			string(issueReport.Issue.Classifications.OWASP),
+			issueReport.Issue.Name,
 		}
 
 		tableColors := make([]tablewriter.Colors, len(headers))
 		for i := range tableColors {
 			if i == 1 {
-				tableColors[i] = tablewriter.Colors{tablewriter.Bold, severityTableColor(vulnReport.Vuln)}
+				tableColors[i] = tablewriter.Colors{tablewriter.Bold, severityTableColor(issueReport.Issue)}
 			} else {
 				tableColors[i] = tablewriter.Colors{}
 			}