From 74d6b7b2cce3ddf2e165c1d83385c902eb6b4165 Mon Sep 17 00:00:00 2001 From: jperezde Date: Thu, 21 Nov 2024 13:10:19 +0100 Subject: [PATCH] snyk-sast: added stats for Snyk scans Solves: https://issues.redhat.com/browse/OSH-769 Adding the stats to snyk scans in the result's SARIF file of successful scans. --- .../0.3/sast-snyk-check-oci-ta.yaml | 20 ++++++++++++++++++- task/sast-snyk-check/0.3/MIGRATION.md | 1 + task/sast-snyk-check/0.3/sast-snyk-check.yaml | 20 ++++++++++++++++++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml index 654c12373a..8a7799d795 100644 --- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml @@ -215,7 +215,25 @@ spec: (set -x && csgrep --mode=evtstat filtered_sast_snyk_check_out.json) fi - csgrep --mode=sarif filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif + # Generation of scan stats + + total_files=$(jq '[.runs[0].properties.coverage[].files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) + supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) + + # We make sure the values are 0 if no supported/total files are found + total_files=${total_files:-0} + supported_files=${supported_files:-0} + + coverage_ratio=0 + if ((total_files > 0)); then + coverage_ratio=$((supported_files * 100 / total_files)) + fi + + # embed stats in results file and convert to SARIF + csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:"${coverage_ratio}" \ + --set-scan-prop snyk-scanned-files-success:"${supported_files}" \ + --set-scan-prop snyk-scanned-files-total:"${total_files}" \ + filtered_sast_snyk_check_out.json >sast_snyk_check_out.sarif TEST_OUTPUT= parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true diff --git a/task/sast-snyk-check/0.3/MIGRATION.md b/task/sast-snyk-check/0.3/MIGRATION.md index aff3fb726e..366637c525 100644 --- a/task/sast-snyk-check/0.3/MIGRATION.md +++ b/task/sast-snyk-check/0.3/MIGRATION.md @@ -7,6 +7,7 @@ Version 0.3: - There are no default arguments as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code - SARIF produced by Snyk Code is not included in the CI log. - The `KFP_GIT_URL` parameter has been introduced to indicate the repository to filter false positives. If this variable is left empty, the results won't be filtered. At the same time, we can store all excluded findings in a file using the `RECORD_EXCLUDED` parameter and specify a name of project with the `PROJECT_NAME` to use specific filters. +- The stats of the snyk scan are embedded into the result's SARIF file ## Action from users diff --git a/task/sast-snyk-check/0.3/sast-snyk-check.yaml b/task/sast-snyk-check/0.3/sast-snyk-check.yaml index 28e9dbedc8..d26c2e1542 100644 --- a/task/sast-snyk-check/0.3/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.3/sast-snyk-check.yaml @@ -193,7 +193,25 @@ spec: (set -x && csgrep --mode=evtstat filtered_sast_snyk_check_out.json) fi - csgrep --mode=sarif filtered_sast_snyk_check_out.json > sast_snyk_check_out.sarif + # Generation of scan stats + + total_files=$(jq '[.runs[0].properties.coverage[].files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) + supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json) + + # We make sure the values are 0 if no supported/total files are found + total_files=${total_files:-0} + supported_files=${supported_files:-0} + + coverage_ratio=0 + if (( total_files > 0 )); then + coverage_ratio=$((supported_files * 100 / total_files)) + fi + + # embed stats in results file and convert to SARIF + csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:"${coverage_ratio}" \ + --set-scan-prop snyk-scanned-files-success:"${supported_files}" \ + --set-scan-prop snyk-scanned-files-total:"${total_files}" \ + filtered_sast_snyk_check_out.json > sast_snyk_check_out.sarif TEST_OUTPUT= parse_test_output "$(context.task.name)" sarif sast_snyk_check_out.sarif || true