Review rule name and description mappings in Kics
Problem to solve
#349141 (closed) highlighted some issues related to how Kics is mapping the description field of upstream rules to the converted `gl-sast-report.json`.
Using the "All variables should contain a valid type." rule as an example:
This is how the rule is represented upstream
This is a finding in the `gl-sast-report.json` produced by the analyser
```json
{
  "id": "2fb7fb451f7b13438914cf4c305a332cd48f82a46bc7caef9361bbd233ea577d",
  "category": "sast",
  "message": "All variables should contain a valid type.",
  "description": "'type' is undefined or null",
  "cve": "kics_id:fc5109bf-01fd-49fb-8bde-4492b543c34a:1:0",
  "severity": "Info",
  "scanner": {
    "id": "kics",
    "name": "kics"
  },
  "location": {
    "file": "variables.tf",
    "start_line": 1
  },
  "identifiers": [
    {
      "type": "kics_id",
      "name": "Variable Without Type",
      "value": "fc5109bf-01fd-49fb-8bde-4492b543c34a",
      "url": "https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation"
    }
  ]
}
```
This is how it looks in the repo-level vulnerability report
This is the vulnerability detail page of the repo-level vulnerability report
This is the pipeline security report
Proposal
Review the mapping logic to determine if changes are required. On first glance, it might make sense to perform the following mapping:
| SARIF | GL SAST |
|---|---|
| `rule.Name` | Name |
| `rule.FullDescription` | Description |
| `result.Message.Text` | Somewhere in Details (or omitted entirely, since it doesn't provide much value on top of the name and description) |
The Details property doesn't seem to be used by the Static Analysis group's analysers. There are examples in Gemnasium, though I'm unsure if it's suitable for our use cases. Once set, it's rendered as part of the Evidence section of the vulnerability details page. See this pipeline security report as an example.
Note that the `message` field is now deprecated too. It looks like we dropped it in favour of `name` and `description`.

And since the mapping occurs in the shared `report` package, we're in for some fun times updating QA expectations again.
Implementation Plan

- Update KICS `gl-sast-report.json` `vulnerability[].name` to the SARIF report's `run[].tool.driver.rules[].shortDescription.text`
  - Delete the KICS-specific name override in `sarif.go`
  - Release a new version of `report`
  - Upgrade KICS to use the new `report`
- Update KICS `gl-sast-report.json` `vulnerability[].description` to the SARIF report's `run[].tool.driver.rules[].fullDescription.text` and `run[].results[].message.text`
  - Add a KICS-specific description to `report` with tests
  - Release a new version of `report`
  - Upgrade KICS to use the new `report`
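To make the proposed mapping concrete, here is an added Go example (not code from the `report` package or from KICS) that reads the subset of SARIF 2.1.0 the plan refers to and produces the `name` and `description` fields as described: `name` from `rules[].shortDescription.text`, `description` from `rules[].fullDescription.text` joined with the matching `results[].message.text`. The SARIF document, the rule ids, the fallback to `rule.name` when `shortDescription` is missing, the blank-line join, and the handling of a result whose `ruleId` has no rule are all assumptions of this example, not behaviour the issue specifies. The second sample result shows the case the proposal calls out, where the message merely repeats the description and adds no value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sarifLog is the subset of SARIF 2.1.0 this example reads.
type sarifLog struct {
	Runs []sarifRun `json:"runs"`
}

type sarifRun struct {
	Tool struct {
		Driver struct {
			Rules []sarifRule `json:"rules"`
		} `json:"driver"`
	} `json:"tool"`
	Results []sarifResult `json:"results"`
}

type sarifText struct {
	Text string `json:"text"`
}

type sarifRule struct {
	ID               string    `json:"id"`
	Name             string    `json:"name"`
	ShortDescription sarifText `json:"shortDescription"`
	FullDescription  sarifText `json:"fullDescription"`
}

type sarifResult struct {
	RuleID  string    `json:"ruleId"`
	Message sarifText `json:"message"`
}

// GLVulnerability carries only the two gl-sast-report.json fields this issue is about.
type GLVulnerability struct {
	Name        string `json:"name"`
	Description string `json:"description"`
}

// MapSarifToGL applies the mapping from the implementation plan:
//   name        <- rules[].shortDescription.text
//   description <- rules[].fullDescription.text joined with results[].message.text
// A result whose ruleId has no matching rule is an error rather than a vulnerability
// with an empty name, so a malformed upstream report is noticed instead of silently
// producing findings nobody can act on.
func MapSarifToGL(data []byte) ([]GLVulnerability, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse sarif: %w", err)
	}
	var out []GLVulnerability
	for _, run := range doc.Runs {
		rules := make(map[string]sarifRule, len(run.Tool.Driver.Rules))
		for _, r := range run.Tool.Driver.Rules {
			rules[r.ID] = r
		}
		for _, res := range run.Results {
			rule, ok := rules[res.RuleID]
			if !ok {
				return nil, fmt.Errorf("result references unknown ruleId %q", res.RuleID)
			}
			name := strings.TrimSpace(rule.ShortDescription.Text)
			if name == "" {
				name = rule.Name // assumption: fall back to rule.name when shortDescription is absent
			}
			out = append(out, GLVulnerability{
				Name:        name,
				Description: joinDescription(rule.FullDescription.Text, res.Message.Text),
			})
		}
	}
	return out, nil
}

// joinDescription concatenates the rule's full description with the per-result
// message, skipping empty parts and dropping the message when it just repeats the
// full description (the "doesn't provide much value" case from the proposal).
func joinDescription(full, msg string) string {
	full, msg = strings.TrimSpace(full), strings.TrimSpace(msg)
	switch {
	case msg == "" || msg == full:
		return full
	case full == "":
		return msg
	default:
		return full + "\n\n" + msg
	}
}

// SampleSarif is a constructed SARIF document for this example; it is not KICS output.
const SampleSarif = `{
  "runs": [{
    "tool": {"driver": {"rules": [
      {"id": "rule-1", "name": "Variable Without Type",
       "shortDescription": {"text": "All variables should contain a valid type."},
       "fullDescription": {"text": "Terraform input variables should declare an explicit type."}}
    ]}},
    "results": [
      {"ruleId": "rule-1", "message": {"text": "'type' is undefined or null"}},
      {"ruleId": "rule-1", "message": {"text": "Terraform input variables should declare an explicit type."}}
    ]
  }]
}`

func main() {
	vulns, err := MapSarifToGL([]byte(SampleSarif))
	if err != nil {
		panic(err)
	}
	enc, _ := json.MarshalIndent(vulns, "", "  ")
	fmt.Println(string(enc))
}
```

Running it prints two vulnerabilities that share the `name` taken from `shortDescription`; the first carries the per-result message appended to the rule's full description, the second only the full description because its message was a duplicate. Whatever join rule the `report` package finally adopts, the useful property to keep is that `name` no longer varies per result, so findings of one rule group together in the vulnerability report.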