Add new sarif formatter #240

Draft: wants to merge 2 commits into base: main

Conversation

@zendern (Contributor) commented Jun 7, 2021

Working through adding what is needed to do #239.

This pull request makes the following changes:

  • Adds a new formatter... that's it, nothing too crazy

It relates to the following issue #s:

cc @bhamail / @DarthHater


How I'm testing this?

Currently using the https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project project and running my local build of nancy against it with the -o sarif output option, then dumping to a file and doing some magic incantations necessary for GitHub to be happy (the action will take care of this later).

go list -json -m all | ../nancy/nancy sleuth -o sarif > analysis-data.sarif
gzip -c analysis-data.sarif | base64 |tr -d '\n' | pbcopy

And then this curl command to send the results to my forked repo above

curl --location --request POST 'https://api.github.com/repos/zendern/intentionally-vulnerable-golang-project/code-scanning/sarifs' \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Authorization: token <your github token>' \
--header 'Content-Type: application/json' \
--data-raw '{
"tool_name": "Sonatype Nancy",
"commit_sha": "d027c0472f6ef91aa9ce50674536c2787ca9863b",
"ref": "refs/heads/master",
"sarif": "<paste in big chunk of sarif here>"
}'

If you want to stitch the above together to check it out on your own repo, you should be able to by changing the URL in the curl above.


So what's it look like?

So you can poke around here.

https://github.com/zendern/intentionally-vulnerable-golang-project/security/code-scanning?query=tool%3Anancy

List screen

GitHub alert types can only be one of 4 types: [none, note, warning and error]. I have implemented it as follows:

  • CVSS score > 7 == error (Critical and High)
  • Anything less than that == warning (Medium and Low)

Following the lead here

import "github.com/shopspring/decimal" // decimal library used for CVSS scores (import path assumed)

// CVSS v3 severity thresholds, as decimals so they compare against the score's type.
var (
	nine  = decimal.NewFromInt(9)
	seven = decimal.NewFromInt(7)
	four  = decimal.NewFromInt(4)
)

// scoreAssessment buckets a CVSS base score into the familiar severity labels.
func scoreAssessment(score decimal.Decimal) string {
	if score.GreaterThanOrEqual(nine) {
		return "Critical"
	}
	if score.GreaterThanOrEqual(seven) {
		return "High"
	}
	if score.GreaterThanOrEqual(four) {
		return "Medium"
	}
	return "Low"
}

Outstanding question on this would be: should Low == Note as far as GitHub code scanning goes, or does Warning still make sense to use?

[screenshot: code scanning list screen for intentionally-vulnerable-golang-project, 2021-06-06]

Vulnerability details page

[screenshot: code scanning alert details page (code-scanning/22) for intentionally-vulnerable-golang-project, 2021-06-06]

Looks wise we can probably maybe do better. Markdown support is available in some fields but does have the caveat of once you throw a newline in there Github collapses it and will make you expand before you get them sweet sweet details.

Also something to note: since we do not have full (is transitive deps / actually in go.mod/Gopkg.lock file), I am just pinning the line number of the issue to the first line in the corresponding go.mod/Gopkg.lock file to indicate it's a dependency issue. Does this seem reasonable?
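The two design points above (the CVSS -> SARIF level buckets, and pinning every finding to line 1 of go.mod/Gopkg.lock) as a stand-alone illustration; this is added example code, not the PR's formatter, and it uses float64 scores, a constructed CVE id and a constructed package name rather than nancy's decimal.Decimal type and real output:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mirrors the PR's buckets: CVSS >= 7 (High/Critical) -> "error", everything
// below (Medium/Low) -> "warning". GitHub only accepts none|note|warning|error.
func sarifLevel(cvss float64) string {
	if cvss >= 7 {
		return "error"
	}
	return "warning"
}

// sarifResult builds one SARIF result. Nancy cannot tell which manifest line
// pulled the dependency in, so the location is pinned to line 1 of the manifest.
func sarifResult(id, pkg string, cvss float64, manifest string) map[string]interface{} {
	return map[string]interface{}{
		"ruleId":  id,
		"level":   sarifLevel(cvss),
		"message": map[string]string{"text": fmt.Sprintf("%s: %s (CVSS %.1f)", pkg, id, cvss)},
		"locations": []interface{}{map[string]interface{}{
			"physicalLocation": map[string]interface{}{
				"artifactLocation": map[string]string{"uri": manifest},
				"region":           map[string]int{"startLine": 1},
			},
		}},
	}
}

// sarifLog wraps results in the minimal SARIF 2.1.0 envelope the upload API expects.
func sarifLog(results []map[string]interface{}) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{
		"version": "2.1.0",
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"runs": []interface{}{map[string]interface{}{
			"tool":    map[string]interface{}{"driver": map[string]string{"name": "nancy"}},
			"results": results,
		}},
	}, "", "  ")
}

func main() {
	// Constructed sample finding (not real nancy output), pinned to go.mod line 1.
	out, _ := sarifLog([]map[string]interface{}{sarifResult("CVE-EXAMPLE-0001", "example.com/pkg-a", 9.8, "go.mod")})
	fmt.Println(string(out))
}
```

Switching the sub-4 bucket to "note" is a one-line change in sarifLevel if the Low == Note question is answered that way.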

What's left outstanding?

  • Implement the stubbed out tests
  • Determine if levels are set up appropriately for CVSS score -> GitHub severity
  • Probably some formatting
  • Test it out using github action

@luigigubello

This PR is amazing! It works so fine; I have already written a draft GitHub Action, please merge it 🚀 (thanks for this PR 🙏)

name: Sonatype Nancy alpha

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# upload-sarif only needs to write code-scanning alerts; grant nothing more.
permissions:
  contents: read
  security-events: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code into the Go module directory
      uses: actions/checkout@v2

    - name: Set up Go 1.x in order to write go.list file
      uses: actions/setup-go@v2
      with:
        go-version: ^1.15

    - name: Configure git for private modules
      env:
        ACTOR: ${{ github.actor }}
        TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      run: git config --global url."https://${ACTOR}:${TOKEN}@github.com".insteadOf "https://github.com"

    # Build the PR branch of nancy and generate results.sarif.
    # Not wrapped in echo $(...), so a failed clone or build fails the step;
    # nancy exits non-zero when it finds vulnerabilities, so let the step
    # continue so the upload below still runs.
    - name: Nancy by Zendern
      continue-on-error: true
      run: |
        git clone --branch sarif-output https://github.com/zendern/nancy.git /tmp/nancy
        (cd /tmp/nancy && go build -o nancy .)
        # the binary is in /tmp/nancy, not on PATH
        go list -json -m all | /tmp/nancy/nancy sleuth -o sarif > results.sarif

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif

sonatypecla bot commented Mar 7, 2022

Thanks for the contribution! Unfortunately we can't verify if the committer(s), Tobi Fuhrimann [email protected], signed the CLA because they have not associated their commits with their GitHub user. Please follow these instructions to associate your commits with your GitHub user. Then sign the Sonatype Contributor License Agreement and this Pull Request will be revalidated.

sonarcloud bot commented Aug 3, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bug: A (0 Bugs)
  • Vulnerability: A (0 Vulnerabilities)
  • Security Hotspot: A (0 Security Hotspots)
  • Code Smell: A (3 Code Smells)

No Coverage information
No Duplication information

Successfully merging this pull request may close these issues.

Add SARIF support