diff --git a/xray/formats/simplejsonapi.go b/xray/formats/simplejsonapi.go
index 5a2aa1ff1..e547e09c8 100644
--- a/xray/formats/simplejsonapi.go
+++ b/xray/formats/simplejsonapi.go
@@ -101,7 +101,7 @@ type CveRow struct {
 }
 type Applicability struct {
- Status bool `json:"status"`
+ Status string `json:"status"`
 ScannerDescription string `json:"scannerDescription,omitempty"`
 Evidence []Evidence `json:"evidence,omitempty"`
 }
diff --git a/xray/utils/resultstable.go b/xray/utils/resultstable.go
index 108e200f9..49b124791 100644
--- a/xray/utils/resultstable.go
+++ b/xray/utils/resultstable.go
@@ -89,8 +89,10 @@ func prepareViolations(violations []services.Violation, extendedResults *Extende
 case "security":
 cves := convertCves(violation.Cves)
 applicableValue := getApplicableCveValue(extendedResults, cves)
- for _, cve := range cves {
- cve.Applicability = getCveApplicability(cve, extendedResults.ApplicabilityScanResults)
+ if extendedResults.EntitledForJas {
+ for i := range cves {
+ cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults)
+ }
 }
 currSeverity := GetSeverity(violation.Severity, applicableValue)
 jfrogResearchInfo := convertJfrogResearchInformation(violation.ExtendedInformation)
@@ -209,8 +211,10 @@ func prepareVulnerabilities(vulnerabilities []services.Vulnerability, extendedRe
 }
 cves := convertCves(vulnerability.Cves)
 applicableValue := getApplicableCveValue(extendedResults, cves)
- for _, cve := range cves {
- cve.Applicability = getCveApplicability(cve, extendedResults.ApplicabilityScanResults)
+ if extendedResults.EntitledForJas {
+ for i := range cves {
+ cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults)
+ }
 }
 currSeverity := GetSeverity(vulnerability.Severity, applicableValue)
 jfrogResearchInfo := convertJfrogResearchInformation(vulnerability.ExtendedInformation)
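Review bot: Changing `Status` from `bool` to `string` alters the wire format of the `status` field in the simple-json output, and the new field carries no doc comment saying which values it holds, so a consumer that still decodes `status` as a JSON boolean will now fail. Add `// Status is the string form of an ApplicabilityStatus (Applicable, NotApplicable or ApplicabilityUndetermined), as filled in by getCveApplicability.` above the field and call the format change out in the release notes. The Applicability struct is fully inside the hunk.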
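Review bot: The five added lines under `applicableValue := getApplicableCveValue(extendedResults, cves)` are duplicated verbatim in this hunk and in the `@@ -209` hunk of prepareVulnerabilities; a small helper holding the `EntitledForJas` gate and the index loop would keep the two call sites from drifting. The switch to `for i := range cves` also fixes the earlier copy-on-range bug where `cve.Applicability` was assigned on a throwaway copy, which is presumably why the JAS fields never reached the output. Note that with getCveApplicability now returning a non-nil Undetermined value, every CVE of an entitled scan carries an Applicability object even when ApplicabilityScanResults is empty; if that is intended, a one-line comment on the `if` saying so would help. Both enclosing functions start and end outside their hunks.
```go
// setCvesApplicability fills in the per-CVE JAS applicability, but only when the scan was entitled to run it.
func setCvesApplicability(cves []formats.CveRow, extendedResults *ExtendedScanResults) {
	if !extendedResults.EntitledForJas {
		return
	}
	for i := range cves {
		cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults)
	}
}

// … in prepareViolations and prepareVulnerabilities, replacing the gated loop …
applicableValue := getApplicableCveValue(extendedResults, cves)
setCvesApplicability(cves, extendedResults)
```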
@@ -928,37 +932,39 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form
 return ApplicabilityUndetermined
 }
-func getCveApplicability(cve formats.CveRow, applicabilityScanResults []*sarif.Run) (applicability *formats.Applicability) {
- if len(applicabilityScanResults) == 0 {
- return nil
- }
+func getCveApplicability(cve formats.CveRow, applicabilityScanResults []*sarif.Run) *formats.Applicability {
+ applicability := &formats.Applicability{Status: string(ApplicabilityUndetermined)}
 for _, applicabilityRun := range applicabilityScanResults {
- description := ""
- if relatedRule, _ := applicabilityRun.GetRuleById(CveToApplicabilityRuleId(cve.Id)); relatedRule != nil {
- description = GetRuleFullDescription(relatedRule)
- }
- relatedResult, _ := applicabilityRun.GetResultByRuleId(CveToApplicabilityRuleId(cve.Id))
- if relatedResult == nil {
+ foundResult, _ := applicabilityRun.GetResultByRuleId(CveToApplicabilityRuleId(cve.Id))
+ if foundResult == nil {
 continue
 }
- // Set applicable details
- applicability = &formats.Applicability{
- Status: isApplicableResult(relatedResult),
- ScannerDescription: description,
+ applicability = &formats.Applicability{}
+ if isApplicableResult(foundResult) {
+ applicability.Status = string(Applicable)
+ } else {
+ applicability.Status = string(NotApplicable)
 }
+
+ foundRule, _ := applicabilityRun.GetRuleById(CveToApplicabilityRuleId(cve.Id))
+ if foundRule != nil {
+ applicability.ScannerDescription = GetRuleFullDescription(foundRule)
+ }
+
+ // Add new evidences from locations
- for _, location := range relatedResult.Locations {
+ for _, location := range foundResult.Locations {
 applicability.Evidence = append(applicability.Evidence, formats.Evidence{
 SourceCodeLocationRow: formats.SourceCodeLocationRow{
 File: GetLocationFileName(location),
 LineColumn: GetStartLocationInFile(location),
 Snippet: GetLocationSnippet(location),
 },
- Reason: GetResultMsgText(relatedResult),
+ Reason: GetResultMsgText(foundResult),
 })
 }
+ break
 }
- return
+ return applicability
 }
 func printApplicableCveValue(applicableValue ApplicabilityStatus, isTable bool) string {
diff --git a/xray/utils/resultstable_test.go b/xray/utils/resultstable_test.go
index 8dad92cef..7ed50f24f 100644
--- a/xray/utils/resultstable_test.go
+++ b/xray/utils/resultstable_test.go
@@ -462,7 +462,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 },
 cves: []services.Cve{{Id: "testCve2"}},
 expectedResult: Applicable,
- expectedCves: []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: true}}},
+ expectedCves: []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}},
 },
 {
 scanResults: &ExtendedScanResults{
@@ -490,7 +490,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 },
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 expectedResult: NotApplicable,
- expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: false}}},
+ expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(NotApplicable)}}},
 },
 {
 scanResults: &ExtendedScanResults{
@@ -504,7 +504,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 },
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 expectedResult: Applicable,
- expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: true}}},
+ expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}},
 },
 {
 scanResults: &ExtendedScanResults{
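Review bot: `CveToApplicabilityRuleId(cve.Id)` is computed twice per run (once for `GetResultByRuleId`, again for `GetRuleById`), and both calls discard their error with `_` without a comment saying why a lookup failure is safe to treat as "no result"; hoist `ruleId := CveToApplicabilityRuleId(cve.Id)` above the loop, pass `ruleId` to both calls, and either handle the errors or annotate the blanks. The new `break` makes the first run that has a result for the rule win, whereas the removed code re-assigned `applicability` on every match and so kept the last one; that is fine if runs are disjoint per rule, but evidence from later runs is now dropped, so a `// first run reporting this rule wins` comment would make it deliberate. The function also still has no doc comment; `// getCveApplicability derives the JAS applicability of cve from applicabilityScanResults, defaulting to ApplicabilityUndetermined when no run reports the CVE's rule.` would do. The whole function is inside the hunk.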
@@ -514,7 +514,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 EntitledForJas: true},
 cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 expectedResult: ApplicabilityUndetermined,
- expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2"}},
+ expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2"}},
 },
 }