From ef4f36423ae30785b793980df0b89082ee88fd0d Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 15 May 2024 18:28:12 +0200 Subject: [PATCH] Add SARIF Taxonomy Support (#727) * add sarif support --- .github/workflows/docgenerator.yml | 4 ++ tools/generate_masvs_sarif.py | 64 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 tools/generate_masvs_sarif.py diff --git a/.github/workflows/docgenerator.yml b/.github/workflows/docgenerator.yml index b25cc3edf..6f2321bf3 100644 --- a/.github/workflows/docgenerator.yml +++ b/.github/workflows/docgenerator.yml @@ -34,6 +34,9 @@ jobs: - name: Generate CycloneDX JSON run: python3 ./tools/generate_masvs_cyclonedx.py + - name: Generate SARIF + run: python3 ./tools/generate_masvs_sarif.py + - name: Upload Artifacts uses: actions/upload-artifact@v3 with: @@ -61,5 +64,6 @@ jobs: OWASP_MASVS.epub OWASP_MASVS.yaml OWASP_MASVS.cdx.json + OWASP_MASVS.sarif env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/tools/generate_masvs_sarif.py b/tools/generate_masvs_sarif.py new file mode 100644 index 000000000..afcb06905 --- /dev/null +++ b/tools/generate_masvs_sarif.py @@ -0,0 +1,64 @@ +import yaml +import json +from datetime import datetime + +MASVS_SARIF_GUID = "77cf1749-d61e-4cfe-98f7-a217e3b5448c" + +# Re-examining the YAML content for structure +masvs_parsed = yaml.safe_load(open("OWASP_MASVS.yaml")) +version = masvs_parsed["metadata"]["version"] +if version.startswith("v"): + version = version[1:] +current_date_str = datetime.now().strftime("%Y-%m-%d") + +# Creating a new SARIF template for the corrected conversion +sarif_corrected_template = { + "$schema": "http://json.schemastore.org/sarif-2.1.0", + "version": "2.1.0", + "runs": [{ + "tool": { + "driver": { + "name": "OWASP MASVS", + "fullName": "OWASP Mobile Application Security Verification Standard (MASVS)", + "version": version, + "releaseDateUtc": current_date_str, + "organization": "OWASP", + "informationUri": "https://mas.owasp.org/MASVS/", + "downloadUri": "https://github.com/OWASP/owasp-masvs/releases" + } + }, + "taxonomies": [{ + "name": "OWASP MASVS", + "guid": MASVS_SARIF_GUID, + "isComprehensive": True, + "taxa": [] + }] + }] +} + +# Counter to ensure we capture the total number of controls +total_controls_count = 0 + +# Iterating through groups and their controls +for group in masvs_parsed.get("groups", []): + for control in group.get("controls", []): + total_controls_count += 1 + taxa_element = { + "id": control["id"], + "name": control.get("id", ""), + "shortDescription": { + "text": control.get("statement", "") + }, + "fullDescription": { + "text": control.get("description", "") + } + } + sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"].append(taxa_element) + +# Verify the total number of taxa elements matches the total number of controls +total_taxa_count = len(sarif_corrected_template["runs"][0]["taxonomies"][0]["taxa"]) + +# Save the correctly populated SARIF output +sarif_corrected_output_path = 'OWASP_MASVS.sarif' +with open(sarif_corrected_output_path, 'w') as file: + json.dump(sarif_corrected_template, file, indent=2)