diff --git a/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java b/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
index ace09f18..17f47aff 100644
--- a/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
+++ b/src/main/java/com/jfrog/ide/idea/inspections/JFrogSecurityWarning.java
@@ -52,22 +52,30 @@ public JFrogSecurityWarning( this.codeFlows = codeFlows; } - public JFrogSecurityWarning(SarifResult result, SourceCodeScanType reporter) { + public JFrogSecurityWarning(SarifResult result, SourceCodeScanType reporter, Rule rule) { this(getFirstRegion(result).getStartLine() - 1, getFirstRegion(result).getStartColumn() - 1, getFirstRegion(result).getEndLine() - 1, getFirstRegion(result).getEndColumn() - 1, result.getMessage().getText(), - !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : "", + getFilePath(result), result.getRuleId(), getFirstRegion(result).getSnippet().getText(), reporter, - !result.getKind().equals("pass"), + isWarningApplicable(result,rule), Severity.fromSarif(result.getSeverity()), convertCodeFlowsToFindingInfo(result.getCodeFlows()) ); } + private static boolean isWarningApplicable(SarifResult result,Rule rule){ + return !result.getKind().equals("pass") && (rule.getRuleProperties().map(properties -> properties.getApplicability().equals("applicable")).orElse(true)); + } + + private static String getFilePath(SarifResult result){ + return !result.getLocations().isEmpty() ? uriToPath(result.getLocations().get(0).getPhysicalLocation().getArtifactLocation().getUri()) : ""; + } + private static FindingInfo[][] convertCodeFlowsToFindingInfo(List codeFlows) { if (codeFlows == null || codeFlows.isEmpty()) { return null;
@@ -114,3 +122,4 @@ private static String uriToPath(String path) { return Paths.get(URI.create(path)).toString(); } } + 
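Review bot: `isWarningApplicable` evaluates `properties.getApplicability().equals("applicable")`, so a rule entry that has a `properties` object without an `applicability` key (both fields of the new `RuleProperties` are nullable strings) throws a NullPointerException from inside the `this(...)` call and aborts parsing of the entire output; reversing the comparison to `"applicable".equals(properties.getApplicability())` makes the missing value land in the not-applicable branch instead. The rest of the policy deserves a comment on the method, since it is not visible from the expression: a rule with no properties is presumably older scanner output and is kept applicable (`orElse(true)`), while `not_covered` and `undetermined` are presented exactly like a confirmed `not_applicable`, so suggested text is `// No rule properties (older scanner output): keep the finding applicable; any applicability other than "applicable", including not_covered/undetermined, marks it not applicable`. The missing spaces in `result,rule` and `rule){` differ from the surrounding file.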
diff --git a/src/main/java/com/jfrog/ide/idea/scan/ScanBinaryExecutor.java b/src/main/java/com/jfrog/ide/idea/scan/ScanBinaryExecutor.java
index 0908c6b2..8bc206fe 100644
--- a/src/main/java/com/jfrog/ide/idea/scan/ScanBinaryExecutor.java
+++ b/src/main/java/com/jfrog/ide/idea/scan/ScanBinaryExecutor.java
@@ -58,7 +58,7 @@ public abstract class ScanBinaryExecutor { private static final int USER_NOT_ENTITLED = 31; private static final int NOT_SUPPORTED = 13; private static final String SCANNER_BINARY_NAME = "analyzerManager"; - private static final String SCANNER_BINARY_VERSION = "1.6.3"; + private static final String SCANNER_BINARY_VERSION = "1.8.14"; private static final String BINARY_DOWNLOAD_URL = "xsc-gen-exe-analyzer-manager-local/v1/" + SCANNER_BINARY_VERSION; private static final String DOWNLOAD_SCANNER_NAME = "analyzerManager.zip"; private static final String MINIMAL_XRAY_VERSION_SUPPORTED_FOR_ENTITLEMENT = "3.66.0";
@@ -257,10 +257,11 @@ protected boolean isPackageTypeSupported(PackageManagerType type) { return type != null && supportedPackageTypes.contains(type); } - protected List parseOutputSarif(Path outputFile) throws IOException { + protected List parseOutputSarif(Path outputFile) throws IOException,IndexOutOfBoundsException { Output output = getOutputObj(outputFile); List warnings = new ArrayList<>(); - output.getRuns().forEach(run -> run.getResults().stream().filter(SarifResult::isNotSuppressed).forEach(result -> warnings.add(new JFrogSecurityWarning(result, scanType)))); + + output.getRuns().forEach(run -> run.getResults().stream().filter(SarifResult::isNotSuppressed).forEach(result -> warnings.add(new JFrogSecurityWarning(result, scanType, run.getRuleFromRunById(result.getRuleId()))))); Optional run = output.getRuns().stream().findFirst(); if (run.isPresent()) {
diff --git a/src/main/java/com/jfrog/ide/idea/scan/data/Driver.java b/src/main/java/com/jfrog/ide/idea/scan/data/Driver.java
index 74a1dcf7..ed3e33cd 100644
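Review bot: `parseOutputSarif` now aborts on the first result whose `ruleId` has no entry under the run's driver rules, because `run.getRuleFromRunById` throws inside the `forEach`, so every other finding in that output is discarded along with the bad one; failing loudly on malformed scanner output is defensible, but the caller only learns this from the `throws` clause, so add a Javadoc `@throws IndexOutOfBoundsException if a result references a rule id the run's driver does not declare (malformed scanner output)` and decide explicitly whether dropping all findings is the intended outcome. Listing an unchecked exception in `throws IOException,IndexOutOfBoundsException` is unusual for this codebase and is missing the space after the comma. The blank line inserted ahead of the `forEach` chain looks accidental. The rest of the method continues outside the hunk.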
--- a/src/main/java/com/jfrog/ide/idea/scan/data/Driver.java
+++ b/src/main/java/com/jfrog/ide/idea/scan/data/Driver.java
@@ -48,4 +48,12 @@ public boolean equals(Object other) { return (Objects.equals(this.name, rhs.name) && (CollectionUtils.isEqualCollection(this.rules, rhs.rules))); } + public Rule getRuleById(String ruleId) throws IndexOutOfBoundsException { + return rules.stream() + .filter(rule -> rule.getId().equals(ruleId)) + .findFirst() + .orElseThrow(() -> new IndexOutOfBoundsException("Rule not found")); + } + + }
diff --git a/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java b/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
index c0088b0d..31d83609 100644
--- a/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
+++ b/src/main/java/com/jfrog/ide/idea/scan/data/Rule.java
@@ -1,8 +1,8 @@ package com.jfrog.ide.idea.scan.data; import com.fasterxml.jackson.annotation.JsonProperty; - import java.util.Objects; +import java.util.Optional; public class Rule {
@@ -15,6 +15,9 @@ public class Rule { @JsonProperty("fullDescription") private Message fullDescription; + @JsonProperty("properties") + private RuleProperties properties; + public String getId() { return id; }
@@ -43,11 +46,16 @@ public void setFullDescription(Message fullDescription) { this.fullDescription = fullDescription; } + public Optional getRuleProperties() { + return Optional.ofNullable(properties); + } + @Override public int hashCode() { return Objects.hash(id); } + @Override public boolean equals(Object other) { if (other == this) {
@@ -60,3 +68,5 @@ public boolean equals(Object other) { return Objects.equals(this.id, rhs.id); } } + +
diff --git a/src/main/java/com/jfrog/ide/idea/scan/data/RuleProperties.java b/src/main/java/com/jfrog/ide/idea/scan/data/RuleProperties.java
new file mode 100644
index 00000000..cae90d1d
--- /dev/null
+++ b/src/main/java/com/jfrog/ide/idea/scan/data/RuleProperties.java
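Review bot: `getRuleById` signals a lookup miss with `IndexOutOfBoundsException`, which names a list-index error rather than an unknown id, and the message `"Rule not found"` omits the id needed to diagnose malformed scanner output; `.orElseThrow(() -> new IllegalArgumentException("Rule '" + ruleId + "' not declared by driver " + name))` (or `NoSuchElementException`) describes the actual condition, although changing the type also touches the `throws` clause of `parseOutputSarif` and the `assertThrows` in `ScanBinaryExecutorTest`. `rule.getId().equals(ruleId)` throws a NullPointerException for a rule entry without an `id`; `Objects.equals(rule.getId(), ruleId)` (Objects is already used in the `equals` method just above) handles that. The two blank lines added before the closing brace look accidental.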
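Review bot: `getRuleProperties` is a new public accessor with no Javadoc, and its contract — an empty Optional when the SARIF rule entry carries no `properties` object, which the caller treats as a default rather than an error — is not evident from the one-line body; suggested doc is `/** Scanner-supplied properties for this rule, or empty when the rule entry has no "properties" object. */`. The extra blank line before the second `@Override` and the two blank lines appended at end of file look accidental.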
@@ -0,0 +1,15 @@
+package com.jfrog.ide.idea.scan.data;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
+
+@Getter
+public class RuleProperties {
+
+ @JsonProperty("conclusion")
+ private String conclusion;
+
+ @JsonProperty("applicability")
+ private String applicability;
+
+}
diff --git a/src/main/java/com/jfrog/ide/idea/scan/data/Run.java b/src/main/java/com/jfrog/ide/idea/scan/data/Run.java
index 53e36272..71b32e76 100644
--- a/src/main/java/com/jfrog/ide/idea/scan/data/Run.java
+++ b/src/main/java/com/jfrog/ide/idea/scan/data/Run.java
@@ -39,6 +39,10 @@ public List getResults() { return results; } + public Rule getRuleFromRunById(String ruleId) { + return this.getTool().getDriver().getRuleById(ruleId); + } + public void setResults(List results) { this.results = results; }
diff --git a/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java b/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
index 16481044..5b170789 100644
--- a/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
+++ b/src/test/java/com/jfrog/ide/idea/scan/ScanBinaryExecutorTest.java
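Review bot: `applicability` is a free-form string that `JFrogSecurityWarning.isWarningApplicable` compares against the literal `"applicable"`, so a misspelled or newly introduced value silently demotes a finding to not applicable, and nothing in this file says which values to expect; a comment on the field such as `// Scanner-reported applicability seen in the fixtures: "applicable", "not_applicable", "not_covered", "undetermined"; only "applicable" keeps a finding applicable` closes that gap, and an enum with an explicit unknown fallback would make it checkable at the cost of a larger change. The class and `conclusion` also lack Javadoc, and both fields are null whenever the scanner omits the key, which callers should expect.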
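Review bot: `getRuleFromRunById` dereferences `this.getTool().getDriver()` without a null check, so a run object that lacks a `tool` or `driver` section fails with a NullPointerException rather than the `IndexOutOfBoundsException` that `parseOutputSarif` declares and the new test expects; `Objects.requireNonNull(getTool(), "tool")` and the same for the driver (with `java.util.Objects` imported) keeps the failure explicit. A one-line Javadoc such as `/** Resolves the driver rule referenced by a result's ruleId; throws if the run's driver does not declare it. */` would document the exception path. Whether `Run` already imports `Objects` is not visible in the hunk.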
@@ -15,15 +15,16 @@ import java.util.List; import static com.jfrog.ide.common.utils.Utils.createYAMLMapper; +import static org.junit.Assert.assertThrows; /** * @author tala **/ public class ScanBinaryExecutorTest extends TestCase { private final ScanBinaryExecutor scanner = new ApplicabilityScannerExecutor(new NullLog()); + private final Path FAULTY_OUTPUT = new File("src/test/resources/sourceCode/faulty_output.sarif").toPath(); private final Path SIMPLE_OUTPUT = new File("src/test/resources/sourceCode/simple_output.sarif").toPath(); - private final Path NOT_APPLIC_OUTPUT = new File("src/test/resources/sourceCode/not_applic_output.sarif").toPath(); - + private final Path APPLIC_KIND_PASS_AND_FAIL_OUTPUT = new File("src/test/resources/sourceCode/applicable_kind_pass_output.sarif").toPath(); public void testInputBuilder() throws IOException { ScanConfig.Builder inputFileBuilder = new ScanConfig.Builder(); Path inputPath = null; 
@@ -70,21 +71,34 @@ public void testSarifParser() throws IOException { assertEquals(73, parsedOutput.get(1).getColEnd()); } - public void testSarifParserNotApplicResults() throws IOException { - List parsedOutput = scanner.parseOutputSarif(NOT_APPLIC_OUTPUT); - assertEquals(4, parsedOutput.size()); - // 2 known applicable results (code evidence returned) + public void testSarifParserWithMissingRole() throws IndexOutOfBoundsException { + assertThrows(IndexOutOfBoundsException.class,() -> scanner.parseOutputSarif(FAULTY_OUTPUT)); + } + + public void testSarifParserApplicResultsWithKindPassAndFail() throws IOException { + List parsedOutput = scanner.parseOutputSarif(APPLIC_KIND_PASS_AND_FAIL_OUTPUT); + assertEquals(6, parsedOutput.size()); + //Not Applicable with kind pass assertEquals("applic_CVE-2022-25878", parsedOutput.get(0).getRuleID()); - assertTrue(parsedOutput.get(0).isApplicable()); - assertEquals("CVE-2022-25978", parsedOutput.get(1).getRuleID()); + assertFalse(parsedOutput.get(0).isApplicable()); + //Applicable with kind pass + assertEquals("applic_CVE-2022-25978", parsedOutput.get(1).getRuleID()); assertTrue(parsedOutput.get(1).isApplicable()); - // 2 known no-applicable results (have a scanner but no code evidence returned) + //Not applicable with kind pass and no properties assertEquals("applic_CVE-2021-25878", parsedOutput.get(2).getRuleID()); assertFalse(parsedOutput.get(2).isApplicable()); + //Applicable with kind fail assertEquals("applic_CVE-2022-29019", parsedOutput.get(3).getRuleID()); - assertFalse(parsedOutput.get(3).isApplicable()); + assertTrue(parsedOutput.get(3).isApplicable()); + //Not applicable as its not_covered + assertEquals("applic_CVE-2022-29004", parsedOutput.get(4).getRuleID()); + assertFalse(parsedOutput.get(4).isApplicable()); + //Not applicable as its undetermined + assertEquals("applic_CVE-2022-29014", parsedOutput.get(5).getRuleID()); + assertFalse(parsedOutput.get(5).isApplicable()); } + public void 
testGetBinaryDownloadURL() { final String externalRepoName = "test-releases-repo"; final String expectedExternalRepoUrl = "test-releases-repo/artifactory/xsc-gen-exe-analyzer-manager-local/";
diff --git a/src/test/resources/sourceCode/applicable_kind_pass_output.sarif b/src/test/resources/sourceCode/applicable_kind_pass_output.sarif
new file mode 100644
index 00000000..e32d5554
--- /dev/null
+++ b/src/test/resources/sourceCode/applicable_kind_pass_output.sarif
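Review bot: `testSarifParserWithMissingRole` misnames the case it covers (a missing rule, so `testSarifParserWithMissingRule`), and its `throws IndexOutOfBoundsException` clause is redundant because `assertThrows` catches that exception. The comments on the first two expectations say "with kind pass", but the first two results in `applicable_kind_pass_output.sarif` carry no `kind` field and are decided by the rule's `applicability` alone, so `//Not applicable: rule applicability is not_applicable` and `//Applicable: rule applicability is applicable` would match the fixture. `assertThrows` is imported from `org.junit.Assert` while the class still extends `TestCase`; this compiles when JUnit 4 is on the test classpath but mixes two test styles in one class.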
@@ -0,0 +1,178 @@ +{ + "runs": [ + { + "tool": { + "driver": { + "name": "JFrog Applicability Scanner", + "rules": [ + { + "id": "applic_CVE-2022-25878", + "properties": { + "conclusion": "positive", + "applicability": "not_applicable" + }, + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", + "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-25878" + } + }, + { + "id": "applic_CVE-2022-25978", + "properties": { + "conclusion": "negative", + "applicability": "applicable" + }, + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-25978" + } + }, + { + "id": "applic_CVE-2021-25878", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", + "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2021-25878" + } + }, + { + "id": "applic_CVE-2022-29019", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." 
+ }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29019" + } + }, + { + "id": "applic_CVE-2022-29004", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29004" + }, "properties": { + "conclusion": "positive", + "applicability": "not_covered" + } + }, + { + "id": "applic_CVE-2022-29014", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29014" + }, "properties": { + "conclusion": "positive", + "applicability": "undetermined" + } + } + ], + "version": "APPLIC_SCANNERv0.2.0" + } + }, + "invocations": [ + { + "executionSuccessful": true, + "arguments": [ + "scan" + ], + "workingDirectory": { + "uri": "" + } + } + ], + "results": [ + { + "message": { + "text": "The vulnerable function protobufjs.load is called" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///examples/applic-demo/index.js" + }, + "region": { + "endColumn": 17, + "endLine": 20, + "snippet": { + "text": "protobuf.parse(p)" + }, + "startColumn": 0, + "startLine": 20 + } + } + } + ], + "ruleId": "applic_CVE-2022-25878" + }, + { + "message": { + "text": "The vulnerable function protobufjs.parse is called." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///examples/applic-demo/index.js" + }, + "region": { + "endColumn": 73, + "endLine": 22, + "snippet": { + "text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })" + }, + "startColumn": 0, + "startLine": 18 + } + } + } + ], + "ruleId": "applic_CVE-2022-25978" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2021-25878" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "kind": "fail", + "ruleId": "applic_CVE-2022-29019" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29004" + }, + {"message": { + "text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29014" + } + ] + } + ], + "version": "2.1.0", + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json" +} \ No newline at end of file diff --git a/src/test/resources/sourceCode/faulty_output.sarif b/src/test/resources/sourceCode/faulty_output.sarif new file mode 100644 index 00000000..c6753151 --- /dev/null +++ b/src/test/resources/sourceCode/faulty_output.sarif 
@@ -0,0 +1,184 @@ +{ + "runs": [ + { + "tool": { + "driver": { + "name": "JFrog Applicability Scanner", + "rules": [ + { + "id": "applic_CVE-2022-25878", + "properties": { + "conclusion": "positive", + "applicability": "not_applicable" + }, + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", + "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-25878" + } + }, + { + "id": "applic_CVE-2022-25978", + "properties": { + "conclusion": "negative", + "applicability": "applicable" + }, + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-25978" + } + }, + { + "id": "applic_CVE-2021-25878", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", + "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2021-25878" + } + }, + { + "id": "applic_CVE-2022-29019", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." 
+ }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29019" + } + }, + { + "id": "applic_CVE-2022-29004", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29004" + }, "properties": { + "conclusion": "positive", + "applicability": "not_covered" + } + }, + { + "id": "applic_CVE-2022-29014", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", + "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." + }, + "shortDescription": { + "text": "Scanner for applic_CVE-2022-29014" + }, "properties": { + "conclusion": "positive", + "applicability": "undetermined" + } + } + ], + "version": "APPLIC_SCANNERv0.2.0" + } + }, + "invocations": [ + { + "executionSuccessful": true, + "arguments": [ + "scan" + ], + "workingDirectory": { + "uri": "" + } + } + ], + "results": [ + { + "message": { + "text": "The vulnerable function protobufjs.load is called" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///examples/applic-demo/index.js" + }, + "region": { + "endColumn": 17, + "endLine": 20, + "snippet": { + "text": "protobuf.parse(p)" + }, + "startColumn": 0, + "startLine": 20 + } + } + } + ], + "ruleId": "applic_CVE-2022-25878" + }, + { + "message": { + "text": "The vulnerable function protobufjs.parse is called." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///examples/applic-demo/index.js" + }, + "region": { + "endColumn": 73, + "endLine": 22, + "snippet": { + "text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })" + }, + "startColumn": 0, + "startLine": 18 + } + } + } + ], + "ruleId": "applic_CVE-2022-25978" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2021-25878" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "kind": "fail", + "ruleId": "applic_CVE-2022-29019" + }, + { + "message": { + "text": "The scanner checks whether the vulnerable function `call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29004" + }, + {"message": { + "text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29014" + }, + {"message": { + "text": "The scanner checks whether the vulnerable function `not-call-all-ansi` is called." + }, + "kind": "pass", + "ruleId": "applic_CVE-2022-29614" + } + ] + } + ], + "version": "2.1.0", + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json" +} \ No newline at end of file diff --git a/src/test/resources/sourceCode/not_applic_output.sarif b/src/test/resources/sourceCode/not_applic_output.sarif deleted file mode 100644 index 38792e4d..00000000 --- a/src/test/resources/sourceCode/not_applic_output.sarif +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "runs": [ - { - "tool": { - "driver": { - "name": "JFrog Applicability Scanner", - "rules": [ - - { - "id": "applic_CVE-2022-25878", - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", - "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." - }, - "shortDescription": { - "text": "Scanner for CVE-2020-28502" - } - }, - { - "id": "CVE-2022-25978", - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", - "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." - }, - "shortDescription": { - "text": "Scanner for CVE-2020-5310" - } - }, - { - "id": "applic_CVE-2021-25878", - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `pem.Decode` is called.", - "markdown": "The scanner checks whether the vulnerable function `pem.Decode` is called." - }, - "shortDescription": { - "text": "Scanner for CVE-2020-28502" - } - }, - { - "id": "applic_CVE-2022-29019", - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used.", - "markdown": "The scanner checks whether the vulnerable function `org.apache.xmlbeans.XmlObject.Factory.parse` is called or an interface that extends `org.apache.xmlbeans.XmlObject` is used." 
- }, - "shortDescription": { - "text": "Scanner for CVE-2020-5310" - } - } - - ], - "version": "APPLIC_SCANNERv0.2.0" - } - }, - "invocations": [ - { - "executionSuccessful": true, - "arguments": [ - "scan" - ], - "workingDirectory": { - "uri": "" - } - } - ], - "results": [ - { - "message": { - "text": "The vulnerable function protobufjs.load is called" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///examples/applic-demo/index.js" - }, - "region": { - "endColumn": 17, - "endLine": 20, - "snippet": { - "text": "protobuf.parse(p)" - }, - "startColumn": 0, - "startLine": 20 - } - } - } - ], - "ruleId": "applic_CVE-2022-25878" - }, - { - "message": { - "text": "The vulnerable function protobufjs.parse is called." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///examples/applic-demo/index.js" - }, - "region": { - "endColumn": 73, - "endLine": 22, - "snippet": { - "text": "protobuf.load(\"/path/to/untrusted.proto\", function(err, root) { return })" - }, - "startColumn": 0, - "startLine": 18 - } - } - } - ], - "ruleId": "CVE-2022-25978" - }, - { - "message": { - "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." - }, - "kind": "pass", - "ruleId": "applic_CVE-2021-25878" - }, - { - "message": { - "text": "The scanner checks whether the vulnerable function `ansi-regex` is called." - }, - "kind": "pass", - "ruleId": "applic_CVE-2022-29019" - } - ] - } - ], - "version": "2.1.0", - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/cos02/schemas/sarif-schema-2.1.0.json" -} \ No newline at end of file