ZupIT/horusec

Return Rule ID in result JSON

anthturner opened this issue · 4 comments

What would you like to be added:

Add the rule ID from the scanner tool to the JSON output.

For example, if you look at the 'Hard-coded credential' entry in docs at https://docs.horusec.io/docs/cli/analysis-tools/open-source-horusec-engine/horusec-leaks/#potential-hard-coded-credential ...
There is a rule ID of HS-LEAKS-25 which should be included as a part of the JSON output.

The JSON output today looks like:

{
  "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
  "analysisID": "cd12860e-f484-414b-8652-68584252c53d",
  "createdAt": "2022-01-19T19:10:05.048634-05:00",
  "vulnerabilities": {
    "vulnerabilityID": "b8c34379-b111-46bb-b70a-b4c83685e40b",
    "line": "61",
    "column": "17",
    "confidence": "MEDIUM",
    "file": "<<REDACTED>>",
    "code": "\"TemporaryURLSecretKey\": \"xxxxxxxxxxxxxxxxxxxxxxxx\",",
    "details": "Potential Hard-coded credential\nThe software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.",
    "securityTool": "HorusecEngine",
    "language": "Leaks",
    "severity": "CRITICAL",
    "type": "Vulnerability",
    "commitAuthor": "-",
    "commitEmail": "-",
    "commitHash": "-",
    "commitMessage": "-",
    "commitDate": "-",
    "vulnHash": "33eae5313b0c63372d36ee3e5351b08303e9696c65f9e36c77a67bee03e56186"
  }
}

The "details" attribute is the closest here, but in many cases these detail texts include parts of the code, making them difficult to group by. There are no other fields which can be used to correlate error types (including vulnerabilityId, which does not serve this purpose).

Why is this needed:

Programmatically providing more information for vulnerabilities can be done when using the JSON output by making the IDs consistent with the IDs in the docs.

Extra points for including something which can be converted into the anchor in the docs. For example, the sample noted above might have #potential-hard-coded-credential somewhere (or similar). This way, we can link the JSON report items directly to further information and samples!

Hi @anthturner, thanks for your suggestion. This is a good suggestion. It's very simple to implement, btw: basically we need to replace json:"-" with json:"rule_id" in the Vulnerability struct definition. If you would like to contribute to this issue, I would be happy to help. Otherwise we will implement it soon.

Extra points for including something which can be converted into the anchor in the docs. For example, the sample noted above might have #potential-hard-coded-credential somewhere (or similar). This way, we can link the JSON report items directly to further information and samples!

This is a very good suggestion too. Maybe we can add a new field to the vulnerability object, like "tags", and put some names in it that could be easily searched.
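Putting the two halves of the thread together in code: the struct-tag change on the producer side that the maintainer describes, and on the consumer side the grouping by rule and the docs-anchor lookup the issue asks for. This is an added example, not code from Horusec or horusec-devkit. The Vulnerability struct below is a trimmed stand-in for the devkit type, the slug rule behind DocsAnchor is an assumption that merely reproduces the one anchor quoted in the issue, and the sample report (including the placeholder rule HS-EXAMPLE-1) is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Vulnerability is a constructed stand-in for the devkit struct discussed in this
// issue (not the project's real definition), trimmed to the fields used here. The
// RuleID tag is the one-line change the maintainer describes: json:"-" keeps the
// field out of the report, json:"rule_id" emits it.
type Vulnerability struct {
	VulnerabilityID string `json:"vulnerabilityID"`
	Line            string `json:"line"`
	Details         string `json:"details"`
	Severity        string `json:"severity"`
	RuleID          string `json:"rule_id"` // was json:"-"
}

// LegacyVulnerability keeps the old tag so the difference is visible in output.
type LegacyVulnerability struct {
	Details string `json:"details"`
	RuleID  string `json:"-"` // dropped by encoding/json whatever its value
}

// AnalysisVulnerability mirrors one element of the report array quoted in the issue.
type AnalysisVulnerability struct {
	VulnerabilityID string        `json:"vulnerabilityID"`
	AnalysisID      string        `json:"analysisID"`
	Vulnerabilities Vulnerability `json:"vulnerabilities"`
}

// RuleTitle returns the first line of "details" (the rule title) without the
// code-dependent remainder that makes the whole string useless as a group key.
func RuleTitle(details string) string {
	if i := strings.IndexByte(details, '\n'); i >= 0 {
		details = details[:i]
	}
	return strings.TrimSpace(details)
}

var nonAlnum = regexp.MustCompile(`[^a-z0-9]+`)

// DocsAnchor slugs a title into the form of the docs anchor quoted in the issue
// ("Potential Hard-coded credential" -> "potential-hard-coded-credential").
// The slug rule is an assumption that reproduces that anchor, not taken from the docs.
func DocsAnchor(title string) string {
	return strings.Trim(nonAlnum.ReplaceAllString(strings.ToLower(title), "-"), "-")
}

// GroupByRule buckets entries by rule_id so one rule firing on different code
// (hence with different details text) lands in a single group. Entries from
// reports written before the field existed fall back to the details title.
func GroupByRule(items []AnalysisVulnerability) map[string][]AnalysisVulnerability {
	groups := make(map[string][]AnalysisVulnerability)
	for _, it := range items {
		k := it.Vulnerabilities.RuleID
		if k == "" {
			k = "title:" + RuleTitle(it.Vulnerabilities.Details)
		}
		groups[k] = append(groups[k], it)
	}
	return groups
}

// HasRuleID reports whether a marshaled entry carries the rule_id key at all.
func HasRuleID(b []byte) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(b, &m); err != nil {
		return false
	}
	_, ok := m["rule_id"]
	return ok
}

// SampleReport is constructed input: two HS-LEAKS-25 hits whose details differ
// only in the quoted code, plus one hit of a placeholder rule (HS-EXAMPLE-1 is
// made up for this example, not a real Horusec rule).
const SampleReport = `[
 {"vulnerabilityID":"00000000-0000-0000-0000-000000000000","analysisID":"a1","vulnerabilities":{"vulnerabilityID":"v1","line":"61","severity":"CRITICAL","rule_id":"HS-LEAKS-25",
  "details":"Potential Hard-coded credential\nHard-coded value in \"TemporaryURLSecretKey\"."}},
 {"vulnerabilityID":"00000000-0000-0000-0000-000000000000","analysisID":"a1","vulnerabilities":{"vulnerabilityID":"v2","line":"88","severity":"CRITICAL","rule_id":"HS-LEAKS-25",
  "details":"Potential Hard-coded credential\nHard-coded value in \"ApiToken\"."}},
 {"vulnerabilityID":"00000000-0000-0000-0000-000000000000","analysisID":"a1","vulnerabilities":{"vulnerabilityID":"v3","line":"12","severity":"LOW","rule_id":"HS-EXAMPLE-1",
  "details":"Example rule title\nConstructed finding."}}
]`

func main() {
	var items []AnalysisVulnerability
	if err := json.Unmarshal([]byte(SampleReport), &items); err != nil {
		panic(err)
	}
	for k, g := range GroupByRule(items) {
		fmt.Printf("%s: %d hit(s), docs anchor #%s\n", k, len(g), DocsAnchor(RuleTitle(g[0].Vulnerabilities.Details)))
	}
	old, _ := json.Marshal(LegacyVulnerability{Details: "x", RuleID: "HS-LEAKS-25"})
	fmt.Println("with json:\"-\":", string(old)) // rule_id is absent
}
```

Running it prints one line per rule group (Go map order is random, so the order varies) and then the legacy struct's JSON, which contains no rule_id key no matter what the field holds. The title fallback in GroupByRule only works because the first line of "details" is the rule name while the code fragment lives further down; once rule_id is present it should be preferred, since titles can be edited in the docs while IDs are meant to stay stable.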

PR is put in at ZupIT/horusec-devkit#152

(just the field, not the tags 😄 )

ZupIT/horusec-devkit#152 was merged. We will generate a new release for devkit with this implementation. I'll keep this issue open until then. Thanks for your contribution @anthturner