#!/usr/bin/env python import argparse import json import sarif_cli.traverse as S import re import sys import collections parser = argparse.ArgumentParser(description='summary of results') parser.add_argument('file', metavar='sarif-file', type=str, help='input file, - for stdin') parser.add_argument('-s', '--list-source', metavar='srcroot', type=str, help='list source snippets using srcroot as sarif SRCROOT') parser.add_argument('-r', '--related-locations', action="store_true", help='list related locations like "hides [parameter](1)"') parser.add_argument('-e', '--endpoints-only', action="store_true", help='only list source and sink, dropping the path. Identical, successive source/sink pairs are combined') # TODO mutually exclusive options parser.add_argument('-c', '--csv', action="store_true", help='output csv instead of human-readable summary') args = parser.parse_args() with open(args.file, 'r') if args.file != '-' else sys.stdin as fp: sarif_struct = json.load(fp) if args.csv: cw = S.get_csv_writer() if not S.is_sarif_struct(sarif_struct): if args.csv: S.write_csv(cw, "ERROR", "invalid json contents %s", args.file) else: S.msg("ERROR: invalid json contents in %s\n" % (args.file)) S.dbg("invalid json contents in %s\n" % (args.file)) sys.exit(0) # No failure, just a warning for runi in S.indices(sarif_struct, 'runs'): num_results = len(S.get(sarif_struct, 'runs', runi, 'results')) if num_results == 0: continue # for resi in S.indices(sarif_struct, 'runs', runi, 'results'): result = S.get(sarif_struct, 'runs', runi, 'results', resi) if 'locations' in result: # Non-path problems # TODO: just pull out the uri, not the artifact message, artifact, region = S.get_location_message_info(result) if region == S.WholeFile: l1, c1, l2, c2 = -1, -1, -1, -1 else: l1, c1, l2, c2 = S.lineinfo(region) filepath = "%s:%d:%d:%d:%d" % (artifact['uri'], l1, c1, l2, c2) if args.csv: S.write_csv(cw, "result", artifact['uri'], l1, c1, l2, c2, message) else: S.msg("RESULT: %s: %s\n" % (filepath, message)) if region != S.WholeFile and args.list_source: lines = S.load_lines(args.list_source, artifact['uri'], l1, l2) if args.csv: pass else: for line, line_num in zip(lines, range(l1, l2+1)): S.display_underlined(l1, c1, l2, c2, line, line_num) if args.related_locations: relatedLocations = result.get('relatedLocations', None) if type(relatedLocations) == list: # Linking is explicit in output, so no need to get id(s) from message string. for relo in relatedLocations: message, artifact, region = S.get_relatedlocation_message_info(relo) if artifact == S.NoFile: if args.csv: S.write_csv(cw, "result", "", -1, -1, -1, -1, message) else: S.msg("REFERENCE: %s: %s\n" % ("", message)) else: if region == S.WholeFile: l1, c1, l2, c2 = -1, -1, -1, -1 else: l1, c1, l2, c2 = S.lineinfo(region) filepath = "%s:%d:%d:%d:%d" % (artifact['uri'], l1, c1, l2, c2) if args.csv: S.write_csv(cw, "result", artifact['uri'], l1, c1, l2, c2, message) else: S.msg("REFERENCE: %s: %s\n" % (filepath, message)) if args.list_source: lines = S.load_lines(args.list_source, artifact['uri'], l1, l2) if args.csv: pass else: for line, line_num in zip(lines, range(l1, l2+1)): S.display_underlined(l1, c1, l2, c2, line, line_num) if 'codeFlows' in result: # Path problems last_codeFlow = None for codefi in S.indices(result, 'codeFlows'): codeFlow = S.get(result, 'codeFlows', codefi) if args.csv: S.write_csv(cw, "path", codefi) else: S.msg("PATH %d\n" % codefi) for threadi in S.indices(codeFlow, 'threadFlows'): threadFlow = S.get(codeFlow, 'threadFlows', threadi) if args.endpoints_only: # # Pick the range to list only the endpoints (source/sink) of a threadFlow. # t1 = S.indices(threadFlow, 'locations') location_range = [t1[0], t1[-1]] # # If the previous path had the same (source,sink) pair, # we don't need to repeat it. # if (last_codeFlow and ( S.get(last_codeFlow, 'threadFlows', threadi, 'locations', 0) == S.get(codeFlow, 'threadFlows', threadi, 'locations', 0)) and ( S.get(last_codeFlow, 'threadFlows', threadi, 'locations', -1) == S.get(codeFlow, 'threadFlows', threadi, 'locations', -1))): continue else: location_range = S.indices(threadFlow, 'locations') for loci in location_range: location = S.get(threadFlow, 'locations', loci, 'location') message, artifact, region = S.get_relatedlocation_message_info(location) if artifact == S.NoFile: if args.csv: S.write_csv(cw, "flow_step", loci, "", -1, -1, -1, -1, message) else: S.msg("FLOW STEP %d: %s: %s\n" % (loci, "", message)) else: if region == S.WholeFile: l1, c1, l2, c2 = -1, -1, -1, -1 else: l1, c1, l2, c2 = S.lineinfo(region) filepath = "%s:%d:%d:%d:%d" % (artifact['uri'], l1, c1, l2, c2) if args.csv: S.write_csv(cw, "flow_step", loci, artifact['uri'], l1, c1, l2, c2, message) else: S.msg("FLOW STEP %d: %s: %s\n" % (loci, filepath, message)) if args.list_source: lines = S.load_lines(args.list_source, artifact['uri'], l1, l2) if args.csv: pass else: for line, line_num in zip(lines, range(l1, l2+1)): S.display_underlined(l1, c1, l2, c2, line, line_num) last_codeFlow = codeFlow if args.csv: pass else: S.msg("\n")