Add sarif output for action integration

Author: GriffinMB

lib/mix/tasks/sobelow.ex

@@ -107,6 +107,11 @@ defmodule Mix.Tasks.Sobelow do
 
   @aliases [v: :verbose, r: :root, i: :ignore, d: :details, f: :format]
 
+  # For escript entry
+  def main(argv) do
+    run(argv)
+  end
+
   def run(argv) do
     {opts, _, _} = OptionParser.parse(argv, aliases: @aliases, switches: @switches)
 

lib/sobelow.ex

@@ -135,13 +135,16 @@ defmodule Sobelow do
 
   defp print_output() do
     details =
-      case format() do
+      case output_format() do
         "json" ->
           FindingLog.json(@v)
 
         "quiet" ->
           FindingLog.quiet()
 
+        "sarif" ->
+          FindingLog.sarif(@v)
+
         _ ->
           nil
       end
@@ -195,7 +198,7 @@ defmodule Sobelow do
     if is_nil(mod) do
       MixIO.error("A valid module was not selected.")
     else
-      apply(mod, :details, [])
+      apply(mod, :details, []) |> IO.ANSI.Docs.print([])
     end
   end
 
@@ -206,7 +209,7 @@ defmodule Sobelow do
   def log_finding(details, %Finding{} = finding) do
     if loggable?(finding.fingerprint, finding.confidence) do
       Fingerprint.put(finding.fingerprint)
-      FindingLog.add(details, finding.confidence)
+      FindingLog.add({details, finding}, finding.confidence)
     end
   end
 
@@ -217,7 +220,19 @@ defmodule Sobelow do
 
   def all_details() do
     @submodules
-    |> Enum.each(&apply(&1, :details, []))
+    |> Enum.map(&apply(&1, :details, []))
+    |> List.flatten()
+    |> Enum.each(&IO.ANSI.Docs.print(&1, []))
+  end
+
+  def rules() do
+    @submodules
+    |> Enum.flat_map(&apply(&1, :rules, []))
+  end
+
+  def finding_modules() do
+    @submodules
+    |> Enum.flat_map(&apply(&1, :finding_modules, []))
   end
 
   def save_config(conf_file) do
@@ -261,6 +276,13 @@ defmodule Sobelow do
   end
 
   def format() do
+    case get_env(:format) do
+      "sarif" -> "json"
+      format -> format
+    end
+  end
+
+  def output_format() do
     get_env(:format)
   end
 

lib/sobelow/ci.ex

@@ -26,6 +26,6 @@ defmodule Sobelow.CI do
   end
 
   def details() do
-    IO.ANSI.Docs.print(@moduledoc, [])
+    @moduledoc
   end
 end

lib/sobelow/ci/os.ex

@@ -1,6 +1,8 @@
 defmodule Sobelow.CI.OS do
+  @uid 1
+  @finding_type "CI.OS: Command Injection in `:os.cmd`"
+
   use Sobelow.Finding
-  @finding_type "Command Injection in `:os.cmd`"
 
   def run(fun, meta_file) do
     confidence = if !meta_file.is_controller?, do: :low

lib/sobelow/ci/system.ex

@@ -1,6 +1,8 @@
 defmodule Sobelow.CI.System do
+  @uid 2
+  @finding_type "CI.System: Command Injection in `System.cmd`"
+
   use Sobelow.Finding
-  @finding_type "Command Injection in `System.cmd`"
 
   def run(fun, meta_file) do
     confidence = if !meta_file.is_controller?, do: :low

lib/sobelow/config/csp.ex

@@ -28,9 +28,12 @@ defmodule Sobelow.Config.CSP do
       $ mix sobelow -i Config.CSP
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 3
   @finding_type "Config.CSP: Missing Content-Security-Policy"
 
+  use Sobelow.Finding
+
   def run(router) do
     meta_file = Parse.ast(router) |> Parse.get_meta_funs()
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
@@ -100,6 +103,7 @@ defmodule Sobelow.Config.CSP do
       finding
       | vuln_source: :put_secure_browser_headers,
         vuln_line_no: Parse.get_fun_line(plug),
+        vuln_col_no: Parse.get_fun_column(plug),
         fun_source: pipeline,
         fun_name: pipeline_name,
         confidence: confidence

lib/sobelow/config/csrf.ex

@@ -18,9 +18,12 @@ defmodule Sobelow.Config.CSRF do
       $ mix sobelow -i Config.CSRF
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 5
   @finding_type "Config.CSRF: Missing CSRF Protections"
 
+  use Sobelow.Finding
+
   def run(router) do
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
 
@@ -38,6 +41,7 @@ defmodule Sobelow.Config.CSRF do
       finding
       | vuln_source: pipeline_name,
         vuln_line_no: Parse.get_fun_line(pipeline),
+        vuln_col_no: Parse.get_fun_column(pipeline),
         fun_source: pipeline,
         fun_name: pipeline_name,
         confidence: :high

lib/sobelow/config/csrf_route.ex

@@ -24,10 +24,13 @@ defmodule Sobelow.Config.CSRFRoute do
   """
 
   alias Sobelow.Parse
+
+  @uid 4
+  @finding_type "Config.CSRFRoute: CSRF via Action Reuse"
+
   use Sobelow.Finding
 
   @state_changing_methods [:post, :put, :patch, :delete]
-  @finding_type "Config.CSRFRoute: CSRF via Action Reuse"
 
   def run(router) do
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
@@ -65,6 +68,7 @@ defmodule Sobelow.Config.CSRFRoute do
       finding
       | vuln_source: fun,
         vuln_line_no: Parse.get_fun_line(fun),
+        vuln_col_no: Parse.get_fun_column(fun),
         fun_name: get_action(fun),
         confidence: :high
     }

lib/sobelow/config/cswh.ex

@@ -13,9 +13,11 @@ defmodule Sobelow.Config.CSWH do
 
       $ mix sobelow -i Config.CSWH
   """
-  use Sobelow.Finding
+  @uid 6
   @finding_type "Config.CSWH: Cross-Site Websocket Hijacking"
 
+  use Sobelow.Finding
+
   def run(endpoint) do
     Parse.ast(endpoint)
     |> Parse.get_funs_of_type(:socket)
@@ -58,6 +60,7 @@ defmodule Sobelow.Config.CSWH do
         finding
         | vuln_source: :highlight_all,
           vuln_line_no: Parse.get_fun_line(socket),
+          vuln_col_no: Parse.get_fun_column(socket),
           fun_source: socket
       }
       |> Finding.fetch_fingerprint()

lib/sobelow/config/headers.ex

@@ -16,9 +16,12 @@ defmodule Sobelow.Config.Headers do
       $ mix sobelow -i Config.Headers
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 7
   @finding_type "Config.Headers: Missing Secure Browser Headers"
 
+  use Sobelow.Finding
+
   def run(router) do
     finding = Finding.init(@finding_type, Utils.normalize_path(router))
 
@@ -36,6 +39,7 @@ defmodule Sobelow.Config.Headers do
       finding
       | vuln_source: pipeline_name,
         vuln_line_no: Parse.get_fun_line(pipeline),
+        vuln_col_no: Parse.get_fun_column(pipeline),
         fun_source: pipeline,
         fun_name: pipeline_name,
         confidence: :high

lib/sobelow/config/hsts.ex

@@ -11,9 +11,12 @@ defmodule Sobelow.Config.HSTS do
       $ mix sobelow -i Config.HSTS
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 8
   @finding_type "Config.HSTS: HSTS Not Enabled"
 
+  use Sobelow.Finding
+
   def run(dir_path, configs) do
     Enum.each(configs, fn conf ->
       path = dir_path <> conf
@@ -41,6 +44,7 @@ defmodule Sobelow.Config.HSTS do
         fun_source: nil,
         vuln_source: reason,
         vuln_line_no: 0,
+        vuln_col_no: 0,
         confidence: :medium
       }
       |> Finding.fetch_fingerprint()

lib/sobelow/config/https.ex

@@ -13,9 +13,12 @@ defmodule Sobelow.Config.HTTPS do
       $ mix sobelow -i Config.HTTPS
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 9
   @finding_type "Config.HTTPS: HTTPS Not Enabled"
 
+  use Sobelow.Finding
+
   def run(dir_path, configs) do
     path = dir_path <> "prod.exs"
 
@@ -43,6 +46,7 @@ defmodule Sobelow.Config.HTTPS do
         fun_source: nil,
         vuln_source: reason,
         vuln_line_no: 0,
+        vuln_col_no: 0,
         confidence: :high
       }
       |> Finding.fetch_fingerprint()

lib/sobelow/config/secrets.ex

@@ -15,9 +15,12 @@ defmodule Sobelow.Config.Secrets do
       $ mix sobelow -i Config.Secrets
   """
   alias Sobelow.Config
-  use Sobelow.Finding
+
+  @uid 10
   @finding_type "Config.Secrets: Hardcoded Secret"
 
+  use Sobelow.Finding
+
   def run(dir_path, configs) do
     Enum.each(configs, fn conf ->
       path = dir_path <> conf
@@ -60,7 +63,7 @@ defmodule Sobelow.Config.Secrets do
   def is_env_var?(_), do: false
 
   defp add_finding(file, line_no, fun, key, val) do
-    vuln_line_no = get_vuln_line(file, line_no, val)
+    {vuln_line_no, vuln_line_col} = get_vuln_line(file, line_no, val)
 
     finding =
       %Finding{
@@ -69,6 +72,7 @@ defmodule Sobelow.Config.Secrets do
         fun_source: fun,
         vuln_source: :highlight_all,
         vuln_line_no: vuln_line_no,
+        vuln_col_no: vuln_line_col,
         confidence: :high
       }
       |> Finding.fetch_fingerprint()
@@ -117,7 +121,8 @@ defmodule Sobelow.Config.Secrets do
 
   defp get_vuln_line({:@, _, [{:sobelow_secret, _, _}]} = ast, acc) do
     line_no = Parse.get_fun_line(ast)
-    {ast, [line_no | acc]}
+    line_col = Parse.get_fun_column(ast)
+    {ast, [{line_no, line_col} | acc]}
   end
 
   defp get_vuln_line(ast, acc), do: {ast, acc}

lib/sobelow/dos/binary_to_atom.ex

@@ -11,10 +11,11 @@ defmodule Sobelow.DOS.BinToAtom do
 
       $ mix sobelow -i DOS.BinToAtom
   """
-  use Sobelow.Finding
-
+  @uid 11
   @finding_type "DOS.BinToAtom: Unsafe atom interpolation"
 
+  use Sobelow.Finding
+
   def run(fun, meta_file) do
     confidence = if !meta_file.is_controller?, do: :low
 

lib/sobelow/dos/list_to_atom.ex

@@ -11,9 +11,11 @@ defmodule Sobelow.DOS.ListToAtom do
 
       $ mix sobelow -i DOS.ListToAtom
   """
-  use Sobelow.Finding
+  @uid 12
   @finding_type "DOS.ListToAtom: Unsafe `List.to_atom`"
 
+  use Sobelow.Finding
+
   def run(fun, meta_file) do
     confidence = if !meta_file.is_controller?, do: :low
 

lib/sobelow/dos/string_to_atom.ex

@@ -11,9 +11,11 @@ defmodule Sobelow.DOS.StringToAtom do
 
       $ mix sobelow -i DOS.StringToAtom
   """
-  use Sobelow.Finding
+  @uid 13
   @finding_type "DOS.StringToAtom: Unsafe `String.to_atom`"
 
+  use Sobelow.Finding
+
   def run(fun, meta_file) do
     confidence = if !meta_file.is_controller?, do: :low