package vcodeapi
import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)
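// SoftwareCompositionAnalysis represents the <software_composition_analysis>
// section of a Veracode detailed report. The three attributes are kept as the
// raw strings the report emits; callers convert them as needed.
//
// PublishedDate and AppName are not part of this element: ParseSCAReport copies
// them in from the enclosing <detailedreport>. They are tagged xml:"-" so the
// decoder never fills them from a stray child element of the same name (an
// untagged field would otherwise be matched against an element called
// <AppName> or <PublishedDate>).
//
// NOTE(review): VulnerableComponents decodes each <vulnerable_components>
// element itself into a Component. If the report nests one element per library
// inside a single <vulnerable_components> wrapper — the pattern every other
// list in this file uses (<file_paths>/<file_path>, <licenses>/<license>) — the
// tag would have to name the inner element, e.g.
// `xml:"vulnerable_components>component"`. Confirm against a real report.
type SoftwareCompositionAnalysis struct {
	ComponentsViolatedPolicy string      `xml:"components_violated_policy,attr"`
	ThirdPartyComponents     string      `xml:"third_party_components,attr"`
	ViolatePolicy            string      `xml:"violate_policy,attr"`
	VulnerableComponents     []Component `xml:"vulnerable_components"`

	// Filled by ParseSCAReport from <detailedreport>; never decoded from this
	// element.
	PublishedDate string `xml:"-"`
	AppName       string `xml:"-"`
}

// Component is a third-party library identified by SCA. The scalar fields are
// attributes of the component element; the remaining fields are its child
// lists. Every value is kept as the string the report emits (scores, dates and
// the yes/no-looking flags included) so decoding never fails on formatting —
// parse them at the point of use.
type Component struct {
	AddedDate                        string `xml:"added_date,attr"`
	ComponentAffectsPolicyCompliance string `xml:"component_affects_policy_compliance,attr"`
	Description                      string `xml:"description,attr"`
	FileName                         string `xml:"file_name,attr"`
	Library                          string `xml:"library,attr"`
	MaxCvssScore                     string `xml:"max_cvss_score,attr"`
	New                              string `xml:"new,attr"`
	// Sha1 is kept verbatim; presumably the SHA-1 of the scanned artifact —
	// confirm against the report schema before using it to match components
	// against allow/deny lists.
	Sha1    string `xml:"sha1,attr"`
	Vendor  string `xml:"vendor,attr"`
	Version string `xml:"version,attr"`

	FilePaths           FilePaths           `xml:"file_paths"`
	Licenses            Licenses            `xml:"licenses"`
	ViolatedPolicyRules ViolatedPolicyRules `xml:"violated_policy_rules"`
	Vulnerabilities     Vulnerabilities     `xml:"vulnerabilities"`
}

// FilePaths is the <file_paths> wrapper element: a list of <file_path> children.
type FilePaths struct {
	FilePath []FilePath `xml:"file_path"`
}

// FilePath is one location of the third-party component, carried in the
// element's value attribute.
type FilePath struct {
	Value string `xml:"value,attr"`
}

// Licenses is the <licenses> wrapper element: a list of <license> children.
type Licenses struct {
	License []License `xml:"license"`
}

// License is a license associated with a third-party component identified by
// SCA. All four fields are attributes of the <license> element.
type License struct {
	LicenseURL string `xml:"license_url,attr"`
	Name       string `xml:"name,attr"`
	RiskRating string `xml:"risk_rating,attr"`
	SpdxID     string `xml:"spdx_id,attr"`
}

// Vulnerabilities is the <vulnerabilities> wrapper element: a list of
// <vulnerability> children.
type Vulnerabilities struct {
	Vulnerability []Vulnerability `xml:"vulnerability"`
}

// Vulnerability is a CVE associated with a third-party component identified by
// SCA. All fields are attributes of the <vulnerability> element and are kept as
// the strings the report emits (CvssScore and Severity included).
type Vulnerability struct {
	CveID                                string `xml:"cve_id,attr"`
	CveSummary                           string `xml:"cve_summary,attr"`
	CvssScore                            string `xml:"cvss_score,attr"`
	CweID                                string `xml:"cwe_id,attr"`
	Mitigation                           string `xml:"mitigation,attr"`
	Severity                             string `xml:"severity,attr"`
	SeverityDesc                         string `xml:"severity_desc,attr"`
	VulnerabilityAffectsPolicyCompliance string `xml:"vulnerability_affects_policy_compliance,attr"`
}

// ViolatedPolicyRules is the <violated_policy_rules> wrapper element: the list
// of rules violated by the third-party component identified by SCA.
//
// NOTE(review): element names are case-sensitive in encoding/xml, and every
// other element name in this file is lower-case. Confirm the report really
// emits <Policy_rule> and not <policy_rule>; with the wrong case PolicyRule
// silently stays empty and no policy violation is ever surfaced.
type ViolatedPolicyRules struct {
	PolicyRule []PolicyRule `xml:"Policy_rule"`
}

// PolicyRule is a single rule violated by a third-party component identified by
// SCA. All three fields are attributes of the rule element.
//
// The tags used to carry leading whitespace (`xml:" desc,attr"`). That happened
// to work only because encoding/xml treats the text before the first space as
// the namespace (empty here); the tags are now written plainly so the intent is
// unambiguous and survives future decoder changes.
type PolicyRule struct {
	Desc  string `xml:"desc,attr"`
	Type  string `xml:"type,attr"`
	Value string `xml:"value,attr"`
}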
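// ParseSCAReport fetches the detailedreport.do API output for buildID (using
// the credentials in credsFile) and returns its software composition analysis
// section, with PublishedDate and AppName copied in from the surrounding
// <detailedreport> element.
//
// A report without a <software_composition_analysis> element is not an error:
// the returned struct then carries only PublishedDate and AppName. An error is
// returned when the API call fails, when the response is not well-formed XML,
// or when either element fails to decode. The previous version dropped the
// decoder's errors on the floor and returned an empty, nil-error result for a
// truncated or malformed response, which callers could not tell apart from a
// build with no SCA findings.
func ParseSCAReport(credsFile, buildID string) (SoftwareCompositionAnalysis, error) {
	var sca SoftwareCompositionAnalysis

	report, err := detailedReport(credsFile, buildID)
	if err != nil {
		return sca, err
	}

	// The document is scanned twice on purpose: decoding <detailedreport>
	// consumes the whole element, including the SCA section nested inside it,
	// so the SCA struct is decoded from a fresh pass over the same bytes.
	var detRep DetReport
	if _, err := decodeFirstXMLElement(report, "detailedreport", &detRep); err != nil {
		return SoftwareCompositionAnalysis{}, fmt.Errorf("parsing detailed report for build %s: %w", buildID, err)
	}
	if _, err := decodeFirstXMLElement(report, "software_composition_analysis", &sca); err != nil {
		return SoftwareCompositionAnalysis{}, fmt.Errorf("parsing SCA section for build %s: %w", buildID, err)
	}

	// These two values live on the parent report, not on the SCA element.
	sca.PublishedDate = detRep.StaticAnalysis.PublishedDate
	sca.AppName = detRep.AppName
	return sca, nil
}

// decodeFirstXMLElement walks data as a token stream and decodes the first
// start element whose local name is name into v (a pointer to a struct).
// It reports whether such an element was found. Reaching the end of the
// document without a match is not an error; a malformed document or a
// failing DecodeElement is, and is returned rather than swallowed.
//
// encoding/xml does not resolve external entities or DTDs, so feeding it a
// response from the network cannot trigger entity-expansion attacks; the
// whole document is nonetheless held in memory and walked in full.
func decodeFirstXMLElement(data []byte, name string, v interface{}) (bool, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false, nil
		}
		if err != nil {
			return false, fmt.Errorf("reading xml token: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Local != name {
			continue
		}
		if err := dec.DecodeElement(v, &se); err != nil {
			return true, fmt.Errorf("decoding <%s>: %w", name, err)
		}
		return true, nil
	}
}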