in codecatalyst-runner/pkg/workflows/report_processor.go [78:109]
// sarifReportHandler returns a reportHandler that decodes a SARIF document
// from the reader and records its results on report.
//
// The handler behaves as follows:
//   - Input that does not decode as SARIF JSON is logged at debug level and
//     skipped with a nil error. This also swallows a malformed SARIF file from a
//     real scanner: such a report contributes no vulnerabilities and leaves
//     report.Result untouched instead of failing the run.
//   - A document whose $schema basename does not start with "sarif" is ignored
//     silently.
//   - Only results whose kind is unset, "" or "fail" are considered.
//   - Every considered result is appended to report.Vulnerabilities. report.Result
//     is set to ResultFailed only when the result's severity exceeds
//     severityThreshold AND the result carries no suppressions at all; the
//     content of a suppression is not inspected here, so any suppression
//     object, whatever it states, keeps the result from failing the report.
//     NOTE(review): confirm that is the intended policy.
func sarifReportHandler(severityThreshold VulnerabilitySeverity) reportHandler {
	return func(reader io.Reader, report *Report) error {
		parsed := new(sarif.Report)
		if err := json.NewDecoder(reader).Decode(parsed); err != nil {
			// Undecodable input counts as "not a SARIF report", not as an error.
			log.Debug().Err(err).Msgf("Skipping non-sarif report")
			return nil
		}
		if !strings.HasPrefix(path.Base(parsed.Schema), "sarif") {
			return nil
		}
		for _, run := range parsed.Runs {
			for _, res := range run.Results {
				// Skip results whose kind is anything other than unset, "" or "fail".
				if res.Kind != nil && *res.Kind != "" && *res.Kind != "fail" {
					continue
				}
				severity := levelToSeverity(res.Level)
				log.Debug().Msgf("Got result with severity %s (threshold=%s)", severity, severityThreshold)
				// Presence of any suppression, regardless of what it says, prevents failure.
				if severityExceedsThreshold(severityThreshold, severity) && len(res.Suppressions) == 0 {
					report.Result = ResultFailed
				}
				vuln := Vulnerability{
					Severity:     severity,
					RuleID:       safeString(res.RuleID),
					Message:      safeString(res.Message.Text),
					Locations:    convertLocations(res.Locations),
					Suppressions: convertSuppressions(res.Suppressions),
				}
				report.Vulnerabilities = append(report.Vulnerabilities, vuln)
			}
		}
		return nil
	}
}