added test for ecr scan with cvss findings w/ burnettk

sartography · Aug 20, 2024 · 96aedec · 96aedec
1 parent d9b9888
commit 96aedec
Show file tree

Hide file tree

Showing 6 changed files with 4,325 additions and 598 deletions.
diff --git a/.github/workflows/test_ecr_scan.yml b/.github/workflows/test_ecr_scan.yml
@@ -33,28 +33,28 @@ jobs:
         run: |
           pip install -r wait-for-ecr-scan-and-get-sarif/requirements.txt
 
-      # - name: Run the Python script to convert ECR scan to SARIF
-      #   shell: bash
-      #   run: |
-      #     python wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py \
-      #       --input_file wait-for-ecr-scan-and-get-sarif/tests/ecr-scan-result-ubuntu.json \
-      #       --output_file report.sarif
+      - name: Run the Python script to convert ECR scan to SARIF
+        shell: bash
+        run: |
+          python wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py \
+            --input_file wait-for-ecr-scan-and-get-sarif/tests/ecr-scan-result-ubuntu.json \
+            --output_file report.sarif
       # - name: Run the Python script to convert ECR scan to SARIF
       #   shell: bash
       #   run: |
       #     python wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py \
       #       --input_file wait-for-ecr-scan-and-get-sarif/tests/ecr-scan-result-no-findings.json \
       #       --output_file report.sarif
-      #
-      # - name: Upload SARIF report as artifact
-      #   uses: actions/upload-artifact@v4
-      #   with:
-      #     name: sarif-report
-      #     path: report.sarif
+
+      - name: Upload SARIF report as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-report
+          path: report.sarif
 
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@v3
         with:
-          # sarif_file: report.sarif
-          sarif_file: "wait-for-ecr-scan-and-get-sarif/tests/bad-ecr-repot.sarif"
+          sarif_file: report.sarif
+          # sarif_file: "wait-for-ecr-scan-and-get-sarif/tests/bad-ecr-repot.sarif"
           category: security
diff --git a/wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py b/wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py
@@ -94,7 +94,7 @@ def process_findings(findings, is_enhanced=False):
                 if len(cvss) > 0:
                     base_score = cvss[0]["baseScore"]
                     if base_score is not None:
-                        properties["security-severity"] = base_score
+                        properties["security-severity"] = str(base_score)
                         properties["precision"] = "very-high"
 
                 rule = {
@@ -142,7 +142,7 @@ def process_findings(findings, is_enhanced=False):
                     None,
                 )
                 if base_score is not None:
-                    properties["security-severity"] = base_score
+                    properties["security-severity"] = str(base_score)
                     properties["precision"] = "very-high"
 
                 rule = {

diff --git a/wait-for-ecr-scan-and-get-sarif/test_aws_scan_findings_to_sarif.py b/wait-for-ecr-scan-and-get-sarif/test_aws_scan_findings_to_sarif.py
@@ -6,6 +6,12 @@
 from pylib.aws_scan_findings_to_sarif import convert_to_sarif
 
 
+# these tests take response json from the AWS scan result API and run our code
+# to convert them to sarif. the test then compares that result to a known good
+# sarif output that we created manually and committed to this repo.
+# so basically a regression test.
+
+
 def test_convert_to_sarif_minimal_ecr_scan():
     base_dir = os.path.dirname(os.path.abspath(__file__))
     sample_file_path = os.path.join(base_dir, "tests/ecr-scan-result-minimal.json")
@@ -52,3 +58,21 @@ def test_convert_to_sarif_when_no_findings():
 
     sarif_report = convert_to_sarif(ecr_response)
     assert sarif_report == expected_response
+
+
+def test_convert_to_sarif_with_cvss():
+    base_dir = os.path.dirname(os.path.abspath(__file__))
+    sample_file_path = os.path.join(
+        base_dir, "tests/ecr-scan-result-with-cvss-scores.json"
+    )
+    with open(sample_file_path, "r") as f:
+        ecr_response = json.load(f)
+
+    expected_output_file_path = os.path.join(
+        base_dir, "tests/ecr-scan-result-with-cvss-scores-expected-sarif.json"
+    )
+    with open(expected_output_file_path, "r") as f:
+        expected_response = json.load(f)
+
+    sarif_report = convert_to_sarif(ecr_response)
+    assert sarif_report == expected_response