2116e702df
New sarif-formatter.mjs converts scan envelope to OASIS SARIF 2.1.0 standard. Maps severity to SARIF levels, findings to results with locations and rules. scan-orchestrator accepts --format sarif|json (default: json). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
129 lines
3.3 KiB
JavaScript
129 lines
3.3 KiB
JavaScript
// sarif-formatter.mjs — Converts scan-orchestrator envelope to SARIF 2.1.0
|
|
// OASIS SARIF standard: https://docs.oasis-open.org/sarif/sarif/v2.1.0/
|
|
// Zero external dependencies.
|
|
|
|
const SARIF_SCHEMA = 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json';
|
|
const SARIF_VERSION = '2.1.0';
|
|
const TOOL_NAME = 'llm-security';
|
|
const TOOL_URI = 'https://git.fromaitochitta.com/open/claude-code-llm-security';
|
|
|
|
/**
|
|
* Map finding severity to SARIF level.
|
|
* @param {string} severity - critical|high|medium|low|info
|
|
* @returns {string} SARIF level: error|warning|note
|
|
*/
|
|
function toLevel(severity) {
|
|
switch (severity) {
|
|
case 'critical':
|
|
case 'high':
|
|
return 'error';
|
|
case 'medium':
|
|
return 'warning';
|
|
case 'low':
|
|
case 'info':
|
|
default:
|
|
return 'note';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Build SARIF rules array from unique finding scanner+title combos.
|
|
* @param {object[]} findings
|
|
* @returns {{ rules: object[], ruleIndex: Map<string, number> }}
|
|
*/
|
|
function buildRules(findings) {
|
|
const ruleIndex = new Map();
|
|
const rules = [];
|
|
|
|
for (const f of findings) {
|
|
const ruleId = `${f.scanner}/${f.title.replace(/\s+/g, '-').toLowerCase()}`;
|
|
if (!ruleIndex.has(ruleId)) {
|
|
ruleIndex.set(ruleId, rules.length);
|
|
rules.push({
|
|
id: ruleId,
|
|
name: f.title,
|
|
shortDescription: { text: f.title },
|
|
fullDescription: { text: f.description || f.title },
|
|
defaultConfiguration: { level: toLevel(f.severity) },
|
|
properties: {
|
|
tags: f.owasp ? [f.owasp] : [],
|
|
},
|
|
});
|
|
}
|
|
}
|
|
|
|
return { rules, ruleIndex };
|
|
}
|
|
|
|
/**
|
|
* Convert scan-orchestrator envelope JSON to SARIF 2.1.0 format.
|
|
* @param {object} envelopeData - The full scan-orchestrator output
|
|
* @param {string} [version='6.0.0'] - Tool version
|
|
* @returns {object} SARIF 2.1.0 JSON
|
|
*/
|
|
export function toSARIF(envelopeData, version = '6.0.0') {
|
|
// Collect all findings from all scanners
|
|
const allFindings = [];
|
|
if (envelopeData.scanners) {
|
|
for (const scannerResult of Object.values(envelopeData.scanners)) {
|
|
if (scannerResult.findings) {
|
|
allFindings.push(...scannerResult.findings);
|
|
}
|
|
}
|
|
}
|
|
|
|
const { rules, ruleIndex } = buildRules(allFindings);
|
|
|
|
// Build SARIF results
|
|
const results = allFindings.map(f => {
|
|
const ruleId = `${f.scanner}/${f.title.replace(/\s+/g, '-').toLowerCase()}`;
|
|
const result = {
|
|
ruleId,
|
|
ruleIndex: ruleIndex.get(ruleId),
|
|
level: toLevel(f.severity),
|
|
message: { text: f.description || f.title },
|
|
properties: {},
|
|
};
|
|
|
|
// Add OWASP tags
|
|
if (f.owasp) {
|
|
result.properties.tags = [f.owasp];
|
|
}
|
|
|
|
// Add recommendation
|
|
if (f.recommendation) {
|
|
result.properties.recommendation = f.recommendation;
|
|
}
|
|
|
|
// Add location if file is present
|
|
if (f.file) {
|
|
const location = {
|
|
physicalLocation: {
|
|
artifactLocation: { uri: f.file },
|
|
},
|
|
};
|
|
if (f.line) {
|
|
location.physicalLocation.region = { startLine: f.line };
|
|
}
|
|
result.locations = [location];
|
|
}
|
|
|
|
return result;
|
|
});
|
|
|
|
return {
|
|
$schema: SARIF_SCHEMA,
|
|
version: SARIF_VERSION,
|
|
runs: [{
|
|
tool: {
|
|
driver: {
|
|
name: TOOL_NAME,
|
|
version,
|
|
informationUri: TOOL_URI,
|
|
rules,
|
|
},
|
|
},
|
|
results,
|
|
}],
|
|
};
|
|
}
|