3 * Copyright (C) 2009-2023 SonarSource SA
4 * mailto:info AT sonarsource DOT com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 3 of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 package org.sonar.scanner.externalissue.sarif;
22 import java.nio.file.Path;
23 import java.util.Arrays;
24 import java.util.Collections;
25 import java.util.HashMap;
26 import java.util.List;
29 import java.util.stream.Collectors;
30 import org.slf4j.Logger;
31 import org.slf4j.LoggerFactory;
32 import org.sonar.api.CoreProperties;
33 import org.sonar.api.batch.sensor.SensorContext;
34 import org.sonar.api.batch.sensor.SensorDescriptor;
35 import org.sonar.api.config.Configuration;
36 import org.sonar.api.config.PropertyDefinition;
37 import org.sonar.api.resources.Qualifiers;
38 import org.sonar.api.scanner.ScannerSide;
39 import org.sonar.api.scanner.sensor.ProjectSensor;
40 import org.sonar.core.sarif.Sarif210;
41 import org.sonar.core.sarif.SarifSerializer;
44 public class SarifIssuesImportSensor implements ProjectSensor {
46 private static final Logger LOG = LoggerFactory.getLogger(SarifIssuesImportSensor.class);
47 static final String SARIF_REPORT_PATHS_PROPERTY_KEY = "sonar.sarifReportPaths";
49 private final SarifSerializer sarifSerializer;
50 private final Sarif210Importer sarifImporter;
51 private final Configuration config;
53 public SarifIssuesImportSensor(SarifSerializer sarifSerializer, Sarif210Importer sarifImporter, Configuration config) {
54 this.sarifSerializer = sarifSerializer;
55 this.sarifImporter = sarifImporter;
59 public static List<PropertyDefinition> properties() {
60 return Collections.singletonList(
61 PropertyDefinition.builder(SARIF_REPORT_PATHS_PROPERTY_KEY)
62 .name("SARIF report paths")
63 .description("List of comma-separated paths (absolute or relative) containing a SARIF report with issues created by external rule engines.")
64 .category(CoreProperties.CATEGORY_EXTERNAL_ISSUES)
65 .onQualifiers(Qualifiers.PROJECT)
70 public void describe(SensorDescriptor descriptor) {
71 descriptor.name("Import external issues report from SARIF file.")
72 .onlyWhenConfiguration(c -> c.hasKey(SARIF_REPORT_PATHS_PROPERTY_KEY));
76 public void execute(SensorContext context) {
77 Set<String> reportPaths = loadReportPaths();
78 Map<String, SarifImportResults> filePathToImportResults = new HashMap<>();
80 for (String reportPath : reportPaths) {
82 SarifImportResults sarifImportResults = processReport(context, reportPath);
83 filePathToImportResults.put(reportPath, sarifImportResults);
84 } catch (Exception exception) {
85 LOG.warn("Failed to process SARIF report from file '{}', error: '{}'", reportPath, exception.getMessage());
88 filePathToImportResults.forEach(SarifIssuesImportSensor::displayResults);
91 private Set<String> loadReportPaths() {
92 return Arrays.stream(config.getStringArray(SARIF_REPORT_PATHS_PROPERTY_KEY)).collect(Collectors.toSet());
95 private SarifImportResults processReport(SensorContext context, String reportPath) {
96 LOG.debug("Importing SARIF issues from '{}'", reportPath);
97 Path reportFilePath = context.fileSystem().resolvePath(reportPath).toPath();
98 Sarif210 sarifReport = sarifSerializer.deserialize(reportFilePath);
99 return sarifImporter.importSarif(sarifReport);
102 private static void displayResults(String filePath, SarifImportResults sarifImportResults) {
103 if (sarifImportResults.getFailedRuns() > 0 && sarifImportResults.getSuccessFullyImportedRuns() > 0) {
104 LOG.warn("File {}: {} run(s) could not be imported (see warning above) and {} run(s) successfully imported ({} vulnerabilities in total).",
105 filePath, sarifImportResults.getFailedRuns(), sarifImportResults.getSuccessFullyImportedRuns(), sarifImportResults.getSuccessFullyImportedIssues());
107 } else if (sarifImportResults.getFailedRuns() > 0) {
108 LOG.warn("File {}: {} run(s) could not be imported (see warning above).",
109 filePath, sarifImportResults.getFailedRuns());
111 LOG.info("File {}: {} run(s) successfully imported ({} vulnerabilities in total).",
112 filePath, sarifImportResults.getSuccessFullyImportedRuns(), sarifImportResults.getSuccessFullyImportedIssues());