feat(whitesourceExecuteStep) Unified audit format of vulnerabilities in SARIF file for whitesource (#4465)

* Unified audit state for whitesource step

* reverted unrelated to pr changes

* go fmt

* Fixed tests and formating

* fixed format issue in whitesource/reporting.go

---------

Co-authored-by: sumeet patil <[email protected]>

Author: andrew-kireev

cmd/whitesourceExecuteScan.go

@@ -46,6 +46,7 @@ type whitesource interface {
 	GetProjectVulnerabilityReport(projectToken string, format string) ([]byte, error)
 	GetProjectAlerts(projectToken string) ([]ws.Alert, error)
 	GetProjectAlertsByType(projectToken, alertType string) ([]ws.Alert, error)
+	GetProjectIgnoredAlertsByType(projectToken string, alertType string) ([]ws.Alert, error)
 	GetProjectLibraryLocations(projectToken string) ([]ws.Library, error)
 	GetProjectHierarchy(projectToken string, includeInHouse bool) ([]ws.Library, error)
 }
@@ -511,6 +512,14 @@ func checkPolicyViolations(ctx context.Context, config *ScanOptions, scan *ws.Sc
 		if err != nil {
 			return piperutils.Path{}, fmt.Errorf("failed to retrieve project policy alerts from WhiteSource: %w", err)
 		}
+
+		ignoredAlerts, err := sys.GetProjectIgnoredAlertsByType(project.Token, "REJECTED_BY_POLICY_RESOURCE")
+		if err != nil {
+			return piperutils.Path{}, fmt.Errorf("failed to retrieve project policy ignored alerts from WhiteSource: %w", err)
+		}
+
+		alerts = append(alerts, ignoredAlerts...)
+
 		policyViolationCount += len(alerts)
 		allAlerts = append(allAlerts, alerts...)
 	}
@@ -802,6 +811,13 @@ func checkProjectSecurityViolations(config *ScanOptions, cvssSeverityLimit float
 		return 0, alerts, assessedAlerts, fmt.Errorf("failed to retrieve project alerts from WhiteSource: %w", err)
 	}
 
+	ignoredAlerts, err := sys.GetProjectIgnoredAlertsByType(project.Token, "SECURITY_VULNERABILITY")
+	if err != nil {
+		return 0, alerts, assessedAlerts, fmt.Errorf("failed to retrieve project ignored alerts from WhiteSource: %w", err)
+	}
+
+	alerts = append(alerts, ignoredAlerts...)
+
 	// filter alerts related to existing assessments
 	filteredAlerts := []ws.Alert{}
 	if assessments != nil && len(*assessments) > 0 {
@@ -887,6 +903,14 @@ func aggregateVersionWideVulnerabilities(config *ScanOptions, utils whitesourceU
 			if err != nil {
 				return errors.Wrapf(err, "failed to get project alerts by type")
 			}
+
+			ignoredAlerts, err := sys.GetProjectIgnoredAlertsByType(project.Token, "SECURITY_VULNERABILITY")
+			if err != nil {
+				return errors.Wrapf(err, "failed to get project ignored alerts by type")
+			}
+
+			alerts = append(alerts, ignoredAlerts...)
+
 			log.Entry().Infof("Found project: %s with %v vulnerabilities.", project.Name, len(alerts))
 			versionWideAlerts = append(versionWideAlerts, alerts...)
 		}

cmd/whitesourceExecuteScan_test.go

@@ -1,6 +1,3 @@
-//go:build unit
-// +build unit
-
 package cmd
 
 import (

pkg/whitesource/reporting.go

@@ -211,6 +211,8 @@ func CreateSarifResultFile(scan *Scan, alerts *[]Alert) *format.SARIF {
 		partialFingerprints := new(format.PartialFingerprints)
 		partialFingerprints.PackageURLPlusCVEHash = base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v+%v", alert.Library.ToPackageUrl().ToString(), alert.Vulnerability.Name)))
 		result.PartialFingerprints = *partialFingerprints
+		result.Properties = getAuditInformation(alert)
+
 		//append the result
 		sarif.Runs[0].Results = append(sarif.Runs[0].Results, result)
 
@@ -268,6 +270,37 @@ func CreateSarifResultFile(scan *Scan, alerts *[]Alert) *format.SARIF {
 	return &sarif
 }
 
+func getAuditInformation(alert Alert) *format.SarifProperties {
+	unifiedAuditState := "new"
+	auditMessage := ""
+	isAudited := false
+
+	// unified audit state
+	switch alert.Status {
+	case "OPEN":
+		unifiedAuditState = "new"
+	case "IGNORE":
+		unifiedAuditState = "notRelevant"
+		auditMessage = alert.Comments
+	}
+
+	if alert.Assessment != nil {
+		unifiedAuditState = string(alert.Assessment.Status)
+		auditMessage = string(alert.Assessment.Analysis)
+	}
+
+	if unifiedAuditState == string(format.Relevant) ||
+		unifiedAuditState == string(format.NotRelevant) {
+		isAudited = true
+	}
+
+	return &format.SarifProperties{
+		Audited:           isAudited,
+		ToolAuditMessage:  auditMessage,
+		UnifiedAuditState: unifiedAuditState,
+	}
+}
+
 func transformToLevel(cvss2severity, cvss3severity string) string {
 	cvssseverity := consolidateSeverities(cvss2severity, cvss3severity)
 	switch cvssseverity {

pkg/whitesource/reporting_test.go

@@ -336,3 +336,69 @@ func TestVulnerabilityScore(t *testing.T) {
 		assert.Equalf(t, test.expected, vulnerabilityScore(test.alert), "run %v failed", i)
 	}
 }
+
+func TestGetAuditInformation(t *testing.T) {
+	tt := []struct {
+		name     string
+		alert    Alert
+		expected *format.SarifProperties
+	}{
+		{
+			name: "New not audited alert",
+			alert: Alert{
+				Status: "OPEN",
+			},
+			expected: &format.SarifProperties{
+				Audited:           false,
+				ToolAuditMessage:  "",
+				UnifiedAuditState: "new",
+			},
+		},
+		{
+			name: "Audited alert",
+			alert: Alert{
+				Status:   "IGNORE",
+				Comments: "Not relevant alert",
+			},
+			expected: &format.SarifProperties{
+				Audited:           true,
+				ToolAuditMessage:  "Not relevant alert",
+				UnifiedAuditState: "notRelevant",
+			},
+		},
+		{
+			name: "Alert with incorrect status",
+			alert: Alert{
+				Status:   "Not correct",
+				Comments: "Some comment",
+			},
+			expected: &format.SarifProperties{
+				Audited:           false,
+				ToolAuditMessage:  "",
+				UnifiedAuditState: "new",
+			},
+		},
+		{
+			name: "Audited alert",
+			alert: Alert{
+				Assessment: &format.Assessment{
+					Status:   format.NotRelevant,
+					Analysis: format.FixedByDevTeam,
+				},
+				Status:   "OPEN",
+				Comments: "New alert",
+			},
+			expected: &format.SarifProperties{
+				Audited:           true,
+				ToolAuditMessage:  string(format.FixedByDevTeam),
+				UnifiedAuditState: "notRelevant",
+			},
+		},
+	}
+
+	for _, test := range tt {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, getAuditInformation(test.alert), test.expected)
+		})
+	}
+}

pkg/whitesource/sytemMock.go

@@ -15,13 +15,18 @@ type SystemMock struct {
 	Products            []Product
 	Projects            []Project
 	Alerts              []Alert
+	IgnoredAlerts       []Alert
 	AlertType           string
 	AlertError          error
 	Libraries           []Library
 	RiskReport          []byte
 	VulnerabilityReport []byte
 }
 
+func (m *SystemMock) GetProjectIgnoredAlertsByType(projectToken string, alertType string) ([]Alert, error) {
+	return m.IgnoredAlerts, nil
+}
+
 // GetProductByName mimics retrieving a Product by name. It returns an error of no Product is stored in the mock.
 func (m *SystemMock) GetProductByName(productName string) (Product, error) {
 	for _, product := range m.Products {

pkg/whitesource/whitesource.go

@@ -58,6 +58,7 @@ type Alert struct {
 	CreationDate     string        `json:"date,omitempty"`
 	ModifiedDate     string        `json:"modifiedDate,omitempty"`
 	Status           string        `json:"status,omitempty"`
+	Comments         string        `json:"comments,omitempty"`
 }
 
 // DependencyType returns type of dependency: direct/transitive
@@ -664,6 +665,34 @@ func (s *System) GetProjectAlertsByType(projectToken, alertType string) ([]Alert
 	return wsResponse.Alerts, nil
 }
 
+// GetProjectIgnoredAlertsByType returns all ignored alerts of a certain type for a given project
+func (s *System) GetProjectIgnoredAlertsByType(projectToken string, alertType string) ([]Alert, error) {
+	wsResponse := struct {
+		Alerts []Alert `json:"alerts"`
+	}{
+		Alerts: []Alert{},
+	}
+
+	req := Request{
+		RequestType:  "getProjectIgnoredAlerts",
+		ProjectToken: projectToken,
+	}
+
+	err := s.sendRequestAndDecodeJSON(req, &wsResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	alerts := make([]Alert, 0)
+	for _, alert := range wsResponse.Alerts {
+		if alert.Type == alertType {
+			alerts = append(alerts, alert)
+		}
+	}
+
+	return alerts, nil
+}
+
 // GetProjectLibraryLocations
 func (s *System) GetProjectLibraryLocations(projectToken string) ([]Library, error) {
 	wsResponse := struct {
@@ -721,8 +750,7 @@ func (s *System) sendRequestAndDecodeJSONRecursive(req Request, result interface
 				return err
 			}
 		}
-		return fmt.Errorf("invalid request, error code %v, message '%s'",
-			errorResponse.ErrorCode, errorResponse.ErrorMessage)
+		return fmt.Errorf("invalid request, error code %v, message '%s'", errorResponse.ErrorCode, errorResponse.ErrorMessage)
 	}
 
 	if result != nil {