Use common ToolMetadata for all reporters and default-enable vuln & malware in SARIF

Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
2025-12-10 00:22:08 -06:00 · 2025-04-01 21:10:45 +05:30 · 2025-04-01 21:10:45 +05:30 · d7f7a6c72e
commit d7f7a6c72e
parent 976c5317ac
13 changed files with 98 additions and 124 deletions
--- a/pkg/reporter/common.go
+++ b/pkg/reporter/common.go
@ -0,0 +1,8 @@
 package reporter
 type ToolMetadata struct {
 	Name           string
 	Version        string
 	InformationURI string
 	VendorName     string
 }
--- a/pkg/reporter/defect_dojo.go
+++ b/pkg/reporter/defect_dojo.go
@ -26,14 +26,8 @@ type DefectDojoProduct struct {
 	Created       time.Time `json:"created"`
 }
 type DefectDojoToolMetadata struct {
 	Name           string
 	Version        string
 	InformationURI string
 }
 type DefectDojoReporterConfig struct {
-	Tool               DefectDojoToolMetadata
+	Tool               ToolMetadata
 	IncludeVulns       bool
 	IncludeMalware     bool
 	ProductID          int
@ -55,11 +49,7 @@ func NewDefectDojoReporter(config DefectDojoReporterConfig) (Reporter, error) {
 	builder, err := newSarifBuilder(
 		sarifBuilderConfig{
-			Tool: sarifBuilderToolMetadata{
+			Tool:           config.Tool,
 				Name:           config.Tool.Name,
 				Version:        config.Tool.Version,
 				InformationURI: config.Tool.InformationURI,
 			},
 			IncludeVulns:   config.IncludeVulns,
 			IncludeMalware: config.IncludeMalware,
 		},
--- a/pkg/reporter/gitlab.go
+++ b/pkg/reporter/gitlab.go
@ -35,10 +35,8 @@ const (
 )
 type GitLabReporterConfig struct {
-	Path           string // Report path, value of --report-gitlab
+	Path string // Report path, value of --report-gitlab
-	ToolName       string
+	Tool ToolMetadata
 	ToolVersion    string // Tool version, value from version.go
 	ToolVendorName string
 }
 // gitLabVendor represents vendor information
@ -316,11 +314,11 @@ func (r *gitLabReporter) AddAnalyzerEvent(event *analyzer.AnalyzerEvent) {}
 func (r *gitLabReporter) AddPolicyEvent(event *policy.PolicyEvent) {}
 func (r *gitLabReporter) Finish() error {
-	vendor := gitLabVendor{Name: r.config.ToolVendorName}
+	vendor := gitLabVendor{Name: r.config.Tool.VendorName}
 	scanner := gitLabScanner{
-		ID:      r.config.ToolName,
+		ID:      r.config.Tool.Name,
-		Name:    r.config.ToolName,
+		Name:    r.config.Tool.Name,
-		Version: r.config.ToolVersion,
+		Version: r.config.Tool.Version,
 		Vendor:  vendor,
 	}
--- a/pkg/reporter/gitlab_test.go
+++ b/pkg/reporter/gitlab_test.go
@ -18,10 +18,13 @@ import (
 func getGitLabReporter(reportPath string) (*gitLabReporter, error) {
 	return NewGitLabReporter(GitLabReporterConfig{
-		Path:           reportPath,
+		Path: reportPath,
-		ToolVersion:    "1.0.0",
+		Tool: ToolMetadata{
-		ToolName:       "vet",
+			Name:           "vet",
-		ToolVendorName: "safedep",
+			Version:        "latest",
 			InformationURI: "https://github.com/safedep/vet",
 			VendorName:     "safedep",
 		},
 	})
 }
--- a/pkg/reporter/json_report.go
+++ b/pkg/reporter/json_report.go
@ -21,9 +21,8 @@ import (
 )
 type JsonReportingConfig struct {
-	Path        string
+	Path string
-	ToolName    string
+	Tool ToolMetadata
 	ToolVersion string
 }
 // Json reporter is built on top of summary reporter to
@ -199,8 +198,8 @@ func (r *jsonReportGenerator) Finish() error {
 func (r *jsonReportGenerator) buildSpecReport() (*schema.Report, error) {
 	report := schema.Report{
 		Meta: &schema.ReportMeta{
-			ToolName:    r.config.ToolName,
+			ToolName:    r.config.Tool.Name,
-			ToolVersion: r.config.ToolVersion,
+			ToolVersion: r.config.Tool.Version,
 			CreatedAt:   time.Now().UTC().Format(time.RFC3339),
 		},
 		Packages:  make([]*schema.PackageReport, 0),
--- a/pkg/reporter/json_report_test.go
+++ b/pkg/reporter/json_report_test.go
@ -99,9 +99,13 @@ func TestJsonRepoGenerator(t *testing.T) {
 	for _, test := range cases {
 		t.Run(test.name, func(t *testing.T) {
 			r, err := NewJsonReportGenerator(JsonReportingConfig{
-				Path:        tmpFile.Name(),
+				Path: tmpFile.Name(),
-				ToolName:    "vet",
+				Tool: ToolMetadata{
-				ToolVersion: "latest",
+					Name:           "vet",
 					Version:        "latest",
 					InformationURI: "https://github.com/safedep/vet",
 					VendorName:     "safedep",
 				},
 			})
 			assert.Nil(t, err)
--- a/pkg/reporter/markdown_summary.go
+++ b/pkg/reporter/markdown_summary.go
@ -28,13 +28,8 @@ const (
 	markdownSummaryReportTitle = "vet Summary Report"
 )
 type MarkdownSummaryToolMetadata struct {
 	Name    string
 	Version string
 }
 type MarkdownSummaryReporterConfig struct {
-	ToolMetadata           MarkdownSummaryToolMetadata
+	Tool                   ToolMetadata
 	Path                   string
 	ReportTitle            string
 	IncludeMalwareAnalysis bool
@ -84,9 +79,8 @@ func NewMarkdownSummaryReporter(config MarkdownSummaryReporterConfig) (Reporter,
 	tmpFile.Close()
 	jsonReporter, err := NewJsonReportGenerator(JsonReportingConfig{
-		Path:        tmpFile.Name(),
+		Path: tmpFile.Name(),
-		ToolName:    config.ToolMetadata.Name,
+		Tool: config.Tool,
 		ToolVersion: config.ToolMetadata.Version,
 	})
 	if err != nil {
 		return nil, err
--- a/pkg/reporter/sarif.go
+++ b/pkg/reporter/sarif.go
@ -20,14 +20,8 @@ import (
 // We will not publish all package information. JSON
 // report should be used for that purpose.
 type SarifToolMetadata struct {
 	Name           string
 	Version        string
 	InformationURI string
 }
 type SarifReporterConfig struct {
-	Tool           SarifToolMetadata
+	Tool           ToolMetadata
 	IncludeVulns   bool
 	IncludeMalware bool
 	Path           string
@ -41,11 +35,7 @@ type sarifReporter struct {
 func NewSarifReporter(config SarifReporterConfig) (Reporter, error) {
 	builder, err := newSarifBuilder(
 		sarifBuilderConfig{
-			Tool: sarifBuilderToolMetadata{
+			Tool:           config.Tool,
 				Name:           config.Tool.Name,
 				Version:        config.Tool.Version,
 				InformationURI: config.Tool.InformationURI,
 			},
 			IncludeVulns:   config.IncludeVulns,
 			IncludeMalware: config.IncludeMalware,
 		},
--- a/pkg/reporter/sarif_builder.go
+++ b/pkg/reporter/sarif_builder.go
@ -13,14 +13,8 @@ import (
 	"github.com/safedep/vet/pkg/reporter/markdown"
 )
 type sarifBuilderToolMetadata struct {
 	Name           string
 	Version        string
 	InformationURI string
 }
 type sarifBuilderConfig struct {
-	Tool           sarifBuilderToolMetadata
+	Tool           ToolMetadata
 	IncludeVulns   bool
 	IncludeMalware bool
 }
@ -112,7 +106,6 @@ func (b *sarifBuilder) recordFilterMatchEvent(event *analyzer.AnalyzerEvent) {
 	b.violationsCache[uniqueInstance] = true
 	result := sarif.NewRuleResult(event.Filter.GetName())
 	result.WithLevel(sarifErrorLevel)
 	result.WithMessage(b.buildFilterResultMessageMarkdown(event))
@ -196,7 +189,12 @@ func (b *sarifBuilder) recordVulnerabilities(pkg *models.Package) {
 		result := sarif.NewRuleResult(vulnId)
 		result.WithLevel(sarifErrorLevel)
-		result.WithMessage(sarif.NewMessage().WithText(utils.SafelyGetValue(vuln.Summary)))
+
 		vulnerabilitySummary := utils.SafelyGetValue(vuln.Summary)
 		if utils.IsEmptyString(vulnerabilitySummary) {
 			vulnerabilitySummary = fmt.Sprintf("Vulnerability in %s (%s)", pkg.GetName(), pkg.Ecosystem)
 		}
 		result.WithMessage(sarif.NewMessage().WithText(vulnerabilitySummary))
 		pLocation := sarif.NewPhysicalLocation().
 			WithArtifactLocation(sarif.NewSimpleArtifactLocation(pkg.Manifest.GetDisplayPath()))
@ -217,7 +215,12 @@ func (b *sarifBuilder) recordMalware(pkg *models.Package) {
 		inference := utils.SafelyGetValue(malwareAnalysis.Report.GetInference())
 		result := sarif.NewRuleResult(malwareAnalysis.AnalysisId)
 		result.WithLevel(sarifErrorLevel)
-		result.WithMessage(sarif.NewMessage().WithText(inference.GetSummary()))
+
 		malwareSummary := inference.GetSummary()
 		if utils.IsEmptyString(malwareSummary) {
 			malwareSummary = fmt.Sprintf("Malicious code in %s (%s)", pkg.GetName(), pkg.Ecosystem)
 		}
 		result.WithMessage(sarif.NewMessage().WithText(malwareSummary))
 		pLocation := sarif.NewPhysicalLocation().
 			WithArtifactLocation(sarif.NewSimpleArtifactLocation(pkg.Manifest.GetDisplayPath()))
--- a/pkg/reporter/sarif_builder_test.go
+++ b/pkg/reporter/sarif_builder_test.go
@ -117,6 +117,13 @@ var events []analyzer.AnalyzerEvent = []analyzer.AnalyzerEvent{
 	},
 }
 var toolMetadata = ToolMetadata{
 	Name:           "vet",
 	Version:        "latest",
 	InformationURI: "https://github.com/safedep/vet",
 	VendorName:     "safedep",
 }
 func TestSarifBuilderReport(t *testing.T) {
 	tmpFile, err := os.CreateTemp("", "sarif-builder-test")
 	assert.Nil(t, err)
@ -125,11 +132,7 @@ func TestSarifBuilderReport(t *testing.T) {
 	builder, err := newSarifBuilder(
 		sarifBuilderConfig{
-			Tool: sarifBuilderToolMetadata{
+			Tool: toolMetadata,
 				Name:           "tool-name",
 				Version:        "tool-version",
 				InformationURI: "https://github.com/safedep/vet",
 			},
 		})
 	assert.Nil(t, err)
@ -155,11 +158,7 @@ func TestSarifReportBuilderMarkdown(t *testing.T) {
 	builder, err := newSarifBuilder(
 		sarifBuilderConfig{
-			Tool: sarifBuilderToolMetadata{
+			Tool: toolMetadata,
 				Name:           "tool-name",
 				Version:        "tool-version",
 				InformationURI: "https://github.com/safedep/vet",
 			},
 		})
 	assert.Nil(t, err)
--- a/pkg/reporter/sync.go
+++ b/pkg/reporter/sync.go
@ -46,8 +46,7 @@ type SyncReporterConfig struct {
 	WorkerCount int
 	// Tool details
-	ToolName    string
+	Tool ToolMetadata
 	ToolVersion string
 }
 type syncSession struct {
@ -161,8 +160,8 @@ func NewSyncReporter(config SyncReporterConfig, callbacks SyncReporterCallbacks)
 		toolServiceClient := controltowerv1grpc.NewToolServiceClient(config.ClientConnection)
 		toolSessionRes, err := toolServiceClient.CreateToolSession(context.Background(),
 			&controltowerv1.CreateToolSessionRequest{
-				ToolName:       config.ToolName,
+				ToolName:       config.Tool.Name,
-				ToolVersion:    config.ToolVersion,
+				ToolVersion:    config.Tool.Version,
 				ProjectName:    config.ProjectName,
 				ProjectVersion: &config.ProjectVersion,
 				ProjectSource:  &source,
@ -214,8 +213,8 @@ func (s *syncReporter) AddManifest(manifest *models.PackageManifest) {
 		toolServiceClient := controltowerv1grpc.NewToolServiceClient(s.client)
 		toolSessionRes, err := toolServiceClient.CreateToolSession(context.Background(),
 			&controltowerv1.CreateToolSessionRequest{
-				ToolName:       s.config.ToolName,
+				ToolName:       s.config.Tool.Name,
-				ToolVersion:    s.config.ToolVersion,
+				ToolVersion:    s.config.Tool.Version,
 				ProjectName:    projectName,
 				ProjectVersion: &projectVersion,
 				ProjectSource:  &source,
--- a/query.go
+++ b/query.go
@ -93,8 +93,8 @@ func newQueryCommand() *cobra.Command {
 	cmd.Flags().IntVarP(&queryDefectDojoProductID, "defect-dojo-product-id", "", -1, "DefectDojo Product ID")
 	cmd.Flags().StringVarP(&querySarifReportPath, "report-sarif", "", "",
 		"Generate SARIF report to file")
-	cmd.Flags().BoolVarP(&querySarifIncludeVulns, "report-sarif-vulns", "", false, "Include vulnerabilities in SARIF report")
+	cmd.Flags().BoolVarP(&querySarifIncludeVulns, "report-sarif-vulns", "", true, "Include vulnerabilities in SARIF report (Enabled by default)")
-	cmd.Flags().BoolVarP(&querySarifIncludeMalware, "report-sarif-malware", "", false, "Include malware in SARIF report")
+	cmd.Flags().BoolVarP(&querySarifIncludeMalware, "report-sarif-malware", "", true, "Include malware in SARIF report (Enabled by default)")
 	// Add validations that should trigger a fail fast condition
 	cmd.PreRun = func(cmd *cobra.Command, args []string) {
@ -116,6 +116,13 @@ func startQuery() {
 }
 func internalStartQuery() error {
 	toolMetadata := reporter.ToolMetadata{
 		Name:           vetName,
 		Version:        version,
 		InformationURI: vetInformationURI,
 		VendorName:     vetVendorName,
 	}
 	readerList := []readers.PackageManifestReader{}
 	analyzers := []analyzer.Analyzer{}
 	reporters := []reporter.Reporter{}
@ -196,10 +203,7 @@ func internalStartQuery() error {
 	if !utils.IsEmptyString(queryMarkdownSummaryReportPath) {
 		rp, err := reporter.NewMarkdownSummaryReporter(reporter.MarkdownSummaryReporterConfig{
-			ToolMetadata: reporter.MarkdownSummaryToolMetadata{
+			Tool: toolMetadata,
 				Name:    vetName,
 				Version: version,
 			},
 			Path: queryMarkdownSummaryReportPath,
 		})
 		if err != nil {
@ -211,9 +215,8 @@ func internalStartQuery() error {
 	if !utils.IsEmptyString(queryJsonReportPath) {
 		rp, err := reporter.NewJsonReportGenerator(reporter.JsonReportingConfig{
-			Path:        queryJsonReportPath,
+			Path: queryJsonReportPath,
-			ToolName:    vetName,
+			Tool: toolMetadata,
 			ToolVersion: version,
 		})
 		if err != nil {
 			return err
@ -244,11 +247,7 @@ func internalStartQuery() error {
 	if !utils.IsEmptyString(querySarifReportPath) {
 		rp, err := reporter.NewSarifReporter(reporter.SarifReporterConfig{
-			Tool: reporter.SarifToolMetadata{
+			Tool:           toolMetadata,
 				Name:           vetName,
 				Version:        version,
 				InformationURI: vetInformationURI,
 			},
 			IncludeVulns:   querySarifIncludeVulns,
 			IncludeMalware: querySarifIncludeMalware,
 			Path:           querySarifReportPath,
@ -268,11 +267,7 @@ func internalStartQuery() error {
 		engagementName := fmt.Sprintf("vet-report-%s", time.Now().Format("2006-01-02"))
 		rp, err := reporter.NewDefectDojoReporter(reporter.DefectDojoReporterConfig{
-			Tool: reporter.DefectDojoToolMetadata{
+			Tool:               toolMetadata,
 				Name:           vetName,
 				Version:        version,
 				InformationURI: vetInformationURI,
 			},
 			IncludeVulns:       true,
 			IncludeMalware:     true,
 			ProductID:          queryDefectDojoProductID,
--- a/scan.go
+++ b/scan.go
@ -175,8 +175,8 @@ func newScanCommand() *cobra.Command {
 		"Generate consolidated JSON report to file (EXPERIMENTAL schema)")
 	cmd.Flags().StringVarP(&sarifReportPath, "report-sarif", "", "",
 		"Generate SARIF report to file (*.sarif or *.sarif.json)")
-	cmd.Flags().BoolVarP(&sarifIncludeVulns, "report-sarif-vulns", "", false, "Include vulnerabilities in SARIF report")
+	cmd.Flags().BoolVarP(&sarifIncludeVulns, "report-sarif-vulns", "", true, "Include vulnerabilities in SARIF report (Enabled by default)")
-	cmd.Flags().BoolVarP(&sarifIncludeMalware, "report-sarif-malware", "", false, "Include malware in SARIF report")
+	cmd.Flags().BoolVarP(&sarifIncludeMalware, "report-sarif-malware", "", true, "Include malware in SARIF report (Enabled by default)")
 	cmd.Flags().StringVarP(&graphReportDirectory, "report-graph", "", "",
 		"Generate dependency graph (if available) as dot files to directory")
 	cmd.Flags().BoolVarP(&syncReport, "report-sync", "", false,
@ -269,6 +269,13 @@ func startScan() {
 }
 func internalStartScan() error {
 	toolMetadata := reporter.ToolMetadata{
 		Name:           vetName,
 		Version:        version,
 		InformationURI: vetInformationURI,
 		VendorName:     vetVendorName,
 	}
 	readerList := []readers.PackageManifestReader{}
 	var reader readers.PackageManifestReader
 	var err error
@ -438,10 +445,7 @@ func internalStartScan() error {
 	if !utils.IsEmptyString(markdownSummaryReportPath) {
 		rp, err := reporter.NewMarkdownSummaryReporter(reporter.MarkdownSummaryReporterConfig{
-			ToolMetadata: reporter.MarkdownSummaryToolMetadata{
+			Tool:                   toolMetadata,
 				Name:    vetName,
 				Version: version,
 			},
 			Path:                   markdownSummaryReportPath,
 			IncludeMalwareAnalysis: enrichMalware,
 		})
@ -454,9 +458,8 @@ func internalStartScan() error {
 	if !utils.IsEmptyString(jsonReportPath) {
 		rp, err := reporter.NewJsonReportGenerator(reporter.JsonReportingConfig{
-			Path:        jsonReportPath,
+			Path: jsonReportPath,
-			ToolName:    vetName,
+			Tool: toolMetadata,
 			ToolVersion: version,
 		})
 		if err != nil {
 			return err
@ -467,11 +470,7 @@ func internalStartScan() error {
 	if !utils.IsEmptyString(sarifReportPath) {
 		rp, err := reporter.NewSarifReporter(reporter.SarifReporterConfig{
-			Tool: reporter.SarifToolMetadata{
+			Tool:           toolMetadata,
 				Name:           vetName,
 				Version:        version,
 				InformationURI: vetInformationURI,
 			},
 			IncludeVulns:   sarifIncludeVulns,
 			IncludeMalware: sarifIncludeMalware,
 			Path:           sarifReportPath,
@ -491,13 +490,9 @@ func internalStartScan() error {
 		engagementName := fmt.Sprintf("vet-report-%s", time.Now().Format("2006-01-02"))
 		rp, err := reporter.NewDefectDojoReporter(reporter.DefectDojoReporterConfig{
-			Tool: reporter.DefectDojoToolMetadata{
+			Tool:               toolMetadata,
 				Name:           vetName,
 				Version:        version,
 				InformationURI: vetInformationURI,
 			},
 			IncludeVulns:       true,
-			IncludeMalware:     enrichMalware,
+			IncludeMalware:     true,
 			ProductID:          defectDojoProductID,
 			EngagementName:     engagementName,
 			DefectDojoHostUrl:  defectDojoHostUrl,
@ -532,10 +527,8 @@ func internalStartScan() error {
 	if !utils.IsEmptyString(gitlabReportPath) {
 		rp, err := reporter.NewGitLabReporter(reporter.GitLabReporterConfig{
-			Path:           gitlabReportPath,
+			Path: gitlabReportPath,
-			ToolVersion:    version,
+			Tool: toolMetadata,
 			ToolName:       vetName,
 			ToolVendorName: vetVendorName,
 		})
 		if err != nil {
 			return err
@ -554,8 +547,7 @@ func internalStartScan() error {
 		}
 		rp, err := reporter.NewSyncReporter(reporter.SyncReporterConfig{
-			ToolName:               vetName,
+			Tool:                   toolMetadata,
 			ToolVersion:            version,
 			ProjectName:            syncReportProject,
 			ProjectVersion:         syncReportStream,
 			EnableMultiProjectSync: syncEnableMultiProject,