Class: WPScan::Formatter::Sarif

Inherits: Json
  • Object

Defined in: app/formatters/sarif.rb

Overview

SARIF v2.1.0 Formatter.

Emits scan results in SARIF v2.1.0 format so they can be consumed by static-analysis aggregators such as GitHub Code Scanning. WPScan is a DAST tool, so its findings have no source file and line to point at; instead we follow the mapping discussed on issue #1879:

* `result.locations[].physicalLocation.artifactLocation.uri` carries
  the URL where the finding was observed. SARIF explicitly allows
  `uri` to be an absolute URL — see SARIF v2.1.0 §3.4.3
  (https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317419).
* `result.locations[].logicalLocations[]` carries the WordPress
  component identity (core / plugin <slug> / theme <slug>) decoupled
  from any URL — see SARIF v2.1.0 §3.33
  (https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317719).

GitHub’s guidance on which SARIF fields surface in Code Scanning is at docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning.

This formatter inherits from Json and reuses the JSON ERB views: the full scan is buffered as JSON fragments during the run, then parsed and transformed into a SARIF document in #beautify. Reusing the JSON layer keeps the SARIF mapping in one place and lets new JSON fields flow through automatically.
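The following added example (not the project's own `sarif_document` implementation, which the page does not show) illustrates the two points above: rebuilding a JSON object from the comma-terminated fragments the JSON views buffer, and mapping each finding to a `physicalLocation` whose artifact URI is the observed URL plus a `logicalLocations` entry naming the WordPress component. The buffer contents, component structure and rule-id scheme are constructed assumptions for this illustration.

```ruby
require 'json'

SARIF_VERSION = '2.1.0'
SARIF_SCHEMA  = 'https://json.schemastore.org/sarif-2.1.0.json'
INFO_URI      = 'https://wpscan.com/wordpress-security-scanner'

# Constructed stand-in for the buffered JSON: the json/* views each emit a
# `"key": value,` fragment, so the buffer is a comma-terminated list of
# pairs without the enclosing braces. All values are made up.
SAMPLE_BUFFER = <<~BUF
  "target_url": "https://example.test/",
  "version": {"number": "6.0", "vulnerabilities": [{"title": "WordPress core - example finding", "references": {"url": ["https://example.test/advisory/core"]}}]},
  "plugins": {"hello-dolly": {"slug": "hello-dolly", "location": "https://example.test/wp-content/plugins/hello-dolly/", "vulnerabilities": [{"title": "Hello Dolly - example finding", "references": {"url": ["https://example.test/advisory/hello-dolly"]}}]}},
  "themes": {},
BUF

# Mirrors the trick in #beautify: drop the trailing newline and comma, then
# wrap the fragments in braces so they parse as one JSON object.
def parse_buffer(buffer)
  JSON.parse("{#{buffer.chomp.chomp(',')}}")
end

# Yields [kind, slug, component_hash] for every scanned component so the
# core / plugin / theme branches share one mapping (assumed layout).
def each_component(data)
  yield ['core', 'wordpress', data['version']] if data['version'].is_a?(Hash)
  %w[plugin theme].each do |kind|
    (data["#{kind}s"] || {}).each { |slug, comp| yield [kind, slug, comp] }
  end
end

# One SARIF location: the observed URL as the artifact URI (absolute URLs
# are permitted by SARIF 2.1.0 §3.4.3) plus a logicalLocation that names
# the component independently of any URL (§3.33).
def sarif_location(kind, slug, component, target_url)
  {
    'physicalLocation' => {
      'artifactLocation' => { 'uri' => component['location'] || target_url }
    },
    'logicalLocations' => [{
      'name' => slug,
      'fullyQualifiedName' => "#{kind}/#{slug}",
      'kind' => 'module'
    }]
  }
end

# Builds the SARIF document. Rule ids are a constructed scheme; a real
# formatter would derive them from the vulnerability identifiers.
def sarif_document(data)
  rules   = {}
  results = []

  each_component(data) do |kind, slug, component|
    (component['vulnerabilities'] || []).each_with_index do |vuln, idx|
      rule_id = "wpscan/#{kind}/#{slug}/#{idx}"
      rules[rule_id] ||= {
        'id' => rule_id,
        'shortDescription' => { 'text' => vuln['title'] },
        'helpUri' => Array(vuln.dig('references', 'url')).first
      }.compact
      results << {
        'ruleId'    => rule_id,
        'level'     => 'error',
        'message'   => { 'text' => vuln['title'] },
        'locations' => [sarif_location(kind, slug, component, data['target_url'])]
      }
    end
  end

  {
    '$schema' => SARIF_SCHEMA,
    'version' => SARIF_VERSION,
    'runs' => [{
      'tool' => { 'driver' => { 'name' => 'WPScan', 'informationUri' => INFO_URI, 'rules' => rules.values } },
      'results' => results
    }]
  }
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(sarif_document(parse_buffer(SAMPLE_BUFFER)))
end
```

Core findings have no per-component URL, so the example falls back to the scan's `target_url` for the artifact URI while the logical location still reads `core/wordpress`; that is the decoupling the overview describes, and it is what lets an aggregator group findings by component even when the same URL appears in several results.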

Constant Summary

SARIF_VERSION = '2.1.0'
SARIF_SCHEMA = 'https://json.schemastore.org/sarif-2.1.0.json'
INFO_URI = 'https://wpscan.com/wordpress-security-scanner'

Constants inherited from Base

Base::ERB_SUPPORTS_KVARGS

Instance Attribute Summary

Attributes inherited from Base

#controller_name

Instance Method Summary

Methods included from Buffer

#buffer, #output

Methods inherited from Base

#format, #formats, #initialize, #output, #render, #streams?, #template_vars, #user_interaction?, #view_path, #views_directories

Constructor Details

This class inherits a constructor from WPScan::Formatter::Base

Instance Method Details

#base_format ⇒ Object

Make ERB lookups fall back to the json/* views.

# File 'app/formatters/sarif.rb', line 36

def base_format
  'json'
end

#beautify ⇒ Object

Rebuild the buffered JSON fragments into one object, convert it with #sarif_document, and print the pretty-printed SARIF document.

# File 'app/formatters/sarif.rb', line 40

def beautify
  # The JSON views emit comma-terminated `"key": value,` fragments; strip the
  # trailing newline and comma, then wrap in braces to get a valid object.
  data = JSON.parse("{#{buffer.chomp.chomp(',')}}")
  puts JSON.pretty_generate(sarif_document(data))
end