From 1461144e18a2fde05239116343f987f0e0381f7c Mon Sep 17 00:00:00 2001
From: jperez <jperezde@redhat.com>
Date: Tue, 2 Apr 2024 17:28:53 +0200
Subject: [PATCH 1/2] parser-json-cov: added column number in results using
 JSONv10

Related: https://issues.redhat.com/browse/OSH-11

Added the column number to the Coverity results using Coverity APIv10
---
 src/lib/parser-json-cov.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/parser-json-cov.cc b/src/lib/parser-json-cov.cc
index 84adb80b..8fdb9905 100644
--- a/src/lib/parser-json-cov.cc
+++ b/src/lib/parser-json-cov.cc
@@ -74,7 +74,7 @@ bool CovTreeDecoder::readNode(Defect *def)
 
         evt.fileName    = valueOf<std::string>(evtNode, "filePathname");
         evt.line        = valueOf<int>        (evtNode, "lineNumber");
-        // TODO: read column?
+        evt.column      = valueOf<int>        (evtNode, "columnNumber");
         evt.event       = valueOf<std::string>(evtNode, "eventTag");
         evt.msg         = valueOf<std::string>(evtNode, "eventDescription");
 

From ac8946dd7149676e0ad0ddf61c02438dfe442e23 Mon Sep 17 00:00:00 2001
From: jperez <jperezde@redhat.com>
Date: Tue, 2 Apr 2024 17:33:54 +0200
Subject: [PATCH 2/2] tests/csgrep: added tests for column property in Coverity
 JSONv10

Related https://issues.redhat.com/browse/OSH-11

Added tests for the column property in Coverity using JSON v10 results. Two different tests cases have been added: IN one of them, the column number is present in the results. In the second one, the column number is null
---
 .../0122-json-parser-cov-v10-column-args.txt  |   1 +
 .../0122-json-parser-cov-v10-column-stdin.txt | 195 ++++++++++++++++++
 ...0122-json-parser-cov-v10-column-stdout.txt |  70 +++++++
 tests/csgrep/CMakeLists.txt                   |   1 +
 4 files changed, 267 insertions(+)
 create mode 100644 tests/csgrep/0122-json-parser-cov-v10-column-args.txt
 create mode 100644 tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt
 create mode 100644 tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt

diff --git a/tests/csgrep/0122-json-parser-cov-v10-column-args.txt b/tests/csgrep/0122-json-parser-cov-v10-column-args.txt
new file mode 100644
index 00000000..7df3c951
--- /dev/null
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-args.txt
@@ -0,0 +1 @@
+--mode=json
diff --git a/tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt b/tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt
new file mode 100644
index 00000000..d11cb2c0
--- /dev/null
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-stdin.txt
@@ -0,0 +1,195 @@
+{
+  "type" : "Coverity issues",
+  "formatVersion" : 10,
+  "suppressedIssueCount" : 0,
+  "issues" : [
+    {
+      "mergeKey" : "0d67db2be2df7aa477796bac827f024b",
+      "occurrenceCountForMK" : 1,
+      "occurrenceNumberInMK" : 1,
+      "referenceOccurrenceCountForMK" : null,
+      "checkerName" : "HARDCODED_CREDENTIALS",
+      "subcategory" : "none",
+      "type" : "hardcoded_credentials",
+      "code-language" : "python",
+      "extra" : "\"app\",\"secret_key\"",
+      "domain" : "OTHER",
+      "language" : "Python 3",
+      "mainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+      "strippedMainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+      "mainEventLineNumber" : 56,
+      "mainEventColumnNumber" : 1,
+      "properties" : {},
+      "functionDisplayName" : "<script>",
+      "functionMangledName" : "!productpage.py!%SCRIPT",
+      "functionHtmlDisplayName" : "!productpage.py!%SCRIPT",
+      "functionSimpleName" : "function",
+      "functionSearchName" : "<script>",
+      "localStatus" : null,
+      "ordered" : true,
+      "events" : [
+        {
+          "covLStrEventDescription" : "{CovLStrv2{{t{Assigning: {0} = {1}.}{{code{app}}}{{code{Flask(__name__)}}}}}}",
+          "eventDescription" : "Assigning: \"app\" = \"Flask(__name__)\".",
+          "eventNumber" : 1,
+          "eventTreePosition" : "1",
+          "eventSet" : 0,
+          "eventTag" : "assign",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "lineNumber" : 47,
+          "columnNumber" : 1,
+          "main" : false,
+          "moreInformationId" : null,
+          "remediation" : false,
+          "events" : null
+        },
+        {
+          "covLStrEventDescription" : "{CovLStrv2{{t{Assigning: {0} = {1}.}{{code{app.secret_key}}}{{code{b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"}}}}}}",
+          "eventDescription" : "Assigning: \"app.secret_key\" = \"b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"\".",
+          "eventNumber" : 2,
+          "eventTreePosition" : "2",
+          "eventSet" : 0,
+          "eventTag" : "assign",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "lineNumber" : 56,
+          "columnNumber" : 1,
+          "main" : false,
+          "moreInformationId" : null,
+          "remediation" : false,
+          "events" : null
+        },
+        {
+          "covLStrEventDescription" : "{CovLStrv2{{t{{0} uses the constant string as credentials.}{{code{app.secret_key}}}}}}",
+          "eventDescription" : "\"app.secret_key\" uses the constant string as credentials.",
+          "eventNumber" : 3,
+          "eventTreePosition" : "3",
+          "eventSet" : 0,
+          "eventTag" : "credentials_use",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "lineNumber" : 56,
+          "columnNumber" : 1,
+          "main" : true,
+          "moreInformationId" : null,
+          "remediation" : false,
+          "events" : null
+        },
+        {
+          "covLStrEventDescription" : "{CovLStrv2{{t{Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.}}}}",
+          "eventDescription" : "Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.",
+          "eventNumber" : 4,
+          "eventTreePosition" : "4",
+          "eventSet" : 0,
+          "eventTag" : "remediation",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+          "lineNumber" : 56,
+          "columnNumber" : 1,
+          "main" : false,
+          "moreInformationId" : null,
+          "remediation" : true,
+          "events" : null
+        }
+      ],
+      "stateOnServer" : null,
+      "localTriage" : null,
+      "checkerProperties" : {
+        "category" : "Medium impact security",
+        "categoryDescription" : "Medium impact security",
+        "cweCategory" : "798",
+        "weaknessIdCategory" : "410",
+        "issueKinds" : [
+          "SECURITY"
+        ],
+        "eventSetCaptions" : [],
+        "impact" : "Medium",
+        "impactDescription" : "Medium",
+        "subcategoryLocalEffect" : "Users with access to this source code can use these credentials to access production services or data.  Changing these credentials requires changing the code and re-deploying the application.",
+        "subcategoryShortDescription" : "Use of hard-coded credentials",
+        "subcategoryLongDescription" : "Credentials are stored directly in the source code"
+      }
+    },
+    {
+      "mergeKey" : "0b1c337fa107a6e55fcc49555eaa2f90",
+      "occurrenceCountForMK" : 1,
+      "occurrenceNumberInMK" : 1,
+      "referenceOccurrenceCountForMK" : null,
+      "checkerName" : "SIGMA.access_to_secret",
+      "subcategory" : "kubernetes",
+      "type" : "sigma.access_to_secret",
+      "subtype" : "kubernetes",
+      "code-language" : "text",
+      "extra" : "access_to_secret_kubernetes -- istio-discovery/templates/role.yaml -- ##Σ-markup - ##Σ-markup - rules - ##Σ-markup",
+      "domain" : "OTHER",
+      "language" : "Text",
+      "mainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+      "strippedMainEventFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+      "mainEventLineNumber" : 17,
+      "mainEventColumnNumber" : null,
+      "properties" : {},
+      "functionDisplayName" : null,
+      "functionMangledName" : null,
+      "functionHtmlDisplayName" : null,
+      "functionSimpleName" : null,
+      "functionSearchName" : null,
+      "localStatus" : null,
+      "ordered" : true,
+      "events" : [
+        {
+          "covLStrEventDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+          "eventDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+          "eventNumber" : 1,
+          "eventTreePosition" : "1",
+          "eventSet" : 0,
+          "eventTag" : "Sigma main event",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+          "lineNumber" : 17,
+          "columnNumber" : null,
+          "main" : true,
+          "moreInformationId" : null,
+          "remediation" : false,
+          "events" : null
+        },
+        {
+          "covLStrEventDescription" : "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+          "eventDescription" : "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+          "eventNumber" : 2,
+          "eventTreePosition" : "2",
+          "eventSet" : 0,
+          "eventTag" : "remediation",
+          "filePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+          "strippedFilePathname" : "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+          "lineNumber" : 17,
+          "columnNumber" : null,
+          "main" : false,
+          "moreInformationId" : null,
+          "remediation" : true,
+          "events" : null
+        }
+      ],
+      "stateOnServer" : null,
+      "localTriage" : null,
+      "checkerProperties" : {
+        "category" : "Sigma",
+        "categoryDescription" : "Sigma",
+        "cweCategory" : "284",
+        "weaknessIdCategory" : "none",
+        "issueKinds" : [
+          "SECURITY"
+        ],
+        "eventSetCaptions" : [],
+        "impact" : "Low",
+        "impactDescription" : "Low",
+        "subcategoryLocalEffect" : "",
+        "subcategoryShortDescription" : "Access to secret",
+        "subcategoryLongDescription" : "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`."
+      }
+    }
+  ],
+  "desktopAnalysisSettings" : null,
+  "error" : null,
+  "warnings" : []
+}
diff --git a/tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt b/tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt
new file mode 100644
index 00000000..2739271f
--- /dev/null
+++ b/tests/csgrep/0122-json-parser-cov-v10-column-stdout.txt
@@ -0,0 +1,70 @@
+{
+    "defects": [
+        {
+            "checker": "HARDCODED_CREDENTIALS",
+            "cwe": 798,
+            "function": "<script>",
+            "language": "python",
+            "tool": "coverity",
+            "key_event_idx": 2,
+            "events": [
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+                    "line": 47,
+                    "column": 1,
+                    "event": "assign",
+                    "message": "Assigning: \"app\" = \"Flask(__name__)\".",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+                    "line": 56,
+                    "column": 1,
+                    "event": "assign",
+                    "message": "Assigning: \"app.secret_key\" = \"b\"_5#y2L\\\"F4Q8z\\n\\xec]/\"\".",
+                    "verbosity_level": 1
+                },
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+                    "line": 56,
+                    "column": 1,
+                    "event": "credentials_use",
+                    "message": "\"app.secret_key\" uses the constant string as credentials.",
+                    "verbosity_level": 0
+                },
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/samples/bookinfo/src/productpage/productpage.py",
+                    "line": 56,
+                    "column": 1,
+                    "event": "remediation",
+                    "message": "Credentials should be stored in a configuration file or database that is inaccessible to unauthorized users.",
+                    "verbosity_level": 1
+                }
+            ]
+        },
+        {
+            "checker": "SIGMA.access_to_secret",
+            "cwe": 284,
+            "function": "null",
+            "language": "text",
+            "tool": "coverity",
+            "key_event_idx": 0,
+            "events": [
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+                    "line": 17,
+                    "event": "Sigma main event",
+                    "message": "The `secrets` resource is granted `get`, `list`, or `watch` access on the Kubernetes API. This can allow an attacker to view Kubernetes cluster or external resources whose credentials are stored in `secrets`.",
+                    "verbosity_level": 0
+                },
+                {
+                    "file_name": "/tmp/cspodmanu0m_p6ko/istio-proxyv2/unpacked_remote_sources/istio/app/manifests/charts/istio-control/istio-discovery/templates/role.yaml",
+                    "line": 17,
+                    "event": "remediation",
+                    "message": "Avoid granting `get`, `list`, or `watch` permissions for `secrets`.",
+                    "verbosity_level": 1
+                }
+            ]
+        }
+    ]
+}
diff --git a/tests/csgrep/CMakeLists.txt b/tests/csgrep/CMakeLists.txt
index 60ef7723..3d6fb815 100644
--- a/tests/csgrep/CMakeLists.txt
+++ b/tests/csgrep/CMakeLists.txt
@@ -165,3 +165,4 @@ test_csgrep("0118-gcc-parser-ubsan-dedup"             )
 test_csgrep("0119-cov-parser-sigma"                   )
 test_csgrep("0120-sarif-parser-semgrep"               )
 test_csgrep("0121-cov-parser-lock-evasion"            )
+test_csgrep("0122-json-parser-cov-v10-column"         )