update: sanitize HTML tag and new line breaks in desc

cyberchen1995 · cyberchen1995 · commit ce52b082a42c · 2024-01-09T17:00:27.000+08:00
diff --git a/cmd/format/sarif.go b/cmd/format/sarif.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"html"
 	"io"
+	"regexp"
 	"strings"
 
 	"github.com/xmirrorsecurity/opensca-cli/v3/cmd/detail"
@@ -154,8 +155,8 @@ func formatDesc(v *detail.VulnInfo) string {
 		{"| cnvd | %s |", v.Cnvd},
 		{"| cwe | %s |", v.Cwe},
 		{"| level | %s |", v.SecurityLevel()},
-		{"| desc | %s |", v.Description},
-		{"| suggestion | %s |", v.Suggestion},
+		{"| desc | %s |", sanitizeString(v.Description)},
+		{"| suggestion | %s |", sanitizeString(v.Suggestion)},
 	}
 	var lines []string
 	for _, line := range table {
@@ -168,9 +169,20 @@ func formatDesc(v *detail.VulnInfo) string {
 			lines = append(lines, fmt.Sprintf(line.fmt, line.val))
 		}
 	}
+
 	return html.EscapeString(strings.Join(lines, "\n"))
 }
 
+func sanitizeString(s string) string {
+	re := regexp.MustCompile("<[^>]*>")
+	s = re.ReplaceAllString(s, "")
+
+	s = strings.ReplaceAll(s, "\r", "")
+	s = strings.ReplaceAll(s, "\n", "")
+
+	return s
+}
+
 func formatTags(v *detail.VulnInfo) []string {
 	tags := []string{"security", "Use-Vulnerable-and-Outdated-Components", v.Cve, v.Cwe, v.AttackType, v.Language}
 	for i := 0; i < len(tags); {
