merged multiple code risks on same page

Author: timbastin

cmd/devguard-cli/commands/migrate.go

@@ -53,7 +53,6 @@ func Execute() {
 
 func init() {
 	rootCmd.AddCommand(commands.NewVulndbCommand())
-	rootCmd.AddCommand(commands.NewMigrateCommand())
 	rootCmd.AddCommand(commands.NewComponentsCommand())
 	rootCmd.AddCommand(commands.NewDaemonCommand())
 }

cmd/devguard-cli/main.go

@@ -26,6 +26,7 @@ import (
 	"net/http"
 	"os"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
@@ -238,10 +239,11 @@ func obfuscateString(str string) string {
 }
 
 // add obfuscation function for snippet
-func obfuscateSecret(sarifScan *common.SarifResult) {
+func obfuscateSecretAndAddFingerprint(sarifScan *common.SarifResult) {
 	// obfuscate the snippet
 	for ru, run := range sarifScan.Runs {
 		for re, result := range run.Results {
+			// obfuscate the snippet
 			for lo, location := range result.Locations {
 				snippet := location.PhysicalLocation.Region.Snippet.Text
 				snippetMax := 20
@@ -252,6 +254,10 @@ func obfuscateSecret(sarifScan *common.SarifResult) {
 				// set the snippet
 				sarifScan.Runs[ru].Results[re].Locations[lo].PhysicalLocation.Region.Snippet.Text = snippet
 			}
+
+			//set the fingerprint to the calculated fingerprint if it exists
+			result.Fingerprints.CalculatedFingerprint = result.PartialFingerprints.CommitSha + ":" + result.Locations[0].PhysicalLocation.ArtifactLocation.URI + ":" + result.RuleID + ":" + strconv.Itoa(result.Locations[0].PhysicalLocation.Region.StartLine)
+
 		}
 	}
 }

cmd/devguard-scanner/commands/sarif.go

@@ -8,7 +8,6 @@ import (
 	"os"
 	"os/exec"
 	"path"
-	"strconv"
 
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
@@ -26,13 +25,13 @@ func printSastScanResults(firstPartyVulns []vuln.FirstPartyVulnDTO, webUI, asset
 	green := text.FgGreen
 	for _, vuln := range firstPartyVulns {
 		tw.AppendRow(table.Row{"RuleID", vuln.RuleID})
-		if vuln.Snippet != "" {
-			tw.AppendRow(table.Row{"Snippet", vuln.Snippet})
+		for _, snippet := range vuln.SnippetContents {
+			tw.AppendRow(table.Row{"Snippet", snippet.Snippet})
 		}
 		tw.AppendRow(table.Row{"Message", text.WrapText(*vuln.Message, 80)})
 		if vuln.URI != "" {
-			tw.AppendRow(table.Row{"File", green.Sprint(vuln.URI + ":" + strconv.Itoa(vuln.StartLine))})
-			tw.AppendRow(table.Row{"Line", vuln.StartLine})
+			tw.AppendRow(table.Row{"File", green.Sprint(vuln.URI)})
+
 		}
 		tw.AppendSeparator()
 	}

cmd/devguard-scanner/commands/sast.go

@@ -8,7 +8,6 @@ import (
 	"os"
 	"os/exec"
 	"path"
-	"strconv"
 
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
@@ -75,7 +74,7 @@ func secretScan(p string) (*common.SarifResult, error) {
 	}
 
 	// obfuscate founded secrets
-	obfuscateSecret(&sarifScan)
+	obfuscateSecretAndAddFingerprint(&sarifScan)
 
 	return &sarifScan, nil
 }
@@ -89,16 +88,19 @@ func printSecretScanResults(firstPartyVulns []vuln.FirstPartyVulnDTO, webUI stri
 	for _, vuln := range firstPartyVulns {
 		raw := []table.Row{
 			{"RuleID:", vuln.RuleID},
-			{"File:", green.Sprint(vuln.URI + ":" + strconv.Itoa(vuln.StartLine))},
-			{"Snippet:", text.WrapText(vuln.Snippet, 80)},
-			{"Message:", text.WrapText(*vuln.Message, 80)},
-			{"Line:", vuln.StartLine},
+			{"File:", green.Sprint(vuln.URI)},
+		}
+		tw.AppendRows(raw)
+		for _, snippet := range vuln.SnippetContents {
+			tw.AppendRow(table.Row{"Snippet", snippet.Snippet})
+		}
+		raw = []table.Row{{"Message:", text.WrapText(*vuln.Message, 80)},
+
 			{"Commit:", vuln.Commit},
 			{"Author:", vuln.Author},
 			{"Email:", vuln.Email},
 			{"Date:", vuln.Date},
-			{"Link:", blue.Sprint(fmt.Sprintf("%s/%s/refs/%s/code-risks/%s", webUI, assetName, assetVersionName, vuln.ID))},
-		}
+			{"Link:", blue.Sprint(fmt.Sprintf("%s/%s/refs/%s/code-risks/%s", webUI, assetName, assetVersionName, vuln.ID))}}
 
 		tw.AppendRows(raw)
 		tw.AppendSeparator()

cmd/devguard-scanner/commands/secret_scanning.go

@@ -73,7 +73,7 @@ func TestObfuscateSnippet(t *testing.T) {
 		expectedSnippet := "that is an example c*********************************************************"
 
 		// Call the function with the example data
-		obfuscateSecret(&exampleSarifResult)
+		obfuscateSecretAndAddFingerprint(&exampleSarifResult)
 
 		// Check if the original snippet is not present in the obfuscated result
 		assert.NotContains(t, exampleSarifResult.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text, originalSnippet)
@@ -94,7 +94,7 @@ func TestObfuscateSnippet(t *testing.T) {
 		exampleSarifResult.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text = originalSnippet
 
 		// Call the function with the example data
-		obfuscateSecret(&exampleSarifResult)
+		obfuscateSecretAndAddFingerprint(&exampleSarifResult)
 
 		// Check if the original snippet is not present in the obfuscated result
 		assert.NotContains(t, exampleSarifResult.Runs[0].Results[0].Locations[0].PhysicalLocation.Region.Snippet.Text, originalSnippet)

cmd/devguard-scanner/commands/secret_scanning_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/core/daemon"
 	"github.com/l3montree-dev/devguard/internal/database"
+	"github.com/l3montree-dev/devguard/internal/database/models"
 
 	_ "github.com/lib/pq"
 )
@@ -78,6 +79,12 @@ func main() {
 			slog.Error("failed to run database migrations", "error", err)
 			panic(errors.New("Failed to run database migrations"))
 		}
+
+		// Run hash migrations if needed (when algorithm version changes)
+		if err := models.RunHashMigrationsIfNeeded(db); err != nil {
+			slog.Error("failed to run hash migrations", "error", err)
+			panic(errors.New("Failed to run hash migrations"))
+		}
 	} else {
 		slog.Info("automatic migrations disabled via AUTO_MIGRATE=false")
 	}

cmd/devguard/main.go

@@ -65,7 +65,8 @@ type PartialFingerprints struct {
 	CommitMessage string `json:"commitMessage"`
 }
 type Fingerprints struct {
-	MatchBasedID string `json:"matchBasedId/v1"`
+	MatchBasedID          string `json:"matchBasedId/v1"`
+	CalculatedFingerprint string `json:"calculatedFingerprint/v1"`
 }
 
 type Properties struct {

internal/common/sarif_result.go

@@ -97,7 +97,7 @@ func preferMarkdown(text common.Text) string {
 
 func (s *service) HandleFirstPartyVulnResult(org models.Org, project models.Project, asset models.Asset, assetVersion *models.AssetVersion, sarifScan common.SarifResult, scannerID string, userID string) (int, int, []models.FirstPartyVuln, error) {
 
-	firstPartyVulnerabilities := []models.FirstPartyVuln{}
+	firstPartyVulnerabilitiesMap := make(map[string]models.FirstPartyVuln)
 
 	ruleMap := make(map[string]common.Rule)
 	for _, run := range sarifScan.Runs {
@@ -135,22 +135,58 @@ func (s *service) HandleFirstPartyVulnResult(org models.Org, project models.Proj
 				firstPartyVulnerability.Date = result.PartialFingerprints.Date
 			}
 
+			var hash string
+			if result.Fingerprints != nil {
+				if result.Fingerprints.CalculatedFingerprint != "" {
+					firstPartyVulnerability.Fingerprint = result.Fingerprints.CalculatedFingerprint
+				}
+			}
+
 			if len(result.Locations) > 0 {
 				firstPartyVulnerability.URI = result.Locations[0].PhysicalLocation.ArtifactLocation.URI
-				firstPartyVulnerability.StartLine = result.Locations[0].PhysicalLocation.Region.StartLine
-				firstPartyVulnerability.StartColumn = result.Locations[0].PhysicalLocation.Region.StartColumn
-				firstPartyVulnerability.EndLine = result.Locations[0].PhysicalLocation.Region.EndLine
-				firstPartyVulnerability.EndColumn = result.Locations[0].PhysicalLocation.Region.EndColumn
-				firstPartyVulnerability.Snippet = result.Locations[0].PhysicalLocation.Region.Snippet.Text
+
+				snippetContent := models.SnippetContent{
+					StartLine:   result.Locations[0].PhysicalLocation.Region.StartLine,
+					EndLine:     result.Locations[0].PhysicalLocation.Region.EndLine,
+					StartColumn: result.Locations[0].PhysicalLocation.Region.StartColumn,
+					EndColumn:   result.Locations[0].PhysicalLocation.Region.EndColumn,
+					Snippet:     result.Locations[0].PhysicalLocation.Region.Snippet.Text,
+				}
+
+				hash = firstPartyVulnerability.CalculateHash()
+				if existingVuln, ok := firstPartyVulnerabilitiesMap[hash]; ok {
+					snippetContents, err := existingVuln.FromJSONSnippetContents()
+					if err != nil {
+						return 0, 0, []models.FirstPartyVuln{}, errors.Wrap(err, "could not parse existing snippet contents")
+					}
+					snippetContents.Snippets = append(snippetContents.Snippets, snippetContent)
+					firstPartyVulnerability.SnippetContents, err = snippetContents.ToJSON()
+					if err != nil {
+						return 0, 0, []models.FirstPartyVuln{}, errors.Wrap(err, "could not convert snippet contents to JSON")
+					}
+
+				} else {
+
+					snippetContents := models.SnippetContents{
+						Snippets: []models.SnippetContent{snippetContent},
+					}
+					var err error
+					firstPartyVulnerability.SnippetContents, err = snippetContents.ToJSON()
+					if err != nil {
+						return 0, 0, []models.FirstPartyVuln{}, errors.Wrap(err, "could not convert snippet contents to JSON")
+					}
+
+				}
+				firstPartyVulnerabilitiesMap[hash] = firstPartyVulnerability
+
 			}
 
-			firstPartyVulnerabilities = append(firstPartyVulnerabilities, firstPartyVulnerability)
 		}
 	}
-
-	firstPartyVulnerabilities = utils.UniqBy(firstPartyVulnerabilities, func(f models.FirstPartyVuln) string {
-		return f.CalculateHash()
-	})
+	var firstPartyVulnerabilities []models.FirstPartyVuln
+	for _, vuln := range firstPartyVulnerabilitiesMap {
+		firstPartyVulnerabilities = append(firstPartyVulnerabilities, vuln)
+	}
 
 	amountOpened, amountClosed, amountExisting, err := s.handleFirstPartyVulnResult(userID, scannerID, assetVersion, firstPartyVulnerabilities, asset, org, project)
 	if err != nil {
@@ -186,18 +222,42 @@ func (s *service) handleFirstPartyVulnResult(userID string, scannerID string, as
 	fixedVulns := comparison.OnlyInA
 	newVulns := comparison.OnlyInB
 
+	inBoth := comparison.InBoth // these are the vulns that are already in the database, but we need to update them
+
+	updatedFirstPartyVulns := make([]models.FirstPartyVuln, 0)
+
+	for i := range inBoth {
+		for n := range vulns {
+			if inBoth[i].ID == vulns[n].ID {
+				// we found a new vuln that is already in the database, we need to update it
+				inBoth[i].SnippetContents = vulns[n].SnippetContents
+				updatedFirstPartyVulns = append(updatedFirstPartyVulns, inBoth[i])
+			}
+		}
+	}
+
 	// get a transaction
 	if err := s.firstPartyVulnRepository.Transaction(func(tx core.DB) error {
 		if err := s.firstPartyVulnService.UserDetectedFirstPartyVulns(tx, userID, scannerID, newVulns); err != nil {
 			// this will cancel the transaction
 			return err
 		}
-		return s.firstPartyVulnService.UserFixedFirstPartyVulns(tx, userID, fixedVulns)
+		if err := s.firstPartyVulnService.UserFixedFirstPartyVulns(tx, userID, fixedVulns); err != nil {
+			return err
+		}
+
+		// update existing first party vulns within the transaction
+		for _, v := range updatedFirstPartyVulns {
+			if err := s.firstPartyVulnRepository.Save(tx, &v); err != nil {
+				slog.Error("could not update existing first party vulns", "err", err)
+				return err
+			}
+		}
+		return nil
 	}); err != nil {
 		slog.Error("could not save vulns", "err", err)
 		return 0, 0, []models.FirstPartyVuln{}, err
 	}
-
 	// the amount we actually fixed, is the amount that was open before
 	fixedVulns = utils.Filter(fixedVulns, func(vuln models.FirstPartyVuln) bool {
 		return vuln.State == models.VulnStateOpen
@@ -217,7 +277,7 @@ func (s *service) handleFirstPartyVulnResult(userID string, scannerID string, as
 		}()
 	}
 
-	return len(newVulns), len(fixedVulns), append(newVulns, comparison.InBoth...), nil
+	return len(newVulns), len(fixedVulns), append(newVulns, inBoth...), nil
 }
 
 func (s *service) HandleScanResult(org models.Org, project models.Project, asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scannerID string, userID string) (opened []models.DependencyVuln, closed []models.DependencyVuln, newState []models.DependencyVuln, err error) {