From 4b807e348e51369c2d1ba2e8e51459c6c12e4622 Mon Sep 17 00:00:00 2001
From: George Liontos
Date: Tue, 12 Nov 2024 16:24:03 +0200
Subject: [PATCH] Add purls in sarif report

Signed-off-by: George Liontos
---
 grype/presenter/sarif/presenter.go | 15 +++++++++++++++
 .../snapshot/TestSarifPresenter_directory.golden | 6 ++++++
 .../snapshot/TestSarifPresenter_image.golden | 6 ++++++
 3 files changed, 27 insertions(+)

diff --git a/grype/presenter/sarif/presenter.go b/grype/presenter/sarif/presenter.go
index 3967f8e0f1b..d623c3e399f 100644
--- a/grype/presenter/sarif/presenter.go
+++ b/grype/presenter/sarif/presenter.go
@@ -17,6 +17,7 @@ import (
 "github.com/anchore/grype/grype/pkg"
 "github.com/anchore/grype/grype/presenter/models"
 "github.com/anchore/grype/grype/vulnerability"
+ "github.com/anchore/packageurl-go"
 "github.com/anchore/syft/syft/file"
 "github.com/anchore/syft/syft/source"
 )
@@ -122,6 +123,7 @@ func (pres *Presenter) sarifRules() (out []*sarif.ReportingDescriptor) {
 // For GitHub reportingDescriptor object:
 // https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
 "security-severity": pres.securitySeverityValue(m),
+ "purls": [...]string{deriveBomRef(m.Package)},
 },
 })
 }
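Review bot: The `purls` property added in sarifRules does not always hold a package URL: deriveBomRef (in the hunk that follows) falls back to the bare syft package ID whenever `p.PURL` does not parse, and both golden snapshots in this patch show exactly that (`"9baa2db122fea516"`, `"7bb53d560434bc7f"`), so a consumer reading `purls` as package-url strings will receive an opaque hash instead. The snapshots also suggest the test fixtures never exercise the parsed-purl branch, so the qualifier-appending path in deriveBomRef appears untested. Consider omitting the property when no valid purl exists, or at least documenting the fallback on the map entry, e.g. `// "purls" falls back to the syft package ID when the package has no parseable purl`. The value is written as a one-element array literal `[...]string{...}`; `[]string{deriveBomRef(m.Package)}` serializes identically and is the conventional form. sarifRules starts and ends outside this hunk.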
@@ -474,3 +476,16 @@ func imageShortPathName(s *source.Description) string {
 imageName = nonPathChars.ReplaceAllString(imageName, "")
 return imageName
 }
+
+func deriveBomRef(p pkg.Package) string {
+ // try and parse the PURL if possible and append syft id to it, to make
+ // the purl unique in the BOM.
+ // TODO: In the future we may want to dedupe by PURL and combine components with
+ // the same PURL while preserving their unique metadata.
+ if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
+ parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "package-id", Value: string(p.ID)})
+ return parsedPURL.ToString()
+ }
+ // fallback is to use strictly the ID if there is no valid pURL
+ return string(p.ID)
+}
diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden
index ca086cf40ea..5c2781585c6 100644
--- a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden
+++ b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden
@@ -24,6 +24,9 @@
 "markdown": "**Vulnerability CVE-1999-0001**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | package-1 | 1.1.1 | the-next-version | rpm | /some/path/somefile-1.txt | source-1 | CVE-1999-0001 |\n"
 },
 "properties": {
+ "purls": [
+ "9baa2db122fea516"
+ ],
 "security-severity": "4.0"
 }
 },
@@ -42,6 +45,9 @@
 "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | package-2 | 2.2.2 | | deb | /some/path/somefile-2.txt | source-2 | CVE-1999-0002 |\n"
 },
 "properties": {
+ "purls": [
+ "7bb53d560434bc7f"
+ ],
 "security-severity": "1.0"
 }
 }
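Review bot: deriveBomRef appends a `package-id` qualifier carrying the syft package ID to every purl it parses, so the string emitted under `purls` is no longer the package's canonical purl and will not compare equal to `p.PURL` or to the same package's purl in any other report; if a consumer matches on purl, the qualifier defeats that matching, and the comment's stated goal of uniqueness "in the BOM" does not obviously apply to a SARIF rule list. The function name and comment read as carried over from a BOM context, so a doc comment stating the actual contract would help: `// deriveBomRef returns p's purl with a package-id qualifier holding the syft package ID, or the bare ID when p.PURL does not parse.`. The discarded parse error is a deliberate best-effort path, but a short `// parse failure is expected for packages without a purl; fall through to the ID` would make that intent explicit for the next reader.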
diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden
index d86f1f7ff19..778f67a76b7 100644
--- a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden
+++ b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden
@@ -24,6 +24,9 @@
 "markdown": "**Vulnerability CVE-1999-0001**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | package-1 | 1.1.1 | the-next-version | rpm | somefile-1.txt | source-1 | CVE-1999-0001 |\n"
 },
 "properties": {
+ "purls": [
+ "9baa2db122fea516"
+ ],
 "security-severity": "4.0"
 }
 },
@@ -42,6 +45,9 @@
 "markdown": "**Vulnerability CVE-1999-0002**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| critical | package-2 | 2.2.2 | | deb | somefile-2.txt | source-2 | CVE-1999-0002 |\n"
 },
 "properties": {
+ "purls": [
+ "7bb53d560434bc7f"
+ ],
 "security-severity": "1.0"
 }
 }