Merge pull request #7 from OPPIDA/feat/c-support

Author: nolliv22

Makefile

@@ -28,4 +28,4 @@ test-debug:	## Spawn an interactive shell in the test container to debug
 	@docker compose run --rm test /bin/bash
 
 docs-serve:	## Serve the documentation locally
-	@mkdocs serve
+	@mkdocs serve --livereload

README.md

@@ -24,7 +24,7 @@ A framework for code security that provides abstractions for static analysis too
 
 - Clone the repository:
 ```bash
-git clone git@github.com:OPPIDA/CodeSecTools.git
+git clone https://github.com/OPPIDA/CodeSecTools.git
 cd CodeSecTools
 ```
 
@@ -53,6 +53,16 @@ cd CodeSecTools
 - **Concurrent Analysis for Cross-Verification**: CodeSecTools can run multiple SAST tools simultaneously on the same project. This allows for the aggregation and cross-verification of results, increasing confidence in the identified vulnerabilities by highlighting findings reported by multiple tools.
 - **Automated Reporting and Visualization**: The framework can generate detailed reports in HTML format and create graphs to visualize analysis results, helping to identify trends such as the most common CWEs or the files with the highest number of defects.
 
+### SAST Tool Integration Status
+
+|SAST Tool|Languages|Maintained|Tested|
+|:---:|:---:|:---:|:---:|
+|Coverity|Java|❌ (Proprietary)|❌ (Proprietary)|
+|Semgrep Community Edition|C, Java|✅|✅|
+|Snyk Code|C, Java|✅|❌ (Rate limited)|
+|Bearer|Java|✅|✅|
+|SpotBugs|Java|✅|✅|
+
 ## Usage
 
 #### Command-line interface

codesectools/sasts/all/cli.py

@@ -66,7 +66,7 @@ def analyze(
         lang: Annotated[
             str,
             typer.Argument(
-                click_type=Choice(all_sast.supported_languages),
+                click_type=Choice(all_sast.sasts_by_lang.keys()),
                 help="Source code language (only one at the time)",
                 metavar="LANG",
             ),
@@ -89,7 +89,7 @@ def analyze(
         ] = False,
     ) -> None:
         """Run analysis on the current project with all available SAST tools."""
-        for sast in all_sast.sasts:
+        for sast in all_sast.sasts_by_lang.get(lang, []):
             if isinstance(sast, PrebuiltSAST) and artifact_dir is None:
                 print(f"{sast.name} required pre-built artifacts for analysis")
                 print(
@@ -117,7 +117,7 @@ def benchmark(
         dataset: Annotated[
             str,
             typer.Argument(
-                click_type=Choice(all_sast.supported_dataset_full_names),
+                click_type=Choice([d.name for d in all_sast.sasts_by_dataset]),
                 metavar="DATASET",
             ),
         ],
@@ -138,7 +138,7 @@ def benchmark(
     ) -> None:
         """Run a benchmark on a dataset using all available SAST tools."""
         dataset_name, lang = dataset.split("_")
-        for sast in all_sast.sasts:
+        for sast in all_sast.sasts_by_dataset.get(lang, []):
             dataset = DATASETS_ALL[dataset_name](lang)
             if isinstance(dataset, FileDataset):
                 sast.analyze_files(dataset, overwrite, testing)

codesectools/sasts/all/graphics.py

@@ -31,8 +31,11 @@ def __init__(self, project_name: str) -> None:
         self.output_dir = self.all_sast.output_dir / project_name
         self.color_mapping = {}
         cmap = plt.get_cmap("Set2")
+        self.sast_names = []
         for i, sast in enumerate(self.all_sast.sasts):
-            self.color_mapping[sast.name] = cmap(i)
+            if self.project_name in sast.list_results(project=True):
+                self.color_mapping[sast.name] = cmap(i)
+                self.sast_names.append(sast.name)
         self.plot_functions = []
 
         # Plot options
@@ -156,6 +159,9 @@ def plot_overview(self) -> Figure:
         # Plot by categories
         X_categories = ["HIGH", "MEDIUM", "LOW"]
         for category in X_categories:
+            if not by_categories.get(category):
+                continue
+
             sast_counts = by_categories[category]["sast_counts"]
 
             bars = []
@@ -200,10 +206,9 @@ def plot_top_cwes(self) -> Figure:
             X_cwes.append(f"{cwe.name}")
             cwe_data.append(data)
 
-        sast_names = sorted([sast.name for sast in self.all_sast.sasts])
         bottoms = [0] * len(X_cwes)
 
-        for sast_name in sast_names:
+        for sast_name in self.sast_names:
             sast_counts = [data["sast_counts"].get(sast_name, 0) for data in cwe_data]
 
             ax.bar(

codesectools/sasts/all/sast.py

@@ -2,7 +2,6 @@
 
 from typing import TYPE_CHECKING
 
-from codesectools.datasets import DATASETS_ALL
 from codesectools.sasts import SASTS_ALL
 from codesectools.sasts.all.parser import AllSASTAnalysisResult
 from codesectools.utils import USER_OUTPUT_DIR
@@ -25,31 +24,21 @@ def __init__(self) -> None:
             if sast_data["status"] == "full":
                 self.sasts.append(sast_data["sast"]())
 
-        self.supported_languages = {}
-        self.supported_dataset_names = {}
+        self.sasts_by_lang = {}
+        self.sasts_by_dataset = {}
 
         for sast in self.sasts:
-            if not self.supported_languages:
-                self.supported_languages = set(sast.supported_languages)
-                self.supported_dataset_names = set(sast.supported_dataset_names)
-            else:
-                self.supported_languages &= set(sast.supported_languages)
-                self.supported_dataset_names &= set(sast.supported_dataset_names)
-
-        self.supported_datasets = [
-            DATASETS_ALL[d] for d in self.supported_dataset_names
-        ]
-
-    @property
-    def supported_dataset_full_names(self) -> set[str]:
-        """List all language-specific datasets supported by all enabled SAST tools."""
-        datasets_full_name = set()
-        for dataset in self.supported_datasets:
-            for dataset_full_name in dataset.list_dataset_full_names():
-                dataset_name, lang = dataset_full_name.split("_")
-                if lang in self.supported_languages:
-                    datasets_full_name.add(dataset_full_name)
-        return datasets_full_name
+            for lang in sast.supported_languages:
+                if self.sasts_by_lang.get(lang):
+                    self.sasts_by_lang[lang].append(sast)
+                else:
+                    self.sasts_by_lang[lang] = [sast]
+
+            for dataset in sast.supported_datasets:
+                if self.sasts_by_dataset.get(dataset):
+                    self.sasts_by_dataset[dataset].append(sast)
+                else:
+                    self.sasts_by_dataset[dataset] = [sast]
 
     def list_results(
         self, project: bool = False, dataset: bool = False, limit: int | None = None

codesectools/sasts/core/sast/__init__.py

@@ -53,6 +53,7 @@ class SAST(ABC):
         properties (SASTProperties): The properties of the SAST tool.
         requirements (SASTRequirements): The requirements for the SAST tool.
         commands (list[list[str]]): Command-line templates to be executed.
+        valid_codes (list[int]): A list of exit codes indicating that the command did not fail.
         environ (dict[str, str]): Environment variables to set for commands.
         output_files (list[tuple[Path, bool]]): Expected output files and
             whether they are required.
@@ -75,6 +76,7 @@ class SAST(ABC):
     properties: SASTProperties
     requirements: SASTRequirements
     commands: list[list[str]]
+    valid_codes: list[int]
     environ: dict[str, str] = {}
     output_files: list[tuple[Path, bool]]
     parser: AnalysisResult
@@ -84,9 +86,7 @@ class SAST(ABC):
     def __init__(self) -> None:
         """Initialize the SAST instance.
 
-        Set up the list of supported dataset objects based on the
-        `supported_dataset_names` class attribute and define the tool-specific
-        output directory.
+        Set up supported datasets, the output directory, and requirement status.
         """
         self.supported_datasets = [
             DATASETS_ALL[d] for d in self.supported_dataset_names
@@ -153,7 +153,7 @@ def run_analysis(
                 rendered_command = self.render_command(command, render_variables)
                 retcode, out = run_command(rendered_command, project_dir, self.environ)
                 command_output += out
-                if retcode != 0:
+                if retcode not in self.valid_codes:
                     raise NonZeroExit(rendered_command, command_output)
             end = time.time()
 

codesectools/sasts/tools/Bearer/sast.py

@@ -27,6 +27,7 @@ class BearerSAST(BuildlessSAST):
         properties (SASTProperties): The properties of the SAST tool.
         requirements (SASTRequirements): The requirements for the SAST tool.
         commands (list[list[str]]): A list of command-line templates to be executed.
+        valid_codes (list[int]): A list of exit codes indicating that the command did not fail.
         output_files (list[tuple[Path, bool]]): A list of expected output files and
             whether they are required.
         parser (type[BearerAnalysisResult]): The parser class for the tool's results.
@@ -64,6 +65,7 @@ class BearerSAST(BuildlessSAST):
             "--exit-code=0",
         ]
     ]
+    valid_codes = [0]
     output_files = [
         (Path("bearer_output.json"), True),
     ]

codesectools/sasts/tools/Coverity/sast.py

@@ -26,6 +26,7 @@ class CoveritySAST(BuildlessSAST):
         properties (SASTProperties): The properties of the SAST tool.
         requirements (SASTRequirements): The requirements for the SAST tool.
         commands (list[list[str]]): A list of command-line templates to be executed.
+        valid_codes (list[int]): A list of exit codes indicating that the command did not fail.
         output_files (list[tuple[Path, bool]]): A list of expected output files and
             whether they are required.
         parser (type[CoverityAnalysisResult]): The parser class for the tool's results.
@@ -69,6 +70,7 @@ class CoveritySAST(BuildlessSAST):
             "--enable-callgraph-metrics",
         ],
     ]
+    valid_codes = [0]
     output_files = [
         (Path("coverity.yaml"), False),
         (Path("idir", "coverity-cli", "capture-files-src-list*"), True),

codesectools/sasts/tools/SemgrepCE/sast.py

@@ -27,6 +27,7 @@ class SemgrepCESAST(BuildlessSAST):
         properties (SASTProperties): The properties of the SAST tool.
         requirements (SASTRequirements): The requirements for the SAST tool.
         commands (list[list[str]]): A list of command-line templates to be executed.
+        valid_codes (list[int]): A list of exit codes indicating that the command did not fail.
         output_files (list[tuple[Path, bool]]): A list of expected output files and
             whether they are required.
         parser (type[SemgrepCEAnalysisResult]): The parser class for the tool's results.
@@ -35,7 +36,7 @@ class SemgrepCESAST(BuildlessSAST):
     """
 
     name = "SemgrepCE"
-    supported_languages = ["java"]
+    supported_languages = ["java", "c"]
     supported_dataset_names = ["BenchmarkJava", "CVEfixes"]
     properties = SASTProperties(free=True, offline=True)
     requirements = SASTRequirements(
@@ -60,6 +61,7 @@ class SemgrepCESAST(BuildlessSAST):
             "--json-output=semgrepce_output.json",
         ]
     ]
+    valid_codes = [0, 1]  # https://semgrep.dev/docs/cli-reference#exit-codes
     output_files = [
         (Path("semgrepce_output.json"), True),
     ]

codesectools/sasts/tools/SnykCode/parser.py

@@ -54,6 +54,8 @@ class SnykCodeAnalysisResult(AnalysisResult):
     metadata, including timings, file lists, and defects.
     """
 
+    normalize_lang_names = {"cpp": ["c", "cpp"]}
+
     def __init__(self, output_dir: Path, result_data: dict, cmdout: dict) -> None:
         """Initialize a SnykCodeAnalysisResult instance.
 
@@ -81,7 +83,7 @@ def __init__(self, output_dir: Path, result_data: dict, cmdout: dict) -> None:
             for result in run["results"]:
                 rule_index = result["ruleIndex"]
                 lang, *_, checker = result["ruleId"].split("/")
-                if lang != self.lang:
+                if self.lang not in self.normalize_lang_names[lang]:
                     continue
 
                 defect = SnykCodeIssue(