Add support for Bearer SAST

Author: nolliv22

codesectools/sasts/Bearer/__init__.py

@@ -0,0 +1 @@
+"""Initializes the Bearer SAST integration module."""

codesectools/sasts/Bearer/cli.py

@@ -0,0 +1,10 @@
+"""Defines the command-line interface for the Bearer integration.
+
+This script sets up the `typer` command group for Bearer and uses the
+`CLIFactory` to generate the standard set of subcommands (analyze, benchmark, etc.).
+"""
+
+from codesectools.sasts.Bearer.sast import BearerSAST
+from codesectools.sasts.core.cli import CLIFactory
+
+BearerCLIFactory = CLIFactory(BearerSAST(), custom_messages={"main": "Bearer SAST"})

codesectools/sasts/Bearer/parser.py

@@ -0,0 +1,93 @@
+"""Provide classes for parsing Bearer analysis results.
+
+This module defines `BearerFinding` and `BearerAnalysisResult` to process
+the JSON output from a Bearer scan, converting it into the standardized
+format used by CodeSecTools.
+"""
+
+import json
+from pathlib import Path
+from typing import Self
+
+from codesectools.sasts.core.parser import AnalysisResult, Defect
+from codesectools.shared.cwe import CWEs
+from codesectools.utils import MissingFile
+
+
+class BearerFinding(Defect):
+    """Represent a single defect found by Bearer."""
+
+    def __init__(self, defect_data: dict, severity: str) -> None:
+        """Initialize a BearerFinding instance.
+
+        Args:
+            defect_data: A dictionary representing a single finding from the JSON output.
+            severity: The severity level of the finding.
+
+        """
+        super().__init__(
+            file=Path(defect_data["filename"]).name,
+            checker=defect_data["id"],
+            category=severity,
+            cwe=CWEs.from_id(int(defect_data["cwe_ids"][0])),
+            data=defect_data,
+        )
+
+
+class BearerAnalysisResult(AnalysisResult):
+    """Represent the complete result of a Bearer analysis."""
+
+    def __init__(self, output_dir: Path, result_data: dict, cmdout: dict) -> None:
+        """Initialize a BearerAnalysisResult instance.
+
+        Args:
+            output_dir: The directory where the results are stored.
+            result_data: Parsed data from the main Bearer JSON output.
+            cmdout: A dictionary with metadata from the command execution.
+
+        """
+        super().__init__(
+            name=output_dir.name,
+            lang=cmdout["lang"],
+            files=[],
+            defects=[],
+            time=cmdout["duration"],
+            loc=cmdout["loc"],
+            data=(result_data, cmdout),
+        )
+
+        for severity, findings in result_data.items():
+            for finding in findings:
+                self.files.append(Path(finding["filename"]).name)
+                self.defects.append(
+                    BearerFinding(defect_data=finding, severity=severity)
+                )
+
+    @classmethod
+    def load_from_output_dir(cls, output_dir: Path) -> Self:
+        """Load and parse Bearer analysis results from a directory.
+
+        Read `bearer_output.json` and `cstools_output.json` to construct a complete
+        analysis result object.
+
+        Args:
+            output_dir: The directory containing the Bearer output files.
+
+        Returns:
+            An instance of `BearerAnalysisResult`.
+
+        Raises:
+            MissingFile: If a required result file is not found.
+
+        """
+        # Cmdout
+        cmdout = json.load((output_dir / "cstools_output.json").open())
+
+        # Analysis outputs
+        analysis_output_path = output_dir / "bearer_output.json"
+        if analysis_output_path.is_file():
+            analysis_output = json.load(analysis_output_path.open("r"))
+        else:
+            raise MissingFile(["bearer_output.json"])
+
+        return cls(output_dir, analysis_output, cmdout)

codesectools/sasts/Bearer/sast.py

@@ -0,0 +1,76 @@
+"""Define the SAST integration for Bearer.
+
+This module provides the `BearerSAST` class, which configures and orchestrates
+the execution of Bearer scans using the core SAST framework.
+"""
+
+from pathlib import Path
+
+from codesectools.sasts.Bearer.parser import BearerAnalysisResult
+from codesectools.sasts.core.sast.properties import SASTProperties
+from codesectools.sasts.core.sast.requirements import (
+    Binary,
+    GitRepo,
+    SASTRequirements,
+)
+from codesectools.sasts.core.sast.sast import SAST
+from codesectools.utils import USER_CACHE_DIR
+
+
+class BearerSAST(SAST):
+    """SAST integration for Bearer.
+
+    Attributes:
+        name (str): The name of the SAST tool.
+        supported_languages (list[str]): A list of supported programming languages.
+        supported_dataset_names (list[str]): A list of names of compatible datasets.
+        properties (SASTProperties): The properties of the SAST tool.
+        requirements (SASTRequirements): The requirements for the SAST tool.
+        commands (list[list[str]]): A list of command-line templates to be executed.
+        output_files (list[tuple[Path, bool]]): A list of expected output files and
+            whether they are required.
+        parser (type[BearerAnalysisResult]): The parser class for the tool's results.
+        color_mapping (dict): A mapping of result categories to colors for plotting.
+
+    """
+
+    name = "Bearer"
+    supported_languages = ["java"]
+    supported_dataset_names = ["BenchmarkJava", "CVEfixes"]
+    properties = SASTProperties(free=True, offline=True, buildless=True)
+    requirements = SASTRequirements(
+        full_reqs=[Binary("bearer", url="https://docs.bearer.com/quickstart/")],
+        partial_reqs=[
+            GitRepo(
+                name="bearer-rules",
+                repo_url="https://github.com/Bearer/bearer-rules.git",
+                license="Elastic License 2.0",
+                license_url="https://www.elastic.co/licensing/elastic-license",
+            )
+        ],
+    )
+    commands = [
+        [
+            "bearer",
+            "scan",
+            ".",
+            "--force",
+            "--disable-default-rules",
+            f"--external-rule-dir={str(USER_CACHE_DIR / 'bearer-rules' / 'rules' / '{lang}')}",
+            "--scanner=sast",
+            "--format=json",
+            "--output=bearer_output.json",
+            "--disable-version-check",
+        ]
+    ]
+    output_files = [
+        (Path("bearer_output.json"), True),
+    ]
+    parser = BearerAnalysisResult
+    color_mapping = {
+        "critical": "red",
+        "high": "orangered",
+        "medium": "orange",
+        "low": "gold",
+        "warning": "yellow",
+    }

docs/sast/profiles/bearer.yaml

@@ -0,0 +1,16 @@
+name: Bearer
+description: Bearer is a static application security testing (SAST) tool designed to scan your source code and analyze data flows to identify, filter, and prioritize security and privacy risks.
+type: Data Flow Analysis
+url: https://github.com/Bearer/bearer
+supported_version: 1.151.0
+legal:
+  license: Elastic License 2.0
+  license_type: Source Available
+  license_url: https://www.elastic.co/licensing/elastic-license
+requirements:
+  - An existing installation of Bearer.
+  - An internet connection is required **only** to download [bearer-rules](https://github.com/Bearer/bearer-rules).
+extra: |
+    !!! warning "Key Considerations"
+        
+        The analysis tool is using Bearer Rules which is also license under [Elastic License 2.0](https://www.elastic.co/licensing/elastic-license).

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "CodeSecTools"
-version = "0.6.5"
+version = "0.7.0"
 description = "A framework for code security that provides abstractions for static analysis tools and datasets to support their integration, testing, and evaluation."
 readme = "README.md"
 license = "AGPL-3.0-only"

tests/Dockerfile

@@ -20,11 +20,13 @@ RUN apt update -qq && \
     apt install \
         git \
         cloc \
+        curl \
     -y -qq --no-install-recommends && \
     rm -rf /var/lib/apt/lists/*
 
 # Free SASTs only
 RUN pip install --no-cache semgrep
+RUN curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | BINDIR=/usr/bin sh
 
 COPY --from=builder --chown=app:app /app /app
 ENV PATH="/app/.venv/bin:$PATH"