json-parser: recognize SARIF format for semgrep output

[rhyw]

Related: https://issues.redhat.com/browse/OSH-57
Closes: #162

[hanchuntao]

Could you tell me how to create this stdout, thanks!

[rhyw]

My attempt was very tricky - I don't find from anywhere the helpers on generating files like this.

What I did was to use the plugin semgrep to scan a source rpm, so I get a .sarif file and a .js(json) file. I then tweak the sarif file as stdin and the scan-results-all.js as stdout. I did some investigation and guess that's how these text files were feeded by other plugins(snyk, gitleaks for example). If I understand it correctly, it's used by csgrep(used in the filter_hook) to test if after processing the output is as expected.

By tweaking the sarif file, I mean the original scan may contain tens of thousands of lines, thus I need to remove some redundant lines, for example I randomly chose a gzip source build, there're 700+ semgrep rules claimings with approx 70k+ lines, we definitely don't want to include all of them. Other tweaks includes for example to alter some of the lines produced, for example the unintended suspicous temporary dir prefix in the rules path. I think the process is quite time consuming without a guide. Also I doubt if there's a better way of doing this.

cc @kdudka

[kdudka]

@hanchuntao There is a script to sync the expected output of tests: https://github.com/csutils/csdiff/blob/main/tests/csgrep/sync.sh

[kdudka]

@rhyw OSH-57 should be referred to as Related: rather than Resolves: because this pull request does not resolve the issue on its own.

[lzaoral]

LGTM

[rhyw]

@rhyw OSH-57 should be referred to as Related: rather than Resolves: because this pull request does not resolve the issue on its own.

Thanks. Commit message / PR description updated.

[kdudka]

@rhyw Looks good. Thanks for the update!