Add repo owner tracking (#243)

* Add tracking of Github repository owner to the DirectLinking API calls.
* Resolved iterable error on missing extension rules

Author: simon-harloff-scw

directLinking.js

@@ -7,13 +7,22 @@ const API_URL_PATH = '/api/v1/trial';
 const PARTNER_ID = 'github-sarif-action';
 
 async function getTrainingData(mappingListId, mappingKey, languageKey) {
+
+    // create an list of values to populate into the Id param of the DI linking API
+    let idValue = [PARTNER_ID];
+    if (process.env.GITHUB_REPOSITORY) {
+        const githubOwner = process.env.GITHUB_REPOSITORY.split('/')[0];
+        idValue.push(githubOwner);
+    }
+
     let url;
     if (languageKey) {
-        url = `${API_URL_ORIGIN}${API_URL_PATH}?Id=${PARTNER_ID}&MappingList=${mappingListId}&MappingKey=${mappingKey}&LanguageKey=${languageKey}`;
+        url = `${API_URL_ORIGIN}${API_URL_PATH}?Id=${idValue.join(':')}&MappingList=${mappingListId}&MappingKey=${mappingKey}&LanguageKey=${languageKey}`;
     }
     else {
-        url = `${API_URL_ORIGIN}${API_URL_PATH}?Id=${PARTNER_ID}&MappingList=${mappingListId}&MappingKey=${mappingKey}`;
+        url = `${API_URL_ORIGIN}${API_URL_PATH}?Id=${idValue.join(':')}&MappingList=${mappingListId}&MappingKey=${mappingKey}`;
     }
+
     return fetch(url)
         .then(function (response) {
             if (!response.ok) {

dist/index.js

@@ -1,6 +1,6 @@
 {
   "name": "github-action-add-sarif-contextual-training",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "GitHub Action for adding contextual training material to SARIF files",
   "main": "index.js",
   "scripts": {

dist/index.js.map

@@ -93,6 +93,8 @@ async function processRun(run, languageKey, triggeredRules) {
 
     if (run && run.tool && run.tool.extensions && run.tool.extensions) {
         for (const extension of run.tool.extensions) {
+            if (!extension.rules || !Array.isArray(extension.rules)) continue;
+
             for (const rule of extension.rules) {
                 try {
                     await processRule(rule, languageKey, triggeredRules);

package.json

@@ -52,8 +52,8 @@
                 "problem.severity": "error"
               },
               "help": {
-                "text": "Non-HTTPS connections can be intercepted by third parties.\n\nBuild your secure coding skills and defend your code:\n\n[CWE 319] Cleartext Transmission of Sensitive Information [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)\n\nThe software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/itlp/sensitiveinfo)\n\n[CWE 494] Download of Code Without Integrity Check [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)\n\nThe product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/vulncomponents/untrustedsource)\n\n[CWE 829] Inclusion of Functionality from Untrusted Control Sphere [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)\n\nThe software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/vulncomponents/untrustedsource)",
-                "markdown": "Non-HTTPS connections can be intercepted by third parties.\n\n## Build your secure coding skills and defend your code\n\n#### [CWE 319] Cleartext Transmission of Sensitive Information *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)*\n\n* The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/itlp/sensitiveinfo)\n\n#### [CWE 494] Download of Code Without Integrity Check *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)*\n\n* The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/vulncomponents/untrustedsource)\n\n#### [CWE 829] Inclusion of Functionality from Untrusted Control Sphere *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)*\n\n* The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action&partner_id=github-sarif-action#/contextual-microlearning/web/vulncomponents/untrustedsource)"
+                "text": "Non-HTTPS connections can be intercepted by third parties.\n\nBuild your secure coding skills and defend your code:\n\n[CWE 319] Cleartext Transmission of Sensitive Information [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)\n\nThe software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/itlp/sensitiveinfo)\n\n[CWE 494] Download of Code Without Integrity Check [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)\n\nThe product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/vulncomponents/untrustedsource)\n\n[CWE 829] Inclusion of Functionality from Untrusted Control Sphere [What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)\n\nThe software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/vulncomponents/untrustedsource)",
+                "markdown": "Non-HTTPS connections can be intercepted by third parties.\n\n## Build your secure coding skills and defend your code\n\n#### [CWE 319] Cleartext Transmission of Sensitive Information *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)*\n\n* The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/itlp/sensitiveinfo)\n\n#### [CWE 494] Download of Code Without Integrity Check *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)*\n\n* The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/vulncomponents/untrustedsource)\n\n#### [CWE 829] Inclusion of Functionality from Untrusted Control Sphere *[What is this? (2min video)](https://media.securecodewarrior.com/v2/module_133_using_components_from_untrusted_sources.mp4)*\n\n* The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. [Try this challenge in Secure Code Warrior](https://portal.securecodewarrior.com/?utm_source=partner-integration:github-sarif-action:scw&partner_id=github-sarif-action:scw#/contextual-microlearning/web/vulncomponents/untrustedsource)"
               }
             },
             {