Merge pull request #24 from SecureCodeWarrior/master

Added phrase support and updated dependencies

Author: cwong-scw

.github/workflows/test.yml

@@ -24,3 +24,4 @@ jobs:
       with:
         inputSarifFile: ./fixtures/test002.sarif
         outputSarifFile: ./fixtures/test002.out.sarif
+        githubToken: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -2,7 +2,7 @@
 
 This GitHub Action adds Secure Code Warrior contextual application security training material to SARIF files. This training material will be displayed within Code Scanning alerts if the resulting SARIF file is imported using the `github/codeql-action/upload-sarif` Action, and includes links to secure coding exercises and short explainer videos where available.
 
-This Action currently supports adding training material based on CWE references included in static analysis findings.
+This Action currently supports adding training material based on CWE references (e.g. CWE 89) and common vulnerability phrases (e.g. use-after-free vulnerability) included in static analysis findings.
 
 ## Usage
 

dist/index.js

@@ -0,0 +1,92 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Tool Name 3",
+          "rules": [
+            {
+              "id": "TEST01 CWE-22",
+              "name": "Test 01 rule name cwe: 23",
+              "messageStrings": {
+                "default": {
+                  "text": "This is the message text. It might be very long."
+                }
+              },
+              "shortDescription": {
+                "text": "SQL injection in some component"
+              },
+              "fullDescription": {
+                "text": "There is a use-after-free vulnerability in there somewhere too"
+              },
+              "help": {
+                "text": "some help text",
+                "markdown": "markdown version some link [here](https://github.com)"
+              },
+              "properties": {
+                "tags": [
+                  "Tag A",
+                  "cwE-24",
+                  "Tag B",
+                  "ssrF"
+                ]
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "TEST01",
+          "level": "error",
+          "message": {
+            "text": "Result text. This result does not have a rule associated."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app.js"
+                },
+                "region": {
+                  "startLine": 5,
+                  "startColumn": 4,
+                  "endColumn": 10
+                }
+              }
+            }
+          ],
+          "partialFingerprints": {
+            "primaryLocationLineHash": "39fa2ee980eb94b0:1"
+          }
+        },
+        {
+          "ruleId": "TEST01",
+          "level": "note",
+          "message": {
+            "text": "more different text."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 5,
+                  "endColumn": 8
+                }
+              }
+            }
+          ],
+          "partialFingerprints": {
+            "primaryLocationLineHash": "39fa2ee980eb94d0:1"
+          }
+        }
+      ]
+    }
+  ]
+}