fix(sca): make the abs path to be correcnt

checkov/sca_package_2/runner.py

@@ -28,28 +28,36 @@ def __init__(self, report_type: str = check_type) -> None:
         self._code_repo_path: Path | None = None
         self.report_type = report_type
 
+    def _get_s3_file_key_to_abs_path(self, uploaded_files: List[FileToPersist]) -> dict[str, str]:
+        s3_file_key_to_abs_path: dict[str, str] = dict()
+        for item in uploaded_files:
+            if item.s3_file_key in s3_file_key_to_abs_path:
+                raise Exception("[_get_s3_file_key_to_abs_path] not expected that 2 files has the same s3-key")
+            s3_file_key_to_abs_path[item.s3_file_key] = item.full_file_path
+        return s3_file_key_to_abs_path
+
     def prepare_and_scan(
             self,
             root_folder: str | Path | None,
             files: list[str] | None = None,
             runner_filter: RunnerFilter | None = None,
             excluded_file_names: set[str] | None = None,
-    ) -> tuple[dict[str, Any] | None, list[FileToPersist]]:
+    ) -> tuple[dict[str, Any] | None, dict[str, str]]:
         runner_filter = runner_filter or RunnerFilter()
         excluded_file_names = excluded_file_names or set()
 
         # skip complete run, if flag '--check' was used without a CVE check ID or the license policies
         if not should_run_scan(runner_filter.checks):
-            return None, []
+            return None, dict()
 
         if not bc_integration.bc_api_key:
             logging.info("The --bc-api-key flag needs to be set to run SCA package scanning")
-            return None, []
+            return None, dict()
 
         if bc_integration.bc_source and bc_integration.bc_source.name in IDEsSourceTypes \
                 and not bc_integration.is_prisma_integration():
             logging.info("The --bc-api-key flag needs to be set to a Prisma token for SCA scan for vscode or jetbrains extention")
-            return {}, []  # should just return an empty result
+            return {}, dict()  # should just return an empty result
 
         self._code_repo_path = Path(root_folder) if root_folder else None
 
@@ -68,11 +76,11 @@ def prepare_and_scan(
         )
         if uploaded_files is None:
             # failure happened during uploading
-            return None, []
+            return None, dict()
 
         if len(uploaded_files) == 0:
             # no packages were uploaded. we can skip the scanning
-            return {}, uploaded_files
+            return {}, dict()
 
         scanner = Scanner(self.pbar, root_folder)
         self._check_class = f"{scanner.__module__}.{scanner.__class__.__qualname__}"
@@ -81,7 +89,7 @@ def prepare_and_scan(
         if scan_results is not None:
             logging.info(f"SCA package scanning successfully scanned {len(scan_results)} files")
 
-        return scan_results, uploaded_files
+        return scan_results, self._get_s3_file_key_to_abs_path(uploaded_files)
 
     def run(
             self,
@@ -96,7 +104,7 @@ def run(
             self.pbar.turn_off_progress_bar()
 
         report = Report(self.check_type)
-        scan_results, uploaded_files = self.prepare_and_scan(root_folder, files, runner_filter)
+        scan_results, s3_file_key_to_abs_path = self.prepare_and_scan(root_folder, files, runner_filter)
         if scan_results is None:
             report.set_error_status(ErrorStatus.ERROR)
             return report
@@ -106,12 +114,6 @@ def run(
                 continue
             bc_integration.source_id = result.get("sourceId")
             package_file_path = Path(path)
-            if self._code_repo_path:
-                try:
-                    package_file_path = package_file_path.relative_to(self._code_repo_path)
-                except ValueError:
-                    # Path.is_relative_to() was implemented in Python 3.9
-                    pass
 
             vulnerabilities = result.get("vulnerabilities") or []
             packages = result.get("packages") or []
@@ -126,7 +128,7 @@ def run(
             add_to_report_sca_data(
                 report=report,
                 check_class=self._check_class,
-                scanned_file_path=str(package_file_path),
+                scanned_file_path=s3_file_key_to_abs_path.get(rootless_file_path, str(package_file_path)),
                 rootless_file_path=rootless_file_path,
                 runner_filter=runner_filter,
                 vulnerabilities=vulnerabilities,

tests/sca_package_2/conftest.py

@@ -1090,7 +1090,7 @@ def none() -> None:
 
     bc_integration.set_s3_integration = none
 
-
+    os.chdir(str(Path(__file__).parent.parent.parent))
     return Runner().run(root_folder=EXAMPLES_DIR)
 
 
@@ -1101,7 +1101,7 @@ def sca_package_report_dt(package_mocker: MockerFixture, scan_results_dt: Dict[s
     scanner_mock = MagicMock()
     scanner_mock.return_value.scan.return_value = scan_results_dt
     package_mocker.patch("checkov.sca_package_2.runner.Scanner", side_effect=scanner_mock)
-
+    os.chdir(str(Path(__file__).parent.parent.parent))
     return Runner().run(root_folder=EXAMPLES_DIR)
 
 

tests/sca_package_2/outputs/results_cyclonedx.xml

@@ -1,12 +1,12 @@
 <?xml version="1.0" ?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:f1f51feb-cd88-437a-8304-d03741a95496">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:bdc3a4d2-f93d-45a7-b870-778773b28fa8">
 	<metadata>
-		<timestamp>2022-09-03T20:46:24.858308+00:00</timestamp>
+		<timestamp>2023-10-18T09:44:16.243642+00:00</timestamp>
 		<tools>
 			<tool>
 				<vendor>CycloneDX</vendor>
 				<name>cyclonedx-python-lib</name>
-				<version>2.7.1</version>
+				<version>3.1.5</version>
 				<externalReferences>
 					<reference type="build-system">
 						<url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
@@ -131,25 +131,25 @@
 			</licenses>
 			<purl>pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/[email protected]</purl>
 		</component>
-		<component type="library" bom-ref="pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]">
+		<component type="library" bom-ref="pkg:pypi/bridgecrewio/example/requirements.txt/[email protected]">
 			<name>requests</name>
 			<version>2.26.0</version>
 			<licenses>
 				<license>
 					<name>OSI_APACHE</name>
 				</license>
 			</licenses>
-			<purl>pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]</purl>
+			<purl>pkg:pypi/bridgecrewio/example/requirements.txt/[email protected]</purl>
 		</component>
-		<component type="library" bom-ref="pkg:pypi/bridgecrewio/example/requirements.txt/[email protected]">
+		<component type="library" bom-ref="pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]">
 			<name>requests</name>
 			<version>2.26.0</version>
 			<licenses>
 				<license>
 					<name>OSI_APACHE</name>
 				</license>
 			</licenses>
-			<purl>pkg:pypi/bridgecrewio/example/requirements.txt/[email protected]</purl>
+			<purl>pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]</purl>
 		</component>
 	</components>
 	<dependencies>
@@ -159,11 +159,11 @@
 		<dependency ref="pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/miekg/[email protected]"/>
 		<dependency ref="pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/prometheus/[email protected]"/>
 		<dependency ref="pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/[email protected]"/>
-		<dependency ref="pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]"/>
 		<dependency ref="pkg:pypi/bridgecrewio/example/requirements.txt/[email protected]"/>
+		<dependency ref="pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/[email protected]"/>
 	</dependencies>
 	<vulnerabilities>
-		<vulnerability bom-ref="1639877a-5e7f-425e-af0a-93796261f90a">
+		<vulnerability bom-ref="d572c120-f086-4d62-99e1-15978d879cb2">
 			<id>CVE-2016-7401</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2016-7401</url>
@@ -188,7 +188,7 @@
 				</target>
 			</affects>
 		</vulnerability>
-		<vulnerability bom-ref="333f956a-4811-47ab-b294-42e3adcb33e9">
+		<vulnerability bom-ref="312b1ad9-b3f7-48e1-90ae-0a4e6963047d">
 			<id>CVE-2019-19844</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2019-19844</url>
@@ -213,7 +213,7 @@
 				</target>
 			</affects>
 		</vulnerability>
-		<vulnerability bom-ref="e3b7a0b0-c656-4e00-9eaf-94733d332e43">
+		<vulnerability bom-ref="4881c809-536b-4474-9570-64c16c2faf3e">
 			<id>CVE-2021-33203</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2021-33203</url>
@@ -238,7 +238,7 @@
 				</target>
 			</affects>
 		</vulnerability>
-		<vulnerability bom-ref="55888e48-7eaa-4119-8ee8-e477ba04e5ca">
+		<vulnerability bom-ref="eab1abbd-ca63-4cdb-a8af-bc635963c7cf">
 			<id>CVE-2018-1000656</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2018-1000656</url>
@@ -263,7 +263,7 @@
 				</target>
 			</affects>
 		</vulnerability>
-		<vulnerability bom-ref="269f2e3c-bbe5-4277-bb23-0bbe8a5d5ce4">
+		<vulnerability bom-ref="904615aa-9851-4bac-b34b-079e357a6c22">
 			<id>CVE-2020-26160</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2020-26160</url>
@@ -288,7 +288,7 @@
 				</target>
 			</affects>
 		</vulnerability>
-		<vulnerability bom-ref="f6aab757-a60c-463d-811a-eb61769fcfb8">
+		<vulnerability bom-ref="23c97d96-7af7-49cc-963a-7a465625c237">
 			<id>CVE-2020-29652</id>
 			<source>
 				<url>https://nvd.nist.gov/vuln/detail/CVE-2020-29652</url>

tests/sca_package_2/test_output_reports.py

@@ -279,10 +279,10 @@ def test_get_csv_report(sca_package_2_report, tmp_path: Path):
         'github.com/dgrijalva/jwt-go,v3.2.0,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-26160,HIGH,"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\""aud\\""] (which is allowed by the specification). Because the type assertion fails, \\""\\"" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.",Unknown,4.0.0rc1,,,',
         'django,1.2,/requirements.txt,,acme,bridgecrewio/example,CVE-2016-6186,MEDIUM,"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",OSI_BDS,1.8.14,https://pypi.python.org/,,',
         'flask,0.6,/requirements.txt,,acme,bridgecrewio/example,CVE-2019-1010083,HIGH,The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.,"OSI_APACHE, DUMMY_OTHER_LICENSE",1.0,https://pypi.python.org/,,',
+        'requests,2.26.0,/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,https://pypi.python.org/,,',
         'github.com/miekg/dns,v1.1.41,/path/to/go.sum,,acme,bridgecrewio/example,,,,Unknown,N/A,,,',
         'github.com/prometheus/client_model,v0.0.0-20190129233127-fd36f4220a90,/path/to/go.sum,,acme,bridgecrewio/example,,,,Unknown,N/A,,,',
-        'requests,2.26.0,/path/to/sub/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,,,',
-        'requests,2.26.0,/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,https://pypi.python.org/,,', '']
+        'requests,2.26.0,/path/to/sub/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,,,', '']
     csv_output_as_list = csv_output.split("\n")
     assert csv_output_as_list == expected_csv_output
 
@@ -296,10 +296,10 @@ def test_get_csv_report(sca_package_2_report, tmp_path: Path):
         '"github.com/dgrijalva/jwt-go",v3.2.0,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-26160,HIGH,"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\"aud\\"] (which is allowed by the specification). Because the type assertion fails, \\"\\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.","Unknown",4.0.0rc1,,,',
         '"django",1.2,/requirements.txt,,acme,bridgecrewio/example,CVE-2016-6186,MEDIUM,"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.","OSI_BDS",1.8.14,https://pypi.python.org/,,',
         '"flask",0.6,/requirements.txt,,acme,bridgecrewio/example,CVE-2019-1010083,HIGH,"The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.","OSI_APACHE, DUMMY_OTHER_LICENSE",1.0,https://pypi.python.org/,,',
+        '"requests",2.26.0,/requirements.txt,,acme,bridgecrewio/example,,,"","OSI_APACHE",N/A,https://pypi.python.org/,,',
         '"github.com/miekg/dns",v1.1.41,/path/to/go.sum,,acme,bridgecrewio/example,,,"","Unknown",N/A,,,',
         '"github.com/prometheus/client_model",v0.0.0-20190129233127-fd36f4220a90,/path/to/go.sum,,acme,bridgecrewio/example,,,"","Unknown",N/A,,,',
         '"requests",2.26.0,/path/to/sub/requirements.txt,,acme,bridgecrewio/example,,,"","OSI_APACHE",N/A,,,',
-        '"requests",2.26.0,/requirements.txt,,acme,bridgecrewio/example,,,"","OSI_APACHE",N/A,https://pypi.python.org/,,',
         '']
     csv_output_str_as_list = csv_output_str.split("\n")
     assert csv_output_str_as_list == expected_csv_output_str
@@ -534,7 +534,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -559,7 +559,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -584,7 +584,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -609,7 +609,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -634,7 +634,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -684,7 +684,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -715,7 +715,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,
@@ -746,7 +746,7 @@ def test_sarif_output(sca_package_report_2_with_skip_scope_function):
                             {
                                 "physicalLocation": {
                                     "artifactLocation": {
-                                        "uri": "requirements.txt"
+                                        "uri": "tests/sca_package_2/examples/requirements.txt"
                                     },
                                     "region": {
                                         "startLine": 1,

tests/sca_package_2/test_runner_dependency_tree.py

@@ -34,10 +34,10 @@ def test_run(sca_package_report_dt):
         'This may cause unexpected application behaviour including data disclosure. '
         'This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.'
     )
-    assert cve_record.file_abs_path == "/package-lock.json"
+    assert cve_record.file_abs_path == f"{EXAMPLES_DIR}/package-lock.json"
     assert cve_record.file_line_range == [0, 0]
     assert cve_record.file_path == "/package-lock.json"
-    assert cve_record.repo_file_path == "/package-lock.json"
+    assert cve_record.repo_file_path == "/tests/sca_package_2/examples/package-lock.json"
     assert cve_record.resource == 'package-lock.json.bson'
     assert cve_record.severity == Severities[BcSeverities.MEDIUM]
     assert cve_record.short_description == 'CVE-2019-2391 - bson: 1.0.9'