smithy-security
diff --git a/‎sarif/sarif.go‎
Lines changed: 62 additions & 8 deletions b/‎sarif/sarif.go‎
Lines changed: 62 additions & 8 deletions
@@ -32,6 +32,10 @@ type SarifTransformer struct {
 	ruleToEcosystem   map[string]string
 	richDescription   bool
 	dataSource        *ocsffindinginfo.DataSource
+
+	// the root path to which all file paths should be relative to, will be ultimately removed from findings,
+	// this is used to handle CI/CD cases where findings have absolute path to the filesystem as opposed to project root.
+	workspacePath string
 }
 
 var typeName = map[int64]string{
@@ -76,6 +80,7 @@ func NewTransformer(
 	guidProvider StableUUIDProvider,
 	richDescription bool,
 	dataSource *ocsffindinginfo.DataSource,
+	workspacePath string,
 ) (*SarifTransformer, error) {
 	if scanResult == nil {
 		return nil, errors.Errorf("method 'NewTransformer called with nil scanResult")
@@ -97,6 +102,11 @@ func NewTransformer(
 		return nil, errors.Errorf("invalid data source provider: %w", err)
 	}
 
+	cleanedWorkspacePath := filepath.Clean(workspacePath)
+	if !filepath.IsAbs(cleanedWorkspacePath) {
+		return nil, errors.Errorf("workspace path must be an absolute path")
+	}
+
 	return &SarifTransformer{
 		clock:             clock,
 		sarifResult:       *scanResult,
@@ -106,6 +116,7 @@ func NewTransformer(
 		taxasByCWEID:      make(map[string]sarif.ReportingDescriptor),
 		richDescription:   richDescription,
 		dataSource:        dataSource,
+		workspacePath:     cleanedWorkspacePath,
 	}, nil
 }
 
@@ -161,7 +172,10 @@ func (s *SarifTransformer) transformToOCSF(
 	res *sarif.Result,
 ) (*ocsf.VulnerabilityFinding, error) {
 	slog.Debug("parsing run from", slog.String("toolname", toolName))
-	affectedCode, affectedPackages := s.mapAffected(res)
+	affectedCode, affectedPackages, err := s.mapAffected(res)
+	if err != nil {
+		return nil, errors.Errorf("could not map affected code/packages: %w", err)
+	}
 
 	var (
 		ruleID           *string
@@ -346,6 +360,32 @@ func (s *SarifTransformer) isSnykURI(uri string) bool {
 	return strings.HasPrefix(uri, "https_//")
 }
 
+// constructPath will take a given path and construct a file url pointing to the file relative to the workspacePath
+func (s *SarifTransformer) constructPath(path string) (string, error) {
+	// if path is a file url (file://) we need to get the path after file before adding it back
+	if strings.HasPrefix(path, "file://") {
+		pathURL, err := url.Parse(path)
+		if err != nil {
+			return "", errors.Errorf("could not parse file url %s: %w", path, err)
+		}
+		if pathURL.Host != "" {
+			path = pathURL.Host + pathURL.Path
+		} else {
+			path = pathURL.Path
+		}
+	}
+	cleanedPath := filepath.Clean(path)
+	if s.workspacePath != "" && strings.HasPrefix(cleanedPath, s.workspacePath) {
+		pth, err := filepath.Rel(s.workspacePath, cleanedPath)
+		if err != nil {
+			return "", errors.Errorf("could not get relative path from path %s using prefix %q", cleanedPath, s.workspacePath)
+		}
+		cleanedPath = pth
+	}
+	finalPath := fmt.Sprintf("file://%s", cleanedPath)
+	return finalPath, nil
+}
+
 func (s *SarifTransformer) mapAffectedPackage(fixes []sarif.Fix, purl packageurl.PackageURL) *ocsf.AffectedPackage {
 	affectedPackage := &ocsf.AffectedPackage{
 		Purl:           utils.Ptr(purl.String()),
@@ -440,11 +480,11 @@ func (s *SarifTransformer) rulesToEcosystem() map[string]string {
 	return result
 }
 
-func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, []*ocsf.AffectedPackage) {
+func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode, []*ocsf.AffectedPackage, error) {
 	var affectedCode []*ocsf.AffectedCode
 	var affectedPackages []*ocsf.AffectedPackage
 	if s.dataSource.TargetType == ocsffindinginfo.DataSource_TARGET_TYPE_WEBSITE { // websites do not carry code or package info
-		return nil, nil
+		return nil, nil, nil
 	}
 
 	for _, location := range res.Locations {
@@ -469,14 +509,21 @@ func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode,
 		}
 
 		if physicalLocation.ArtifactLocation != nil && physicalLocation.ArtifactLocation.Uri != nil {
+			uri := *location.PhysicalLocation.ArtifactLocation.Uri
 			if p := s.detectPackageFromPhysicalLocation(*physicalLocation, pkgType); p != nil {
 				affectedPackages = append(affectedPackages, s.mapAffectedPackage(res.Fixes, *p))
-			} else if !s.isSnykURI(*location.PhysicalLocation.ArtifactLocation.Uri) {
 				// Snyk special case, they use the repo url with some weird replacement as the artifact location
+			} else if !s.isSnykURI(uri) {
+				finalPath, err := s.constructPath(uri)
+				if err != nil {
+					return nil, nil, errors.Errorf("could not construct path for affected code: %w", err)
+				}
+
 				ac := &ocsf.AffectedCode{
 					File: &ocsf.File{
-						Name: *location.PhysicalLocation.ArtifactLocation.Uri,
-						Path: utils.Ptr(fmt.Sprintf("file://%s", *location.PhysicalLocation.ArtifactLocation.Uri)),
+						// we will also need to change this line as well, if we can
+						Name: strings.ReplaceAll(finalPath, "file://", ""),
+						Path: utils.Ptr(finalPath),
 					},
 				}
 
@@ -500,7 +547,7 @@ func (s *SarifTransformer) mapAffected(res *sarif.Result) ([]*ocsf.AffectedCode,
 		}
 	}
 
-	return affectedCode, affectedPackages
+	return affectedCode, affectedPackages, nil
 }
 
 func (s *SarifTransformer) mapSeverity(sarifResLevel sarif.ResultLevel) ocsf.VulnerabilityFinding_SeverityId {
@@ -657,9 +704,16 @@ func (s *SarifTransformer) mergeDataSources(
 		if s.isSnykURI(*location.PhysicalLocation.ArtifactLocation.Uri) {
 			dataSource.Uri = nil
 		} else {
+			uri := *location.PhysicalLocation.ArtifactLocation.Uri
+
+			finalPath, err := s.constructPath(uri)
+			if err != nil {
+				return nil, errors.Errorf("could not construct path for repository data source: %w", err)
+			}
+
 			dataSource.Uri = &ocsffindinginfo.DataSource_URI{
 				UriSchema: ocsffindinginfo.DataSource_URI_SCHEMA_FILE,
-				Path:      "file://" + filepath.Clean(*location.PhysicalLocation.ArtifactLocation.Uri),
+				Path:      finalPath,
 			}
 		}