
Use multiple output formats

Open ShreyasSubhedar opened this issue 4 years ago • 8 comments

Summary

I want multiple output formats to be generated, plus the stdout format, while running gosec.

Steps to reproduce the behavior

GO111MODULE=on ./bin/gosec -fmt=text -out=text.txt -fmt=json -out=result.json ./...

gosec version

latest

Go version (output of 'go version')

v1.16

Operating system / Environment

Expected behavior

All provided formats need to be generated, along with stdout.

Actual behavior

Only the last -out is being generated.

ShreyasSubhedar avatar Apr 30 '21 06:04 ShreyasSubhedar

What's wrong with looping on the tool call, like in the following pseudo-code?

runs="text:file.txt json:file.json"
for run in $runs; do
   fmt=${run%%:*}; out=${run#*:}
   # gosec exits non-zero when it reports issues, so don't let that stop the loop
   GO111MODULE=on ./bin/gosec -fmt="$fmt" -out="$out" ./... || true
   cat "$out"
done

Allowing what you are asking seems to be against the SRP.

mmorel-35 avatar May 07 '21 11:05 mmorel-35

I agree, but in my opinion, running the analysis twice just to generate multiple file formats isn't the best approach, when we can always save the output in different formats!

And also, running it multiple times creates multiple [gosec] logs:

[gosec] 2021/05/08 20:44:07 Checking package: yaml < 1st time
[gosec] 2021/05/08 20:44:07 Checking file: /Users/shreyas.subhedar/Documents/GitHub/gosec/report/yaml/writer.go
[gosec] 2021/05/08 20:44:07 Import directory: /Users/shreyas.subhedar/Documents/GitHub/gosec
[gosec] 2021/05/08 20:44:07 Checking package: gosec
[gosec] 2021/05/08 20:44:07 Checking package: yaml < 2nd time
[gosec] 2021/05/08 20:44:07 Checking file: /Users/shreyas.subhedar/Documents/GitHub/gosec/report/yaml/writer.go
[gosec] 2021/05/08 20:44:07 Import directory: /Users/shreyas.subhedar/Documents/GitHub/gosec
[gosec] 2021/05/08 20:44:07 Checking package: gosec

ShreyasSubhedar avatar May 08 '21 15:05 ShreyasSubhedar

If you allow multiple kinds of output, then you may have to change the command parameters to look like -json=file.json -sarif=report.sarif...

Having multiple logs for the same analysis seems too much indeed. But another idea would be to implement a command to convert from json to any other format. So there would be only one analysis which would output a json file and then a call to the convert command for every other format you might need.

mmorel-35 avatar May 08 '21 15:05 mmorel-35
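The "run the analysis once, emit JSON, convert to every other format" idea from the comment above, as an added example that is not part of the gosec project and not from this thread's authors. It assumes the subset of gosec's JSON report layout shown in the embedded sample (a top-level "Issues" array with "severity", "confidence", "rule_id", "details", "file" and "line" fields); the sample report, the text layout and the CSV layout are all constructed for the example.

```go
package main

import (
	"encoding/csv"
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Issue is the subset of a gosec JSON issue this converter needs.
// Field names are assumed from gosec's JSON output, not copied from the project.
type Issue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
}

// Report is the top-level container of a gosec JSON report (assumed shape).
type Report struct {
	Issues []Issue `json:"Issues"`
}

// SampleJSON is a constructed report used when no file path is given.
const SampleJSON = `{
  "Issues": [
    {"severity":"HIGH","confidence":"HIGH","rule_id":"G101","details":"Potential hardcoded credentials","file":"example/config.go","line":"12"},
    {"severity":"MEDIUM","confidence":"HIGH","rule_id":"G104","details":"Errors unhandled.","file":"example/main.go","line":"40"},
    {"severity":"MEDIUM","confidence":"LOW","rule_id":"G104","details":"Errors unhandled.","file":"example/main.go","line":"55"}
  ]
}`

// ParseReport decodes a gosec JSON report produced by a single analysis run.
func ParseReport(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("parse gosec json: %w", err)
	}
	return &r, nil
}

// ToText renders the report in a gosec-like text layout (approximation, not gosec's own writer).
func ToText(r *Report) string {
	var b strings.Builder
	for _, is := range r.Issues {
		fmt.Fprintf(&b, "[%s:%s] - %s: %s (Confidence: %s, Severity: %s)\n",
			is.File, is.Line, is.RuleID, is.Details, is.Confidence, is.Severity)
	}
	fmt.Fprintf(&b, "\nSummary: %d issues\n", len(r.Issues))
	return b.String()
}

// ToCSV renders one header row plus one row per issue; a second "format" from the same JSON.
func ToCSV(r *Report) string {
	var b strings.Builder
	w := csv.NewWriter(&b)
	_ = w.Write([]string{"file", "line", "rule_id", "severity", "confidence", "details"})
	for _, is := range r.Issues {
		_ = w.Write([]string{is.File, is.Line, is.RuleID, is.Severity, is.Confidence, is.Details})
	}
	w.Flush()
	return b.String()
}

// CountBySeverity returns how many issues carry each severity label, for a quick gate.
func CountBySeverity(r *Report) map[string]int {
	counts := map[string]int{}
	for _, is := range r.Issues {
		counts[is.Severity]++
	}
	return counts
}

func main() {
	data := []byte(SampleJSON)
	if len(os.Args) > 1 { // optional: path to a real report written with -fmt=json -out=...
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	r, err := ParseReport(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Print(ToText(r))
	fmt.Print(ToCSV(r))
	counts := CountBySeverity(r)
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%d\n", k, counts[k])
	}
}
```

With this approach gosec is invoked once with -fmt=json -out=report.json, and every additional format is derived from that file, so the [gosec] log lines shown above appear only once.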

I'll try my best to achieve it!

ShreyasSubhedar avatar May 13 '21 05:05 ShreyasSubhedar

What do you think about using cobra to handle commands and flags?

mmorel-35 avatar Jun 13 '21 12:06 mmorel-35

Yeah, it's awesome!

ShreyasSubhedar avatar Jun 16 '21 18:06 ShreyasSubhedar

It would make sense to convert to cobra, but I would create another issue for this work.

ccojocar avatar Jul 19 '21 09:07 ccojocar

@ccojocar I could attempt to fix this if this is still an issue?

ArnPellesGit avatar May 13 '22 12:05 ArnPellesGit

Closing this since it can be handled with a script, and it is not clear what the value of supporting this feature in gosec would be. Thanks

ccojocar avatar Oct 18 '23 13:10 ccojocar