Add Boost Sarif Metadata (#367)

SUSTAPLE117 · web-flow · commit 547803b86f98 · 2025-10-28T16:40:32.000-04:00
* add bost confidence

* add boost taxonomy
diff --git a/formatters/sarif/sarif.go b/formatters/sarif/sarif.go
@@ -39,14 +39,43 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 		return parts[0]
 	}
 
+	levelToConfidence := func(level string) string {
+		switch level {
+		case "error":
+			return "high"
+		case "warning":
+			return "medium"
+		case "note":
+			return "low"
+		case "none":
+			return "not_set"
+		default:
+			return "not_set"
+		}
+	}
+
 	docs := docs.GetPagesContent()
 
 	for _, pkg := range packages {
 		run := sarif.NewRunWithInformationURI("poutine", "https://github.com/boostsecurityio/poutine")
 		run.Tool.Driver.WithSemanticVersion(f.version)
+		run.Tool.Driver.WithOrganization("boostsecurity")
 		run.Properties = map[string]interface{}{
 			"purl": pkg.Purl,
 		}
+		version := "1.0.0"
+		organization := "boostsecurity"
+
+		taxonomy := &sarif.ToolComponent{
+			Name:         "boost/sast",
+			Version:      &version,
+			Organization: &organization,
+		}
+
+		taxonomyRef := sarif.NewToolComponentReference().WithName("boost/sast")
+		run.Tool.Driver.WithSupportedTaxonomies([]*sarif.ToolComponentReference{taxonomyRef})
+
+		run.WithTaxonomies([]*sarif.ToolComponent{taxonomy})
 
 		sourceGitRepoURI := pkg.GetSourceGitRepoURI()
 
@@ -98,23 +127,33 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 
 			run.AddDistinctArtifact(path)
 
-			run.CreateResultForRule(ruleId).
+			fingerprint := finding.GenerateFindingFingerprint()
+			confidence := levelToConfidence(rule.Level)
+
+			result := run.CreateResultForRule(ruleId).
 				WithLevel(rule.Level).
 				WithMessage(sarif.NewTextMessage(ruleDescription)).
 				WithPartialFingerPrints(map[string]interface{}{
-					"primaryLocationLineHash": finding.GenerateFindingFingerprint(),
-				}).
-				AddLocation(
-					sarif.NewLocationWithPhysicalLocation(
-						sarif.NewPhysicalLocation().
-							WithArtifactLocation(
-								sarif.NewSimpleArtifactLocation(path),
-							).
-							WithRegion(
-								sarif.NewSimpleRegion(line, line),
-							),
-					),
-				)
+					"primaryLocationLineHash": fingerprint,
+				})
+
+			result.AddLocation(
+				sarif.NewLocationWithPhysicalLocation(
+					sarif.NewPhysicalLocation().
+						WithArtifactLocation(
+							sarif.NewSimpleArtifactLocation(path),
+						).
+						WithRegion(
+							sarif.NewSimpleRegion(line, line),
+						),
+				),
+			)
+
+			result.AttachPropertyBag(&sarif.PropertyBag{
+				Properties: map[string]interface{}{
+					"boost/confidence": confidence,
+				},
+			})
 		}
 		sarifReport.AddRun(run)
 	}
