only include a valid git url in sarif output (#365)

SUSTAPLE117 · web-flow · commit 8f3b2fdb7300 · 2025-10-27T14:01:05.000-04:00
diff --git a/formatters/sarif/sarif.go b/formatters/sarif/sarif.go
@@ -5,6 +5,8 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/url"
+	"regexp"
 	"strings"
 
 	"github.com/boostsecurityio/poutine/results"
@@ -46,11 +48,18 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 			"purl": pkg.Purl,
 		}
 
+		sourceGitRepoURI := pkg.GetSourceGitRepoURI()
+
+		versionControlProvenance := sarif.NewVersionControlDetails().
+			WithRevisionID(pkg.SourceGitCommitSha).
+			WithBranch(pkg.SourceGitRef)
+
+		if IsValidGitURL(sourceGitRepoURI) {
+			versionControlProvenance = versionControlProvenance.
+				WithRepositoryURI(sourceGitRepoURI)
+		}
 		run.AddVersionControlProvenance(
-			sarif.NewVersionControlDetails().
-				WithRepositoryURI(pkg.GetSourceGitRepoURI()).
-				WithRevisionID(pkg.SourceGitCommitSha).
-				WithBranch(pkg.SourceGitRef),
+			versionControlProvenance,
 		)
 
 		findingsByPurl := make(map[string][]results.Finding)
@@ -120,3 +129,25 @@ func (f *Format) Format(ctx context.Context, packages []*models.PackageInsights)
 func (f *Format) FormatWithPath(ctx context.Context, packages []*models.PackageInsights, pathAssociations map[string][]*models.RepoInfo) error {
 	return errors.New("not implemented")
 }
+
+// IsValidGitURL validates if a string is a valid Git URL (HTTP(S) or SSH format)
+func IsValidGitURL(gitURL string) bool {
+	if strings.HasPrefix(gitURL, "http://") || strings.HasPrefix(gitURL, "https://") {
+		parsedURL, err := url.Parse(gitURL)
+		if err != nil {
+			return false
+		}
+		return parsedURL.Host != "" && parsedURL.Path != ""
+	}
+
+	if strings.HasPrefix(gitURL, "ssh://") {
+		parsedURL, err := url.Parse(gitURL)
+		if err != nil {
+			return false
+		}
+		return parsedURL.Host != "" && parsedURL.Path != ""
+	}
+
+	sshPattern := regexp.MustCompile(`^[a-zA-Z0-9_-]+@[a-zA-Z0-9._-]+:[a-zA-Z0-9/._-]+$`)
+	return sshPattern.MatchString(gitURL)
+}
diff --git a/formatters/sarif/sarif_test.go b/formatters/sarif/sarif_test.go
@@ -0,0 +1,47 @@
+package sarif
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsValidGitURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		gitURL  string
+		isValid bool
+	}{
+		{
+			name:    "Valid HTTPS Git URL",
+			gitURL:  "https://github.com/user/repo.git",
+			isValid: true,
+		},
+		{
+			name:    "Valid SSH Git URL",
+			gitURL:  "ssh://git@bitbucket.org/user/repo.git",
+			isValid: true,
+		},
+		{
+			name:    "Valid Git URL without .git",
+			gitURL:  "https://gitlab.com/user/repo",
+			isValid: true,
+		},
+		{
+			name:    "Invalid Git URL - missing scheme",
+			gitURL:  "github.com/user/repo.git",
+			isValid: false,
+		},
+		{
+			name:    "Invalid Git URL - empty",
+			gitURL:  "",
+			isValid: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			isValid := IsValidGitURL(tt.gitURL)
+			require.Equal(t, tt.isValid, isValid)
+		})
+	}
+}
