battlecard-printer reporter

Author: northdpole

components/reporters/battlecard-printer/README.md

@@ -0,0 +1,80 @@
+# Battlecard Printer Reporter
+
+## Overview
+
+The **battlecard-printer** is a Smithy reporter component that logs a summary of vulnerability findings in a concise "battlecard" format. It is designed to help teams quickly understand the results of security scans, highlighting key metrics such as total findings, enrichments, and findings by tool.
+
+## Features
+
+* Summarizes vulnerability findings from Smithy workflows
+* Aggregates enrichments and findings by tool
+* Outputs a human-readable battlecard report
+* Integrates easily into Smithy workflows
+
+## Usage
+
+### Workflow Integration
+
+To use the battlecard-printer in a Smithy workflow, add it as a reporter component in your workflow YAML:
+
+```yaml
+components:
+  - component: file://components/targets/git-clone/component.yaml
+  - component: file://components/scanners/mobsfscan/component.yaml
+  - component: file://components/enrichers/custom-annotation/component.yaml
+  - component: file://components/reporters/battlecard-printer/component.yaml
+```
+
+### Component Configuration
+
+The component is defined as follows:
+
+```yaml
+name: battlecard-printer
+description: "Logs a summary of vulnerability findings in a battlecard format."
+type: reporter
+steps:
+  - name: battlecard-printer
+    image: components/reporters/battlecard-printer
+    executable: /bin/app
+```
+
+## Output Format
+
+The battlecard-printer generates output similar to:
+
+```
+Battlecard Report
+=================
+Total Findings: 3
+Enrichments:
+  - bar: 1
+  - foo: 1
+Findings By Tool:
+  - gosec: 2
+  - trufflehog: 1
+```
+
+## How It Works
+
+The reporter:
+
+* Collects all findings from the workflow
+* Aggregates enrichments (e.g., custom annotations)
+* Counts findings per tool (e.g., gosec, trufflehog)
+* Logs the summary using the Smithy logger
+
+## Testing
+
+Unit tests for the battlecard report generation can be found in:
+
+* `internal/reporter/reporter_test.go`
+
+These tests cover:
+
+* Correct aggregation of findings and enrichments
+* Output formatting
+
+## Contributing
+
+Contributions and improvements are welcome! Please submit issues or pull requests via GitHub.

components/reporters/battlecard-printer/cmd/main.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-errors/errors"
+
+	"github.com/smithy-security/smithy/sdk/component"
+
+	"github.com/smithy-security/smithy/components/reporters/battlecard-printer/internal/reporter"
+)
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
+
+	if err := Main(ctx); err != nil {
+		log.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func Main(ctx context.Context, opts ...component.RunnerOption) error {
+	opts = append(opts, component.RunnerWithComponentName("battlecard-printer"))
+
+	if err := component.RunReporter(
+		ctx,
+		reporter.NewBattlecardPrinter(),
+		opts...,
+	); err != nil {
+		return errors.Errorf("could not run reporter: %w", err)
+	}
+
+	return nil
+}

components/reporters/battlecard-printer/component.yaml

@@ -0,0 +1,7 @@
+name: battlecard-printer
+description: "Logs a summary of vulnerability findings in a battlecard format."
+type: reporter
+steps:
+  - name: battlecard-printer
+    image: components/reporters/battlecard-printer
+    executable: /bin/app

components/reporters/battlecard-printer/internal/reporter/reporter.go

@@ -0,0 +1,88 @@
+package reporter
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"maps"
+	"slices"
+
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	componentlogger "github.com/smithy-security/smithy/sdk/logger"
+)
+
+// NewBattlecardPrinter returns a new battlecard logger.
+func NewBattlecardPrinter() battlecardLogger {
+	return battlecardLogger{}
+}
+
+type battlecardLogger struct{}
+
+// Report logs the findings in json format.
+func (j battlecardLogger) Report(
+	ctx context.Context,
+	findings []*vf.VulnerabilityFinding,
+) error {
+	logger := componentlogger.
+		LoggerFromContext(ctx).
+		With(slog.Int("num_findings", len(findings)))
+	enrichments := map[string]int{}
+	for _, finding := range findings {
+		for _, enrichment := range finding.Finding.Enrichments {
+			enrichments[enrichment.Name] += 1
+		}
+	}
+	logger.Debug("logging battlecard findings",
+		slog.Int("num_enrichments", len(enrichments)),
+		slog.Any("enrichments", enrichments),
+	)
+
+	logger.Info("scan finished with", slog.Int("num_findings", len(findings)))
+	for enrichmentName, count := range enrichments {
+		logger.Info("enrichment",
+			slog.String("name", enrichmentName),
+			slog.Int("count", count),
+		)
+	}
+	return nil
+}
+
+func generateBattlecard(ctx context.Context, findings []*vf.VulnerabilityFinding) string {
+	logger := componentlogger.
+		LoggerFromContext(ctx).
+		With(slog.Int("num_findings", len(findings)))
+
+	enrichments := map[string]int{}
+	tools := map[string]int{}
+	for _, finding := range findings {
+		if finding.Finding.FindingInfo.ProductUid == nil {
+			logger.Warn("finding missing product UID",
+				slog.String("uid", finding.Finding.FindingInfo.Uid),
+			)
+		} else {
+			tools[*finding.Finding.FindingInfo.ProductUid] += 1
+		}
+		for _, enrichment := range finding.Finding.Enrichments {
+			enrichments[enrichment.Name] += 1
+		}
+	}
+
+	result := "Battlecard Report\n"
+	result += "=================\n"
+	result += "Total Findings: " + fmt.Sprintf("%d\n", len(findings))
+	result += "Enrichments:\n"
+	enrichmentKeys := maps.Keys(enrichments)
+	alphabeticalEnrichments := slices.Sorted(enrichmentKeys)
+	for _, name := range alphabeticalEnrichments {
+		result += fmt.Sprintf("  - %s: %d\n", name, enrichments[name])
+	}
+
+	result += "Findings By Tool:\n"
+	toolKeys := maps.Keys(tools)
+	alphabeticalTools := slices.Sorted(toolKeys)
+	for _, toolName := range alphabeticalTools {
+		result += fmt.Sprintf("  - %s: %d\n", toolName, tools[toolName])
+	}
+
+	return result
+}