feat(report): add new jsonv2 format for security

.tool-versions

@@ -0,0 +1 @@
+golang 1.21.1

e2e/flags/.snapshots/TestReportFlagsShouldFail-invalid-format-flag-security

@@ -1,6 +1,6 @@
 
 --
-Error: flag error: report flags error: invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html
+Error: flag error: report flags error: invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html, jsonv2
 Usage:
   bearer scan [flags] <path>
 Aliases:
@@ -46,5 +46,5 @@ General Flags
       --no-color                Disable color in output
 
 
-flag error: report flags error: invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html
+flag error: report flags error: invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html, jsonv2
 

internal/flag/report_flags.go

@@ -14,6 +14,7 @@ var (
 	FormatGitLabSast = "gitlab-sast"
 	FormatSarif      = "sarif"
 	FormatJSON       = "json"
+	FormatJSONV2     = "jsonv2"
 	FormatYAML       = "yaml"
 	FormatHTML       = "html"
 	FormatCSV        = "csv"
@@ -28,7 +29,7 @@ var (
 )
 
 var (
-	ErrInvalidFormatSecurity = errors.New("invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html")
+	ErrInvalidFormatSecurity = errors.New("invalid format argument for security report; supported values: json, yaml, sarif, gitlab-sast, rdjson, html, jsonv2")
 	ErrInvalidFormatPrivacy  = errors.New("invalid format argument for privacy report; supported values: csv, json, yaml, html")
 	ErrInvalidFormatDefault  = errors.New("invalid format argument; supported values: json, yaml")
 	ErrInvalidReport         = errors.New("invalid report argument; supported values: security, privacy")
@@ -153,7 +154,7 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		if report != ReportPrivacy {
 			return ReportOptions{}, invalidFormat
 		}
-	case FormatSarif, FormatGitLabSast, FormatReviewDog:
+	case FormatSarif, FormatGitLabSast, FormatReviewDog, FormatJSONV2:
 		if report != ReportSecurity {
 			return ReportOptions{}, invalidFormat
 		}

internal/report/output/security/formatter.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/hhatto/gocloc"
 
+	"github.com/bearer/bearer/cmd/bearer/build"
 	"github.com/bearer/bearer/internal/commands/process/settings"
 	"github.com/bearer/bearer/internal/flag"
 	"github.com/bearer/bearer/internal/report/output/gitlab"
@@ -24,6 +25,12 @@ type Formatter struct {
 	EndTime      time.Time
 }
 
+type RawFindingsOutput struct {
+	Source   string      `json:"source" yaml:"source"`
+	Version  string      `json:"version" yaml:"version"`
+	Findings RawFindings `json:"findings" yaml:"findings"`
+}
+
 func NewFormatter(reportData *outputtypes.ReportData, config settings.Config, goclocResult *gocloc.Result, startTime time.Time, endTime time.Time) *Formatter {
 	return &Formatter{
 		ReportData:   reportData,
@@ -58,6 +65,12 @@ func (f Formatter) Format(format string) (output string, err error) {
 		return outputhandler.ReportJSON(sastContent)
 	case flag.FormatJSON:
 		return outputhandler.ReportJSON(f.ReportData.FindingsBySeverity)
+	case flag.FormatJSONV2:
+		return outputhandler.ReportJSON(RawFindingsOutput{
+			Source:   "Bearer",
+			Version:  build.Version,
+			Findings: f.ReportData.RawFindings,
+		})
 	case flag.FormatYAML:
 		return outputhandler.ReportYAML(f.ReportData.FindingsBySeverity)
 	case flag.FormatHTML:

internal/report/output/security/security.go

@@ -42,6 +42,7 @@ var severityColorFns = map[string]func(x ...interface{}) string{
 	globaltypes.LevelWarning:  color.New(color.FgCyan).SprintFunc(),
 }
 
+type RawFindings = []types.RawFinding
 type Findings = map[string][]types.Finding
 type IgnoredFindings = map[string][]types.IgnoredFinding
 
@@ -99,6 +100,12 @@ func AddReportData(
 		return err
 	}
 
+	for severity, findingsSlice := range summaryFindings {
+		for _, finding := range findingsSlice {
+			reportData.RawFindings = append(reportData.RawFindings, finding.ToRawFinding(severity))
+		}
+	}
+
 	if !config.Scan.Quiet {
 		fingerprintOutput(
 			append(fingerprints, builtInFingerprints...),

internal/report/output/security/types/types.go

@@ -1,6 +1,7 @@
 package types
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -10,6 +11,11 @@ import (
 	ignoretypes "github.com/bearer/bearer/internal/util/ignore/types"
 )
 
+type RawFinding struct {
+	*Finding
+	Severity string `json:"severity" yaml:"severity"`
+}
+
 type Finding struct {
 	*Rule
 	LineNumber       int          `json:"line_number,omitempty" yaml:"line_number,omitempty"`
@@ -36,9 +42,18 @@ type IgnoredFinding struct {
 
 type GenericFinding interface {
 	GetFinding() Finding
+	ToRawFinding(severity string) RawFinding
 	GetIgnoreMeta() *ignoretypes.IgnoredFingerprint
 }
 
+func (f Finding) ToRawFinding(severity string) RawFinding {
+	rawFindingJson, _ := json.Marshal(f)
+	var rawFinding RawFinding
+	json.Unmarshal(rawFindingJson, &rawFinding)
+	rawFinding.Severity = f.SeverityMeta.DisplaySeverity
+	return rawFinding
+}
+
 func (f Finding) GetFinding() Finding {
 	return f
 }

internal/report/output/types/types.go

@@ -14,6 +14,7 @@ type ReportData struct {
 	FoundLanguages            map[string]int32 // language => loc e.g. { "Ruby": 6742, "JavaScript": 122 }
 	Detectors                 []any
 	Dataflow                  *DataFlow
+	RawFindings               []securitytypes.RawFinding `json:"findings"`
 	FindingsBySeverity        map[string][]securitytypes.Finding
 	IgnoredFindingsBySeverity map[string][]securitytypes.IgnoredFinding
 	PrivacyReport             *privacytypes.Report