Santandersecurityresearch / cryptobom-forge

Tools and utilities needed to parse GitHub Multi-Repository Variant Analysis output
GNU General Public License v3.0

cbom reporting contextRegion line numbers, instead of specific line number (from region) #6

Open mtcolman opened 11 months ago

mtcolman commented 11 months ago

In the cbom.json, instead of reporting the specific line of the finding, I get multiple lines:

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1,
            2,
            3
        ]
    },

My output.sarif file gives two sections of detail on the finding: region and contextRegion. region gives the precise line(s) and this would be more useful in the cbom (in my opinion).

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1
        ]
    },

Have created #5 with code update for this.

emilejq commented 11 months ago

This really is by design. Using a single line number would lose information that provides important additional context about the crypto asset, such as modes and padding schemes for algorithms, key sizes, cryptographic operations and just generally the wider context in which the asset is used.

It's quite easy for someone to find an exact line in the wider code snippet using the additional information that is provided. In the case of algorithms for instance, the specific algorithm is still given in the variant field, so it's quite easy for someone to pinpoint the precise location whilst still benefitting from having the additional context of the code either side of it.
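As an added example, not cryptobom-forge's own code, here is a small Python parser that builds a detectionContext entry from a SARIF result either from contextRegion (the wider snippet, the current behaviour the maintainer describes) or from region (the precise line proposed in #5). The SARIF document, the rule id and the exact field mapping are constructed assumptions, not the tool's real implementation.

```python
import json

# Constructed sample SARIF document (not real scanner output). It mirrors the
# case in this issue: a one-line "region" on the md5 import and a three-line
# "contextRegion" that also shows where the digest is used.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [{
            "ruleId": "py/weak-hash-md5",  # hypothetical rule id
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": "sqli/dao/dummy.py"},
                    "region": {
                        "startLine": 1,
                        "snippet": {"text": "from hashlib import md5"},
                    },
                    "contextRegion": {
                        "startLine": 1, "endLine": 3,
                        "snippet": {"text": "from hashlib import md5\n\n"
                                            "digest = md5(data).hexdigest()\n"},
                    },
                }
            }]
        }]
    }]
})


def _line_numbers(region):
    """Expand a SARIF region into a list of line numbers.
    Per the SARIF spec, endLine defaults to startLine when absent."""
    start = region["startLine"]
    return list(range(start, region.get("endLine", start) + 1))


def detection_context(sarif_text, use_context_region=True):
    """Build CBOM-style detectionContext entries from a SARIF document.
    use_context_region=True  -> lineNumbers cover the wider contextRegion.
    use_context_region=False -> lineNumbers cover only the precise region.
    additionalContext is always the precise region's snippet, matching the
    unchanged "from hashlib import md5" shown in both outputs above."""
    entries = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                region = phys.get("region", {})
                # contextRegion is optional in SARIF; fall back to region if missing
                chosen = phys.get("contextRegion", region) if use_context_region else region
                entries.append({
                    "additionalContext": region.get("snippet", {}).get("text", "").rstrip("\n"),
                    "filePath": phys.get("artifactLocation", {}).get("uri"),
                    "lineNumbers": _line_numbers(chosen),
                })
    return entries
```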