ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

Add tool/scan meta data to .json results file #321

Open davewichers opened 3 years ago

davewichers commented 3 years ago

Lots of tools generate .json results files. Can you add some metadata to your .json results files that includes data like:

Any other overall metadata you think might be useful.

prabhu commented 3 years ago

@davewichers This repo is for the open-source tool called slscan which outputs SARIF files with some metadata as described here - https://slscan.io/en/latest/integrations/sarif/#run

Could you kindly check and let me know if you're looking for any additional metadata?

darkspirit510 commented 3 years ago

@davewichers is talking about a reader I wrote for https://github.com/OWASP/Benchmark. Running

docker run --rm -e "WORKSPACE=${PWD}" -v ~/.m2:/.m2 -v <source path>:/app shiftleft/scan scan --src /app --type java

returns several result files:

-rw-r--r-- 1 sknoop sknoop  92K Jun  3 19:42 .sastscan.baseline
-rw-r--r-- 1 sknoop sknoop 7.1M Jun  3 19:41 class-report.html
-rw-r--r-- 1 sknoop sknoop 7.2M Jun  3 19:41 class-report.sarif
-rw-r--r-- 1 sknoop sknoop  13M Jun  3 19:41 class-report.xml
-rw-r--r-- 1 sknoop sknoop 8.6M Jun  3 19:42 ngsast-report.findings.json
-rw-r--r-- 1 sknoop sknoop 5.2M Jun  3 19:42 scan-full-report.json
-rw-r--r-- 1 sknoop sknoop    0 Jun  3 19:41 source-java-report.csv
-rw-r--r-- 1 sknoop sknoop  17K Jun  3 19:42 source-java-report.html
-rw-r--r-- 1 sknoop sknoop 2.3K Jun  3 19:42 source-java-report.sarif

For release 2.0.0 the file scan-full-report.json contains:

{
  "tool": {
    "driver": {
      "name": "Java Source Analyzer",
      "version": "1.0.0-scan",
      "fullName": "Java Source Analyzer"
    }
  },
[...]

-> Wrong version?

The result file only contains endTimeUtc, but no start times?
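The two questions above (is the reported tool version right, and are there start times at all?) come down to which SARIF metadata a consumer can actually find in the file. The following is an added example, not code from sast-scan or from the Benchmark reader: a small Python checker that pulls `tool.driver` and `invocations[].startTimeUtc` / `endTimeUtc` (all standard SARIF 2.1.0 properties) out of a report and lists what is missing. The sample document is constructed here to mirror the excerpt in this thread; it is not real scan output, and the handling of a bare run object (a top-level `"tool"` key, as the excerpt appears to show) is an assumption about the file's shape.

```python
import json

# Constructed sample: a SARIF 2.1.0 log shaped like the scan-full-report.json
# excerpt in the thread, with an invocation that carries endTimeUtc only.
# This is NOT real sast-scan output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "Java Source Analyzer",
                            "version": "1.0.0-scan",
                            "fullName": "Java Source Analyzer"}},
        "invocations": [{"executionSuccessful": True,
                         "endTimeUtc": "2021-06-03T19:42:00Z"}],
        "results": []
    }]
})

# Metadata a results consumer (e.g. a benchmark scorer) typically wants.
REQUIRED_DRIVER_KEYS = ("name", "version", "fullName")
REQUIRED_INVOCATION_KEYS = ("startTimeUtc", "endTimeUtc")


def iter_runs(doc):
    """Return the run objects of a SARIF document.

    Accepts a full SARIF log ({"runs": [...]}) or, as an assumption about the
    excerpt's shape, a bare run object with "tool" at the top level."""
    if isinstance(doc, dict) and "runs" in doc:
        return list(doc["runs"])
    if isinstance(doc, dict) and "tool" in doc:
        return [doc]
    raise ValueError("not a SARIF log or run object")


def extract_metadata(text):
    """Parse SARIF text and report, per run, the driver metadata, the
    invocation timestamps, and the names of any missing fields."""
    doc = json.loads(text)
    report = []
    for idx, run in enumerate(iter_runs(doc)):
        driver = run.get("tool", {}).get("driver", {})
        invocations = run.get("invocations", [])
        entry = {
            "run": idx,
            "driver": {k: driver.get(k) for k in REQUIRED_DRIVER_KEYS},
            "invocations": [{k: inv.get(k) for k in REQUIRED_INVOCATION_KEYS}
                            for inv in invocations],
            "missing": [],
        }
        for k in REQUIRED_DRIVER_KEYS:
            if k not in driver:
                entry["missing"].append(f"tool.driver.{k}")
        if not invocations:
            entry["missing"].append("invocations")
        for j, inv in enumerate(invocations):
            for k in REQUIRED_INVOCATION_KEYS:
                if k not in inv:
                    entry["missing"].append(f"invocations[{j}].{k}")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in extract_metadata(SAMPLE_SARIF):
        print(f"run {entry['run']}: {entry['driver']}")
        print(f"  invocations: {entry['invocations']}")
        print(f"  missing: {entry['missing'] or 'nothing'}")
```

Run against the constructed sample, the checker reports `invocations[0].startTimeUtc` as the only missing field, which is the concrete form of the "no start times" observation; pointing it at a real `scan-full-report.json` or `*.sarif` file shows which of these properties that report actually carries.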

prabhu commented 3 years ago

@darkspirit510 Now I understand. Since this open-source version wraps findsecbugs, the result would be identical to invoking findsecbugs directly. Regarding start times, I will take it as an enhancement request, but it is going to take some time.