Hi,

The way information on the project being scanned is presented in the SARIF output is inconsistent with the format used in the MRVA repo. This is causing an issue when generating a CBOM from the output as the parser expects to be able to extract an identifier for the project.

This Repo

The project name is extractable only from the automationDetails key:
https://github.com/pre-quantum-research/pqc-data/blob/main/data/curzona/pytest-xdist/15db3ad1580211f1ecda2f129d101967dac02d67/python.sarif

MRVA Repo

The project name is extractable only from the versionControlProvenance key:
https://github.com/pre-quantum-research/MRVA/blob/main/results/python/py_quantum_readiness_cbom_all_asymmetric_encryption_algorithms_(MaterializeInc_materialize).sarif

Please could we get clarification on how project information will be reported in the SARIF output going forwards, so that the parser can read the output accordingly?

Thanks

MRVA is not capable of running multiple queries at once, so the GitHub Action that has been created does not use the MRVA service. The output will use automationDetails going forwards.
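A parser that tolerates both conventions named in the issue, added here as an example and not code from the pqc-data or MRVA projects: it reads runs[].automationDetails.id first (the convention the maintainers say will be used going forwards) and falls back to runs[].versionControlProvenance[].repositoryUri for MRVA-style output. The SARIF documents, repository URIs and automationDetails ids below are constructed placeholders, and deriving an owner/repo name from the repositoryUri path is an assumption about how the project identifier should be normalised, not something the issue specifies.

```python
"""Extract a project identifier from a SARIF 2.1.0 log, accepting both
runs[].automationDetails and runs[].versionControlProvenance.

Added example, not the pqc-data or MRVA project's own code. All sample
documents below are constructed; URIs and ids are placeholders.
"""
import json
from typing import Optional
from urllib.parse import urlparse


def _from_automation_details(run: dict) -> Optional[str]:
    """Return automationDetails.id if present and non-empty.

    SARIF 2.1.0 defines automationDetails as an object with an optional
    `id` string; a missing key is valid, so it must not raise.
    """
    details = run.get("automationDetails")
    if not isinstance(details, dict):
        return None
    ident = details.get("id")
    if isinstance(ident, str) and ident.strip():
        return ident.strip()
    return None


def _from_version_control(run: dict) -> Optional[str]:
    """Derive owner/repo from the first usable versionControlProvenance entry.

    versionControlProvenance is an array of versionControlDetails objects
    whose required member is repositoryUri. Assumption: the last two path
    segments of that URI (minus any .git suffix) identify the project.
    """
    entries = run.get("versionControlProvenance")
    if not isinstance(entries, list):
        return None
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        uri = entry.get("repositoryUri")
        if not isinstance(uri, str):
            continue
        path = urlparse(uri).path.strip("/")
        if path.endswith(".git"):
            path = path[:-4]
        parts = [p for p in path.split("/") if p]
        if len(parts) >= 2:
            return "/".join(parts[-2:])
    return None


def extract_project_identifier(sarif: dict) -> Optional[str]:
    """Return the first project identifier found across all runs.

    automationDetails is preferred (the going-forward convention);
    versionControlProvenance is the fallback so older MRVA-style output
    still parses. Returns None rather than raising when neither key yields
    a value, so a CBOM generator can report the gap explicitly.
    """
    for run in sarif.get("runs", []):
        if not isinstance(run, dict):
            continue
        ident = _from_automation_details(run) or _from_version_control(run)
        if ident:
            return ident
    return None


# Constructed sample 1: identifier only in automationDetails (this repo's style).
SARIF_AUTOMATION_DETAILS = json.loads("""
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {"driver": {"name": "CodeQL"}},
      "automationDetails": {"id": "example-org/example-project"},
      "results": []
    }
  ]
}
""")

# Constructed sample 2: identifier only in versionControlProvenance (MRVA style).
SARIF_VERSION_CONTROL = json.loads("""
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {"driver": {"name": "CodeQL"}},
      "versionControlProvenance": [
        {"repositoryUri": "https://github.com/example-org/example-project.git",
         "revisionId": "0000000000000000000000000000000000000000"}
      ],
      "results": []
    }
  ]
}
""")

# Constructed sample 3: neither key present, so the parser reports None.
SARIF_NO_IDENTIFIER = {"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": "CodeQL"}}}]}


if __name__ == "__main__":
    for label, doc in [("automationDetails", SARIF_AUTOMATION_DETAILS),
                       ("versionControlProvenance", SARIF_VERSION_CONTROL),
                       ("none", SARIF_NO_IDENTIFIER)]:
        print(f"{label}: {extract_project_identifier(doc)!r}")
```

Running the module prints the identifier found for each constructed document; the third case shows the None result a CBOM generator should treat as "project unknown" instead of crashing on a missing key.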