advanced-security / crypto-bill-of-materials-data

Generate a Crypto Bill of Materials using CodeQL

How will project information be reported in the SARIF? #24

Closed emilejq closed 10 months ago

emilejq commented 11 months ago

Hi,

The way information on the project being scanned is presented in the SARIF output is inconsistent with the format used in the MRVA repo. This is causing an issue when generating a CBOM from the output, as the parser expects to be able to extract an identifier for the project.

This repo: the project name is extractable only from the automationDetails key:

"automationDetails" : {
    "id": "PQC:curzona/pytest-xdist/python/"
}

https://github.com/pre-quantum-research/pqc-data/blob/main/data/curzona/pytest-xdist/15db3ad1580211f1ecda2f129d101967dac02d67/python.sarif

MRVA repo: the project name is extractable only from the versionControlProvenance key:

"versionControlProvenance": [
    {
        "repositoryUri": "https://github.com/MaterializeInc/materialize",
        "revisionId": "0f612c8e670f07ccfbfc40f72ca2b3f3a3c0a485"
    }
]

https://github.com/pre-quantum-research/MRVA/blob/main/results/python/py_quantum_readiness_cbom_all_asymmetric_encryption_algorithms_(MaterializeInc_materialize).sarif

Please could we get clarification on how project information will be reported in the SARIF output going forwards, so that the parser can read the output accordingly?

Thanks

ctcampbell commented 11 months ago

MRVA is not capable of running multiple queries at once, so the GitHub Action that has been created does not use the MRVA service. The output will use automationDetails going forwards.
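Added example, not code from this repository or from either commenter: a small Python reader that recovers the project identity from a SARIF run in the way the thread settles on, i.e. it prefers automationDetails.id and only falls back to versionControlProvenance when that key is missing, so a CBOM parser keeps working on both the Action output and the older MRVA files. The two embedded SARIF fragments are constructed from the snippets quoted above; the "PQC:owner/repo/language/" layout of the id and the function names are assumptions for illustration, not a documented schema.

```python
import json
from urllib.parse import urlparse

# Constructed SARIF fragments modelled on the two snippets quoted in the issue.
SARIF_ACTION = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "automationDetails": {"id": "PQC:curzona/pytest-xdist/python/"},
        "results": [],
    }],
})

SARIF_MRVA = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "versionControlProvenance": [{
            "repositoryUri": "https://github.com/MaterializeInc/materialize",
            "revisionId": "0f612c8e670f07ccfbfc40f72ca2b3f3a3c0a485",
        }],
        "results": [],
    }],
})


def _from_automation_details(run):
    """Parse an id shaped like 'PQC:owner/repo/language/' (assumed layout,
    taken from the issue's sample). Returns None if absent or malformed."""
    auto_id = (run.get("automationDetails") or {}).get("id")
    if not isinstance(auto_id, str):
        return None
    _, sep, rest = auto_id.partition(":")
    if not sep:
        return None
    parts = [p for p in rest.split("/") if p]  # drop the trailing empty segment
    if len(parts) < 2:
        return None
    return {
        "project": f"{parts[0]}/{parts[1]}",
        "language": parts[2] if len(parts) > 2 else None,
        "revision": None,
        "source": "automationDetails",
    }


def _from_version_control_provenance(run):
    """Derive owner/repo from the first repositoryUri and keep its revisionId."""
    vcp = run.get("versionControlProvenance") or []
    if not vcp:
        return None
    entry = vcp[0]
    uri = entry.get("repositoryUri")
    if not isinstance(uri, str):
        return None
    path = urlparse(uri).path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if len(parts) < 2:
        return None
    return {
        "project": f"{parts[0]}/{parts[1]}",
        "language": None,
        "revision": entry.get("revisionId"),
        "source": "versionControlProvenance",
    }


def extract_project(sarif_text):
    """Identify the project of the first run. automationDetails wins; the
    provenance block is used as a fallback and, when both exist, as a
    cross-check and as the source of the commit revision."""
    doc = json.loads(sarif_text)
    runs = doc.get("runs") or []
    if not runs:
        raise ValueError("SARIF document has no runs")
    run = runs[0]
    primary = _from_automation_details(run)
    fallback = _from_version_control_provenance(run)
    if primary is None and fallback is None:
        raise ValueError("run has neither a parseable automationDetails.id "
                         "nor a versionControlProvenance entry")
    if primary is None:
        return fallback
    if fallback is not None:
        if fallback["project"] != primary["project"]:
            raise ValueError("automationDetails and versionControlProvenance disagree")
        primary["revision"] = fallback["revision"]
    return primary


if __name__ == "__main__":
    for text in (SARIF_ACTION, SARIF_MRVA):
        print(extract_project(text))
```

The disagreement check matters once both keys appear in one file: silently trusting whichever is read first would let a mislabelled run be attributed to the wrong repository in the CBOM.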