DefectDojo - codeQL setup reflect?

[MarkusTiede]

SARIF compatible - interesting for @FT?

In February a new student joins us to continue with DefectDojo. He will contact us for any further cooperation.

[MarkusTiede]

Related issues

• https://github.com/baloise/open-source/issues/245
• https://github.com/baloise/open-source/issues/288

[MarkusTiede]

last information

Comparison of codeQL & SonarQube findings: no significant advantages of findings e.g. within code smells, security & co

SARIF is not (yet) supported as interchange format in sonarqube; we wrote a lightweight mapping

current idea / potential

• write (our own) codeQL queries (@arburk)
• aggregated view of findings e.g. within defectDojo (@marcellobellini and FT)
  • semgrep - https://semgrep.dev
  • codeQL
• sequence / ordering / clustering of items currently unknown
  • configurable "flight-altitude"
  • e.g. C-level
  • Security community
  • developer (e.g. also showing up technical debt)

Next exchange: Show & Tell of defectDojo instance tool?

[MarkusTiede]

Basic demonstration of neutral project "Juice Shop" : https://owasp.org/www-project-juice-shop/

[MarkusTiede]

Test instance is ready - contact @MrCode97 for additional information.