Integrate CWE/NIST SARIF taxonomy data with Flawfinder (preparatory to Heimdall/HDF conversion)

[michaelcfanning]

This is a tracking item to describe next possible steps with Flawfinder SARIF + HDF support.

Observations:

• The HDF format currently requires encoding tool -> CWE/other NIST standard mappings in a non-standard format which is currently persisted to the HDF tooling repo.
• If we solve this problem using SARIF taxonomies, it appears we could create a straightforward SARIF -> HDF converter that would unlock the SARIF eco-system for Heimdall.
• This interoperability isn't free, however: tools that opt into HDF support will need to explicit map their rule ids to the NIST standards. Several existing tools (Flawfinder being one) already have mapping data in some form.

As preparatory work, we are building a CWE Sarif taxonomy, which s/be published to a well-known web location. We will also need to create a taxonomy for the NIST standard (and create relationships from CWE to NIST IDs, as shown in the heimdall_tools repo).

It'd be interesting to discuss how these definitive taxonomy files are published on the web.

Once this core work is complete, we should update Flawfinder to emit its rule id -> CWE/NIST mappings in the log file. The Flawfinder log will also contain a link to the external CWE/NIST web-hosted taxonomies.

With a finished log such as this, a new SARIF -> HDF converter will be able to produce HDF that can flow into the various Heimdall tools. That will be very nice! All of this work will demonstrate a good path for other tools to follow.

Thoughts? :)

@eddynaka @yongyan-dh @david-a-wheeler

[david-a-wheeler]

All of that seems reasonable. I think additional mappings should probably be new database entries or straightforward mappings from an existing entry. If you want to pull out CWE entries to separate dtabase entries that'd be fine too.

[eddynaka]

Hi,

just a quick update on this:

• the SARIF -> HDF was merged: https://github.com/mitre/heimdall_tools/pull/93
• we started the taxonomies in the sarif-standard repository: https://github.com/sarif-standard/taxonomies