Open Jeeppler opened 2 years ago
Dup of #66, or at least related?
@cooljeanius no, this issue has nothing to do with issue #66; they are not related in any way. This issue is about the artifact location of findings. As opposed to issue #66, which is about links to additional help resources in rules.
oh sorry, I guess I just got confused by the "uri" stuff...
Issue
Flawfinder generates artifact locations starting with a `/` slash or `./`. At the same time, and for portability reasons, Flawfinder uses the `uriBaseId` property in SARIF. However, the idea of the `uriBaseId` is that it is a placeholder to allow the artifactLocation to be relative. The placeholder of the `SRCROOT` can be replaced easily to make absolute paths.

Example
Test project: https://github.com/pwk4m1/Damn_Vulnerable_Device_Driver
Calling Flawfinder like this:
Will result in:
Instead of
`"uri": "./Damn_Vulnerable_Device_Driver/DVDD.c"`, it should be `"uri": "Damn_Vulnerable_Device_Driver/DVDD.c"`.

Solution
Improve the SARIF output by removing the slash `/` in front of the result.
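As an added illustration of the problem (this is not Flawfinder's code), the post-processor below normalizes `artifactLocation.uri` values that carry a `uriBaseId` and then expands the placeholder with an RFC 3986 join, showing why a leading `/` defeats the `SRCROOT` base. The SARIF fragment and the `file:///home/user/src/` base are constructed for the example.

```python
import copy
from urllib.parse import urljoin

# Constructed SARIF fragment (not Flawfinder's real output): one result whose
# artifactLocation.uri carries the "./" prefix described in the issue.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "flawfinder"}},
        "originalUriBaseIds": {"SRCROOT": {"uri": "file:///home/user/src/"}},
        "results": [{
            "ruleId": "FF1001",
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "./Damn_Vulnerable_Device_Driver/DVDD.c",
                "uriBaseId": "SRCROOT",
            }}}],
        }],
    }],
}

def normalize_uri(uri: str) -> str:
    """Drop leading './' and '/' so the uri is purely relative to its uriBaseId."""
    while uri.startswith("./"):
        uri = uri[2:]
    return uri.lstrip("/")

def normalize_sarif(doc: dict) -> dict:
    """Return a copy in which every artifactLocation with a uriBaseId has a relative uri."""
    doc = copy.deepcopy(doc)
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation", {})
                if "uriBaseId" in art and "uri" in art:
                    art["uri"] = normalize_uri(art["uri"])
    return doc

def resolve_uri(run: dict, art: dict) -> str:
    """Expand the uriBaseId placeholder with the run's originalUriBaseIds (RFC 3986 join);
    a uri starting with '/' is absolute and discards the base, the portability problem here."""
    base = run["originalUriBaseIds"][art["uriBaseId"]]["uri"]
    return urljoin(base, art["uri"])

if __name__ == "__main__":
    fixed = normalize_sarif(SAMPLE_SARIF)
    run = fixed["runs"][0]
    for result in run["results"]:
        art = result["locations"][0]["physicalLocation"]["artifactLocation"]
        print(art["uri"], "->", resolve_uri(run, art))
```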