denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Issue with FindBugs Import #1754

Closed matthiasrohr closed 8 years ago

matthiasrohr commented 8 years ago

Tried to import a result from the FindBugs Sec Plugin consisting of one XSS (file attached). The import does not raise any errors, but 0 vulnerabilities are found by ThreadFix. findbugsXml.xml.txt

matthiasrohr commented 8 years ago

Sorry, my fault, just learned that I have to map all vulnerabilities manually to a specific CWE. Perhaps something that could be automated with a mapping table?

dancornell commented 8 years ago

We have mappings for some of the FindBugs results. The challenge is that FindBugs is primarily a quality tool and only has a small subset of rules that highlight security issues. So - when importing FindBugs results there are a large percentage of results that don't have sensible - or at least reasonably specific - CWE mappings. PMD is in a similar situation.
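A mapping table of the kind suggested above, written as an added example rather than ThreadFix's own importer code: it parses a constructed FindBugs-style XML document, assigns a CWE only to bug types present in an assumed table of Find Security Bugs rule ids, and separates the rest for manual review.

```python
import xml.etree.ElementTree as ET

# Assumed, illustrative mapping from Find Security Bugs bug-type ids to CWE ids.
# Only security rules get an entry; quality rules (e.g. NP_NULL_ON_SOME_PATH) stay unmapped.
BUG_TYPE_TO_CWE = {
    "XSS_SERVLET": 79,
    "SQL_INJECTION_JDBC": 89,
    "PATH_TRAVERSAL_IN": 22,
}

# Constructed sample in the FindBugs XML shape: one XSS finding and one quality finding.
SAMPLE_XML = """<BugCollection version="3.0.1">
  <BugInstance type="XSS_SERVLET" priority="1" category="SECURITY">
    <Class classname="com.example.HelloServlet"/>
    <SourceLine classname="com.example.HelloServlet" start="42" end="42" sourcefile="HelloServlet.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" category="CORRECTNESS">
    <Class classname="com.example.Util"/>
    <SourceLine classname="com.example.Util" start="10" end="10" sourcefile="Util.java"/>
  </BugInstance>
</BugCollection>
"""


def parse_findbugs(xml_text, mapping=BUG_TYPE_TO_CWE):
    """Return one dict per BugInstance; cwe is None when the bug type has no mapping."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        bug_type = bug.get("type")
        line = bug.find("SourceLine")
        findings.append({
            "type": bug_type,
            "category": bug.get("category"),
            "file": line.get("sourcefile") if line is not None else None,
            "line": int(line.get("start")) if line is not None and line.get("start") else None,
            "cwe": mapping.get(bug_type),
        })
    return findings


def split_by_mapping(findings):
    """Separate findings importable as vulnerabilities from ones needing a manual CWE."""
    mapped = [f for f in findings if f["cwe"] is not None]
    unmapped = [f for f in findings if f["cwe"] is None]
    return mapped, unmapped


if __name__ == "__main__":
    mapped, unmapped = split_by_mapping(parse_findbugs(SAMPLE_XML))
    print(f"{len(mapped)} mapped, {len(unmapped)} need manual CWE assignment")
```

Unmapped entries are the ones that would otherwise silently import as 0 vulnerabilities, so an importer should report them rather than drop them.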