devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
https://devops-kung-fu.github.io/bomber/
Mozilla Public License 2.0

Support SARIF output #34

Open artis3n opened 2 years ago

artis3n commented 2 years ago

Support an output format for SARIF to leverage the Security tab on repos and let GitHub ingest the data. https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning

That link contains file format examples for SARIF-flavored json. There's a schema validator https://sarifweb.azurewebsites.net/ as well.

djschleen commented 2 years ago

Would also be interesting to see how SARIF could be brought into AWS Security Hub.

artis3n commented 2 years ago

Not sure what you can ingest into Security Hub, but Amazon recently announced their spearheading of OCSF, which cynically looks like a thing to compete with GitHub and SARIF.

https://github.com/ocsf
https://aws.amazon.com/blogs/security/aws-co-announces-release-of-the-open-cybersecurity-schema-framework-ocsf-project/

garethr commented 2 years ago

SARIF is a hack in this context. SARIF is meant to be for SAST output. It's line orientated. It was used by CodeQL (a SAST tool) and acted as the bridge to get information into the GitHub Security tab. Then all security tools started generating syntactically valid but partially semantically meaningless SARIF to integrate with GitHub. It's worth doing simply for the GitHub integration though, but things like line numbers are required and end up stuffed with arbitrary info.

OCSF is pretty different, it's generally about activity rather than state, and not about SAST. The scope of the two specifications is very different. It does have a very simple vulnerability object: https://schema.ocsf.io/objects/vulnerability that can be encapsulated in a finding https://schema.ocsf.io/classes/security_finding. So it would be possible to describe the output with a bit of tinkering in OCSF I think.

The CycloneDX vulnerability schema is a much closer match to the Bomber domain as well https://cyclonedx.org/use-cases/#vulnerability-exploitability

Note I think part of the value in Bomber is being liberal about inputs and outputs. So ultimately supporting all of the above is likely useful. Bomber I feel is best placed as a Swiss Army knife.
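The mismatch described above (SARIF wants a file and a line for every result, an SBOM component has neither) is easiest to see in a concrete renderer. The following is an added example, not bomber's code or the project's actual renderer: the `Finding` struct and its field names are hypothetical stand-ins for a scanner's per-vulnerability result, and the sample findings and identifiers in `main` are constructed placeholders. It emits the smallest SARIF 2.1.0 document GitHub code scanning will accept, pinning every result to the SBOM file at line 1 and deduplicating rules by vulnerability id.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is a constructed stand-in for a scanner's per-vulnerability result.
// Field names are hypothetical; this is not bomber's actual struct.
type Finding struct {
	Purl        string // package URL of the affected component
	ID          string // vulnerability identifier as reported by the scanner
	Severity    string // scanner severity: CRITICAL, HIGH, MEDIUM, LOW
	Description string
}

// Minimal SARIF 2.1.0 shapes: only the members GitHub code scanning consumes.
type SarifLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []SarifRun `json:"runs"`
}
type SarifRun struct {
	Tool    SarifTool     `json:"tool"`
	Results []SarifResult `json:"results"`
}
type SarifTool struct {
	Driver SarifDriver `json:"driver"`
}
type SarifDriver struct {
	Name  string      `json:"name"`
	Rules []SarifRule `json:"rules"`
}
type SarifRule struct {
	ID               string       `json:"id"`
	ShortDescription SarifMessage `json:"shortDescription"`
}
type SarifMessage struct {
	Text string `json:"text"`
}
type SarifResult struct {
	RuleID    string          `json:"ruleId"`
	Level     string          `json:"level"`
	Message   SarifMessage    `json:"message"`
	Locations []SarifLocation `json:"locations"`
}
type SarifLocation struct {
	PhysicalLocation SarifPhysical `json:"physicalLocation"`
}
type SarifPhysical struct {
	ArtifactLocation SarifArtifact `json:"artifactLocation"`
	Region           SarifRegion   `json:"region"`
}
type SarifArtifact struct {
	URI string `json:"uri"`
}
type SarifRegion struct {
	StartLine int `json:"startLine"`
}

// SeverityToLevel maps scanner severities onto SARIF's four result levels.
func SeverityToLevel(sev string) string {
	switch strings.ToUpper(sev) {
	case "CRITICAL", "HIGH":
		return "error"
	case "MEDIUM":
		return "warning"
	case "LOW":
		return "note"
	default:
		return "none"
	}
}

// ToSARIF builds one run from a list of findings. Every result is anchored to
// the SBOM file itself at line 1, because a component has no source line; this
// is the "arbitrary info" a line-oriented format forces on SBOM scanners.
// Rules are deduplicated by vulnerability id so each id appears once in the driver.
func ToSARIF(toolName, sbomPath string, findings []Finding) SarifLog {
	run := SarifRun{Tool: SarifTool{Driver: SarifDriver{Name: toolName, Rules: []SarifRule{}}}, Results: []SarifResult{}}
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.ID] {
			seen[f.ID] = true
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules,
				SarifRule{ID: f.ID, ShortDescription: SarifMessage{Text: f.Description}})
		}
		loc := SarifLocation{PhysicalLocation: SarifPhysical{
			ArtifactLocation: SarifArtifact{URI: sbomPath}, Region: SarifRegion{StartLine: 1}}}
		run.Results = append(run.Results, SarifResult{
			RuleID:    f.ID,
			Level:     SeverityToLevel(f.Severity),
			Message:   SarifMessage{Text: fmt.Sprintf("%s affects %s", f.ID, f.Purl)},
			Locations: []SarifLocation{loc},
		})
	}
	return SarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []SarifRun{run}}
}

func main() {
	// Constructed sample findings; ids and purls are placeholders, not real advisories.
	findings := []Finding{
		{Purl: "pkg:golang/example.com/lib@1.2.3", ID: "EXAMPLE-VULN-1", Severity: "HIGH", Description: "placeholder"},
		{Purl: "pkg:npm/example@4.5.6", ID: "EXAMPLE-VULN-1", Severity: "HIGH", Description: "placeholder"},
		{Purl: "pkg:npm/other@0.1.0", ID: "EXAMPLE-VULN-2", Severity: "LOW", Description: "placeholder"},
	}
	out, err := json.MarshalIndent(ToSARIF("bomber", "sbom.json", findings), "", "  ")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

Two results sharing one id produce one rule and two results, which is how the Security tab groups alerts; the `$schema` URL lets the validator linked earlier in the thread check the output before it is uploaded.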

djschleen commented 2 years ago

It looks trivial to do an output of OCSF and map the Vulnerability struct from bomber into it. Possibly add an --output=ocsf flag. @garethr you want to take that on? Probably create a separate ticket?

djschleen commented 1 year ago

Hey @artis3n - gonna close this one in lieu of implementing the VDR CycloneDX format for output. #114

djschleen commented 5 months ago

@artis3n - Reopening this issue. We'll be adding a new renderer to output SARIF format.