mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Enhance SecHub report model to provide revision information for findings #3093

Closed de-jcup closed 5 months ago

de-jcup commented 5 months ago

Situation

With #3092 (and others) we will integrate SCM history secret scanning.

But revision information is currently not available inside the model.

Wanted

The SecHub report model shall offer the possibility to provide revision information for findings.

Solution

```json
{
  "jobUUID": "6cf02ccf-da13-4dee-b529-0225ed9661bd",
  "trafficLight": "YELLOW",
  "messages": [],
  "status": "SUCCESS",
  "reportVersion": "1.0",
  "result": {
    "count": 2,
    "findings": [
      {
        "id": 1,
        "description": "Use of hard coded credentials",
        "severity": "HIGH",
        "code": {
          "location": "java/org/example/SomewhereWithCredentials.java",
          "line": 137,
          "column": 5,
          "source": "xyz"
        },
        "revision": {
          "id": "57adf786209eaf01d9f26beb0a9e9fffdcf5f04b"
        },
        "type": "secretScan",
        "cweId": 798
      }
    ]
  }
}
```

When the revision information for a finding is NOT set, the revision will always be the revision defined inside the metadata for version control (see #3094).
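A consumer of the report has to apply the fallback rule above itself: a finding from SCM history secret scanning may sit in an old revision rather than the scanned head, so the per-finding `revision.id` must win and the metadata revision is used only when it is absent. The following Python is an added example, not SecHub project code. The sample report is constructed from the JSON in the issue plus a second finding without a `revision` block, and the `metaData.versionControl.revision.id` path is an assumption (its real shape is defined in #3094, which is not shown here).

```python
import json
from typing import Dict, List, Optional

# Constructed sample report, modelled on the JSON in the issue. The second
# finding deliberately carries no "revision" block. The "metaData" /
# "versionControl" shape is an ASSUMPTION standing in for what #3094 defines.
SAMPLE_REPORT = json.loads("""
{
  "jobUUID": "6cf02ccf-da13-4dee-b529-0225ed9661bd",
  "trafficLight": "YELLOW",
  "messages": [],
  "status": "SUCCESS",
  "reportVersion": "1.0",
  "metaData": {
    "versionControl": {
      "revision": { "id": "PLACEHOLDER_REVISION_FROM_METADATA" }
    }
  },
  "result": {
    "count": 2,
    "findings": [
      {
        "id": 1,
        "description": "Use of hard coded credentials",
        "severity": "HIGH",
        "code": {
          "location": "java/org/example/SomewhereWithCredentials.java",
          "line": 137,
          "column": 5,
          "source": "xyz"
        },
        "revision": { "id": "57adf786209eaf01d9f26beb0a9e9fffdcf5f04b" },
        "type": "secretScan",
        "cweId": 798
      },
      {
        "id": 2,
        "description": "Use of hard coded credentials",
        "severity": "HIGH",
        "code": {
          "location": "java/org/example/Config.java",
          "line": 12,
          "column": 1,
          "source": "xyz"
        },
        "type": "secretScan",
        "cweId": 798
      }
    ]
  }
}
""")


def metadata_revision(report: dict) -> Optional[str]:
    """Revision recorded for the scanned checkout (assumed JSON path, see lead-in)."""
    return (
        report.get("metaData", {})
        .get("versionControl", {})
        .get("revision", {})
        .get("id")
    )


def effective_revision(report: dict, finding: dict) -> str:
    """Rule from the issue: the finding's own revision wins; if it is not set,
    the revision from the version-control metadata applies. A report that has
    neither cannot be attributed to a revision at all, so that is an error."""
    own = finding.get("revision", {}).get("id")
    if own:
        return own
    fallback = metadata_revision(report)
    if fallback is None:
        raise ValueError(
            f"finding {finding.get('id')} has no revision and the report "
            "carries no version-control metadata revision"
        )
    return fallback


def findings_by_revision(report: dict) -> Dict[str, List[int]]:
    """Group finding ids by the revision they belong to, e.g. to decide which
    findings point at history rather than at the scanned head."""
    groups: Dict[str, List[int]] = {}
    for finding in report["result"]["findings"]:
        groups.setdefault(effective_revision(report, finding), []).append(finding["id"])
    return groups


if __name__ == "__main__":
    for revision, ids in findings_by_revision(SAMPLE_REPORT).items():
        print(f"{revision}: findings {ids}")
```

The grouping makes the difference visible at a glance: finding 1 resolves to the commit named in its own `revision` block, while finding 2 falls back to the metadata revision.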