Situation
In previous versions of KICS (prior to 1.7.12), SARIF reports did not include Common Weakness Enumeration (CWE) identifiers for findings. To address this, a workaround was implemented in SecHub that adds a default CWE to all findings to ensure that reports were compliant with expected standards.
Wanted
With the release of KICS version 1.7.12, some CWEs are now included for Docker findings. However, the current workaround in SecHub indiscriminately adds a default CWE to all findings, which can lead to inaccuracies in the reports where KICS already provides a CWE.
Solution
The workaround needs to be refined to check if a CWE is already present in the SARIF report for a finding. If a CWE is present, the workaround should not add a default CWE. This adjustment will ensure that the SARIF reports contain accurate CWE information when available from KICS, and fall back to the default CWE only when necessary.
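The refined check described above, as an added example in Python rather than SecHub's own (Java) code: it resolves each SARIF result to its rule, looks for a CWE on that rule, and uses the default only when none is found. The CWE is looked up in two places: the SARIF 2.1.0 standard form (a `relationships` entry targeting a tool component named "CWE") and an assumed vendor form `properties.cwe`; the exact property name KICS writes is an assumption, as are the rule ids, CWE numbers and the `CWE-0000` placeholder for SecHub's real default in the constructed sample.

```python
import json
import re
from typing import Optional

# Placeholder for SecHub's real fallback CWE (the issue does not name it).
DEFAULT_CWE = "CWE-0000"


def cwe_from_rule(rule: dict) -> Optional[str]:
    """Return 'CWE-<n>' if the SARIF rule carries a CWE, else None.

    Checked locations:
      1. SARIF 2.1.0 standard: a 'relationships' entry whose target belongs
         to a tool component named 'CWE' (target.id is the CWE number);
      2. assumed vendor form: rule 'properties.cwe' holding the number
         (the property name KICS actually uses is an assumption here).
    """
    for rel in rule.get("relationships", []):
        target = rel.get("target", {})
        component = target.get("toolComponent", {})
        if str(component.get("name", "")).upper() == "CWE" and target.get("id"):
            return f"CWE-{int(target['id'])}"
    raw = rule.get("properties", {}).get("cwe")
    if raw is not None:
        match = re.search(r"\d+", str(raw))
        if match:
            return f"CWE-{int(match.group(0))}"
    return None


def resolve_cwes(sarif: dict, default_cwe: str = DEFAULT_CWE) -> list:
    """Map every result in every run to a CWE, falling back to default_cwe
    only when the rule behind the result provides none.

    Returns a list of dicts with keys ruleId, cwe and defaulted
    (defaulted is True when the fallback was used).
    """
    resolved = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            rule = None
            # Prefer ruleIndex when present; otherwise match on ruleId.
            if "ruleIndex" in result and 0 <= result["ruleIndex"] < len(rules):
                rule = rules[result["ruleIndex"]]
            elif result.get("ruleId") in by_id:
                rule = by_id[result["ruleId"]]
            cwe = cwe_from_rule(rule) if rule else None
            resolved.append({
                "ruleId": result.get("ruleId", rule.get("id") if rule else None),
                "cwe": cwe or default_cwe,
                "defaulted": cwe is None,
            })
    return resolved


# Constructed sample report: three rules, three findings. Rule ids and
# CWE numbers are made up for illustration.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "KICS", "rules": [
      {"id": "rule-with-relationship",
       "relationships": [{"target": {"id": "798", "toolComponent": {"name": "CWE"}}}]},
      {"id": "rule-with-property", "properties": {"cwe": "22"}},
      {"id": "rule-without-cwe", "properties": {"platform": "Dockerfile"}}
    ]}},
    "results": [
      {"ruleId": "rule-with-relationship", "ruleIndex": 0, "message": {"text": "a"}},
      {"ruleId": "rule-with-property", "message": {"text": "b"}},
      {"ruleId": "rule-without-cwe", "message": {"text": "c"}}
    ]
  }]
}
""")


if __name__ == "__main__":
    for entry in resolve_cwes(SAMPLE_SARIF):
        print(entry)
```

Only the third finding receives the default; the first two keep the CWE the report already carries, which is the behaviour the refined workaround needs.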