We will provide SARIF inside Sereco (see https://sarifweb.azurewebsites.net/) because it is supported by OASIS and is becoming a standard for SAST report formats.
It will also help us to simplify PDS integration very much! Every product supporting SARIF will be very easy to integrate once the PDS integration in SecHub is fully done.
@Jeeppler, @4w31ss3: I did some changes in the PR:
- We now have a fully working integration test with PDS - see the Scenario 9 tests
- Inside reports I added the following (this was necessary, otherwise users had no information except line number and location when the SecHub job returned its final result in the integration test):
  - name is now filled when possible
  - description is now filled when possible
- Bugfix: the product id was used with "SARIF" but we needed "pds_codescan" because PDS scans use this as their product identifier. When an importer shall be usable for more than one product type we must change the import support classes to provide multiple ids - or do a custom implementation where necessary
- Bugfix: ProductResultImporter#isAbleToImport must only return ABLE_TO_IMPORT when it is really able to do the import job. Otherwise it will be used for all kinds of reports and will fail - and so will the SecHub job. So I changed the SARIF importer behaviour here: it now checks the complete content (if the importer support declares it as JSON and it contains at least a "run" inside...)
- Documentation: I added some Javadoc to methods and classes to make some parts clearer
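As an added illustration of the ability check described in the comment above (this is example code, not SecHub's or Sereco's own implementation), the class below only answers "able to import" when the product id matches `pds_codescan`, the payload parses as JSON and the top-level object carries a `runs` array, which is the SARIF spec's top-level key for report runs. The enum `ImportAbility`, the `ImportParameter` holder and the checker class are hypothetical stand-ins for the SecHub types; Jackson's `ObjectMapper` is assumed to be on the classpath. The sample reports in `main` are constructed for the demo.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Example only: a content-sniffing "able to import" check for a SARIF importer.
 * Names below (ImportAbility, ImportParameter, SarifImportAbilityChecker) are
 * hypothetical and do not mirror SecHub's real classes.
 */
public class SarifImportAbilityExample {

    /** Hypothetical result type of the ability check. */
    enum ImportAbility { ABLE_TO_IMPORT, NOT_ABLE_TO_IMPORT, PRODUCT_FAILED }

    /** Hypothetical holder for what an importer gets asked about. */
    static final class ImportParameter {
        final String productId;
        final String importData;

        ImportParameter(String productId, String importData) {
            this.productId = productId;
            this.importData = importData;
        }
    }

    static final class SarifImportAbilityChecker {
        /* PDS code scans are identified by this product id, not by "SARIF". */
        private static final String SUPPORTED_PRODUCT_ID = "pds_codescan";
        private static final ObjectMapper MAPPER = new ObjectMapper();

        ImportAbility isAbleToImport(ImportParameter param) {
            // Wrong product: never claim this importer for it.
            if (!SUPPORTED_PRODUCT_ID.equals(param.productId)) {
                return ImportAbility.NOT_ABLE_TO_IMPORT;
            }
            // No output at all is treated as a failed product run (assumption).
            if (param.importData == null || param.importData.isBlank()) {
                return ImportAbility.PRODUCT_FAILED;
            }
            // Inspect the complete content instead of trusting the id alone.
            JsonNode root;
            try {
                root = MAPPER.readTree(param.importData);
            } catch (IOException e) {
                return ImportAbility.NOT_ABLE_TO_IMPORT; // not JSON at all
            }
            if (root == null || !root.isObject()) {
                return ImportAbility.NOT_ABLE_TO_IMPORT; // JSON, but not an object
            }
            JsonNode runs = root.get("runs");
            if (runs == null || !runs.isArray()) {
                return ImportAbility.NOT_ABLE_TO_IMPORT; // JSON object, but not SARIF
            }
            return ImportAbility.ABLE_TO_IMPORT;
        }
    }

    public static void main(String[] args) {
        SarifImportAbilityChecker checker = new SarifImportAbilityChecker();

        // Constructed sample inputs for the demo.
        String sarif = "{\"version\":\"2.1.0\",\"runs\":[{\"tool\":{\"driver\":{\"name\":\"demo-sast\"}}}]}";
        String otherJson = "{\"issues\":[],\"format\":\"something-else\"}";
        String xml = "<report><finding/></report>";

        System.out.println(checker.isAbleToImport(new ImportParameter("pds_codescan", sarif)));
        System.out.println(checker.isAbleToImport(new ImportParameter("pds_codescan", otherJson)));
        System.out.println(checker.isAbleToImport(new ImportParameter("pds_codescan", xml)));
        System.out.println(checker.isAbleToImport(new ImportParameter("pds_codescan", "")));
        System.out.println(checker.isAbleToImport(new ImportParameter("SARIF", sarif)));
    }
}
```

The first call is the only one that yields `ABLE_TO_IMPORT`; the JSON-but-not-SARIF report and the XML report are rejected rather than handed to the importer and failing the whole job, the empty payload reports `PRODUCT_FAILED`, and the `"SARIF"` product id is rejected because the importer is registered for `pds_codescan`.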