de-jcup commented 4 years ago

We will provide SARIF inside Sereco ( see https://sarifweb.azurewebsites.net/) because it is supported by OASIS and becomes a standard of SAST report formats.

It will also help us to simplyfy PDS integration very much! Every product supporting SARIF will be very easy to integration when PDS integration in SecHub is full done.

Jeeppler commented 3 years ago

I think this issue is a duplicate of #364.

4w31ss3 commented 3 years ago

575 addresses currently empty vulnerability description field.

de-jcup commented 3 years ago

@Jeeppler , @4w31ss3 : I did some changes in the PR:

We got now a full working integration test with PDS - see Scenario 9 tests
Inside reports I added following (was necessary, otherwise Users had no information except line number and location when SecHub Job returned final result in integration test)
- name is filled now when possible
- description is filled now when possible
Bugfix: product id was used with "SARIF" but we needed "pds_codescan" because pds scans use this as product identifier. When a importer shall be usable for more than one product type we must change the import support classes to provide multiple ids - or do a custom implementation where necessary
Bugfix: ProductResultImporter#isAbleToImport - must only return ABLE_TO_IMPORT when it's really able to do the import job. Otherwise it will be used for all kind of reports and will fail - and so the SecHub job. So I changed the SARIF importer behaviour here and it checks now the complete content (if importer support declares it as JSON and contains at least a "run" inside...)
Documentation: I added some javadoc at methods, classes, to make some parts more clear

mercedes-benz / sechub

Sereco support for SARIF #386

575 addresses currently empty vulnerability description field.