mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Improve SarifV1JSONImporter descriptions and names #575

Open 4w31ss3 opened 3 years ago

4w31ss3 commented 3 years ago

Situation

In SarifV1JSONImporter the vulnerability description field is set to an empty String (""). This was implemented analogously to the CheckmarxV1XMLImporter, because of unwanted html-tags in Checkmarx reports.

Wanted

The vulnerability description within SarifV1JSONImporter should be set with useful information provided by the underlying SARIF report of the corresponding tool. Some SARIF report generating tools could have unwanted proprietary information in their message objects (such as references to tool specifics). This should be addressed.

Solution

Therefore the message object of SARIF could/should be used (https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.pdf 3.11 message object). In SARIF 2.1.0 the message object can contain "plain text messages" as well as "formatted messages".


Albert Weißert albert.weissert@daimler.com, Daimler TSS GmbH, imprint
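One way the resolution described in the issue could look, as an added example that is neither the SecHub importer's code nor part of the original issue. It assumes a constructed SARIF 2.1.0 log (not a real tool report), a precedence order chosen for this example (the message object's own `text` first, then a `text` looked up via `id` in the rule's `messageStrings` with `{N}` placeholders filled from `arguments`, then `markdown` reduced to plain text, then the rule's `shortDescription`, and only then the empty string the importer uses today), the doubled-brace escaping as read from §3.11.5 of the spec, and a deliberately crude tag stripper for the markdown fallback so that markup does not leak into the description:

```python
from __future__ import annotations

import json
import re

# Constructed sample (not a real scanner's output). It exercises the message
# forms the SARIF 2.1.0 message object allows: "text", "markdown", and an
# "id"/"arguments" reference into the rule's messageStrings, plus an empty
# message to show the fallback to the rule's shortDescription.
SAMPLE_SARIF = json.loads(r'''
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {
      "name": "example-scanner",
      "rules": [
        {"id": "SQLI001",
         "shortDescription": {"text": "SQL injection"},
         "messageStrings": {
           "default": {"text": "Untrusted value flows from '{0}' into query at line {1}."}
         }},
        {"id": "XSS002",
         "shortDescription": {"text": "Cross-site scripting"}}
      ]
    }},
    "results": [
      {"ruleId": "SQLI001",
       "message": {"id": "default", "arguments": ["request.getParameter(\"q\")", "42"]}},
      {"ruleId": "XSS002",
       "message": {"markdown": "Reflected input reaches `innerHTML` (see <b>rule docs</b>)."}},
      {"ruleId": "SQLI001",
       "message": {"text": "Query built with {{string concatenation}} of {0}.",
                   "arguments": ["userName"]}},
      {"ruleId": "XSS002",
       "message": {}}
    ]
  }]
}
''')

_PLACEHOLDER_RE = re.compile(r"\{\{|\}\}|\{(\d+)\}")
_TAG_RE = re.compile(r"<[^>]+>")
_MD_INLINE_RE = re.compile(r"[`*]")


def _substitute(template: str, arguments: list[str]) -> str:
    """Fill {N} placeholders from arguments; '{{' and '}}' are literal braces
    (assumption: my reading of SARIF 2.1.0 §3.11.5). Unknown indices are left as-is."""
    def repl(m: re.Match) -> str:
        if m.group(0) == "{{":
            return "{"
        if m.group(0) == "}}":
            return "}"
        idx = int(m.group(1))
        return arguments[idx] if idx < len(arguments) else m.group(0)
    return _PLACEHOLDER_RE.sub(repl, template)


def _plain_from_markdown(md: str) -> str:
    """Crude fallback for formatted messages: drop HTML tags and inline markdown
    markers so no markup ends up in the description (the Checkmarx concern)."""
    return _MD_INLINE_RE.sub("", _TAG_RE.sub("", md)).strip()


def rules_by_id(run: dict) -> dict[str, dict]:
    """Index the driver's rule descriptors by rule id for messageStrings lookup."""
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def resolve_description(result: dict, rules: dict[str, dict]) -> str:
    """Resolve one result's message object to a plain-text description.
    The precedence order below is this example's choice, not the spec's mandate."""
    msg = result.get("message", {})
    args = msg.get("arguments", [])
    if msg.get("text"):
        return _substitute(msg["text"], args)
    rule = rules.get(result.get("ruleId", ""), {})
    msg_id = msg.get("id")
    if msg_id:
        strings = rule.get("messageStrings", {}).get(msg_id, {})
        if strings.get("text"):
            return _substitute(strings["text"], args)
        if strings.get("markdown"):
            return _plain_from_markdown(_substitute(strings["markdown"], args))
    if msg.get("markdown"):
        return _plain_from_markdown(_substitute(msg["markdown"], args))
    # Last resort: the rule's own short description, else "" as the importer does today.
    return rule.get("shortDescription", {}).get("text", "")


def resolve_all(sarif: dict) -> list[tuple[str, str]]:
    """Return (ruleId, description) for every result in every run."""
    out: list[tuple[str, str]] = []
    for run in sarif["runs"]:
        rules = rules_by_id(run)
        for result in run.get("results", []):
            out.append((result.get("ruleId", ""), resolve_description(result, rules)))
    return out


if __name__ == "__main__":
    for rule_id, description in resolve_all(SAMPLE_SARIF):
        print(f"{rule_id}: {description}")
```

The markdown stripper is intentionally minimal; a real importer would want a proper Markdown-to-text conversion and an explicit allow-list of what may pass through, since the formatted variant is exactly where tool-specific references and markup tend to appear.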

de-jcup commented 3 years ago

With #386 a simple approach was already done for Type/Name (differs between internal Sereco format and Sechub report) and description. The description used the plain text data from SARIF.

So simple variant is already done (we needed this, because otherwise users have sometimes no info at all).

This issue should improve the data resolving mechanism - if possible.