Open 4w31ss3 opened 3 years ago
With #386 a simple approach was already done for Type/Name (which differs between the internal Sereco format and the Sechub report) and description. The description used the plain text data from SARIF.
So the simple variant is already done (we needed this, because otherwise users sometimes have no info at all).
This issue should improve the data resolving mechanism, if possible.
Situation

In SarifV1JSONImporter the vulnerability description field is set to an empty String (""). This was implemented analogously to the CheckmarxV1XMLImporter, because of unwanted HTML tags in Checkmarx reports.

Wanted

The vulnerability description within SarifV1JSONImporter should be set with useful information provided by the underlying SARIF report of the corresponding tool. Some SARIF report generating tools could have unwanted proprietary information in their message objects (such as references to tool specifics). This should be addressed.

Solution

Therefore the message object of SARIF could/should be used (https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.pdf, 3.11 message object). In SARIF 2.1.0 the message object can contain "plain text messages" as well as "formatted messages".

Albert Weißert albert.weissert@daimler.com, Daimler TSS GmbH, imprint