microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

HdfConverter: Set precision and tags #2712

Closed candrews closed 1 year ago

candrews commented 1 year ago

GitHub recommends that precision be set. Other tools, such as Trivy, set precision="very-high" when there's no available data to determine otherwise, so that's what's done here too.

tags must include "security" for GitHub to process the security-severity and consider the results to be a security finding.

See: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
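The two requirements this PR addresses can be checked outside the converter. The following is an added example (not code from sarif-sdk or from the PR): it reads a SARIF log, reports rules that lack a valid `precision` or that carry `security-severity` without the `security` tag, and applies the same defaults the PR describes. The sample log and rule ids are constructed for the demonstration.

```python
import json

# Constructed sample: a minimal SARIF 2.1.0 log with two rules (not sdk output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "hdf-example", "rules": [
            {"id": "V-1", "properties": {"security-severity": "7.5"}},
            {"id": "V-2", "properties": {"precision": "high",
                                          "tags": ["security"],
                                          "security-severity": "4.0"}},
        ]}},
        "results": [],
    }],
})

# precision values accepted by GitHub code scanning
VALID_PRECISION = {"very-high", "high", "medium", "low"}

def _load(sarif):
    return json.loads(sarif) if isinstance(sarif, str) else sarif

def github_rule_issues(sarif):
    """Return {rule_id: [issues]} for rules GitHub would not treat as a
    security finding with a severity: missing or invalid precision, or a
    security-severity given without the 'security' tag."""
    issues = {}
    for run in _load(sarif).get("runs", []):
        for rule in run["tool"]["driver"].get("rules", []):
            props = rule.get("properties", {})
            problems = []
            if props.get("precision") not in VALID_PRECISION:
                problems.append("precision missing or invalid")
            if "security-severity" in props and "security" not in props.get("tags", []):
                problems.append("security-severity set but 'security' tag missing")
            if problems:
                issues[rule["id"]] = problems
    return issues

def apply_defaults(sarif):
    """Apply the PR's defaults: precision 'very-high' when absent and the
    'security' tag added to every rule. Returns the patched log as a dict."""
    log = _load(sarif)
    for run in log.get("runs", []):
        for rule in run["tool"]["driver"].get("rules", []):
            props = rule.setdefault("properties", {})
            props.setdefault("precision", "very-high")  # matches Trivy's default
            tags = props.setdefault("tags", [])
            if "security" not in tags:
                tags.append("security")
    return log

if __name__ == "__main__":
    print(github_rule_issues(SAMPLE_SARIF))          # V-1 flagged, V-2 clean
    print(github_rule_issues(apply_defaults(SAMPLE_SARIF)))  # {}
```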

candrews commented 1 year ago

@michaelcfanning, with this change, the resulting SARIF results in GitHub seem to look good. I uploaded ValidResults.sarif to see what it looks like: https://github.com/candrews/sarif-test/security/code-scanning

michaelcfanning commented 1 year ago

Update release notes? Otherwise looks good.

candrews commented 1 year ago

> Update release notes? Otherwise looks good.

Updated the release notes

michaelcfanning commented 1 year ago

Alright! You ready for me to burn a release for you?

candrews commented 1 year ago

> Alright! You ready for me to burn a release for you?

I am! :-D