oasis-tcs / sarif-spec

OASIS SARIF TC: Repository for development of the draft standard, where requests for modification should be made via Github Issues
https://github.com/oasis-tcs/sarif-spec

SARIF Output for SCA #485

Open vtky opened 3 years ago

vtky commented 3 years ago

I'd like to better understand whether the SARIF output format would work well with SCA tooling, for example the various tools that integrate Sonatype's OSSIndex. Is there an example SARIF output for such tools?

Another, more specific question: given a vulnerability in a particular package, how should the vulnerable package name be reported in SARIF output? Would it fit best in location.logicalLocations.name?
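One way the encoding asked about above could look, as an added Python example that is not from this thread or from the SARIF TC: the vulnerable package goes into location.logicalLocations (name plus fullyQualifiedName), the manifest into physicalLocation, and the installed version into a properties bag. The advisory ids, package names, the "example-sca-tool" driver name and the properties-bag key are constructed assumptions, not spec guidance.

```python
import json

# Constructed sample SCA findings (not real advisories), shaped like what an
# SCA tool backed by a vulnerability index might emit for a dependency manifest.
SAMPLE_FINDINGS = [
    {"package": "example-lib", "version": "1.2.3", "advisory": "EXAMPLE-ADV-0001",
     "severity": "error", "summary": "Constructed: deserialization flaw in example-lib"},
    {"package": "another-lib", "version": "0.9.0", "advisory": "EXAMPLE-ADV-0002",
     "severity": "warning", "summary": "Constructed: DoS via crafted input in another-lib"},
]

def sarif_for_sca(findings, manifest="package.json"):
    """Build a SARIF 2.1.0 log: one rule per advisory, one result per finding.
    Package identity lives in logicalLocations; the version in a properties
    bag (assumed key 'packageVersion'). One possible encoding, not TC guidance."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["advisory"], {
            "id": f["advisory"],
            "shortDescription": {"text": f["summary"]},
        })
        results.append({
            "ruleId": f["advisory"],
            "level": f["severity"],
            "message": {"text": f"{f['package']}@{f['version']}: {f['summary']}"},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": manifest}},
                "logicalLocations": [{
                    "name": f["package"],
                    "fullyQualifiedName": f"{f['package']}@{f['version']}",
                    "kind": "module",  # one of the kinds the spec suggests
                }],
            }],
            "properties": {"packageVersion": f["version"]},
        })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-sca-tool", "rules": list(rules.values())}},
            "results": results,
        }],
    }

def vulnerable_packages(log):
    """Read package names back from logicalLocations, as a consumer would."""
    return [loc["name"] for run in log["runs"] for r in run["results"]
            for l in r["locations"] for loc in l.get("logicalLocations", [])]
```

Run json.dumps(sarif_for_sca(SAMPLE_FINDINGS), indent=2) to see the resulting log; a consumer that only reads physicalLocation would still land on the manifest, which is why both location kinds are populated.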

Jeeppler commented 2 years ago

As far as I understand, OWASP CycloneDX would be a better fit for Software Composition Analysis (SCA).

stevespringett commented 2 years ago

The CycloneDX team has been thinking of ways to integrate with SARIF, as we believe the two specs are complementary, with a ton of potential for future use cases.

See https://github.com/CycloneDX/specification/issues/103