Open vtky opened 3 years ago
As far as I understood, the OWASP CycloneDX would be a better fit for Software Composition Analysis (SCA).
The CycloneDX team has been thinking of ways to integrate with SARIF as we believe the two specs are complementary with a ton of potential for future use cases.
I'd like to better understand if the SARIF output format would work well with SCA tooling. For example, the various tooling that integrates Sonatype's OSSIndex. Is there an example SARIF output for such tools?
Another more specific question: given a vulnerability in a particular package, how should the vulnerable package name be reported in a SARIF output? Would it be best fit in `location.logicalLocations.name`?
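As an added illustration of the question above (not code from the issue, from the SARIF specification, from CycloneDX or from any OSSIndex-based tool), the following Python builds a minimal SARIF 2.1.0 log for dependency-vulnerability findings, placing the package name in `locations[].logicalLocations[].name` as the question proposes, and then checks the log's required structure and reads the package names back. The findings, rule ids, tool name and package names are constructed placeholders. Two design choices are assumptions rather than anything the SARIF spec prescribes for SCA: the package coordinates are carried in `fullyQualifiedName` as a Package URL (the identifier CycloneDX uses), and `kind` is set to `"module"` (SARIF's `kind` is an open string; `"module"` is one of the spec's listed example values).

```python
"""Emit SCA (dependency vulnerability) findings as a SARIF 2.1.0 log.

Added example, not the issue's, the SARIF spec's or any SCA tool's code.
All findings, ids and names below are constructed placeholders.
"""
import json

# Constructed SCA findings, shaped like what a scanner might hold after
# querying an advisory database. "advisory" is a placeholder, not a real CVE.
SAMPLE_FINDINGS = [
    {
        "ecosystem": "npm", "package": "example-left-pad", "version": "1.0.0",
        "advisory": "ADVISORY-PLACEHOLDER-0001", "severity": "high",
        "summary": "Prototype pollution in example-left-pad < 1.0.1",
        "manifest": "package-lock.json",
    },
    {
        "ecosystem": "pypi", "package": "example-http-helper", "version": "2.3.0",
        "advisory": "ADVISORY-PLACEHOLDER-0002", "severity": "medium",
        "summary": "Header injection in example-http-helper < 2.4.0",
        "manifest": "requirements.txt",
    },
]

# Assumed mapping from advisory severity to SARIF result.level (error/warning/note).
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


def purl(finding):
    """Package URL for the finding (assumption: purl as the fully qualified name)."""
    return f"pkg:{finding['ecosystem']}/{finding['package']}@{finding['version']}"


def build_sarif(findings, tool_name="example-sca-scanner"):
    """Return a SARIF 2.1.0 document (as a dict) with one result per finding."""
    rules, results = {}, []
    for f in findings:
        rule_id = f["advisory"]  # one reportingDescriptor per advisory
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f["summary"]},
            "properties": {"tags": ["security", "dependency"]},
        })
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(f["severity"].lower(), "warning"),
            "message": {"text": f"{f['package']}@{f['version']} ({f['ecosystem']}) "
                                f"is affected by {rule_id}: {f['summary']}"},
            "locations": [{
                # The manifest that pulls the dependency in, so viewers can point at a file.
                "physicalLocation": {"artifactLocation": {"uri": f["manifest"]}},
                # The vulnerable package itself, in logicalLocations.name as the question proposes.
                "logicalLocations": [{
                    "name": f["package"],
                    "fullyQualifiedName": purl(f),
                    "kind": "module",  # assumption: open string in SARIF, "module" is a spec example
                }],
            }],
            "properties": {"purl": purl(f), "packageVersion": f["version"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def validate_sarif(doc):
    """Check the minimal structure a consumer relies on; return a list of problems (empty = OK)."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for i, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{i}].tool.driver.name missing")
        rule_ids = {r.get("id") for r in driver.get("rules", [])}
        for j, res in enumerate(run.get("results", [])):
            if "text" not in res.get("message", {}):
                problems.append(f"results[{j}].message.text missing")
            if res.get("ruleId") not in rule_ids:
                problems.append(f"results[{j}].ruleId not declared in tool.driver.rules")
            for loc in res.get("locations", []):
                for ll in loc.get("logicalLocations", []):
                    if not ll.get("name"):
                        problems.append(f"results[{j}] has a logicalLocation without a name")
    return problems


def vulnerable_packages(doc):
    """Read the package names back out of logicalLocations, as a SARIF consumer would."""
    return sorted({ll["name"]
                   for run in doc["runs"] for res in run.get("results", [])
                   for loc in res.get("locations", [])
                   for ll in loc.get("logicalLocations", [])})


if __name__ == "__main__":
    sarif = build_sarif(SAMPLE_FINDINGS)
    print(json.dumps(sarif, indent=2))
    print("problems:", validate_sarif(sarif))
    print("vulnerable packages:", vulnerable_packages(sarif))
```

Run it directly to print the log; `validate_sarif` is the kind of check worth running on any SCA-produced SARIF before handing it to a viewer, since a result whose `ruleId` is not declared under `tool.driver.rules`, or a logical location with no `name`, tends to render as an anonymous finding.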