oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0
1.61k stars, 312 forks

Extend the advisor with Static Application Security Testing (SAST) #7302

Open sschuberth opened 1 year ago

sschuberth commented 1 year ago

We could extend the advisor's capabilities for static code analysis, esp. with a focus on security, like with any of these (alphabetical order):

See e.g. here for an overview.

tsteenbe commented 1 year ago

@sschuberth Note that Bearer is under Elastic License 2.0 which does not allow providing Bearer CLI to third parties as a hosted or managed service. Will be an issue for several ORT users such as Bosch.

sschuberth commented 4 months ago

To start with, we should probably do like GitLab does and use Semgrep for pretty much everything.