oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Extend the advisor with Static Application Security Testing (SAST) #7302

Open sschuberth opened 11 months ago

sschuberth commented 11 months ago

We could extend the advisor's capabilities for static code analysis, esp. with a focus on security, like with any of these (alphabetical order):

See e.g. here for an overview.

tsteenbe commented 11 months ago

@sschuberth Note that Bearer is under Elastic License 2.0 which does not allow providing Bearer CLI to third parties as a hosted or managed service. Will be an issue for several ORT users such as Bosch.