Closed mazen160 closed 2 years ago
Hi @mazen160 - thanks a ton for this input! We had been focusing on general usability issues over the last couple weeks and now need to focus on our reporting format(s), especially, as you point out, SARIF and JSON. We really appreciate the details in your write-up here and will make sure to address them each in our upcoming work on extending our internal representation and standardization of our output. Keep an eye out for changes starting next week in this area!
The JSON duplication should be fixed by PR #55
Fixed in #55
Hi!
Thanks for developing this awesome project. I was experimenting with it today and found an odd bug when scanning Golang apps with findings:

- Source code line content is not shown in SARIF.
- When scanning vulnerable golang apps (https://github.com/0c34/govwa), there are findings in the default and JSON formats, and one finding in SARIF.
- Reporting in JSON is a bit hard to follow; it may need to be standardized into a single-document format instead of the current one. The JSON report has multiple JSON objects, one per line, followed by invalid text (a string). I also find that the findings are repeated. It may need to be reviewed.
- Untrusted sources are not shown in SARIF. They can be found in the JSON output, but they are not there in SARIF.
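To make the JSON output described above consumable while the format is being standardized, here is an added post-processing example (not the project's own code): it reads the line-delimited report, skips the non-JSON trailer, drops repeated findings, and emits one JSON document. The field names and the sample report are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample report: one JSON object per line, a repeated finding,
# and a trailing non-JSON status line, as described in the issue.
SAMPLE_REPORT = """\
{"rule": "sql-injection", "file": "sqli.go", "line": 42, "untrusted_source": "r.URL.Query"}
{"rule": "xss", "file": "xss.go", "line": 17, "untrusted_source": "r.FormValue"}
{"rule": "sql-injection", "file": "sqli.go", "line": 42, "untrusted_source": "r.URL.Query"}
scan finished in 1.2s
"""


def parse_jsonl_report(text: str) -> Dict[str, object]:
    """Parse a line-delimited report, tolerating lines that are not JSON objects."""
    findings: List[Dict] = []
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            # Trailing status text is recorded, not treated as a fatal parse error.
            skipped.append(line)
            continue
        if isinstance(obj, dict):
            findings.append(obj)
        else:
            skipped.append(line)
    return {"findings": findings, "skipped": skipped}


def dedupe_findings(findings: List[Dict]) -> List[Dict]:
    """Remove exact duplicate findings while preserving first-seen order."""
    seen = set()
    unique: List[Dict] = []
    for finding in findings:
        key = json.dumps(finding, sort_keys=True)  # canonical form for comparison
        if key not in seen:
            seen.add(key)
            unique.append(finding)
    return unique


def normalize_report(text: str) -> Dict[str, object]:
    """Return a single-document report: unique findings plus the lines that were skipped."""
    parsed = parse_jsonl_report(text)
    return {"findings": dedupe_findings(parsed["findings"]), "skipped": parsed["skipped"]}


if __name__ == "__main__":
    print(json.dumps(normalize_report(SAMPLE_REPORT), indent=2))
```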