securesauce / precli

Precaution CLI - command line static application security testing tool
https://precli.readthedocs.io/

Use taxa instead of tags to associate CWE in SARIF renderer #446

Open ericwb opened 3 months ago

ericwb commented 3 months ago

Describe the bug
Currently the CWE number is associated to a rule via the tags property on the rule. However, according to spec, the taxa property should be used instead.

Tags SHOULD NOT be used to label a result or a rule as belonging to a category in a classification system such as the Common Weakness Enumeration [CWE™] (for example, by adding a tag "CWE/622"). Instead, taxonomies (§3.19.3) SHOULD be used for this purpose.

To Reproduce
Steps to reproduce the behavior: n/a

Expected behavior
Will this still work in GitHub UI? If not, might have to do both.

Version

precli 0.5.2
Copyright 2024 Secure Saurce LLC
License BUSL-1.1: Business Source License 1.1 <https://spdx.org/licenses/BUSL-1.1.html>
  Python 3.12.1 (main, Dec 12 2023, 13:19:17) [Clang 15.0.0 (clang-1500.0.40.1)]

Additional context
See 3.19.25 taxa property in https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html
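The two association styles the issue contrasts, as an added example that is not part of the issue and not precli's own renderer code. The SARIF fragment below is constructed: rule EX001 carries the CWE only as a `CWE/79` tag (the pattern the spec discourages), while rule EX002 links to taxon `79` of a `CWE` toolComponent declared in `run.taxonomies` via `reportingDescriptor.relationships`, and its result repeats the link in `result.taxa`. The tool name `example-sast`, the rule ids and the `lint_cwe_linking` helper are assumptions for illustration; the SARIF property names follow the 2.1.0 specification.

```python
"""Added example: tag-based vs taxonomy-based CWE linking in a SARIF 2.1.0 log."""
import json

# Constructed SARIF fragment for illustration only (not precli output).
SARIF_LOG = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",  # hypothetical tool name
            "rules": [
                {
                    "id": "EX001",
                    # CWE only as a tag: discouraged by the spec.
                    "properties": {"tags": ["CWE/79"]},
                },
                {
                    "id": "EX002",
                    # Relationship to taxon "79" of the "CWE" toolComponent
                    # listed under run.taxonomies (the spec-preferred form).
                    "relationships": [{
                        "target": {"id": "79", "toolComponent": {"name": "CWE"}},
                        "kinds": ["superset"],
                    }],
                },
            ],
        }},
        "taxonomies": [{
            "name": "CWE",
            "version": "4.14",
            "taxa": [{
                "id": "79",
                "name": "ImproperNeutralizationOfInputDuringWebPageGeneration",
                "shortDescription": {"text": "Cross-site Scripting"},
            }],
        }],
        "results": [{
            "ruleId": "EX002",
            "message": {"text": "constructed finding"},
            # Results point at taxa directly; tags are not needed here either.
            "taxa": [{"id": "79", "toolComponent": {"name": "CWE"}}],
        }],
    }],
}


def cwe_ids_from_tags(rule):
    """CWE numbers encoded as 'CWE/<n>' tags on a rule."""
    tags = rule.get("properties", {}).get("tags", [])
    return [t.split("/", 1)[1] for t in tags if t.upper().startswith("CWE/")]


def cwe_ids_from_relationships(rule, taxonomies):
    """CWE taxon ids a rule references through relationships, keeping only
    targets that resolve to a taxon declared in a 'CWE' taxonomy."""
    declared = {
        taxon["id"]
        for taxonomy in taxonomies
        if taxonomy.get("name") == "CWE"
        for taxon in taxonomy.get("taxa", [])
    }
    ids = []
    for rel in rule.get("relationships", []):
        target = rel.get("target", {})
        if target.get("toolComponent", {}).get("name") != "CWE":
            continue
        if target.get("id") in declared:
            ids.append(target["id"])
    return ids


def lint_cwe_linking(log):
    """Return (rule_id, problem) pairs: rules that carry a CWE only in tags,
    and CWE relationships whose taxon is missing from run.taxonomies."""
    problems = []
    for run in log["runs"]:
        taxonomies = run.get("taxonomies", [])
        for rule in run["tool"]["driver"].get("rules", []):
            resolved = cwe_ids_from_relationships(rule, taxonomies)
            if cwe_ids_from_tags(rule) and not resolved:
                problems.append((rule["id"], "cwe-only-in-tags"))
            for rel in rule.get("relationships", []):
                target = rel.get("target", {})
                if target.get("toolComponent", {}).get("name") != "CWE":
                    continue
                if target.get("id") not in resolved:
                    problems.append((rule["id"], f"unresolved-taxon:{target.get('id')}"))
    return problems


if __name__ == "__main__":
    print(json.dumps(lint_cwe_linking(SARIF_LOG), indent=2))
```

Running the lint over the constructed log flags only EX001, which is exactly the situation the issue describes: a consumer that reads `relationships` and `taxonomies` sees no CWE on a tag-only rule. If the GitHub UI turns out to read only tags, emitting both forms (as the issue's "might have to do both" suggests) keeps both kinds of consumer working.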