SARIF Output Support #937
Comments
Hi @anthturner, this is a good suggestion. We are going to study the possibility of adding this new output format. Feel free to contribute something if you want; it would be a pleasure to help you.
Go is one of the languages I'm less familiar with. I have messed around with adding bindings for a new output format but still have a ways to go until I get anything that actually works. I'll take more time on it this weekend. If you'd like, I can fork and start work on this item, and we can collaborate on getting it working as desired. (Or if it's easier, I can work from a branch on this repo; your choice.) Thanks for the response!
For outside contributors we suggest forking the repository and opening a PR. Feel free to ask any question here or on a PR. The code that makes the reports lives on You can read the function that processes the results as a Sonarqube output here; it's very simple. The code that creates the Sonarqube output format lives in the internal/services/sonarqube package. In CONTRIBUTING.md we have some steps that should be done by contributors, and BUILD.md contains the dependencies and commands necessary to build and test Horusec. Feel free to ask any question, and thanks for your interest.
Took a shot at creating this. As noted in the PR there are still some gaps, which are mostly all data-based now, such as not all RuleIDs being present. That said, it's neat to see this working with this standardized output.
@matheusalcantarazup (or other)... Would appreciate some thoughts on my idea to supplement the RuleID on formatters which don't have it. anthturner@71f2b49 I'd like to extend this across the board but want to get at least a vague thumbs up on the general direction before I put in the larger effort.
I think it would be better to open another issue for further discussion. Can you please open one?
Fixes #937 Signed-off-by: Anthony Turner <225599+anthturner@users.noreply.github.com>
What would you like to be added:
An output formatting module which generates SARIF files (https://github.com/microsoft/sarif-tutorials).
SARIF is a fairly new OASIS standard to help integrate and chain together the results of many static analysis tools on the same target.
The biggest difference between SARIF output and the current JSON output is the addition of a dictionary of all rules from all engines. Most of the rest of the changes are semantic or basic structural adjustments.
Why is this needed:
Similar to the output formatting for JSON or Sonarqube, it would be useful for Horusec to output SARIF documents as well, to integrate with things like GitHub's security dashboard natively.
More info on that can be found here: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
While conversion from reports into SARIF files is possible (and is currently my workaround via a large regular expression), it would be better served closer to the Horusec application itself to avoid syntax changes breaking the converter.
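As an added illustration of the structural point above (the per-run dictionary of rules in `tool.driver.rules`, with each result pointing back into it by `ruleId` and `ruleIndex`), the following Go program is written for this page; it is not Horusec's SARIF formatter nor the code from the linked PR. The `Finding` struct, the engine-scoped fallback id for findings that carry no RuleID, the severity-to-level mapping and the sample findings are all assumptions constructed for the example; the `$schema` URL is the commonly used SARIF 2.1.0 schema location.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a constructed stand-in for one Horusec analysis result. The
// field names are assumptions for this example, not Horusec's report types.
type Finding struct {
	Engine, RuleID, Severity, Details, File string
	Line                                    int
}

// Minimal subset of SARIF 2.1.0: enough for the rules dictionary and for
// results that reference it.
type (
	Message struct{ Text string `json:"text"` }
	Rule    struct {
		ID               string  `json:"id"`
		Name             string  `json:"name"`
		ShortDescription Message `json:"shortDescription"`
	}
	Driver struct {
		Name  string `json:"name"`
		Rules []Rule `json:"rules"` // dictionary of all rules from all engines
	}
	Region   struct{ StartLine int `json:"startLine"` }
	Artifact struct{ URI string `json:"uri"` }
	Physical struct {
		ArtifactLocation Artifact `json:"artifactLocation"`
		Region           Region   `json:"region"`
	}
	Location struct{ PhysicalLocation Physical `json:"physicalLocation"` }
	Result   struct {
		RuleID    string     `json:"ruleId"`
		RuleIndex int        `json:"ruleIndex"` // position in driver.rules
		Level     string     `json:"level"`
		Message   Message    `json:"message"`
		Locations []Location `json:"locations"`
	}
	Run struct {
		Tool    struct{ Driver Driver `json:"driver"` } `json:"tool"`
		Results []Result                             `json:"results"`
	}
	Log struct {
		Schema  string `json:"$schema"`
		Version string `json:"version"`
		Runs    []Run  `json:"runs"`
	}
)

// sarifLevel maps Horusec-style severities onto the SARIF "level" values.
func sarifLevel(severity string) string {
	switch severity {
	case "CRITICAL", "HIGH":
		return "error"
	case "MEDIUM":
		return "warning"
	case "LOW":
		return "note"
	}
	return "none"
}

// ruleKey derives a stable rule id. Engines that report no RuleID (the gap
// mentioned in the thread) get an engine-scoped placeholder; this fallback
// is the example's own choice, not Horusec behaviour.
func ruleKey(f Finding) string {
	if f.RuleID == "" {
		return f.Engine + "-UNKNOWN"
	}
	return f.Engine + "/" + f.RuleID
}

// ToSARIF converts findings into one SARIF run. Rules are deduplicated
// across engines into tool.driver.rules; every result references its rule
// by ruleId and by index into that dictionary.
func ToSARIF(findings []Finding) Log {
	var run Run
	run.Tool.Driver.Name = "horusec"
	index := map[string]int{} // rule id -> position in run.Tool.Driver.Rules
	for _, f := range findings {
		key := ruleKey(f)
		idx, seen := index[key]
		if !seen {
			idx = len(run.Tool.Driver.Rules)
			index[key] = idx
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules,
				Rule{ID: key, Name: f.Engine, ShortDescription: Message{Text: f.Details}})
		}
		run.Results = append(run.Results, Result{
			RuleID: key, RuleIndex: idx, Level: sarifLevel(f.Severity),
			Message: Message{Text: f.Details},
			Locations: []Location{{PhysicalLocation: Physical{
				ArtifactLocation: Artifact{URI: f.File}, Region: Region{StartLine: f.Line}}}},
		})
	}
	return Log{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []Run{run}}
}

// Render serialises the log as indented JSON, ready to upload to code scanning.
func Render(l Log) (string, error) {
	b, err := json.MarshalIndent(l, "", "  ")
	return string(b), err
}

// SampleFindings are constructed inputs: two hits on the same gosec rule and
// one bandit finding without a RuleID.
func SampleFindings() []Finding {
	return []Finding{
		{Engine: "gosec", RuleID: "G101", Severity: "HIGH", Details: "Potential hardcoded credentials", File: "cmd/main.go", Line: 12},
		{Engine: "gosec", RuleID: "G101", Severity: "HIGH", Details: "Potential hardcoded credentials", File: "internal/db.go", Line: 40},
		{Engine: "bandit", RuleID: "", Severity: "LOW", Details: "Use of assert detected", File: "scripts/check.py", Line: 3},
	}
}

func main() {
	out, err := Render(ToSARIF(SampleFindings()))
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running it prints a log with two entries in `rules` for three results: the second gosec hit reuses `ruleIndex` 0 rather than repeating the rule, which is exactly the deduplicated dictionary the issue describes, and the bandit finding is still emitted with a placeholder id so it is not dropped.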