
Add SARIF support #909

Closed
stevespringett opened this issue Jan 28, 2021 · 5 comments · Fixed by #3561
Labels
enhancement New feature or request good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Comments

@stevespringett
Member

SARIF should be able to describe vulnerable components even though its original purpose was representing source code vulnerabilities.

Recently, the Dependency-Check project implemented SARIF support with the intended use case that the resulting file would be published to GitHub (which now supports SARIF and can process and display the results directly).

This enhancement request is to add support for generating SARIF via an API. This would dynamically generate the SARIF (via Pebble), and the resulting file would be downloaded.

@stevespringett stevespringett added the enhancement New feature or request label Jan 28, 2021
@stevespringett stevespringett added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Jan 28, 2021
@stevespringett
Member Author

Refer to jeremylong/DependencyCheck#3081

@RunFox

RunFox commented Mar 15, 2024

Hello!
Are there any updates?

@nscuro nscuro added good first issue Good for newcomers size/S Small effort labels Mar 16, 2024
@nscuro
Member

nscuro commented Mar 16, 2024

@RunFox Not implemented so far. But it seems like a nice "good first issue" candidate for new contributors to work on. :)

Note on implementation: The existing /api/v1/finding/<PROJECT_UUID> endpoint should be extended to support an Accept: application/sarif+json header. If that header is provided, return the findings in SARIF format. Otherwise, return findings in the existing, DT-specific JSON format. https://www.iana.org/assignments/media-types/application/sarif+json

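As an added example (not Dependency-Track's own code, and not taken from the linked PR or its sarif.peb template), the two halves of the approach described in the comment above, written in Python rather than the project's Java: deciding from the Accept header whether the client asked for application/sarif+json, and turning finding objects like those /api/v1/finding/<PROJECT_UUID> returns into a SARIF 2.1.0 log in which each vulnerable component becomes a result, which is the point of the original request. The finding shape used here (component / vulnerability / analysis keys), the severity-to-level mapping, the `bom.json` artifact URI, and the sample findings are all this example's assumptions; `CVE-2021-44228` against log4j-core 2.14.1 is a real advisory, the INTERNAL entries are placeholders.

```python
"""Content negotiation and SARIF rendering for a findings endpoint (added example)."""
import json

SARIF_MEDIA_TYPE = "application/sarif+json"  # IANA-registered media type
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SARIF result.level only allows none/note/warning/error; mapping DT
# severities onto those four values is this example's choice.
SEVERITY_TO_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning",
                     "LOW": "note", "INFO": "note", "UNASSIGNED": "none"}


def parse_accept(accept_header):
    """Return [(media_type, q)] from an Accept header, best preference first.

    Ties on q keep header order, so the client's first listed type wins.
    Entries with q=0 (or a malformed q) are dropped as not acceptable.
    """
    prefs = []
    for position, part in enumerate(accept_header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        if not pieces[0]:
            continue
        q = 1.0
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs.append((pieces[0].lower(), q, position))
    prefs.sort(key=lambda t: (-t[1], t[2]))
    return [(media, q) for media, q, _ in prefs if q > 0]


def wants_sarif(accept_header):
    """True only when the client explicitly prefers application/sarif+json.

    Wildcards, application/json and a missing header keep the existing
    DT-specific JSON, so current API clients see no change in behaviour.
    """
    for media_type, _ in parse_accept(accept_header or ""):
        if media_type == SARIF_MEDIA_TYPE:
            return True
        if media_type in ("application/json", "application/*", "*/*"):
            return False
    return False


def findings_to_sarif(findings, tool_name="Dependency-Track", artifact_uri="bom.json"):
    """Build a SARIF 2.1.0 log: one rule per vulnerability, one result per
    (component, vulnerability) pair. Suppressed findings are skipped so a
    triage decision in DT does not resurface as an alert downstream.

    artifact_uri is an assumption: DT tracks packages, not source paths, but
    consumers such as GitHub code scanning place alerts by physicalLocation,
    so the result is pinned to the uploaded BOM and the package itself is
    recorded as a logicalLocation.
    """
    rules, results = {}, []
    for finding in findings:
        comp, vuln = finding["component"], finding["vulnerability"]
        if (finding.get("analysis") or {}).get("isSuppressed"):
            continue
        rule_id = f"{vuln['source']}:{vuln['vulnId']}"
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": vuln.get("title") or rule_id},
            "properties": {"severity": vuln.get("severity", "UNASSIGNED")},
        })
        name = f"{comp['group']}:{comp['name']}" if comp.get("group") else comp["name"]
        package = comp.get("purl") or f"{name}@{comp.get('version', '')}"
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(vuln.get("severity", "UNASSIGNED"), "none"),
            "message": {"text": f"{rule_id} affects {package}"},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": artifact_uri}},
                "logicalLocations": [{"name": package, "kind": "package"}],
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def render_findings(findings, accept_header):
    """What the endpoint would return: (Content-Type, body)."""
    if wants_sarif(accept_header):
        return SARIF_MEDIA_TYPE, json.dumps(findings_to_sarif(findings), indent=2)
    return "application/json", json.dumps(findings, indent=2)


# Constructed sample input shaped like DT's finding JSON (assumed shape).
SAMPLE_FINDINGS = [
    {"component": {"uuid": "comp-1", "group": "org.apache.logging.log4j", "name": "log4j-core",
                   "version": "2.14.1",
                   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-2021-44228", "severity": "CRITICAL",
                       "title": "Remote code execution via JNDI lookup"},
     "analysis": {"isSuppressed": False}},
    {"component": {"uuid": "comp-2", "name": "acme-utils", "version": "1.0.0"},
     "vulnerability": {"source": "INTERNAL", "vulnId": "INT-0001", "severity": "MEDIUM"},
     "analysis": {"isSuppressed": False}},
    {"component": {"uuid": "comp-2", "name": "acme-utils", "version": "1.0.0"},
     "vulnerability": {"source": "INTERNAL", "vulnId": "INT-0002", "severity": "LOW"},
     "analysis": {"isSuppressed": True, "state": "FALSE_POSITIVE"}},
]

if __name__ == "__main__":
    print(render_findings(SAMPLE_FINDINGS, "application/sarif+json")[1])
```

In a JAX-RS resource the hand-rolled Accept parsing is unnecessary: keeping the existing method at `@Produces("application/json")` and adding a second method with `@Produces("application/sarif+json")` lets the framework negotiate, and the response Content-Type then tells the client which representation it got. Whichever way the negotiation is done, the default for a missing or wildcard Accept should stay the existing JSON so scripts written against the endpoint today keep working.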
@aravindparappil46
Contributor

Hi folks,
I have created a PR for this enhancement: #3561
Would appreciate any feedback! (Some eyes on the sarif.peb would be great!)

@nscuro nscuro added this to the 4.11 milestone Mar 26, 2024
@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 27, 2024
4 participants