Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SARIF support #909

Closed
stevespringett opened this issue Jan 28, 2021 · 5 comments · Fixed by #3561
Closed

Add SARIF support #909

stevespringett opened this issue Jan 28, 2021 · 5 comments · Fixed by #3561
Labels
enhancement New feature or request good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Milestone
4.11

Comments

@stevespringett
Copy link
Member

SARIF should be able to describe vulnerable components even though its' original purpose was representing source code vulnerabilities.

Recently, the Dependency-Check project implemented SARIF support with the intended use case that the resulting file would be published to GitHub (which now supports SARIF) and can process and display results directly in GitHub.

This enhancement request is to add support for generating SARIF via an API. This would dynamically generate the SARIF (via pebble), and the resulting file would be downloaded.
@stevespringett stevespringett added the enhancement New feature or request label Jan 28, 2021
@stevespringett stevespringett mentioned this issue Jan 28, 2021
Open
@stevespringett stevespringett added the p2 Non-critical bugs, and features that help organizations to identify and reduce risk label Jan 28, 2021
@stevespringett
Copy link
Member Author

Refer to jeremylong/DependencyCheck#3081

@RunFox
Copy link

RunFox commented Mar 15, 2024

Hello!
Is any updates?

@nscuro nscuro added good first issue Good for newcomers size/S Small effort labels Mar 16, 2024
@nscuro
Copy link
Member

nscuro commented Mar 16, 2024
edited

@RunFox Not implemented so far. But it seems like a nice "good first issue" candidate for new contributors to work on. :)

Note on implementation: The existing /api/v1/finding/<PROJECT_UUID> endpoint should be extended to support an Accept: application/sarif+json header. If that header is provided, return the findings in SARIF format. Otherwise, return findings in the existing, DT-specific JSON format. https://www.iana.org/assignments/media-types/application/sarif+json

@aravindparappil46 aravindparappil46 mentioned this issue Mar 18, 2024
Merged
5 tasks
@aravindparappil46
Copy link
Contributor

Hi folks,
I have created a PR for this enhancement: #3561
Would appreciate any feedback! (Some eyes on the sarif.peb would be great!)

@nscuro nscuro added this to the 4.11 milestone Mar 26, 2024
@github-actions GitHub Actions
Copy link
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 27, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Projects
None yet
Milestone
4.11
Development

Successfully merging a pull request may close this issue.

Generate SARIF File Of Project Vulnerability Findings aravindparappil46/dependency-track
4 participants
@stevespringett @nscuro @RunFox @aravindparappil46