
Add SiteShadow SARIF reader#283

Closed
hisopo wants to merge 1 commit into OWASP-Benchmark:main from hisopo:add-siteshadow-reader


Conversation


@hisopo hisopo commented Mar 29, 2026

Summary

  • Adds SiteShadowReader extending SarifReader for parsing SiteShadow SAST results
  • SiteShadow is an open-source taint analysis tool using tree-sitter WASM parsing
  • Uses CweSourceType.TAG — CWEs are encoded in SARIF rule property tags (e.g., ["CWE-89", "security"])
  • Registered in Reader.allReaders()

Context

SiteShadow performs graph-based intraprocedural and interprocedural taint analysis for Java (and other languages). On OWASP Benchmark v1.2, it achieves:

  • 100% TPR, 0% FPR on all 7 taint-relevant CWEs (CWE-22, 78, 79, 89, 90, 501, 643)
  • 902/902 true positives detected, 0/796 false positives

A companion PR to BenchmarkJava will add the SARIF results file and generated scorecard.

Test plan

  • BenchmarkUtils builds successfully with the new reader
  • Scorecard generated correctly from SiteShadow SARIF results file
  • Verify reader is picked up by canRead() for SiteShadow SARIF files

🤖 Generated with Claude Code

SiteShadow is an open-source SAST tool that performs graph-based
intraprocedural and interprocedural taint analysis using tree-sitter
WASM parsing. It outputs results in SARIF 2.1.0 format with CWEs
encoded in rule property tags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
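As an added illustration (not code from this PR or from BenchmarkUtils' SarifReader), the two pieces the description refers to, tag-based CWE lookup and a canRead()-style check that the SARIF came from SiteShadow, run over a constructed SARIF 2.1.0 sample; the function names and the minimal SARIF layout are assumptions:

```python
import json
import re
# Constructed SARIF 2.1.0 sample in the PR's shape (not real SiteShadow output): CWE ids live in rule tags.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SiteShadow", "rules": [
            {"id": "sqli", "properties": {"tags": ["CWE-89", "security"]}},
            {"id": "xss", "properties": {"tags": ["security", "CWE-79"]}},
            {"id": "style", "properties": {"tags": ["style"]}},  # no CWE tag: must not be scored
        ]}},
        "results": [
            {"ruleId": rid, "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}
            for rid, uri in [("sqli", "testcode/BenchmarkTest00008.java"),
                             ("xss", "testcode/BenchmarkTest00042.java"),
                             ("style", "testcode/BenchmarkTest00042.java")]
        ],
    }],
})
CWE_TAG = re.compile(r"^CWE-(\d+)$")
TEST_NAME = re.compile(r"(BenchmarkTest\d+)\.java$")

def can_read(sarif_text):
    """Stand-in for canRead(): accept only SARIF whose tool driver is named SiteShadow."""
    try:
        doc = json.loads(sarif_text)
        return any(run["tool"]["driver"].get("name") == "SiteShadow" for run in doc.get("runs", []))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def cwe_from_tags(rule):
    """Tag-based CWE source: the first tag of the form CWE-<n>, or None if the rule has none."""
    for tag in rule.get("properties", {}).get("tags", []):
        if (m := CWE_TAG.match(tag)):
            return int(m.group(1))
    return None

def parse(sarif_text):
    """Return sorted (test case, CWE) pairs; results whose rule has no CWE tag are dropped."""
    findings = set()
    for run in json.loads(sarif_text)["runs"]:
        cwe_by_rule = {r["id"]: cwe_from_tags(r) for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            cwe = cwe_by_rule.get(res.get("ruleId"))
            if cwe is None:
                continue
            for loc in res.get("locations", []):
                if (m := TEST_NAME.search(loc["physicalLocation"]["artifactLocation"]["uri"])):
                    findings.add((m.group(1), cwe))
    return sorted(findings)
```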
hisopo pushed a commit to hisopo/BenchmarkJava that referenced this pull request Mar 29, 2026
SiteShadow is an open-source SAST tool performing graph-based taint
analysis using tree-sitter WASM. Results: 100% TPR, 0% FPR on all 7
taint-relevant CWEs (22, 78, 79, 89, 90, 501, 643). 902 TPs, 0 FPs.

Does not cover: hash, crypto, weakrand, securecookie categories.
Overall average including unscored categories: 63.64%.

Companion BenchmarkUtils PR: OWASP-Benchmark/BenchmarkUtils#283

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author

hisopo commented Mar 30, 2026

Closing — resubmitting alongside updated results covering all 11 CWEs.

@hisopo hisopo closed this Mar 30, 2026