Support for the SARIF (Static Analysis Results Interchange Format) #646
Comments
|
For reference, it looks like Microsoft wrote a converter here: https://github.com/microsoft/bandit-sarif-formatter |
|
@ericwb Hi Eric. My team is planning to modify either bandit or the converter provided above so that the SARIF output includes suppression information. I see you've added this enhancement for 2.0.0 - is someone already working on this? How could we contribute? Thanks. |
|
any news on this issue? |
|
Since Microsoft has already created a Bandit formatter and sarif library, I don't think there's any reason for Bandit duplicate the effort. Instead, maybe we can look at an easier way to make use of 3rd party plugins such as this. |
|
@ericwb like add something in the documentation? Because I tested the MS plugin but it was not very easy to find this module and use it. |
|
We from SecHub project at Mercedes-Benz Tech Innovation would like to contribute a SARIF 2.1.0 formatter. We would like to have SARIF support as one of the standard report format options in Bandit. The Bandit SARIF formatter by Microsoft does not seem to be developed anymore and we need to have support for the Common Weakness Enumeration (CWE) taxonomy in the SARIF report. As a result of the limitations, we are happy to contribute a SARIF 2.1.0 formatter to Bandit. @ericwb is the SARIF open to the idea of adding the SARIF support directly to Bandit in case we develop and contribute it? |
|
@Jeeppler we're definitely open to the creation of a new formatter that supports SARIF. |
|
@ericwb thanks for the quick reply. We will start working on it. |
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes PyCQA#646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
This commit adds a formatter that outputs JSON in a specific SARIF format according to spec at [1]. This code is largely leveraged from an existing implementation found here [2]. SARIF format is very useful for integration into ecosystems such as GitHub's Actions. [1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html [2] https://github.com/microsoft/bandit-sarif-formatter Closes #646 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Is your feature request related to a problem? Please describe.
I think integration is the name of the game today and the SARIF format (https://github.com/oasis-tcs/sarif-spec) is a standard that most static analysis tools have embraced. It would be great if Bandit could have that as well. Simply because this integrates with Github, Vulnerability Management Tools and makes results consistent
Describe the solution you'd like
Support for the sarif-spec based on the JSON spec listed here and
--outputand--formatflags that support SARIF as an option in addition to JSON, XML, etc.The text was updated successfully, but these errors were encountered: