
Integrate CWE/NIST SARIF taxonomy data with Flawfinder (preparatory to Heimdall/HDF conversion) #38

Open
michaelcfanning opened this issue Mar 13, 2021 · 2 comments

Comments

@michaelcfanning

This is a tracking item to describe next possible steps with Flawfinder SARIF + HDF support.

Observations:

  • The HDF format currently requires encoding tool -> CWE/other NIST standard mappings in a non-standard format which is currently persisted to the HDF tooling repo.
  • If we solve this problem using SARIF taxonomies, it appears we could create a straightforward SARIF -> HDF converter that would unlock the SARIF eco-system for Heimdall.
  • This interoperability isn't free, however: tools that opt into HDF support will need to explicitly map their rule ids to the NIST standards. Several existing tools (Flawfinder being one) already have mapping data in some form.

As preparatory work, we are building a CWE SARIF taxonomy, which should be published to a well-known web location. We will also need to create a taxonomy for the NIST standard (and create relationships from CWE to NIST IDs, as shown in the heimdall_tools repo).

It'd be interesting to discuss how these definitive taxonomy files are published on the web.

Once this core work is complete, we should update Flawfinder to emit its rule id -> CWE/NIST mappings in the log file. The Flawfinder log will also contain a link to the external CWE/NIST web-hosted taxonomies.

With a finished log such as this, a new SARIF -> HDF converter will be able to produce HDF that can flow into the various Heimdall tools. That will be very nice! All of this work will demonstrate a good path for other tools to follow.

Thoughts? :)

@eddynaka @yongyan-dh @david-a-wheeler
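The mechanics the proposal above relies on (a run's `taxonomies[]`, rule `relationships[]` pointing at taxa, and taxon-to-taxon relationships from CWE into a NIST taxonomy) are easier to see on a concrete log. The following is an added example written for this thread, not code from Flawfinder, Heimdall, heimdall_tools or the SARIF SDK. The log is constructed by hand: the rule ids (`FF1001` and so on), the `downloadUri` values, the taxonomy versions and the CWE -> NIST links are illustrative placeholders, not real Flawfinder output or real mapping data. Only the property names follow the SARIF 2.1.0 schema.

```python
"""Resolve rule -> CWE -> NIST mappings through SARIF 2.1.0 taxonomies.

Added example for this issue thread; not Flawfinder, Heimdall or SARIF SDK code.
SAMPLE_LOG is constructed by hand: rule ids, downloadUri values, versions and the
CWE -> NIST links are placeholders.  Schema properties used:
  run.taxonomies[]                    toolComponent objects holding taxa[]
  reportingDescriptor.relationships[] {target: {id, toolComponent: {name, index}}, kinds}
"""

CWE_INDEX, NIST_INDEX = 0, 1  # positions in run.taxonomies below


def _cwe(taxon_id, kinds):
    return {"target": {"id": taxon_id, "toolComponent": {"name": "CWE", "index": CWE_INDEX}},
            "kinds": kinds}


def _nist(control_id):
    return {"target": {"id": control_id,
                       "toolComponent": {"name": "NIST SP 800-53", "index": NIST_INDEX}},
            "kinds": ["relevant"]}


# Constructed sample log (illustrative, not real Flawfinder output).
SAMPLE_LOG = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "FF1001", "shortDescription": {"text": "fixed-size buffer copy"},
             "relationships": [_cwe("120", ["superset"])]},
            {"id": "FF1002", "shortDescription": {"text": "format string from non-literal"},
             "relationships": [_cwe("134", ["relevant"]), _cwe("120", ["relevant"])]},
            {"id": "FF1003", "shortDescription": {"text": "not mapped yet"}},
        ]}},
        "taxonomies": [
            # Partial CWE taxonomy embedded in the log; downloadUri stands in for the
            # well-known published copy discussed in the thread (placeholder URL).
            {"name": "CWE", "version": "4.4", "organization": "MITRE", "isComprehensive": False,
             "downloadUri": "https://example.invalid/cwe.sarif",
             "taxa": [
                 {"id": "120", "name": "Classic Buffer Overflow", "relationships": [_nist("SI-10")]},
                 {"id": "134", "name": "Externally-Controlled Format String",
                  "relationships": [_nist("SI-10")]},
             ]},
            {"name": "NIST SP 800-53", "version": "5", "isComprehensive": False,
             "downloadUri": "https://example.invalid/nist-800-53.sarif",
             "taxa": [{"id": "SI-10", "name": "Information Input Validation"}]},
        ],
        "results": [
            {"ruleId": "FF1001", "ruleIndex": 0, "message": {"text": "strcpy() used"}},
            {"ruleId": "FF1002", "ruleIndex": 1, "message": {"text": "printf() with variable format"}},
            {"ruleId": "FF1003", "ruleIndex": 2, "message": {"text": "finding with no mapping"}},
        ],
    }],
}


def _resolve_taxonomy(run, component_ref):
    """toolComponentReference -> taxonomy object (index first, then name), or None."""
    taxonomies = run.get("taxonomies", [])
    idx = component_ref.get("index")
    if isinstance(idx, int) and 0 <= idx < len(taxonomies):
        return taxonomies[idx]
    return next((t for t in taxonomies if t.get("name") == component_ref.get("name")), None)


def _resolve_rule(run, result):
    """result -> rule descriptor via ruleIndex, falling back to ruleId; None if absent."""
    rules = run["tool"]["driver"].get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), None)


def _targets(run, descriptor, taxonomy_name):
    """Yield (taxon id, taxon object or None) for relationships into taxonomy_name."""
    for rel in descriptor.get("relationships", []):
        target = rel.get("target", {})
        tax = _resolve_taxonomy(run, target.get("toolComponent", {}))
        if tax is None or tax.get("name") != taxonomy_name:
            continue
        taxon = next((t for t in tax.get("taxa", []) if t.get("id") == target.get("id")), None)
        yield target.get("id"), taxon


def cwe_ids_for_rule(run, rule):
    return sorted({f"CWE-{tid}" for tid, _ in _targets(run, rule, "CWE")})


def nist_ids_for_rule(run, rule):
    """Two hops: rule -> CWE taxon -> NIST taxon, using the CWE taxon's own relationships."""
    ids = set()
    for _, cwe_taxon in _targets(run, rule, "CWE"):
        if cwe_taxon is None:  # taxon only exists in the external file; cannot follow it offline
            continue
        ids.update(tid for tid, _ in _targets(run, cwe_taxon, "NIST SP 800-53"))
    return sorted(ids)


def rule_mappings(log):
    """rule id -> {"cwe": [...], "nist": [...]} across all runs: the table a converter needs."""
    out = {}
    for run in log["runs"]:
        for rule in run["tool"]["driver"].get("rules", []):
            out[rule["id"]] = {"cwe": cwe_ids_for_rule(run, rule), "nist": nist_ids_for_rule(run, rule)}
    return out


def unmapped_rules(log):
    """Rules with no CWE relationship; a converter should report these rather than drop them."""
    return [rid for rid, m in rule_mappings(log).items() if not m["cwe"]]


def ids_for_result(log, run_index, result_index):
    run = log["runs"][run_index]
    rule = _resolve_rule(run, run["results"][result_index])
    if rule is None:
        return {"cwe": [], "nist": []}
    return {"cwe": cwe_ids_for_rule(run, rule), "nist": nist_ids_for_rule(run, rule)}


if __name__ == "__main__":
    for rid, m in rule_mappings(SAMPLE_LOG).items():
        print(rid, m)
    print("unmapped:", unmapped_rules(SAMPLE_LOG))
```

Two points this makes concrete for the converter work: the taxonomy embedded in the log can be partial (`isComprehensive: false`) with `downloadUri` pointing at the published copy, so a resolver has to cope with a relationship whose target taxon is only in the external file; and rules with no relationships (`FF1003` here) need to surface as unmapped rather than vanish from the output.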

@david-a-wheeler
Owner

All of that seems reasonable. I think additional mappings should probably be new database entries or straightforward mappings from an existing entry. If you want to pull out CWE entries to separate database entries that'd be fine too.

@eddynaka

Hi,

just a quick update on this:


3 participants