Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SARIF output format #1500

Merged
merged 1 commit into from
Sep 17, 2020
Merged

Add SARIF output format #1500

merged 1 commit into from
Sep 17, 2020

Conversation

swinton
Copy link
Contributor

@swinton swinton commented Aug 11, 2020
edited
Loading

👋 This PR adds support for the SARIF (Static Analysis Results Interchange Format) output format to Brakeman.

Todo

@swinton swinton mentioned this pull request Aug 12, 2020
Closed
@swinton swinton marked this pull request as ready for review August 12, 2020 21:54
@swinton swinton marked this pull request as draft August 19, 2020 19:50
@swinton
Copy link
Contributor Author

swinton commented Aug 19, 2020

Switching this PR back to 🚧 to draft following a review with one of the SARIF spec authors (✨) who had a couple of minor points of feedback. I'll switch this back once I've pushed up the changes.

@swinton swinton marked this pull request as ready for review August 24, 2020 20:15
@swinton
Copy link
Contributor Author

swinton commented Aug 24, 2020

I'll switch this back once I've pushed up the changes.

I moved this back to "ready for review", to summarize the recent changes:

  1. c981d1c: I learned that we don't need "artifacts" to be present if it's not adding information beyond "X and Y" -- so these are removed
  2. 794acc3: I re-ordered some of the result properties so the order is more logical to a human eye
  3. 10ce40f: help text is removed in favor of just helpUri, since the help text carried no additional information

presidentbeef
presidentbeef reviewed Aug 25, 2020
View reviewed changes
lib/brakeman/report/report_sarif.rb Outdated Show resolved Hide resolved
lib/brakeman/report/report_sarif.rb Outdated Show resolved Hide resolved
@swinton
Copy link
Contributor Author

swinton commented Sep 16, 2020

Consider pulling more documentation into the SARIF format, via https://github.com/presidentbeef/brakeman/tree/main/docs/warning_types.

@presidentbeef I would love to hear your thoughts on this piece. Is this the only thing blocking this PR from merging?

@presidentbeef
Copy link
Owner

Happy to merge without that piece. Is there anything outstanding? Otherwise, happy to merge.

@swinton
Copy link
Contributor Author

swinton commented Sep 17, 2020

Is there anything outstanding?

I think I will reintroduce a temporary help until we can follow up with the revised warning_type docs. Let me do that today then we should be good to go!

@swinton
Copy link
Contributor Author

swinton commented Sep 17, 2020

I think I will reintroduce a temporary help until we can follow up with the revised warning_type docs.

✅ Done. Here's how it looks in the Security alerts on GitHub (taken from this demo rails3.2 repo, which is a copy of this test app), More info links to this page:

image

@presidentbeef please feel free to merge this if you're happy with it as well! 🙇

@presidentbeef
Copy link
Owner

Thanks for all your work on this @swinton! Can you squash it down for me? Thanks!

@swinton
Copy link
Contributor Author

swinton commented Sep 17, 2020

Can you squash it down for me? Thanks!

Yep, done

Is that Code Climate issue new to this branch? 👀

@presidentbeef presidentbeef merged commit 67f56c3 into presidentbeef:main Sep 17, 2020
@presidentbeef
Copy link
Owner

Code Climate config was messed up. Don't worry about it :)

@swinton swinton deleted the add-sarif-output-format branch September 17, 2020 20:16
@presidentbeef presidentbeef added this to the 5.0 milestone Sep 18, 2020
Repository owner locked and limited conversation to collaborators Jan 27, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@presidentbeef presidentbeef Awaiting requested review from presidentbeef

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@swinton @presidentbeef