Some SAST scanners have rules that don't map cleanly to standard CWE IDs but are still relevant to AppDev STIG findings. Examples:
- Semgrep has rules like `python.django.security.audit.xss.template-variable-unescaped` that may not carry a CWE tag but clearly map to CWE-79 / V-222609
- CodeQL has quality rules (not just security rules) that touch STIG-relevant areas
- Bandit has Python-specific checks (e.g., `B608` for SQL injection via string formatting) with varying CWE coverage
This issue tracks adding scanner-specific rule ID → CWE mappings as a secondary resolution path in the SARIF ingestion layer, so that findings from popular scanners get mapped even when CWE metadata is absent.
Priority scanners to cover:
- Semgrep (most popular OSS SAST)
- Bandit (Python-specific, common in federal)
- CodeQL (GitHub default)
- SonarQube (enterprise, SARIF export via plugin)
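Sketch of the two-stage resolution this issue asks for, written here as an added illustration rather than the project's actual ingestion code. It reads a SARIF document, first tries to pull a CWE out of the rule's own `properties.tags` (covering both `CWE-79`-style and CodeQL's `external/cwe/cwe-079`-style tags), and only then falls back to a table keyed on (tool name, rule id). The `SCANNER_RULE_TO_CWE` and `CWE_TO_STIG` tables, the `map_sarif`/`resolve_cwe` function names and the embedded SARIF sample are all constructed for the example; the only STIG mapping included is CWE-79 → V-222609 from the issue text, so the SQL-injection finding deliberately resolves to a CWE but no STIG ID.

```python
import re
from typing import Any, Optional

# Secondary resolution path: (tool name, scanner rule id) -> CWE number.
# Constructed table; the two entries are the rule ids cited in the issue.
SCANNER_RULE_TO_CWE: dict[tuple[str, str], int] = {
    ("Semgrep", "python.django.security.audit.xss.template-variable-unescaped"): 79,
    ("Bandit", "B608"): 89,
}

# CWE -> AppDev STIG vulnerability id. Only the pairing given in the issue is
# listed; anything else is left unmapped on purpose.
CWE_TO_STIG: dict[int, str] = {79: "V-222609"}

# Matches "CWE-79", "cwe-079", "external/cwe/cwe-079", etc.
_CWE_TAG_RE = re.compile(r"cwe[-/]?0*(\d+)", re.IGNORECASE)


def cwe_from_tags(tags: list[str]) -> Optional[int]:
    """Primary path: extract a CWE number from a rule's SARIF tags."""
    for tag in tags:
        m = _CWE_TAG_RE.search(tag)
        if m:
            return int(m.group(1))
    return None


def resolve_cwe(tool_name: str, rule: Optional[dict], rule_id: str) -> tuple[Optional[int], str]:
    """Return (cwe, source) where source records which path resolved it."""
    if rule is not None:
        cwe = cwe_from_tags(rule.get("properties", {}).get("tags", []))
        if cwe is not None:
            return cwe, "metadata"
    cwe = SCANNER_RULE_TO_CWE.get((tool_name, rule_id))
    if cwe is not None:
        return cwe, "rule-id-table"
    return None, "unresolved"


def map_sarif(doc: dict[str, Any]) -> list[dict[str, Any]]:
    """Walk every run/result in a SARIF log and attach CWE and STIG ids."""
    findings = []
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        tool_name = driver["name"]
        rules = driver.get("rules", [])
        rules_by_id = {r["id"]: r for r in rules}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules_by_id.get(rule_id)
            # SARIF allows ruleIndex instead of (or alongside) ruleId.
            if rule is None and "ruleIndex" in result:
                rule = rules[result["ruleIndex"]]
                rule_id = rule_id or rule["id"]
            cwe, source = resolve_cwe(tool_name, rule, rule_id)
            findings.append({
                "tool": tool_name,
                "rule_id": rule_id,
                "cwe": cwe,
                "cwe_source": source,
                "stig_id": CWE_TO_STIG.get(cwe) if cwe is not None else None,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


# Constructed SARIF sample: one run per scanner, trimmed to the fields used above.
SAMPLE_SARIF: dict[str, Any] = {
    "version": "2.1.0",
    "runs": [
        {   # Rule carries a CWE tag -> resolved by the primary (metadata) path
            "tool": {"driver": {"name": "CodeQL", "rules": [
                {"id": "example/xss-rule", "properties": {"tags": ["security", "external/cwe/cwe-079"]}}]}},
            "results": [{"ruleId": "example/xss-rule", "message": {"text": "reflected XSS"}}],
        },
        {   # No CWE tag -> falls through to the scanner rule-id table
            "tool": {"driver": {"name": "Semgrep", "rules": [
                {"id": "python.django.security.audit.xss.template-variable-unescaped",
                 "properties": {"tags": ["security", "django"]}}]}},
            "results": [{"ruleIndex": 0, "message": {"text": "unescaped template variable"}}],
        },
        {   # Resolves to CWE-89 via the table, but no STIG id is configured for it
            "tool": {"driver": {"name": "Bandit", "rules": [{"id": "B608", "properties": {"tags": []}}]}},
            "results": [{"ruleId": "B608", "message": {"text": "SQL built with string formatting"}}],
        },
    ],
}


if __name__ == "__main__":
    for f in map_sarif(SAMPLE_SARIF):
        print(f"{f['tool']:8} {f['rule_id']:60} CWE={f['cwe']} via {f['cwe_source']:13} STIG={f['stig_id']}")
```

Keeping the table keyed on the tool name as well as the rule id matters because rule ids are only unique within a scanner; a flat id-only table would silently cross-map if two tools ever reused an id. Recording `cwe_source` on each finding also makes it easy to audit how many findings are relying on the fallback table rather than scanner-supplied metadata.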