
Support SARIF output #34

Open
artis3n opened this issue Sep 1, 2022 · 6 comments
Labels
enhancement (New feature or request)

Comments

@artis3n

artis3n commented Sep 1, 2022

Support an output format for SARIF to leverage the Security tab on repos and let GitHub ingest the data. https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning

That link contains file format examples for SARIF-flavored JSON. There's a schema validator (https://sarifweb.azurewebsites.net/) as well.

@djschleen
Member

Would also be interesting to see how SARIF could be brought into AWS Security Hub.

@artis3n
Author

artis3n commented Sep 2, 2022

Not sure what you can ingest into Security Hub, but Amazon recently announced their spearheading of OCSF, which cynically looks like a thing to compete with GitHub and SARIF.

https://github.com/ocsf
https://aws.amazon.com/blogs/security/aws-co-announces-release-of-the-open-cybersecurity-schema-framework-ocsf-project/

@juliojimenez juliojimenez added the enhancement (New feature or request) and go (Pull requests that update Go code) labels Oct 6, 2022
@juliojimenez juliojimenez self-assigned this Oct 6, 2022
@garethr
Contributor

garethr commented Nov 2, 2022

SARIF is a hack in this context. SARIF is meant to be for SAST output. It's line orientated. It was used by CodeQL (a SAST tool) and acted as the bridge to get information into the GitHub Security tab. Then all security tools started generating syntactically valid but partially semantically meaningless SARIF to integrate with GitHub. It's worth doing simply for the GitHub integration though, but things like line numbers are required and get stuffed with arbitrary info.

OCSF is pretty different; it's generally about activity rather than state, and not about SAST. The scope of the two specifications is very different. It does have a very simple vulnerability object (https://schema.ocsf.io/objects/vulnerability) that can be encapsulated in a finding (https://schema.ocsf.io/classes/security_finding). So it would be possible to describe the output with a bit of tinkering in OCSF, I think.

The CycloneDX vulnerability schema is a much closer match to the Bomber domain as well: https://cyclonedx.org/use-cases/#vulnerability-exploitability

Note: I think part of the value in Bomber is being liberal about inputs and outputs. So ultimately supporting all of the above is likely useful. I feel Bomber is best placed as a Swiss Army knife.

@djschleen
Member

It looks trivial to do an output of OCSF and map the Vulnerability struct from bomber into it. Possibly add an --output=ocsf flag. @garethr you want to take that on? Probably create a separate ticket?
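
To make the SARIF discussion above concrete (garethr's point about locations being required but arbitrary, and the idea of mapping bomber's vulnerability struct into an output format), here is an added example in Go. It is not bomber's code and not from anyone in this thread: the Vulnerability struct and its fields are a hypothetical stand-in for the project's own type, "bomber" as the driver name and "sbom.json" as the artifact path are placeholders, and the findings are constructed demo data. Every result is pinned to line 1 of the SBOM file, which is exactly the compromise described above; the security-severity rule property is the one GitHub code scanning documents for ranking alerts by CVSS.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Vulnerability is a hypothetical stand-in for bomber's own vulnerability
// struct; these field names are an assumption, not the project's real API.
type Vulnerability struct {
	ID          string  // advisory id, e.g. a CVE or GHSA identifier
	Purl        string  // package URL of the affected component
	Severity    string  // CRITICAL, HIGH, MEDIUM/MODERATE, LOW or unknown
	CVSS        float64 // base score, surfaced via GitHub's security-severity
	Description string
}

// Minimal SARIF 2.1.0 model: only the properties this renderer emits.
type SarifLog struct { Schema string `json:"$schema"`; Version string `json:"version"`; Runs []Run `json:"runs"` }
type Run struct { Tool Tool `json:"tool"`; Results []Result `json:"results"` }
type Tool struct { Driver Driver `json:"driver"` }
type Driver struct { Name string `json:"name"`; Rules []Rule `json:"rules"` }
type Rule struct {
	ID               string            `json:"id"`
	ShortDescription Message           `json:"shortDescription"`
	Properties       map[string]string `json:"properties,omitempty"`
}
type Message struct { Text string `json:"text"` }
type Result struct {
	RuleID    string     `json:"ruleId"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations"`
}
type Location struct { PhysicalLocation PhysicalLocation `json:"physicalLocation"` }
type PhysicalLocation struct { ArtifactLocation ArtifactLocation `json:"artifactLocation"`; Region Region `json:"region"` }
type ArtifactLocation struct { URI string `json:"uri"` }
type Region struct { StartLine int `json:"startLine"` }

// levelFor folds scanner severities onto SARIF result levels; unknown ones become "none".
var levelFor = map[string]string{"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "MODERATE": "warning", "LOW": "note"}
func SeverityToLevel(sev string) string {
	if l, ok := levelFor[strings.ToUpper(sev)]; ok {
		return l
	}
	return "none"
}

// BuildSARIF renders SBOM findings as one SARIF run. An SBOM finding has no meaningful
// source line, so each result is pinned to line 1 of the SBOM file itself (the "required but arbitrary" location).
func BuildSARIF(vulns []Vulnerability, sbomPath string) SarifLog {
	rules, results, seen := []Rule{}, []Result{}, map[string]bool{}
	for _, v := range vulns {
		if !seen[v.ID] { // one rule per advisory, however many components it hits
			seen[v.ID] = true
			rules = append(rules, Rule{ID: v.ID, ShortDescription: Message{Text: v.Description},
				// security-severity is the rule property GitHub code scanning reads to rank alerts by CVSS
				Properties: map[string]string{"security-severity": fmt.Sprintf("%.1f", v.CVSS)}})
		}
		results = append(results, Result{
			RuleID:    v.ID,
			Level:     SeverityToLevel(v.Severity),
			Message:   Message{Text: fmt.Sprintf("%s affects %s", v.ID, v.Purl)},
			Locations: []Location{{PhysicalLocation{ArtifactLocation{URI: sbomPath}, Region{StartLine: 1}}}},
		})
	}
	return SarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0",
		Runs: []Run{{Tool: Tool{Driver{Name: "bomber", Rules: rules}}, Results: results}}}
}

// Validate enforces the structural minimum: a ruleId and one usable physical location per result.
func Validate(log SarifLog) error {
	for _, run := range log.Runs {
		for _, r := range run.Results {
			if r.RuleID == "" || len(r.Locations) == 0 || r.Locations[0].PhysicalLocation.ArtifactLocation.URI == "" || r.Locations[0].PhysicalLocation.Region.StartLine < 1 {
				return fmt.Errorf("result %q lacks a ruleId or a usable location", r.Message.Text)
			}
		}
	}
	return nil
}

// SampleFindings is constructed demo data, not real scanner output.
var SampleFindings = []Vulnerability{
	{ID: "CVE-0000-0001", Purl: "pkg:npm/example-lib@1.2.3", Severity: "critical", CVSS: 9.8, Description: "placeholder advisory one"},
	{ID: "CVE-0000-0002", Purl: "pkg:golang/example.invalid/mod@0.1.0", Severity: "low", CVSS: 3.1, Description: "placeholder advisory two"},
}

func main() {
	sarif := BuildSARIF(SampleFindings, "sbom.json")
	if err := Validate(sarif); err != nil {
		fmt.Fprintln(os.Stderr, err); os.Exit(1)
	}
	out, _ := json.MarshalIndent(sarif, "", "  ")
	fmt.Println(string(out)) // ready for a code-scanning upload or the sarifweb validator
}
```

The renderer deduplicates rules by advisory id (two components hit by the same CVE give two results but one rule), maps severities onto the four SARIF levels with anything unrecognised falling to "none" rather than inflating to "error", and refuses to emit a result that has no location at all, since that is the part GitHub's ingestion actually depends on.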

@djschleen djschleen changed the title Support SARIF output Support OCSF output Dec 8, 2022
@djschleen djschleen assigned zroll and unassigned juliojimenez Jan 12, 2023
@djschleen djschleen mentioned this issue Feb 10, 2023
@djschleen
Member

Hey @artis3n - gonna close this one in lieu of implementing the VDR CycloneDX format for output. #114

@djschleen djschleen added the invalid (This doesn't seem right) and wontfix (This will not be worked on) labels and removed the enhancement (New feature or request), invalid (This doesn't seem right) and go (Pull requests that update Go code) labels Nov 9, 2023
@djschleen djschleen assigned mirxcle and unassigned zroll Jun 25, 2024
@djschleen djschleen added the enhancement (New feature or request) label and removed the wontfix (This will not be worked on) label Jun 25, 2024
@djschleen
Member

@artis3n - Reopening this issue. We'll be adding a new renderer to output SARIF format.

@djschleen djschleen reopened this Jun 25, 2024
@djschleen djschleen changed the title Support OCSF output Support SARIF output Oct 4, 2024
Development

No branches or pull requests

6 participants