Support SARIF output #34
Support an output format for SARIF to leverage the Security tab on repos and let GitHub ingest the data. https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning

That link contains file format examples for SARIF-flavored JSON. There's a schema validator https://sarifweb.azurewebsites.net/ as well.

Comments

Would also be interesting to see how SARIF could be brought into AWS Security Hub.

Not sure what you can ingest into Security Hub, but Amazon recently announced their spearheading of OCSF, which cynically looks like a thing to compete with GitHub and SARIF. https://github.com/ocsf

SARIF is a hack in this context. SARIF is meant to be for SAST output. It's line orientated. It was used by CodeQL (a SAST tool) and acted as the bridge to get information into the GitHub Security tab. Then all security tools started generating syntactically valid but partially semantically meaningless SARIF to integrate with GitHub. It's worth doing simply for the GitHub integration, though things like line numbers are required and get stuffed with arbitrary info. OCSF is pretty different: it's generally about activity rather than state, and not about SAST. The scope of the two specifications is very different. It does have a very simple vulnerability object: https://schema.ocsf.io/objects/vulnerability that can be encapsulated in a finding https://schema.ocsf.io/classes/security_finding. So it would be possible to describe the output with a bit of tinkering in OCSF I think. The CycloneDX vulnerability schema is a much closer match to the Bomber domain as well: https://cyclonedx.org/use-cases/#vulnerability-exploitability. Note I think part of the value in Bomber is being liberal about inputs and outputs. So ultimately supporting all of the above is likely useful. Bomber I feel is best placed as a Swiss army knife.

It looks trivial to do an output of OCSF and map the Vulnerability struct from bomber into it. Possibly add an --output=ocsf flag. @garethr you want to take that on? Probably create a separate ticket?

@artis3n - Reopening this issue. We'll be adding a new renderer to output SARIF format.
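The SARIF rendering the thread asks for, as an added Go example that is not bomber's own code: each dependency finding is pinned to line 1 of the scanned SBOM file because code scanning expects a physical location even though a dependency vulnerability has no source line (the hack described above). The Finding struct, the tool name and the SBOM path are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"strings"
)
// Finding is a hypothetical, simplified vulnerability record assumed for this
// example; it is not bomber's own Vulnerability struct.
type Finding struct {
	ID, Package, Version, Severity, Description string
}

// ToSARIF renders findings as a SARIF 2.1.0 log. A dependency finding has no
// source line, but GitHub code scanning needs a physical location, so each
// result is pinned to line 1 of the scanned SBOM file (the hack the thread describes).
func ToSARIF(toolName, sbomPath string, findings []Finding) ([]byte, error) {
	rules, results := []map[string]any{}, []map[string]any{}
	for _, f := range findings {
		// One rule per advisory so GitHub can show the description with the alert.
		rules = append(rules, map[string]any{"id": f.ID, "shortDescription": map[string]any{"text": f.Description}})
		results = append(results, map[string]any{
			"ruleId":  f.ID,
			"level":   sarifLevel(f.Severity),
			"message": map[string]any{"text": f.Package + " " + f.Version + " is affected by " + f.ID},
			"locations": []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]any{"uri": sbomPath},
				"region":           map[string]any{"startLine": 1},
			}}},
		})
	}
	log := map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": toolName, "rules": rules}},
			"results": results,
		}},
	}
	return json.MarshalIndent(log, "", "  ")
}
// sarifLevel maps a severity word onto SARIF's error/warning/note levels.
func sarifLevel(severity string) string {
	switch strings.ToLower(severity) {
	case "critical", "high":
		return "error"
	case "medium", "moderate":
		return "warning"
	}
	return "note"
}
```

The output can be checked against the validator linked above before uploading it to code scanning.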