Make SAST analyzers compliant with Data Model constraints

Problem to solve
SAST analyzers need to provide more data in order to store the security reports in the database:

Proposal
- All reported vulnerabilities must provide one primary identifier (and an unlimited number of non-primary ones):
  - add a "primary" property to the identifier struct
  - find a way to generate a unique identifier for the NodeJs-scan analyzer, as it currently has none
  - find a way to generate a unique identifier for flawfinder when it does not provide a CWE
- Add a new "scanner" struct instead of the "tool" string: { "id": "find_sec_bugs", "name": "FindSecBugs" }

TODO
- Update common lib to return scanner objects
- Update analyzers to return scanner objects accordingly
- Make flawfinder analyzer generate unique identifiers
- Make nodejs-scan analyzer generate unique identifiers
- Update main SAST project (tests)
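The two constraints above (exactly one primary identifier per vulnerability, and a scanner object in place of the tool string) can be enforced before a report is written. The following Go snippet is an added illustration, not code from the SAST common lib or any analyzer: the struct field names (Type, Name, Value) and the hash-based fallback identifier for findings without a CWE are assumptions chosen for the example, not the scheme the project settled on.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Scanner replaces the former free-form "tool" string, as in the proposal.
type Scanner struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// Identifier carries the proposed "primary" flag. The other field names are
// assumptions made for this example.
type Identifier struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Value   string `json:"value"`
	Primary bool   `json:"primary"`
}

// Vulnerability is a minimal report entry holding only the fields the
// proposal constrains.
type Vulnerability struct {
	Message     string       `json:"message"`
	Identifiers []Identifier `json:"identifiers"`
	Scanner     Scanner      `json:"scanner"`
}

// ValidateVulnerability checks both constraints from the proposal:
// a populated scanner object and exactly one primary identifier.
func ValidateVulnerability(v Vulnerability) error {
	if v.Scanner.ID == "" || v.Scanner.Name == "" {
		return fmt.Errorf("scanner must have a non-empty id and name")
	}
	primaries := 0
	for _, id := range v.Identifiers {
		if id.Primary {
			primaries++
		}
	}
	if primaries != 1 {
		return fmt.Errorf("expected exactly one primary identifier, got %d", primaries)
	}
	return nil
}

// FallbackIdentifier builds a deterministic primary identifier for a finding
// that carries no CWE. Hashing the scanner id together with the analyzer's
// own check name is one possible scheme (an assumption of this example):
// the same check from the same analyzer always yields the same value, so
// findings can be matched across report runs.
func FallbackIdentifier(scanner Scanner, checkName string) Identifier {
	sum := sha256.Sum256([]byte(scanner.ID + ":" + checkName))
	return Identifier{
		Type:    scanner.ID + "_check_id", // hypothetical identifier type
		Name:    checkName,
		Value:   hex.EncodeToString(sum[:8]),
		Primary: true,
	}
}

func main() {
	// Constructed sample: a flawfinder-style finding with no CWE available.
	sc := Scanner{ID: "flawfinder", Name: "Flawfinder"}
	v := Vulnerability{Message: "unsafe call to strcpy", Scanner: sc}
	v.Identifiers = append(v.Identifiers, FallbackIdentifier(sc, "strcpy"))

	if err := ValidateVulnerability(v); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	out, _ := json.MarshalIndent(v, "", "  ")
	fmt.Println(string(out))
}
```

Running the block prints the serialized vulnerability with its scanner object and a single primary identifier; feeding it a finding with no primary identifier or an empty scanner makes ValidateVulnerability return an error instead.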
What does success look like, and how can we measure that?
SAST Report contains the expected data
Links / references
Edited by Fabien Catteau