Update Secure Analyzer compatibility matrix to include more details on external identifiers

What problem are we solving

Our ~Secure analyzers currently wrap a number of underlying tools. Some of these tools return standardized identifiers and others do not. This is confusing and makes vulnerabilities difficult to assess. We should improve our compatibility matrix to include more data on which analyzers return CVE identifiers, CWE identifiers, CVSS identifiers, BID, Microsoft reference ID, and which return entirely custom identifiers.

Ideally we should look at introducing more standardization in these tools and either contributing upstream mappings or adding our own; however, this issue can be considered a prerequisite to that task, in order to assess the level of effort. See the related discussion on adding CWE mappings during the introduction of our Elixir SAST analyzer.
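To make the "which analyzer emits which kind of identifier" question concrete, here is a small added script (not part of this issue or of the analyzers themselves) that classifies the identifier values in a set of security reports into the families named above (CVE, CWE, CVSS vector, BID, Microsoft ID, or custom) and tallies them per analyzer. The report shape (`vulnerabilities[].scanner.id` and `vulnerabilities[].identifiers[].value`) and the sample data are assumptions constructed for the example; the BID and Microsoft ID patterns match their common textual forms only.

```python
import re
from collections import defaultdict

# Patterns for the standard identifier families named in the issue.
# BID and Microsoft IDs are matched on their common textual forms
# (assumed); anything unmatched is treated as a tool-specific "custom" id.
IDENTIFIER_PATTERNS = {
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "cwe": re.compile(r"^CWE-\d+$"),
    "cvss": re.compile(r"^CVSS:\d\.\d/"),   # CVSS vector string, e.g. CVSS:3.0/AV:N/...
    "bid": re.compile(r"^BID-\d+$"),
    "msid": re.compile(r"^MS\d{2}-\d{3}$"),
}


def classify_identifier(value):
    """Return the identifier family for a raw identifier string."""
    value = value.strip().upper()
    for family, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.match(value):
            return family
    return "custom"


def build_matrix(reports):
    """Map analyzer id -> sorted list of identifier families it emitted."""
    matrix = defaultdict(set)
    for report in reports:
        for vuln in report.get("vulnerabilities", []):
            analyzer = vuln.get("scanner", {}).get("id", "unknown")
            for ident in vuln.get("identifiers", []):
                matrix[analyzer].add(classify_identifier(ident.get("value", "")))
    return {name: sorted(kinds) for name, kinds in matrix.items()}


def render(matrix):
    """Render the per-analyzer matrix as a markdown table."""
    rows = ["| Analyzer | Identifier families |", "|---|---|"]
    for name in sorted(matrix):
        rows.append(f"| {name} | {', '.join(matrix[name])} |")
    return "\n".join(rows)


# Constructed sample reports (not real analyzer output). Field names follow
# the general shape of a security report JSON but are assumed for this example.
SAMPLE_REPORTS = [
    {"vulnerabilities": [
        {"scanner": {"id": "bandit"},
         "identifiers": [{"type": "bandit_test_id", "value": "B101"}]},
        {"scanner": {"id": "bandit"},
         "identifiers": [{"type": "cwe", "value": "CWE-78"}]},
    ]},
    {"vulnerabilities": [
        {"scanner": {"id": "gemnasium"},
         "identifiers": [{"type": "cve", "value": "CVE-2019-12345"},
                         {"type": "cwe", "value": "CWE-20"}]},
    ]},
]


if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_REPORTS)))
```

Running it over real `gl-*-report.json` files from each analyzer (instead of the constructed sample) gives the raw data the compatibility matrix needs; a "custom"-only row is exactly the case where an upstream or in-house mapping would be worth adding.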

Proposal

TBD

Helpful links

  • SAST Analyzer compatibility matrix https://gitlab.com/gitlab-org/security-products/sast/blob/master/docs/analyzers.md#analyzers-data
  • CVSS, CVE, CWE, CAPEC – common standards security professionals should know https://infosec-handbook.eu/blog/cvss-cve-cwe-capec/

cc @twoodham @gonzoyumo @plafoucriere

Edited Apr 30, 2019 by Lucas Charles