Do a proof of concept then break down next steps: Leverage SAST to improve accuracy of Dependency Scanning
Problem to solve
Dependency Scanning (DS) reports false positives when a project depends on a vulnerable module or package but does not use the vulnerable code of that module or package. These false positives can be removed if the Vulnerability Database explicitly lists the vulnerable methods, functions or modules, and if the SAST report shows that these are not used in the context of the scanned project.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Internally, SAST for Java (SpotBugs) builds a list of the method calls in the scanned project and compares this list to a list of vulnerable method calls. This information could be used to improve the accuracy of Dependency Scanning for Java.
Similarly, SAST for Python could build a list of the imported modules, which would improve the accuracy of DS for Python.
Proposal
- add fields to the gemnasium-db schema, to be specific about the code that is affected (methods, functions or modules)
- make SAST generate a list of what is called or imported, depending on the language
- make Dependency Scanning compare the output of SAST with the extra fields added to the security advisories, and reject the vulnerability if the affected code is not used
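The comparison step of the proposal, as an added example that is not GitLab's own code: a DS finding is suppressed only when the advisory names the affected code and none of it appears in the SAST call/import list, so advisories without such fields are never dropped. The field names `affected_methods` and `affected_modules`, the advisory ids, and all SAST output are constructed assumptions, not the real gemnasium-db schema.

```python
# Added example, not GitLab's code: the comparison step of the proposal above.
# Field names "affected_methods" / "affected_modules" are assumed, not the real
# gemnasium-db schema; all advisories, findings and SAST output are constructed.

def affected_code_used(advisory, used_calls, used_imports):
    """Return True/False when the advisory names affected code and we can decide,
    None when the advisory carries no such information."""
    methods = advisory.get("affected_methods") or []
    modules = advisory.get("affected_modules") or []
    if not methods and not modules:
        return None
    if any(m in used_calls for m in methods):
        return True
    for mod in modules:
        for imp in used_imports:
            # Match the module itself, a submodule of it, or a parent package
            # (importing "yaml" may load "yaml.loader"); parent matches count as
            # "used" on purpose, to limit the false-negative risk noted under Challenges.
            if imp == mod or imp.startswith(mod + ".") or mod.startswith(imp + "."):
                return True
    return False

def filter_ds_report(findings, advisories, used_calls, used_imports):
    """Split DS findings into (kept, suppressed). A finding is suppressed only
    when its advisory lists affected code and none of it appears in SAST output."""
    kept, suppressed = [], []
    for finding in findings:
        advisory = advisories.get(finding["advisory_id"], {})
        verdict = affected_code_used(advisory, used_calls, used_imports)
        (suppressed if verdict is False else kept).append(finding)
    return kept, suppressed

# Constructed sample advisories (ids are placeholders, not real identifiers).
ADVISORIES = {
    "example-advisory-1": {"package": "com.example:lib",
                           "affected_methods": ["com.example.lib.Parser.parse"]},
    "example-advisory-2": {"package": "pyyaml", "affected_modules": ["yaml.loader"]},
    "example-advisory-3": {"package": "leftpad"},  # no affected-code fields
}
FINDINGS = [{"advisory_id": k} for k in ADVISORIES]
# Constructed SAST output: method calls seen in a Java project, imports in a Python one.
SAST_CALLS = {"com.example.lib.Parser.parseQuick", "java.util.List.add"}
SAST_IMPORTS = {"requests", "yaml"}

if __name__ == "__main__":
    kept, suppressed = filter_ds_report(FINDINGS, ADVISORIES, SAST_CALLS, SAST_IMPORTS)
    print("kept:", [f["advisory_id"] for f in kept])
    print("suppressed:", [f["advisory_id"] for f in suppressed])
```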
Challenges
This may significantly increase the size of the SAST output and the time it takes to run a SAST scan.
This may increase the risk of false negatives.
Permissions and Security
No change.
Documentation
No change.
Availability & Testing
Add a test project where DS and SAST are both enabled, and where the SAST output makes it possible to exclude some of the vulnerabilities reported by DS.
What does success look like, and how can we measure that?
Users of Dependency Scanning dismiss fewer vulnerabilities using the Dismiss button, because there are fewer false positives.