Add HTML report to BAP job
Problem to solve
BAP is an analysis tool that runs as part of the secret detection and semgrep pipelines.
It runs the analyzer on a number of projects and then compiles the results to see if there have been any drastic changes to the number of vulnerabilities found. The generated JSON report is parsed by a script (which causes the job to pass or fail depending on the number of vulnerabilities detected), but it is also useful to review the results manually so contributors can check whether their change has had the desired effect, and manually parsing a large JSON report is hard.
Useful information to report
- A list of the rules where the number of vulnerabilities found has changed. Include:
  - Rule ID
  - Rule Name
  - Source Total
  - Target Total
  - A list of examples, including the URL and line number, where the finding has changed
Proposal
The original version of BAP, HUSH, had functionality that converted the JSON report to an HTML report. Bring that functionality back into BAP for secret detection and semgrep.
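A minimal form of the conversion this proposal describes, added here as an illustration rather than code from BAP or HUSH. The report layout is an assumption, since the page does not give BAP's schema: a `source` (baseline) and a `target` (change under test) list of findings, each with `rule_id`, `rule_name`, `url` and `line`. Every value is HTML-escaped because rule names, URLs and paths come from scanned repositories and are untrusted input to the report.

```python
import html

# Constructed sample report in the assumed layout: two flat lists of
# findings, "source" for the baseline and "target" for the change under test.
SAMPLE_REPORT = {
    "source": [
        {"rule_id": "aws-key", "rule_name": "AWS key", "url": "https://git.example/p/a.py", "line": 3},
        {"rule_id": "aws-key", "rule_name": "AWS key", "url": "https://git.example/p/b.py", "line": 9},
        {"rule_id": "slack", "rule_name": "Slack token", "url": "https://git.example/p/c.py", "line": 1},
    ],
    "target": [
        {"rule_id": "aws-key", "rule_name": "AWS key", "url": "https://git.example/p/a.py", "line": 3},
        {"rule_id": "slack", "rule_name": "Slack token", "url": "https://git.example/p/c.py", "line": 1},
        {"rule_id": "slack", "rule_name": "Slack token", "url": "https://git.example/p/<d>.py", "line": 7},
    ],
}


def index_by_rule(findings):
    """Group findings by rule id -> (rule name, set of (url, line))."""
    rules = {}
    for f in findings:
        name, locs = rules.setdefault(f["rule_id"], (f["rule_name"], set()))
        locs.add((f["url"], int(f["line"])))
    return rules


def changed_rules(report):
    """Rules whose totals differ, with the locations that appeared or vanished."""
    src, tgt = index_by_rule(report["source"]), index_by_rule(report["target"])
    rows = []
    for rule_id in sorted(set(src) | set(tgt)):
        s_name, s_locs = src.get(rule_id, (None, set()))
        t_name, t_locs = tgt.get(rule_id, (None, set()))
        if len(s_locs) == len(t_locs):
            continue  # unchanged total: nothing for the reviewer to look at
        rows.append({"rule_id": rule_id, "rule_name": t_name or s_name,
                     "source_total": len(s_locs), "target_total": len(t_locs),
                     "examples": sorted(s_locs ^ t_locs)})  # symmetric difference
    return rows


def render_html(rows):
    """Render the changed rules as a table; every value is escaped because
    rule names, URLs and paths originate in scanned (untrusted) repositories."""
    e = lambda v: html.escape(str(v), quote=True)
    out = ["<table><tr><th>Rule ID</th><th>Rule Name</th><th>Source Total</th>"
           "<th>Target Total</th><th>Changed findings</th></tr>"]
    for r in rows:
        links = "<br>".join(f'<a href="{e(u)}">{e(u)}#L{n}</a>' for u, n in r["examples"])
        out.append(f"<tr><td>{e(r['rule_id'])}</td><td>{e(r['rule_name'])}</td>"
                   f"<td>{r['source_total']}</td><td>{r['target_total']}</td><td>{links}</td></tr>")
    out.append("</table>")
    return "\n".join(out)
```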
Edited by Craig Smith