Explore OASIS Static Analysis Results Interchange Format (SARIF)
### Problem to solve
OASIS Static Analysis Results Interchange Format (SARIF) is a newer proposal from the OASIS standards consortium. It defines a common JSON specification for static analysis results, which we should evaluate and consider adopting for our own analyzers and for reports we consume.
#### Links
- https://sarifweb.azurewebsites.net/
- https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif
- https://github.com/oasis-tcs/sarif-spec
### Intended users
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
### Further details
### Proposal
Consider standardizing our ~"Category:SAST" reporting format or making a compliant export format matching the SARIF standard.
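To make the second option concrete, here is an added example (not GitLab's own code) that converts a GitLab-style SAST report into a SARIF 2.1.0 log: analyzer severities are folded into SARIF's four result levels, identifiers become deduplicated `rules` entries, and `location` becomes a `physicalLocation`. The report field names, the severity-to-level mapping and the sample findings are assumptions for illustration.

```python
import json
# Severity strings from the GitLab SAST report schema (assumed values) mapped to
# the four SARIF 2.1.0 result levels: none, note, warning, error.
LEVEL_BY_SEVERITY = {
    "Critical": "error", "High": "error", "Medium": "warning",
    "Low": "note", "Info": "note", "Unknown": "none",
}

def to_sarif(report: dict, tool_name: str) -> dict:
    """Convert a GitLab-style SAST report (assumed shape) into a one-run SARIF log."""
    rules, rule_index, results = [], {}, []
    for vuln in report.get("vulnerabilities", []):
        ids = vuln.get("identifiers") or []
        primary = ids[0] if ids else {"type": "name", "value": vuln.get("name", "unknown")}
        rule_id = f"{primary['type']}:{primary['value']}"   # stable, tool-independent rule id
        if rule_id not in rule_index:                        # one rule entry per distinct id
            rule_index[rule_id] = len(rules)
            rules.append({"id": rule_id, "shortDescription": {"text": vuln.get("name", rule_id)}})
        loc = vuln.get("location", {})
        region = {"startLine": loc.get("start_line", 1)}     # SARIF line numbers are 1-based
        if "end_line" in loc:
            region["endLine"] = loc["end_line"]
        results.append({
            "ruleId": rule_id, "ruleIndex": rule_index[rule_id],
            "level": LEVEL_BY_SEVERITY.get(vuln.get("severity", "Unknown"), "none"),
            "message": {"text": vuln.get("message") or vuln.get("description", "")},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": loc.get("file", ""), "uriBaseId": "%SRCROOT%"},
                "region": region}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}}, "results": results}],
    }

# Constructed sample in the GitLab SAST report shape; not output from a real scan.
SAMPLE_REPORT = {"version": "15.0.0", "vulnerabilities": [
    {"name": "Use of hard-coded password", "severity": "High",
     "message": "Hard-coded password in settings.py",
     "location": {"file": "app/settings.py", "start_line": 12, "end_line": 12},
     "identifiers": [{"type": "cwe", "name": "CWE-259", "value": "259"}]},
    {"name": "Use of hard-coded password", "severity": "Low",
     "description": "Test fixture contains a hard-coded password",
     "location": {"file": "tests/fixtures.py", "start_line": 3},
     "identifiers": [{"type": "cwe", "name": "CWE-259", "value": "259"}]},
    {"name": "Insecure temporary file", "severity": "Bogus",   # unknown severity -> "none"
     "location": {"file": "app/util.py", "start_line": 40}},
]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_REPORT, "example-analyzer"), indent=2))
```

The resulting document can be validated against the SARIF JSON schema and loaded by any SARIF viewer, which is the interoperability this proposal is after.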
#### Scanners with native SARIF support
- [x] ~~gitlab.com/gitlab-org/security-products/analyzers/bandit (via https://github.com/microsoft/bandit-sarif-formatter)~~ (deprecated)
- [x] gitlab.com/gitlab-org/security-products/analyzers/brakeman
- [ ] ~~gitlab.com/gitlab-org/security-products/analyzers/eslint~~ (deprecated)
- [x] gitlab.com/gitlab-org/security-products/analyzers/flawfinder
- [x] ~~gitlab.com/gitlab-org/security-products/analyzers/gosec~~ (deprecated)
- [x] gitlab.com/gitlab-org/security-products/analyzers/kics
- [x] gitlab.com/gitlab-org/security-products/analyzers/kubesec
- [x] gitlab.com/gitlab-org/security-products/analyzers/mobsf (via mobsfscan)
- [x] gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan (via njsscan)
- [ ] gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit
- [x] gitlab.com/gitlab-org/security-products/analyzers/pmd-apex
- [x] gitlab.com/gitlab-org/security-products/analyzers/security-code-scan
- [x] gitlab.com/gitlab-org/security-products/analyzers/semgrep
- [x] gitlab.com/gitlab-org/security-products/analyzers/sobelow
- [x] gitlab.com/gitlab-org/security-products/analyzers/spotbugs
### Permissions and Security
No change to existing permissions.
### Documentation
### Testing
### What does success look like, and how can we measure that?
### What is the type of buyer?
~"GitLab Ultimate"
### Links / references