SAST custom report documentation is incorrect
Summary
The table on SAST report formats lists many different fields that can be defined for a SAST report and what they do. Several of these fields are either not used or don't do what they say. The documentation should be updated to correctly describe what does and does not happen.
Steps to reproduce
- Read the documentation page
- Produce a custom SAST report leveraging various fields
- The custom fields are not displayed as the documentation indicates they should be.
Specifically, I noticed this for the following fields:
- `vulnerabilities[].scanner.name`
- `vulnerabilities[].scanner.id`
Example Project
https://gitlab.com/stkerr/custom-scanner
What is the current bug behavior?
The custom provided fields are not displayed as described in the documentation
What is the expected correct behavior?
Relevant logs and/or screenshots
Scanner report:

```json
{
  "version": "2.2",
  "vulnerabilities": [
    {
      "category": "NOT SAST",
      "name": "SAM VULN",
      "message": "SAM VULN",
      "description": "asdfasdf",
      "cve": "Hmm.",
      "scanner": {
        "id": "my_custom_scanner",
        "name": "A Custom Scanner"
      },
      "location": {
        "file": "routes/index.js",
        "start_line": 11,
        "dependency": {
          "package": {}
        }
      },
      "identifiers": [
        {
          "type": "node_js_scan_id",
          "name": "NodeJsScan ID: 17",
          "value": "17"
        }
      ]
    }
  ],
  "remediations": []
}
```
Vulnerability result:
Possible fixes
The documentation is updated to correctly describe how to use the field or the unused fields are removed from the table.