Resulting report has no indication of FPs and FNs
Summary
Currently, the original Vulnerability object is copied into the resulting report as-is, so the report carries no information on whether a given vulnerability was a false positive or a false negative. To compute how much SAST overestimates or underestimates, the number of FPs and FNs is required.
Possible solution
Use Go struct embedding and add a field to Vulnerability for storing whether it is an FP or an FN.
type DifferenceVulnerability struct {
	Vulnerability
	SomeNewField string
}
Similarly, the resulting report will have to hold a list of DifferenceVulnerability:
type DifferenceReport struct {
	Report
	Vulnerabilities []DifferenceVulnerability
}
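As an added illustration (not code from this issue or the project), the embedding above with a concrete Outcome field in place of SomeNewField, plus the comparison that fills it in and the tally needed to measure over- and underestimation. Vulnerability and Report are constructed stand-ins, and matching findings by an assumed ID field substitutes for whatever key the real comparison uses.

```go
package main
// Constructed stand-ins for the project's Vulnerability and Report types.
type Vulnerability struct{ ID string }
type Report struct{ Vulnerabilities []Vulnerability }
// Outcome is the added field: TP = reported and real, FP = reported but not
// real (overestimate), FN = real but never reported (underestimate).
type Outcome string
const TruePositive, FalsePositive, FalseNegative Outcome = "TP", "FP", "FN"
// The embedding the issue proposes; DifferenceReport shadows the embedded
// Report.Vulnerabilities with the annotated list.
type DifferenceVulnerability struct {
	Vulnerability
	Outcome Outcome
}
type DifferenceReport struct {
	Report
	Vulnerabilities []DifferenceVulnerability
}
// Classify matches SAST findings to the expected set by ID: an unmatched
// finding is an FP, an expected entry that was never reported is an FN.
func Classify(sast Report, expected []Vulnerability) DifferenceReport {
	want := make(map[string]bool, len(expected))
	for _, v := range expected {
		want[v.ID] = true
	}
	out := DifferenceReport{Report: sast}
	for _, v := range sast.Vulnerabilities {
		o := FalsePositive
		if want[v.ID] {
			o, want[v.ID] = TruePositive, false // consumed: a repeat is an FP
		}
		out.Vulnerabilities = append(out.Vulnerabilities, DifferenceVulnerability{v, o})
	}
	for _, v := range expected { // whatever is still wanted was missed
		if want[v.ID] {
			out.Vulnerabilities = append(out.Vulnerabilities, DifferenceVulnerability{v, FalseNegative})
		}
	}
	return out
}

// Counts tallies findings per outcome so over-/underestimation can be computed.
func Counts(d DifferenceReport) map[Outcome]int {
	n := map[Outcome]int{}
	for _, v := range d.Vulnerabilities {
		n[v.Outcome]++
	}
	return n
}
```

The original Report is still reachable as the embedded field (d.Report.Vulnerabilities), so the unannotated findings are not lost.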