Contribute CWE Mappings to all SAST tools missing CWE information
## Background

A few of the SAST tools that we support do not provide CWE mappings for the reported vulnerabilities. This prohibits us from accurately comparing the results of one SAST tool to that of another SAST tool, which is useful for tracking our own progress, comparing how GitLab SAST performs against different languages, and third-party SAST tool comparisons.

## Contributing to SAST tools used by GitLab SAST Analyzers

As per the conversation in https://gitlab.com/gitlab-org/security-products/sast-benchmark/-/issues/26, we have decided it is in our best interest to add CWE information to the different SAST tools that we use in our analyzers, which we will then contribute publicly back to the original project.

## GitLab SAST Analyzers

Below is a list of SAST tools the GitLab SAST [project's](https://gitlab.com/gitlab-org/security-products/sast) [analyzers](https://gitlab.com/gitlab-org/security-products/analyzers) use to perform static analysis on a project. Each analyzer should be checked to see if it supports CWEs in its findings.
### Missing CWEs

| Analyzer | Language/Framework | Notes |
|----------|--------------------|-------|
| [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) | Python | [CWE support for bandit (PR Open)](https://github.com/PyCQA/bandit/issues/612) |
| [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | Ruby | |
| [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | PHP | |
| [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) | .NET | |
| [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | NodeJS | |
| [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) | Javascript/EcmaScript | |
| [tslint](https://gitlab.com/gitlab-org/security-products/analyzers/tslint) | TypeScript | |
| [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) | Phoenix Elixir | |
| [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) | SalesForce Apex | N/A? |

### Supports CWEs

| Analyzer | Language/Framework | Notes |
|----------|--------------------|-------|
| [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) | Go | |
| [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) | Java | |
| [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) | C/C++ | |

### N/A

| Analyzer | Language/Framework | Notes |
|----------|--------------------|-------|
| [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | General Git Secrets | |
| [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | k8s | |
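One way to run the "does this analyzer emit CWEs" check over an actual report, as an added example that is not part of this epic or of any GitLab analyzer: it reads a report in the shape of `gl-sast-report.json` (assumed here to carry `vulnerabilities[].scanner.id` and `vulnerabilities[].identifiers[].type`, with `"cwe"` as the identifier type for CWE references) and counts, per scanner, how many findings carry a CWE. The embedded report is constructed for illustration; the scanner ids and rule names in it are made up.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a GitLab SAST report (gl-sast-report.json).
# Scanner ids, rule ids and CWE numbers below are illustrative only.
SAMPLE_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {"id": "1", "scanner": {"id": "gosec", "name": "Gosec"},
         "identifiers": [{"type": "gosec_rule_id", "name": "G101", "value": "G101"},
                         {"type": "cwe", "name": "CWE-798", "value": "798"}]},
        {"id": "2", "scanner": {"id": "bandit", "name": "Bandit"},
         "identifiers": [{"type": "bandit_test_id", "name": "B105", "value": "B105"}]},
        {"id": "3", "scanner": {"id": "bandit", "name": "Bandit"},
         "identifiers": [{"type": "bandit_test_id", "name": "B608", "value": "B608"}]},
    ],
})


def cwe_coverage(report_json: str) -> dict:
    """Per scanner id, count findings and how many of them carry a CWE identifier.

    Result shape: {scanner_id: {"total": int, "with_cwe": int}}.
    """
    report = json.loads(report_json)
    coverage = defaultdict(lambda: {"total": 0, "with_cwe": 0})
    for vuln in report.get("vulnerabilities", []):
        scanner = vuln.get("scanner", {}).get("id", "unknown")
        stats = coverage[scanner]
        stats["total"] += 1
        # A finding "supports CWEs" if any identifier is of type "cwe".
        if any(ident.get("type", "").lower() == "cwe"
               for ident in vuln.get("identifiers", [])):
            stats["with_cwe"] += 1
    return dict(coverage)


def scanners_missing_cwe(report_json: str) -> list:
    """Scanner ids that reported findings but never attached a CWE to any of them."""
    return sorted(s for s, c in cwe_coverage(report_json).items() if c["with_cwe"] == 0)


if __name__ == "__main__":
    for scanner, stats in sorted(cwe_coverage(SAMPLE_REPORT).items()):
        print(f"{scanner}: {stats['with_cwe']}/{stats['total']} findings carry a CWE")
    print("missing CWEs:", scanners_missing_cwe(SAMPLE_REPORT))
```

Pointing `cwe_coverage` at the real report artifact of each analyzer's CI job gives a quick way to confirm which table an analyzer belongs in, and to re-check it after an upstream CWE contribution lands.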