SARIF "kind" not handled
SARIF's `kind` is not currently handled. `kind` is how SARIF records findings for tests that were done or skipped or errored out as well as vulnerabilities (`kind=fail`, the default if `kind` is absent, indicates a vulnerability).
The values for `kind` and what I think this project should do in each case are:

- `pass` should not record the vulnerability
- `open` should behave the same as `fail`
- `informational` should not record the vulnerability
- `notApplicable` should not record the vulnerability
- `review` should behave the same as `fail`
- `fail` (default if `kind` is not specified) should record the vulnerability (the current behavior)
Note that `kind` and `level` are related:

> If kind (§3.27.9) has any value other than "fail", then if level is absent, it SHALL default to "none", and if it is present, it SHALL have the value "none".
> If kind has the value "fail" and level is absent, then level SHALL be determined by the following procedure: ...
Handling `kind` is important because some tools (such as openscap) output SARIF that contains results that record that a test was done and passed or a test was skipped. Such results are not vulnerabilities and should not appear as such in GitLab's reporting UI.