Native SARIF output support #18
Hi @yongyan-gh |
Hi @mthbernardes , the idea is to run clj-watson on PRs with the SARIF integration and send the data to GHAS. This would create security alert notifications during the PR, which would help a lot and prevent anyone from checking in vulnerable packages. |
Hm, I thought that since the SARIF upload was only available for the code scanning functionality, it would only make sense to send code analyses and not vulnerable dependencies. |
This is an example of clj-watson output. [
{
"dependency": "com.fasterxml.jackson.core/jackson-databind",
"dependents": [
"com.auth0/java-jwt"
],
"paths": [
"/Users/username/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar"
],
"secure-version": {
"mvn/version": "2.13.1"
},
"deps/manifest": "mvn",
"mvn/version": "2.9.8",
"parents": [
[
"com.auth0/java-jwt"
]
],
"remediate-suggestion": {
"com.auth0/java-jwt": {
"exclusions": [
"com.fasterxml.jackson.core/jackson-databind"
]
},
"com.fasterxml.jackson.core/jackson-databind": {
"mvn/version": "2.13.1"
}
},
"vulnerabilities": [
{
"vulnerableVersionRange": ">= 2.0.0, < 2.9.9",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.5
},
"identifiers": [
{
"value": "GHSA-5ww9-j83m-q7qx"
},
{
"value": "CVE-2019-12086"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.9"
}
},
{
"vulnerableVersionRange": "< 2.9.10",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-85cw-hj65-qqv9"
},
{
"value": "CVE-2019-16335"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10"
}
},
{
"vulnerableVersionRange": "< 2.9.10",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-h822-r4r5-v8jg"
},
{
"value": "CVE-2019-14540"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.1",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-gww7-p5w4-wrfv"
},
{
"value": "CVE-2019-20330"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.2"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.2",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-4w82-r329-3q67"
},
{
"value": "CVE-2020-8840"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.3"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.3",
"advisory": {
"severity": "MODERATE",
"cvss": {
"score": 0
},
"identifiers": [
{
"value": "GHSA-fqwf-pjwf-7vqv"
},
{
"value": "CVE-2020-10673"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, < 2.9.10",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 0
},
"identifiers": [
{
"value": "GHSA-qmqc-x3r4-6v39"
},
{
"value": "CVE-2019-14893"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.3",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-q93h-jc49-78gg"
},
{
"value": "CVE-2020-9547"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-95cm-88f5-f2c7"
},
{
"value": "CVE-2020-10672"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-h4rc-386g-6m85"
},
{
"value": "CVE-2020-11620"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.3",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-p43x-xfjf-5jhr"
},
{
"value": "CVE-2020-9548"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-5p34-5m6p-p58g"
},
{
"value": "CVE-2020-9546"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-758m-v56v-grj4"
},
{
"value": "CVE-2020-10969"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, < 2.9.10",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.5
},
"identifiers": [
{
"value": "GHSA-cf6r-3wgc-h863"
},
{
"value": "CVE-2019-14892"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-rf6r-2c4q-2vwg"
},
{
"value": "CVE-2020-10968"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-v3xw-c963-f5hc"
},
{
"value": "CVE-2020-11111"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-9vvp-fxw6-jcxr"
},
{
"value": "CVE-2020-11113"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-27xj-rqx5-2255"
},
{
"value": "CVE-2020-11619"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.3",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.8
},
"identifiers": [
{
"value": "GHSA-58pp-9c76-5625"
},
{
"value": "CVE-2020-11112"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.4"
}
},
{
"vulnerableVersionRange": "< 2.9.10",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-f3j5-rmmp-3fc5"
},
{
"value": "CVE-2019-17267"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.4",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-mc6h-4qgp-37qh"
},
{
"value": "CVE-2020-14195"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.5"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.4",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-j823-4qch-3rgm"
},
{
"value": "CVE-2020-14060"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.5"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.4",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-c265-37vj-cwcc"
},
{
"value": "CVE-2020-14062"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.5"
}
},
{
"vulnerableVersionRange": ">= 2.9.0, <= 2.9.10.4",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-c2q3-4qrh-fm48"
},
{
"value": "CVE-2020-14061"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.5"
}
},
{
"vulnerableVersionRange": "<= 2.9.10.6",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 0
},
"identifiers": [
{
"value": "GHSA-5949-rw7g-wx7w"
},
{
"value": "CVE-2021-20190"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.7"
}
},
{
"vulnerableVersionRange": ">= 2.7.0.0, <= 2.9.10.6",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.5
},
"identifiers": [
{
"value": "GHSA-288c-cq4h-88gq"
},
{
"value": "CVE-2020-25649"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.7"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-vfqx-33qm-g869"
},
{
"value": "CVE-2020-36189"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-r695-7vr9-jgc2"
},
{
"value": "CVE-2020-36187"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-f9xh-2qgp-cq57"
},
{
"value": "CVE-2020-36188"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-9m6f-7xcq-8vf8"
},
{
"value": "CVE-2020-36183"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-m6x4-97wx-4q27"
},
{
"value": "CVE-2020-36184"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-8c4j-34r4-xr8g"
},
{
"value": "CVE-2020-36180"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-cvm9-fjm9-3572"
},
{
"value": "CVE-2020-36181"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-8w26-6f25-cm9x"
},
{
"value": "CVE-2020-36185"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-9gph-22xh-8x98"
},
{
"value": "CVE-2020-36179"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-89qr-369f-5m5x"
},
{
"value": "CVE-2020-36182"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0, <= 2.9.10.5",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-qjw2-hr98-qgfh"
},
{
"value": "CVE-2020-24750"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.6"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-r3gr-cxrf-hg25"
},
{
"value": "CVE-2020-35491"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.7",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-wh8g-3j2c-rqj5"
},
{
"value": "CVE-2020-35490"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.8"
}
},
{
"vulnerableVersionRange": "<= 2.9.9.1",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.5
},
"identifiers": [
{
"value": "GHSA-gwp4-hfv6-p7hw"
},
{
"value": "CVE-2019-14439"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.9.2"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.9",
"advisory": {
"severity": "MODERATE",
"cvss": {
"score": 5.9
},
"identifiers": [
{
"value": "GHSA-cmfg-87vq-g5g4"
},
{
"value": "CVE-2019-12814"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.9.1"
}
},
{
"vulnerableVersionRange": "<= 2.9.9",
"advisory": {
"severity": "MODERATE",
"cvss": {
"score": 5.9
},
"identifiers": [
{
"value": "GHSA-mph4-vhrx-mv67"
},
{
"value": "CVE-2019-12384"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.9.1"
}
},
{
"vulnerableVersionRange": "<= 2.9.10.0",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-gjmw-vf9h-g25v"
},
{
"value": "CVE-2019-17531"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.1"
}
},
{
"vulnerableVersionRange": "<= 2.9.10.0",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-fmmc-742q-jg75"
},
{
"value": "CVE-2019-16943"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.1"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-mx7p-6679-8g3q"
},
{
"value": "CVE-2019-16942"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.1"
}
},
{
"vulnerableVersionRange": "<= 2.9.9.1",
"advisory": {
"severity": "CRITICAL",
"cvss": {
"score": 9.8
},
"identifiers": [
{
"value": "GHSA-6fpp-rgj9-8rwc"
},
{
"value": "CVE-2019-14379"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.9.2"
}
},
{
"vulnerableVersionRange": ">= 2.0.0, <= 2.9.10.5",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 8.1
},
"identifiers": [
{
"value": "GHSA-h3cw-g4mq-c5x2"
},
{
"value": "CVE-2020-24616"
}
]
},
"firstPatchedVersion": {
"identifier": "2.9.10.6"
}
}
]
},
{
"mvn/version": "42.2.10",
"deps/manifest": "mvn",
"parents": [
[]
],
"paths": [
"/Users/username/.m2/repository/org/postgresql/postgresql/42.2.10/postgresql-42.2.10.jar"
],
"dependency": "org.postgresql/postgresql",
"vulnerabilities": [
{
"vulnerableVersionRange": ">= 9.4.1208, < 42.2.25",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7
},
"identifiers": [
{
"value": "GHSA-v7wg-cpwc-24m4"
},
{
"value": "CVE-2022-21724"
}
]
},
"firstPatchedVersion": {
"identifier": "42.2.25"
}
},
{
"vulnerableVersionRange": "< 42.2.13",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.7
},
"identifiers": [
{
"value": "GHSA-88cc-g835-76rp"
},
{
"value": "CVE-2020-13692"
}
]
},
"firstPatchedVersion": {
"identifier": "42.2.13"
}
},
{
"vulnerableVersionRange": ">= 42.1.0, < 42.3.3",
"advisory": {
"severity": "MODERATE",
"cvss": {
"score": 0
},
"identifiers": [
{
"value": "GHSA-673j-qm5f-xpv8"
}
]
},
"firstPatchedVersion": {
"identifier": "42.3.3"
}
}
],
"secure-version": {
"mvn/version": "42.3.3"
},
"remediate-suggestion": {
"org.postgresql/postgresql": {
"mvn/version": "42.3.3"
}
}
},
{
"dependency": "com.taoensso/nippy",
"dependents": [
"com.taoensso/carmine"
],
"paths": [
"/Users/username/.m2/repository/com/taoensso/nippy/2.14.0/nippy-2.14.0.jar"
],
"secure-version": {
"mvn/version": "3.1.1"
},
"deps/manifest": "mvn",
"mvn/version": "2.14.0",
"parents": [
[
"io.replikativ/datahike",
"io.replikativ/hitchhiker-tree",
"com.taoensso/carmine"
]
],
"remediate-suggestion": {
"io.replikativ/datahike": {
"exclusions": [
"com.taoensso/carmine"
]
},
"com.taoensso/carmine": {
"mvn/version": "3.2.0-SNAPSHOT"
}
},
"vulnerabilities": [
{
"vulnerableVersionRange": "< 2.14.2",
"advisory": {
"severity": "HIGH",
"cvss": {
"score": 7.8
},
"identifiers": [
{
"value": "GHSA-p5gm-fgfx-hr7h"
},
{
"value": "CVE-2020-24164"
}
]
},
"firstPatchedVersion": {
"identifier": "2.14.2"
}
}
]
}
] It does not contain some of the data necessary for SARIF output, such as line information, and the "rule" is essentially a public CVE/GitHub advisory. |
This is like https://github.com/aquasecurity/trivy, which analyzes container package dependencies checking for vulnerabilities. My thoughts were:
Let us know if you want us to do that work or if you are going to do it. :) |
@eddynaka is already working on adding SARIF output support to |
I've just implemented it in PR #19 and made an alpha release https://github.com/clj-holmes/clj-watson/releases/tag/v3.0.2-ALPHA
I generated a report and tested it on this site, and the results were detected.
output example: {
"$schema": "https://www.schemastore.org/schemas/json/sarif-2.1.0-rtm.5.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "clj-watson",
"informationUri": "https://github.com/clj-holmes/clj-watson",
"version": "3.0.1",
"rules": [
{
"id": "GHSA-p5gm-fgfx-hr7h",
"name": "VulnerableDependencyNippy",
"shortDescription": {
"text": "Gadget chain attack in Nippy"
},
"fullDescription": {
"text": "A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface."
},
"help": {
"text": "Vulnerability found in package com.taoensso/nippy"
},
"helpUri": "https://github.com/advisories/GHSA-p5gm-fgfx-hr7h",
"properties": {
"security-severity": 7.8
},
"defaultConfiguration": {
"level": "error"
}
}
]
}
},
"results": [
{
"ruleId": "GHSA-p5gm-fgfx-hr7h",
"message": {
"text": "Vulnerability found in package com.taoensso/nippy"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "deps.edn"
},
"region": {
"startLine": 5,
"endLine": 5,
"startColumn": 12,
"endColumn": 34
}
}
}
]
}
]
}
]
} |
@yongyan-gh , can you test as well? |
@mthbernardes , can you add one configuration to your sarif-upload step: let's see if we get a result. |
@mthbernardes the output looks pretty good: it is verified using the validator and looks fine in the SARIF web viewer and the VS viewer. I replaced the schema in the file (https://www.schemastore.org/schemas/json/sarif-2.1.0-rtm.5.json) with another URI (https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json), and it works in VS Code. I tried to create a workflow similar to the one @mthbernardes created in another test repo, and I see the same issue: according to GitHub's document https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning , all the required fields are provided in the SARIF file. @eddynaka I haven't seen this kind of issue before; we may need the GH team to take a look. Attached is the sample SARIF generated using clj-watson. Artifact |
By the way, I investigated further and found an error while uploading clj-watson's SARIF results (github/codeql-action/upload-sarif@v1):
The issue seems to be caused by the rule's property bag in the SARIF file having a "security-severity" value of 7.8 emitted as a JSON number.
According to the SARIF spec, a property-bag value may be a float/double number, but GitHub's upload does not seem to be able to parse it; GitHub's own SARIF support documentation describes "security-severity" as a string score, so emitting it as a string is the safer choice.
@mthbernardes if you can remove this property or convert it to a string in your branch, we can try again and see if it works. |
@mthbernardes I found other issues in clj-watson's SARIF report when I use the parameter Please see the sample SARIF file: clj-watson2.zip To summarize all the issues above, please take a look:
|
Thx for all the help @yongyan-gh @eddynaka it's now working. |
@yongyan-gh , if you have time, please suggest the fixes. |
The rule help text markdown looks very nice on the code scanning alert page! 👍 I still see issues with the parameter
|
@mthbernardes do you plan to merge the changes from your branch into the main branch and create an official release? Or would you like the action/starter workflow to reference the alpha version? actions/starter-workflows#1460
|
I'll merge the PR without SARIF support for the dependency-check scan and create a new issue for it.
Thank you @mthbernardes, can you please also publish a new release of clj-watson-action with the new
Hi,
We are working with the GitHub team on the SARIF ecosystem and are looking to add native SARIF output functionality to the clj-watson tool, so that customers can easily create a workflow to scan for vulnerabilities in their repo using clj-watson and generate a code scanning alert in the GitHub Security tab for each vulnerability found.
To achieve this goal, the three steps below are needed:
We are glad to help with and contribute to these tasks. I see the SARIF report functionality in clj-holmes; from the rule definition and sample output I can see how its fields map to a SARIF report. But I can't find documentation of clj-watson's output, and from the sample output I can't figure out which properties should be used for the SARIF report. Can you please provide information about the tool's output?
Below are the required properties of a SARIF report according to the GitHub article at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning. Can you please take a look and let me know which properties/values in the clj-watson report map to them?
Thanks!
cc @eddynaka @michaelcfanning