
Support for the SARIF (Static Analysis Results Interchange Format)

Open abhaybhargav opened this issue 4 years ago • 8 comments

Is your feature request related to a problem? Please describe. I think integration is the name of the game today and the SARIF format (https://github.com/oasis-tcs/sarif-spec) is a standard that most static analysis tools have embraced. It would be great if Bandit could have that as well, simply because this integrates with GitHub and vulnerability management tools and makes results consistent.

Describe the solution you'd like Support for the sarif-spec based on the JSON spec listed here and --output and --format flags that support SARIF as an option in addition to JSON, XML, etc.

abhaybhargav avatar Nov 20 '20 03:11 abhaybhargav

For reference, it looks like Microsoft wrote a converter here: https://github.com/microsoft/bandit-sarif-formatter

kiwiz avatar Dec 30 '20 22:12 kiwiz

@ericwb Hi Eric. My team is planning to modify either bandit or the converter provided above so that the SARIF output includes suppression information. I see you've added this enhancement for 2.0.0 - is someone already working on this? How could we contribute? Thanks.

syl-ms avatar Jul 05 '21 08:07 syl-ms

Any news on this issue?

damiencarol avatar Dec 23 '21 13:12 damiencarol

Since Microsoft has already created a Bandit formatter and SARIF library, I don't think there's any reason for Bandit to duplicate the effort. Instead, maybe we can look at an easier way to make use of 3rd party plugins such as this.

ericwb avatar Jan 21 '22 02:01 ericwb

@ericwb like adding something in the documentation? Because I tested the MS plugin but it was not very easy to find this module and use it. Maybe just a link to the MS repo could be enough to help users.

damiencarol avatar Jan 21 '22 10:01 damiencarol

We from SecHub project at Mercedes-Benz Tech Innovation would like to contribute a SARIF 2.1.0 formatter. We would like to have SARIF support as one of the standard report format options in Bandit.

The Bandit SARIF formatter by Microsoft does not seem to be developed anymore and we need to have support for the Common Weakness Enumeration (CWE) taxonomy in the SARIF report. As a result of the limitations, we are happy to contribute a SARIF 2.1.0 formatter to Bandit.

@ericwb is the SARIF open to the idea of adding the SARIF support directly to Bandit in case we develop and contribute it?

Jeeppler avatar Sep 22 '23 10:09 Jeeppler
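To make concrete what the original request (a SARIF option beside Bandit's JSON output) and the SecHub comment above (a SARIF 2.1.0 report that carries the CWE taxonomy) are asking for, here is an added, stand-alone converter. It is example code written for this thread, not Bandit's formatter, the Microsoft converter, or the SecHub contribution. It assumes the shape of Bandit's JSON report (a `results` list whose entries carry `test_id`, `test_name`, `issue_text`, `issue_severity`, `issue_confidence`, `filename`, `line_number`, `col_offset`, `more_info` and an `issue_cwe` object with `id` and `link`); the sample report is constructed, and the severity-to-level mapping is a choice made here, since SARIF only defines `error`, `warning`, `note` and `none`.

```python
"""Convert a parsed Bandit JSON report into a SARIF 2.1.0 log with a CWE taxonomy.

Example code for illustration; not Bandit's own formatter. The report shape
below is an assumption about Bandit's JSON output and the values are constructed.
"""
import json

# Chosen mapping from Bandit severity to SARIF result.level (SARIF has no
# "high/medium/low"; this mapping is an assumption, not part of the spec).
LEVEL_BY_SEVERITY = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

# Published location of the SARIF 2.1.0 JSON schema.
SARIF_SCHEMA = ("https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/"
                "schemas/sarif-schema-2.1.0.json")

# Constructed sample of a Bandit JSON report (two findings, two CWEs).
SAMPLE_REPORT = {
    "results": [
        {
            "filename": "app/run.py", "line_number": 2, "col_offset": 0,
            "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
            "issue_text": "subprocess call with shell=True identified, security issue.",
            "issue_severity": "HIGH", "issue_confidence": "HIGH",
            "issue_cwe": {"id": 78, "link": "https://cwe.mitre.org/data/definitions/78.html"},
            "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
        },
        {
            "filename": "app/settings.py", "line_number": 7, "col_offset": 4,
            "test_id": "B105", "test_name": "hardcoded_password_string",
            "issue_text": "Possible hardcoded password: 'hunter2'",
            "issue_severity": "LOW", "issue_confidence": "MEDIUM",
            "issue_cwe": {"id": 259, "link": "https://cwe.mitre.org/data/definitions/259.html"},
            "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html",
        },
    ]
}


def severity_to_level(severity):
    """Map a Bandit severity string to a SARIF level; unknown values become 'warning'."""
    return LEVEL_BY_SEVERITY.get(str(severity).upper(), "warning")


def bandit_to_sarif(report):
    """Build a SARIF 2.1.0 log (as a dict) from a parsed Bandit report dict."""
    rules = {}    # test_id -> reportingDescriptor (deduplicated per run)
    taxa = {}     # CWE id (string) -> taxon in the CWE taxonomy
    results = []

    for r in report.get("results", []):
        rule_id = r["test_id"]
        cwe = r.get("issue_cwe") or {}
        cwe_id = str(cwe["id"]) if cwe.get("id") else None

        # One taxon per distinct CWE; SARIF consumers resolve results to it by id.
        if cwe_id and cwe_id not in taxa:
            taxa[cwe_id] = {"id": cwe_id, "name": f"CWE-{cwe_id}",
                            "helpUri": cwe.get("link", "")}

        # One rule per Bandit test id, linked to its CWE via a relationship.
        if rule_id not in rules:
            rule = {
                "id": rule_id,
                "name": r.get("test_name", rule_id),
                "shortDescription": {"text": r.get("test_name", rule_id)},
                "helpUri": r.get("more_info", ""),
            }
            if cwe_id:
                rule["relationships"] = [{
                    "target": {"id": cwe_id, "toolComponent": {"name": "CWE"}},
                    "kinds": ["superset"],
                }]
            rules[rule_id] = rule

        result = {
            "ruleId": rule_id,
            "level": severity_to_level(r.get("issue_severity")),
            "message": {"text": r["issue_text"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": r["filename"]},
                # Bandit's col_offset is 0-based; SARIF columns are 1-based.
                "region": {"startLine": r["line_number"],
                           "startColumn": r.get("col_offset", 0) + 1},
            }}],
            # Keep Bandit's own severity/confidence so nothing is lost in translation.
            "properties": {"issue_severity": r.get("issue_severity"),
                           "issue_confidence": r.get("issue_confidence")},
        }
        if cwe_id:
            result["taxa"] = [{"id": cwe_id, "toolComponent": {"name": "CWE"}}]
        results.append(result)

    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "Bandit",
                "informationUri": "https://bandit.readthedocs.io/",
                "rules": list(rules.values()),
                "supportedTaxonomies": [{"name": "CWE"}],
            }},
            "taxonomies": [{
                "name": "CWE",
                "organization": "MITRE",
                "shortDescription": {"text": "Common Weakness Enumeration"},
                "taxa": list(taxa.values()),
            }],
            "results": results,
        }],
    }


def sarif_text(report):
    """Serialize the SARIF log the way a --format sarif option would write it."""
    return json.dumps(bandit_to_sarif(report), indent=2)


if __name__ == "__main__":
    print(sarif_text(SAMPLE_REPORT))
```

The `taxonomies` block plus the per-result `taxa` references is what lets a SARIF consumer group findings by CWE, which is the gap the SecHub comment describes in the older converter; the `properties` bag preserves Bandit's own severity and confidence for tools that want them unmapped.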

@Jeeppler we're definitely open to the creation of a new formatter that supports SARIF.

ericwb avatar Sep 23 '23 03:09 ericwb

@ericwb thanks for the quick reply. We will start working on it.

Jeeppler avatar Sep 23 '23 13:09 Jeeppler