noseyparker
Improve SARIF output
SARIF support was recently added (#33, #4), adding a new output format to Nosey Parker's report
command. This support is preliminary, but good enough that viewers like the VSCode SARIF plugin can do something useful with the output in some cases.
However, I want Nosey Parker to do something useful in all cases. The end goal is that Nosey Parker's SARIF output is complete enough that common viewers can usefully render all findings.
Viewers of particular interest:
- GitHub Code Analysis (so that SARIF output can be automatically shown in pull requests)
- VSCode SARIF Viewer
- The sarif-fmt command-line program
Rough edges and opportunities for improvement:
- Findings in blobs from Git repositories don't have useful location information associated with them.
- Nosey Parker rules don't have a stable and machine-friendly ID associated with them, just a name.
- Nosey Parker rules don't have a long description, severity, or precision associated with them.
- Currently, the VSCode SARIF Viewer's functionality to annotate findings as false positives crashes with Nosey Parker-generated output, probably due to some missing field.
- The location info in SARIF results is for the entire regex match rather than just the match group.
See this for requirements and suggestions related to GitHub Code Analysis SARIF support: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
I asked for help in understanding how best to represent Nosey Parker's findings in SARIF: https://github.com/oasis-tcs/sarif-spec/issues/564
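The following is an added example, not Nosey Parker's code and not part of the issue above. It shows, for the plain-file case, what a SARIF 2.1.0 log looks like once the gaps listed in the issue are filled in: each rule carries a stable `id` separate from its human-readable `name`, a `fullDescription`, a `defaultConfiguration.level` (severity) and GitHub's `precision` / `security-severity` properties, and each result's `region` covers only the regex capture group rather than the whole match. The tool name `example-secret-scanner`, the rule id `np.aws.1`, the fingerprint key `np/secretHash/v1` and the rule table are all invented for the example; the input file is constructed, and the key in it is the example access key ID from AWS's own documentation. SARIF columns are 1-based and `endColumn` names the character after the region, which is where off-by-one bugs usually creep in, so the conversion is isolated in one function and checked against both the capture group and the whole match.

```python
"""Emit a minimal SARIF 2.1.0 log for regex-based secret findings.

Added example (not Nosey Parker's implementation). Demonstrates:
  * rules with a stable id, long description, severity and precision,
  * result regions that cover the capture group, not the whole match,
  * 1-based, end-exclusive SARIF columns,
  * redacted snippets so the SARIF file itself does not leak the secret.
"""
from __future__ import annotations

import hashlib
import json
import re

# Constructed rule table. Real Nosey Parker rules look different; the point is
# that `id` is stable and machine-friendly while `name` is free to change.
RULES = [
    {
        "id": "np.aws.1",  # hypothetical stable identifier
        "name": "AWS API Key",
        "short": "AWS access key ID",
        "full": "Matches an assignment of an AWS access key ID (AKIA...). "
                "Group 1 is the key itself; the rest of the match is context.",
        "level": "error",          # SARIF defaultConfiguration.level
        "precision": "high",       # GitHub code scanning property
        "security_severity": "8.0",  # GitHub expects a numeric string 0.0-10.0
        # (?i:...) scopes case-insensitivity to the variable name only.
        "pattern": re.compile(r'(?i:aws_?key)\s*=\s*["\']?(AKIA[0-9A-Z]{16})'),
    },
]

# Constructed sample input; the key is AWS's documented example value.
SAMPLE_URI = "src/config.py"
SAMPLE_TEXT = 'DB = "ok"\naws_key = "AKIAIOSFODNN7EXAMPLE"  # constructed example value\n'


def sarif_region(text: str, m: re.Match, group: int = 1) -> dict:
    """Return a SARIF region for match group `group` (0 = whole match).

    SARIF lines and columns are 1-based; endColumn is the column of the
    character *following* the region, i.e. the end offset is exclusive.
    """
    start, end = m.start(group), m.end(group)
    start_line_offset = text.rfind("\n", 0, start) + 1
    end_line_offset = text.rfind("\n", 0, end) + 1
    return {
        "startLine": text.count("\n", 0, start) + 1,
        "startColumn": start - start_line_offset + 1,
        "endLine": text.count("\n", 0, end) + 1,
        "endColumn": end - end_line_offset + 1,
    }


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is recognisable, mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan(uri: str, text: str) -> list[dict]:
    """Run every rule over `text` and return SARIF result objects."""
    results = []
    for rule in RULES:
        for m in rule["pattern"].finditer(text):
            secret = m.group(1)
            # Fingerprint the secret, not the location, so the alert survives
            # the file being edited above the finding. Hypothetical key name.
            digest = hashlib.sha256(
                f"{rule['id']}\0{uri}\0{secret}".encode()).hexdigest()
            results.append({
                "ruleId": rule["id"],
                "level": rule["level"],
                "message": {"text": f"{rule['name']} found in {uri}"},
                "locations": [{
                    "physicalLocation": {
                        "artifactLocation": {"uri": uri},  # relative path
                        "region": {
                            **sarif_region(text, m, group=1),
                            "snippet": {"text": redact(secret)},
                        },
                    }
                }],
                "partialFingerprints": {"np/secretHash/v1": digest},
            })
    return results


def build_sarif(results: list[dict]) -> dict:
    """Wrap results in a SARIF log with a fully described rule table."""
    rules = [{
        "id": r["id"],
        "name": r["name"],
        "shortDescription": {"text": r["short"]},
        "fullDescription": {"text": r["full"]},
        "help": {"text": r["full"]},
        "defaultConfiguration": {"level": r["level"]},
        "properties": {
            "precision": r["precision"],
            "security-severity": r["security_severity"],
            "tags": ["security", "secret"],
        },
    } for r in RULES]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-secret-scanner",
                                "version": "0.0.0", "rules": rules}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_sarif(scan(SAMPLE_URI, SAMPLE_TEXT)), indent=2))
```

Running the block prints a log whose single result points at line 2, columns 12 to 32, the key itself, whereas the whole match would start at column 1. Two things the example deliberately does not do: it gives no location for findings inside Git blobs that have no path in the working tree (the first rough edge in the issue, still open), and it never writes the raw secret into the log, since a SARIF file uploaded to code scanning or committed as an artifact is readable by everyone with alert access.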