
👨‍🔬 Cross check the OASIS SARIF format with the SCB generic DAST Finding Format

Open · opened by rfelber · 0 comments

The OASIS introduced a standard format for Static Analysis Results (SAST), which means a lot of SAST scanners have recently adopted it as a common result format. Sadly, as of now there is no comparable standard for DAST scanners. But maybe it's a good inspiration and starting point to cross-check this standard with the generic secureCodeBox Findings Result Format used for all integrated DAST scanners by now.

  • https://docs.securecodebox.io/docs/api/finding

Additional Context

  • Original Source & Documentation
    • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif
    • https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
    • https://github.com/oasis-tcs/sarif-spec
  • GitHub Support: https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/uploading-a-sarif-file-to-github
  • GitLab Support: https://gitlab.com/gitlab-org/gitlab/-/issues/118496
  • SARIF Validator: https://sarifweb.azurewebsites.net/Validation
  • FindBugs Example: https://github.com/ShiftLeftSecurity/sast-scan/blob/master/test/data/findsecbugs-report.sarif

rfelber · Mar 09 '21 20:03
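One concrete way to do the cross-check the issue proposes is to write the mapping down as code and see which SCB fields land on a native SARIF property and which only survive in a SARIF property bag. The script below is an added example and not secureCodeBox project code. It assumes the SCB finding field names from https://docs.securecodebox.io/docs/api/finding (`name`, `description`, `category`, `location`, `severity`, `attributes`, `id`, `osi_layer`) and the SARIF v2.1.0 object names (`runs`, `tool.driver.rules`, `results`, `level`, `locations`, `properties`); the severity-to-level table, the `scb/<category>` rule-id convention and the two sample findings are constructed here, not taken from either specification.

```python
"""Map secureCodeBox (SCB) findings onto a minimal SARIF 2.1.0 log and
report which SCB fields have no native SARIF home.

Added example; not secureCodeBox project code. SCB field names follow the
SCB finding docs, SARIF property names follow SARIF v2.1.0. The severity
table, the rule-id convention and the sample findings are constructed.
"""
import json
import re

# Constructed mapping: SCB has four severities, SARIF has four result levels.
SEVERITY_TO_LEVEL = {
    "INFORMATIONAL": "none",
    "LOW": "note",
    "MEDIUM": "warning",
    "HIGH": "error",
}

# SCB fields that map onto a first-class SARIF result property in this
# converter; everything else is only carried in the SARIF "properties" bag.
NATIVELY_MAPPED = {"name", "description", "category", "location", "severity"}


def rule_id_for(category: str) -> str:
    """Derive a stable SARIF ruleId from an SCB category (constructed convention)."""
    slug = re.sub(r"[^a-z0-9]+", "-", category.lower()).strip("-")
    return f"scb/{slug or 'uncategorized'}"


def unmapped_fields(finding: dict) -> list:
    """Return the SCB fields of one finding that only survive in the property bag."""
    return sorted(k for k in finding if k not in NATIVELY_MAPPED)


def scb_to_sarif(findings: list, tool_name: str = "secureCodeBox") -> dict:
    """Build a SARIF 2.1.0 log (as a dict) from a list of SCB findings."""
    rules = {}
    results = []
    for f in findings:
        category = f.get("category") or "Uncategorized"
        rid = rule_id_for(category)
        # One SARIF rule per SCB category, created on first use.
        rules.setdefault(rid, {"id": rid, "name": category,
                               "shortDescription": {"text": category}})
        level = SEVERITY_TO_LEVEL.get(str(f.get("severity", "")).upper(), "warning")
        result = {
            "ruleId": rid,
            "level": level,
            "message": {"text": f.get("description") or f.get("name", "")},
            # Keep every SCB-only field so the conversion is lossless.
            "properties": {k: f[k] for k in f if k not in NATIVELY_MAPPED},
        }
        result["properties"]["scbSeverity"] = f.get("severity")
        result["properties"]["scbName"] = f.get("name")
        if f.get("location"):
            # SCB "location" is a URI string (tcp://host:port, http://...),
            # which fits SARIF artifactLocation.uri directly.
            result["locations"] = [{"physicalLocation": {
                "artifactLocation": {"uri": f["location"]}}}]
        results.append(result)
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


# Constructed sample findings in SCB shape (values are made up for this example).
SAMPLE_FINDINGS = [
    {
        "id": "00000000-0000-4000-8000-000000000001",
        "name": "Open Port: 80 (http)",
        "description": "Port 80 is open using tcp protocol.",
        "category": "Open Port",
        "location": "tcp://10.0.0.5:80",
        "severity": "INFORMATIONAL",
        "osi_layer": "NETWORK",
        "attributes": {"port": 80, "state": "open", "protocol": "tcp"},
    },
    {
        "name": "SQL Injection",
        "description": "Constructed sample DAST finding.",
        "category": "SQL Injection",
        "location": "http://app.example.test/search?q=1",
        "severity": "HIGH",
        "attributes": {"confidence": "Medium"},
    },
]

if __name__ == "__main__":
    print(json.dumps(scb_to_sarif(SAMPLE_FINDINGS), indent=2))
    for finding in SAMPLE_FINDINGS:
        print(finding["name"], "-> property bag only:", unmapped_fields(finding))
```

Running it shows the two points the issue is really asking about: SCB's `severity` collapses cleanly onto SARIF's four `level` values, but `osi_layer`, `attributes` and the finding `id` have no first-class SARIF counterpart in this mapping and only survive in the `properties` bag, which is exactly the kind of gap a DAST-oriented standard would have to fill.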