Fix sarif parser location files processing #11265
DryRun Security Summary

The pull request focuses on improving the SARIF parser in the Dojo application security tool, enhancing the handling of SARIF results with multiple locations, improving snippet extraction and description generation, and expanding the range of security findings from different scanning tools that the parser can process.

Summary: The code changes in this pull request focus on improving the SARIF (Static Analysis Results Interchange Format) parser in the Dojo application security tool. The key changes include:

Additionally, the changes to the unit tests for the SARIF parser indicate that the parser is being updated to handle a wider range of security findings from different scanning tools, such as

Files Changed:

Code Analysis: We ran

Riskiness: 🟢 Risk threshold not exceeded.
Approved
Description

In SARIF, `results -> locations` provides a list of files, as defined by the SARIF standard. In many scanners, like semgrep, each item in `results` contains one file in `locations`, but in some scanners, like mobsfscan, the reports contain multiple files for one item:

Example from the mobsfscan report located in tests:

In the old parser logic, all files in one result except the first are lost, because `locations[0]` is used for filling the item. In the new logic, the information about the scanner hit in each file is saved in a `files` list, and separate vuln items are then created from this list.

Test results

Fixed tests for mobsfscan and njsscan SARIF reports.
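The per-location flattening the description outlines, written out as an added example (Python; this is not the PR's or DefectDojo's code). The SARIF fragment, the `_location_parts` helper and `sarif_to_findings` are constructed here; `first_location_only=True` reproduces the old `locations[0]` behaviour so the two can be compared.

```python
import json

# Constructed SARIF 2.1.0 fragment (not taken from the PR): one result whose
# "locations" lists two files, the shape the description attributes to mobsfscan.
SARIF_DOC = json.dumps({"runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "android_insecure_random",
         "shortDescription": {"text": "Insecure random number generator"}}]}},
    "results": [{
        "ruleId": "android_insecure_random",
        "level": "warning",
        "message": {"text": "java.util.Random is not cryptographically secure"},
        "locations": [
            {"physicalLocation": {
                "artifactLocation": {"uri": "app/src/Token.java"},
                "region": {"startLine": 10, "snippet": {"text": "new Random()"}}}},
            {"physicalLocation": {
                "artifactLocation": {"uri": "app/src/Session.java"},
                "region": {"startLine": 42}}},  # no snippet: must not crash
        ]}]}]})

def _location_parts(loc):
    """Return (file path, line, snippet) from one SARIF location; any may be None."""
    phys = loc.get("physicalLocation", {})
    region = phys.get("region", {})
    return (phys.get("artifactLocation", {}).get("uri"),
            region.get("startLine"),
            region.get("snippet", {}).get("text"))

def sarif_to_findings(sarif_text, first_location_only=False):
    """Flatten a SARIF document into finding dicts, one per (result, location).

    first_location_only=True reproduces the pre-fix behaviour (locations[0] only).
    """
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        titles = {r["id"]: r.get("shortDescription", {}).get("text", r["id"]) for r in rules}
        for result in run.get("results", []):
            locs = result.get("locations") or [{}]   # keep results with no location at all
            for loc in (locs[:1] if first_location_only else locs):
                path, line, snippet = _location_parts(loc)
                desc = result.get("message", {}).get("text", "")
                if snippet:  # only attach a snippet when this location actually has one
                    desc += "\n\n**Snippet:**\n```\n" + snippet + "\n```"
                findings.append({
                    "title": titles.get(result.get("ruleId"), result.get("ruleId")),
                    "severity": result.get("level"), "file_path": path,
                    "line": line, "description": desc})
    return findings
```

With the sample document, the old mode yields a single finding for `Token.java` and the hit in `Session.java` disappears; the default mode yields both, with the snippet attached only to the location that carries one.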