ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.

Home Page: https://discord.gg/DCNxzaeUpd

Add tool/scan meta data to .json results file

davewichers opened this issue · comments

Lots of tools generate .json results files. Can you add some metadata to your .json results files that includes data like:

  • Tool name
  • Tool version
  • Scan start time
  • Scan complete time
  • Maybe GUID for the scan results themselves, in case the same code is scanned again.

Any other overall metadata you think might be useful.

@davewichers This repo is for the open-source tool called slscan which outputs SARIF files with some metadata as described here - https://slscan.io/en/latest/integrations/sarif/#run

Could you kindly check and let me know if you're looking for any additional metadata?

@davewichers is talking about a reader I wrote for https://github.com/OWASP/Benchmark. Running

docker run --rm -e "WORKSPACE=${PWD}" -v ~/.m2:/.m2 -v <source path>:/app shiftleft/scan scan --src /app --type java

returns several result files:

-rw-r--r-- 1 sknoop sknoop  92K Jun  3 19:42 .sastscan.baseline
-rw-r--r-- 1 sknoop sknoop 7.1M Jun  3 19:41 class-report.html
-rw-r--r-- 1 sknoop sknoop 7.2M Jun  3 19:41 class-report.sarif
-rw-r--r-- 1 sknoop sknoop  13M Jun  3 19:41 class-report.xml
-rw-r--r-- 1 sknoop sknoop 8.6M Jun  3 19:42 ngsast-report.findings.json
-rw-r--r-- 1 sknoop sknoop 5.2M Jun  3 19:42 scan-full-report.json
-rw-r--r-- 1 sknoop sknoop    0 Jun  3 19:41 source-java-report.csv
-rw-r--r-- 1 sknoop sknoop  17K Jun  3 19:42 source-java-report.html
-rw-r--r-- 1 sknoop sknoop 2.3K Jun  3 19:42 source-java-report.sarif

For release 2.0.0 the file scan-full-report.json contains:

{
  "tool": {
    "driver": {
      "name": "Java Source Analyzer",
      "version": "1.0.0-scan",
      "fullName": "Java Source Analyzer"
    }
  },
[...]

-> Wrong version?

The result file only contains endTimeUtc, but no start times?

@darkspirit510 Now I understand. Since this open-source version wraps findsecbugs, the result would be identical to invoking findsecbugs directly. Regarding start times, I will take it as an enhancement request, but it is going to take some time.
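An added example, not code from this thread or from the slscan project: a small reader that pulls the metadata discussed above out of a SARIF 2.1.0 run (tool name and version from `tool.driver`, the scan GUID from `automationDetails`, start and end times from `invocations`) and reports which of those fields the producer left out, so a consumer such as a benchmark scorer can flag an output that carries `endTimeUtc` but no `startTimeUtc`. The embedded SARIF is constructed, modelled on the scan-full-report.json fragment, and its GUID is a placeholder.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the scan-full-report.json fragment in the
# thread: one run whose invocation has an endTimeUtc but no startTimeUtc.
# The GUID is a placeholder, not a value from any real scan.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Java Source Analyzer",
                        "version": "1.0.0-scan",
                        "fullName": "Java Source Analyzer"}},
    "automationDetails": {"guid": "00000000-0000-4000-8000-000000000001"},
    "invocations": [{"executionSuccessful": true,
                     "endTimeUtc": "2020-06-03T19:42:00Z"}],
    "results": []
  }]
}"""

# Metadata fields a results consumer wants; each maps to a getter on a run.
WANTED = {
    "tool.driver.name": lambda run: run.get("tool", {}).get("driver", {}).get("name"),
    "tool.driver.version": lambda run: run.get("tool", {}).get("driver", {}).get("version"),
    "automationDetails.guid": lambda run: run.get("automationDetails", {}).get("guid"),
    "invocations[0].startTimeUtc": lambda run: (run.get("invocations") or [{}])[0].get("startTimeUtc"),
    "invocations[0].endTimeUtc": lambda run: (run.get("invocations") or [{}])[0].get("endTimeUtc"),
}

def parse_sarif_time(value):
    """Parse a SARIF UTC timestamp (with or without fractional seconds); None if absent."""
    if value is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SARIF timestamp: {value!r}")

def scan_metadata(sarif_text):
    """Return one record per run: the wanted fields, the scan duration in seconds
    (None when either timestamp is missing) and the list of absent fields."""
    records = []
    for run in json.loads(sarif_text).get("runs", []):
        fields = {name: get(run) for name, get in WANTED.items()}
        start = parse_sarif_time(fields["invocations[0].startTimeUtc"])
        end = parse_sarif_time(fields["invocations[0].endTimeUtc"])
        fields["duration_s"] = (end - start).total_seconds() if start and end else None
        fields["missing"] = [name for name in WANTED if fields[name] is None]
        records.append(fields)
    return records
```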