spotbugs / spotbugs

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Home Page:https://spotbugs.github.io/


Add CWE Taxonomy to SARIF Report

Jeeppler opened this issue · comments

Description

The SARIF reports generated by FindSecurityBugs do not contain the Common Weakness Enumeration (CWE) taxonomy from MITRE.

Adding the CWE Taxonomies into SARIF reports would make the SARIF report easier to understand for security practitioners already familiar with CWE.

SARIF does support taxonomies in reports.
For example, SARIF reports from the GoSec tool contain the MITRE CWE taxonomy.
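To make the taxonomy support mentioned above concrete, here is an added Python example (not code from SpotBugs, FindSecurityBugs, GoSec or the issue author) that builds a minimal SARIF 2.1.0 log with a CWE `toolComponent` under `runs[].taxonomies`, links each rule to its CWE entries through `relationships`, and resolves those references back so that a dangling one is caught. The analyzer name, rule ids and findings are constructed for the example; the CWE ids and titles are real MITRE entries.

```python
import json

# Real CWE ids and titles; the subset chosen here is constructed for the example.
CWE_ENTRIES = {
    "89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
    "79": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
}

# Hypothetical rule-to-CWE mapping; the rule ids are not SpotBugs' or FindSecurityBugs' own.
RULE_TO_CWE = {
    "EXAMPLE_SQL_INJECTION": ["89"],
    "EXAMPLE_XSS": ["79"],
}


def cwe_taxonomy():
    """Return a SARIF 2.1.0 toolComponent describing the CWE taxonomy."""
    return {
        "name": "CWE",
        "organization": "MITRE",
        "shortDescription": {"text": "The MITRE Common Weakness Enumeration"},
        "taxa": [
            {
                "id": cwe_id,
                "name": title,
                "shortDescription": {"text": title},
                "helpUri": f"https://cwe.mitre.org/data/definitions/{cwe_id}.html",
            }
            for cwe_id, title in sorted(CWE_ENTRIES.items())
        ],
    }


def rule_descriptor(rule_id):
    """Build a rule whose relationships point at CWE taxa.

    The target names the taxon by id and the taxonomy by its index in
    runs[].taxonomies (0 here), which is how SARIF consumers resolve it.
    """
    return {
        "id": rule_id,
        "relationships": [
            {"target": {"id": cwe_id, "toolComponent": {"name": "CWE", "index": 0}},
             "kinds": ["superset"]}
            for cwe_id in RULE_TO_CWE[rule_id]
        ],
    }


def build_sarif_log(findings):
    """findings: list of (rule_id, file_uri, line). Returns a SARIF log dict."""
    rule_ids = sorted({rule_id for rule_id, _, _ in findings})
    rule_index = {rule_id: i for i, rule_id in enumerate(rule_ids)}
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-analyzer",
                                "rules": [rule_descriptor(r) for r in rule_ids]}},
            "taxonomies": [cwe_taxonomy()],
            "results": [
                {
                    "ruleId": rule_id,
                    "ruleIndex": rule_index[rule_id],
                    "level": "error",
                    "message": {"text": f"{rule_id} at {uri}:{line}"},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": uri},
                        "region": {"startLine": line}}}],
                    # A result may also carry taxa directly; mirror the rule's links here.
                    "taxa": [{"id": cwe_id, "toolComponent": {"name": "CWE", "index": 0}}
                             for cwe_id in RULE_TO_CWE[rule_id]],
                }
                for rule_id, uri, line in findings
            ],
        }],
    }


def resolve_cwe_references(log):
    """Map each rule id to the CWE entries its relationships resolve to.

    A reference whose taxonomy index or taxon id is absent from
    runs[].taxonomies is listed under 'unresolved' rather than dropped.
    """
    run = log["runs"][0]
    taxonomies = run.get("taxonomies", [])
    resolved, unresolved = {}, []
    for rule in run["tool"]["driver"].get("rules", []):
        for rel in rule.get("relationships", []):
            target = rel["target"]
            index = target.get("toolComponent", {}).get("index")
            component = taxonomies[index] if index is not None and index < len(taxonomies) else {}
            taxon = next((t for t in component.get("taxa", []) if t["id"] == target["id"]), None)
            if taxon is None:
                unresolved.append((rule["id"], target["id"]))
            else:
                resolved.setdefault(rule["id"], []).append(f"CWE-{taxon['id']}")
    return resolved, unresolved


if __name__ == "__main__":
    # Constructed findings, not the output of any real analyzer run.
    log = build_sarif_log([("EXAMPLE_SQL_INJECTION", "src/main/java/App.java", 42),
                           ("EXAMPLE_XSS", "src/main/java/View.java", 7)])
    print(json.dumps(log, indent=2))
    print(resolve_cwe_references(log))
```

Running the script prints the SARIF document and the resolved mapping; `resolve_cwe_references` is the check a consumer would want, since a rule that points at a taxon the report never declares would otherwise render as a bare number.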

Thanks for opening your first issue here! 😃
Please check our contributing guideline. Especially when you report a problem, make sure you share a Minimal, Complete, and Verifiable example to reproduce it in this issue.

I already opened the same issue in FindSecurityBugs: find-sec-bugs/find-sec-bugs/issues/688. However, the maintainers of FindSecurityBugs told me that SpotBugs is responsible for generating the SARIF report.