Support OCSF output #34
Comments
|
Would also be interesting to see how SARIF could be brought into AWS Security Hub. |
|
Not sure what you can ingest into Security Hub, but Amazon recently announced their spearheading of OCSF, which cynically looks like a thing to compete with GitHub and SARIF. https://github.com/ocsf |
juliojimenez
added
enhancement
|
SARIF is a hack in this context. SARIF is meant to be for SAST output. It's line orientated. It was used by CodeQL (a SAST tool) and acted as the bridge to get information into the GitHub Security tab. Then all security tools started generating syntactically valid but partially semantically meaningless SARIF to integrate with GitHub. It's worth doing simply for the GitHub integration though, but things like line number are required but stuffed with arbitrary info. OCSF is pretty different, it's generally about activity rather than state, and not about SAST. The scope of the two specifications is very different. It does have a very simple vulnerability object: https://schema.ocsf.io/objects/vulnerability that can be encapsulated in a finding https://schema.ocsf.io/classes/security_finding. So it would be possible to describe the output with a bit of tinkering in OCSF I think. The CycloneDX vulnerability schema is a much closer match to the Bomber domain as well https://cyclonedx.org/use-cases/#vulnerability-exploitability Note I think part of the value in Bomber is being liberal about inputs and outputs. So ultimately supporting all of the above is likely useful. Bomber I feel is best placed as a swiss army knife. |
|
It looks trivial to do an output of OCSF and map the Vulnerability struct from bomber into it. Possibly add an --output=ocsf flag. @garethr you want to take that on? Probably create a separate ticket? |
djschleen
added
invalid
djschleen
added
enhancement
|
@artis3n - Reopening this issue. We'll be adding a new renderer to output SARIF format. |
Support an output format for SARIF to leverage the Security tab on repos and let GitHub ingest the data. https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
That link contains file format examples for SARIF-flavored json. There's a schema validator https://sarifweb.azurewebsites.net/ as well.
The text was updated successfully, but these errors were encountered: