Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/advanced-security/codeql-sarif-security-standard-annotator
Compare a CodeQL SARIF results file to a security standard CWE list and annotate the SARIF rules with a tag to highlight results applicable to the security standard
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/advanced-security/codeql-sarif-security-standard-annotator
- Owner: advanced-security
- License: mit
- Created: 2023-04-26T21:26:20.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-05-28T10:57:23.000Z (5 months ago)
- Last Synced: 2024-05-30T05:56:01.191Z (5 months ago)
- Language: TypeScript
- Homepage:
- Size: 1.88 MB
- Stars: 5
- Watchers: 1
- Forks: 0
- Open Issues: 13
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
- Security: SECURITY.md
- Support: SUPPORT.md
Awesome Lists containing this project
- awesome-codeql - codeql-sarif-security-standard-annotator - Add an `owasp-top10-2021` tag to relevant results (CodeQL Actions Helpers)
README
## CodeQL SARIF Security Standard Annotator
Compare a CodeQL SARIF results file to a security standard CWE list and annotate the SARIF rules with a tag to highlight results applicable to the security standard
- Defaults to a comparison against the OWASP Top 10 2021 CWE mapping taken from https://cwe.mitre.org/data/xml/views/1344.xml.zip
- Any XML file can be provided as an alternative, with the option to provide an XPath query that identifies the CWE ID values to use in the comparison
- Tag value is configurable

This supports the ability to filter the Security dashboards by `tag`, as well as displaying this information alongside the Code scanning alert.

## Usage in GitHub Actions
```yaml
- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
  with:
    upload: false
    output: sarif-results
- name: Annotate CodeQL SARIF with OWASP Top 10 2021 tag
  uses: advanced-security/codeql-sarif-security-standard-annotator@v1
  with:
    sarifFile: sarif-results/${{matrix.language}}.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: sarif-results/${{matrix.language}}.sarif
```

The action's inputs:

```yaml
inputs:
  sarifFile:
    required: true
    description: 'The CodeQL SARIF result file'
  cweFile:
    required: false
    description: 'The CWE list XML file, defaults to OWASP Top 10 2021'
  cweIdXpath:
    required: false
    description: 'The XPath query that selects CWE ID numbers from the CWE list file'
  securityStandardTag:
    required: false
    description: 'The security standard tag to add to the SARIF file, defaults to "owasp-top10-2021"'
  outputFile:
    required: false
    description: 'The output SARIF file path, defaults to the input SARIF file path'
```

## Dev requirements
The repo includes a Node.js devcontainer [configuration](.devcontainer/devcontainer.json) which should be used for development. See [CONTRIBUTING](CONTRIBUTING.md).
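For orientation when working on the code, here is the core of what the annotation step does to a SARIF file, as an added example written for this page (not the action's own code). It assumes the MITRE view XML lists weaknesses as `<Weakness ID="…">` elements and that CodeQL rule tags use the `external/cwe/cwe-NNN` form; the regex over the XML stands in for the action's configurable XPath query, and the SARIF and XML inputs are constructed samples.

```typescript
// Added example (not the action's own code): tag SARIF rules whose CWE
// tags intersect the CWE IDs found in a CWE list XML. Assumptions are noted.
interface SarifRule {
  id: string;
  properties?: { tags?: string[] };
}
interface SarifLog {
  runs: { tool: { driver: { rules?: SarifRule[] } } }[];
}

// Stand-in for the action's XPath step (assumption: MITRE view XML lists
// weaknesses as <Weakness ID="79" ...>); a real run would use XPath.
function cweIdsFromXml(xml: string): Set<number> {
  const ids = new Set<number>();
  const re = /<Weakness\b[^>]*\bID="(\d+)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(xml)) !== null) ids.add(Number(m[1]));
  return ids;
}

// CodeQL rules carry tags such as "external/cwe/cwe-079"; the number is
// zero-padded there but not in the XML, so compare numerically.
function cweIdsFromTags(tags: string[]): number[] {
  return tags
    .map((t) => /^external\/cwe\/cwe-(\d+)$/i.exec(t))
    .filter((x): x is RegExpExecArray => x !== null)
    .map((x) => Number(x[1]));
}

// Adds `tag` to every rule that maps to a listed CWE; returns how many rules matched.
function annotate(log: SarifLog, cwes: Set<number>, tag = "owasp-top10-2021"): number {
  let tagged = 0;
  for (const run of log.runs) {
    for (const rule of run.tool.driver.rules ?? []) {
      const tags = rule.properties?.tags ?? [];
      if (!cweIdsFromTags(tags).some((id) => cwes.has(id))) continue;
      if (tags.indexOf(tag) === -1) tags.push(tag); // idempotent when re-run on its own output
      rule.properties = { ...rule.properties, tags };
      tagged++;
    }
  }
  return tagged;
}

// Constructed sample inputs so the block runs stand-alone.
const SAMPLE_XML = `<Weakness_Catalog><Weaknesses><Weakness ID="79" Name="XSS"/>
<Weakness ID="89" Name="SQLi"/></Weaknesses></Weakness_Catalog>`;
const SAMPLE_SARIF: SarifLog = { runs: [{ tool: { driver: { rules: [
  { id: "js/xss", properties: { tags: ["security", "external/cwe/cwe-079"] } },
  { id: "js/log-injection", properties: { tags: ["security", "external/cwe/cwe-117"] } },
] } } }] };
```

Because the default `outputFile` overwrites the input SARIF, the duplicate-tag check matters when the step runs more than once on the same file.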
## License
This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE.txt) for the full terms.
## Maintainers
See [CODEOWNERS](CODEOWNERS)
## Support
See [SUPPORT](SUPPORT.md)
## Acknowledgement
@aegilops for the inspiration