Are you using SAST tools? How many tools are you using? Just one? Then it's fine. A few? It's still working, probably. More? Welcome to one of the difficulties of DevSecOps!
These days, when we maintain a system, it's quite common to depend on multiple languages and ecosystems. If the system is small enough, a one-stop SAST solution should be enough... but later you may find that it's not.
So how do you integrate the reports generated by multiple SAST tools to get an overview of your system? The Static Analysis Results Interchange Format (SARIF) could be a solution.
SARIF is an OASIS standard and an industry-standard format for the output of static analysis tools. Configure each SAST tool to generate a SARIF report, and then you can merge the reports to get a simple overview of the service. GitHub Code scanning is one example; it works as a dashboard for all SAST tools, as shown in the screenshot below:
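To show what the merging step looks like when you do not have a dashboard like GitHub Code scanning, here is an added example (not code from the original post or from any SpotBugs project): it concatenates the `runs` of several SARIF 2.1.0 documents into one log and counts findings per tool and severity. The two input reports are constructed inline; the tool name `ConstructedJsLinter` and the rule ids are illustrative only.

```python
import json

# Constructed sample reports (not real tool output): one minimal SARIF 2.1.0
# document per SAST tool, as each tool would write it to its own file.
SPOTBUGS_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SpotBugs"}},
        "results": [
            {"ruleId": "DMI_CONSTANT_DB_PASSWORD", "level": "error",
             "message": {"text": "constructed finding"}},
            {"ruleId": "NP_NULL_ON_SOME_PATH", "level": "warning",
             "message": {"text": "constructed finding"}},
        ],
    }],
})
OTHER_TOOL_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ConstructedJsLinter"}},
        # no "level" on this result: SARIF treats a missing level as "warning"
        "results": [{"ruleId": "no-eval", "message": {"text": "constructed finding"}}],
    }],
})


def merge_sarif(json_texts):
    """Merge SARIF documents (given as JSON text) by concatenating their runs.

    SARIF lets one log hold a run per tool, so no result has to be re-mapped:
    each result stays attached to the tool that produced it.
    """
    merged = {"version": "2.1.0", "runs": []}
    for text in json_texts:
        doc = json.loads(text)
        if doc.get("version") != "2.1.0":
            raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
        merged["runs"].extend(doc.get("runs", []))
    return merged


def summarize(merged):
    """Count results per tool and severity level for a quick overview."""
    summary = {}
    for run in merged["runs"]:
        tool = run["tool"]["driver"]["name"]
        per_tool = summary.setdefault(tool, {})
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default level
            per_tool[level] = per_tool.get(level, 0) + 1
    return summary
```

Write the merged dictionary back out with `json.dump` and you have a single SARIF file that any SARIF-aware viewer can open.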
How to configure SpotBugs to generate a SARIF report
First, it's better to use SpotBugs 4.4.1 or above, which includes a fix that makes the SARIF report compatible with the GitHub code scanning API requirements.
If you use the command line interface to run SpotBugs, append the -sarif option.
If you are using Gradle, configure the tasks of type SpotBugsTask to set reports.sarif.enabled:
```groovy
spotbugsMain {
    reports {
        sarif {
            enabled = true
        }
    }
}
```
If you are using Maven, configure the plugin with <sarifOutput>true</sarifOutput>:
```xml
<plugin>
    <groupId>com.github.spotbugs</groupId>
    <artifactId>spotbugs-maven-plugin</artifactId>
    <configuration>
        <sarifOutput>true</sarifOutput>
    </configuration>
</plugin>
```
Refer to spotbugs/spotbugs-gradle-plugin as a living example of GitHub Code scanning integration.
I hope this guide helps you find a new way to handle SAST tool reports, and makes your hacking awesome!