Hi all,
Here is the information about MicroFocus Fortify support for SARIF:
FortifyVulnerabilityExporter can export vulnerability data from both SSC and FoD to GitHub-optimized SARIF format: https://github.com/fortify/FortifyVulnerabilityExporter#github-configuration . SSC can also ingest SARIF using https://github.com/fortify-ps/fortify-ssc-parser-sarif . Given the flexibility that the SARIF specification provides, we may not be able to import all possible SARIF outputs, but we were able to successfully import some sample outputs from Brakeman, PMD and TFSec.
Hope this helps,
k
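The note above says that SARIF's flexibility means not every SARIF output can be imported. As an added illustration (not Fortify's parser, nor code from any project named here), the Python below flattens a constructed SARIF 2.1.0 log whose two runs encode the same information in different spec-legal shapes: a rule referenced by ruleId versus ruleIndex, a message given as inline text versus a messageStrings id with {0} arguments, a level on the result versus the rule's defaultConfiguration, and a uriBaseId-relative path versus a result with no location at all. Tool names, rule ids and paths in the sample are made up.

```python
# Constructed sample SARIF 2.1.0 log (not real tool output): two runs express the
# same kind of finding using different, all spec-legal shapes.
SAMPLE_LOG = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "toolA", "rules": [
        {"id": "A001", "shortDescription": {"text": "Hardcoded secret"}}]}},
     "results": [{"ruleId": "A001", "level": "error",
                  "message": {"text": "Secret found in config"},
                  "locations": [{"physicalLocation": {
                      "artifactLocation": {"uri": "src/app.rb"},
                      "region": {"startLine": 12}}}]}]},
    {"tool": {"driver": {"name": "toolB", "rules": [
        {"id": "B7", "defaultConfiguration": {"level": "warning"},
         "messageStrings": {"default": {"text": "Insecure call to {0}"}}}]}},
     "originalUriBaseIds": {"SRCROOT": {"uri": "file:///repo/"}},
     "results": [
         {"ruleIndex": 0, "message": {"id": "default", "arguments": ["eval"]},
          "locations": [{"physicalLocation": {
              "artifactLocation": {"uri": "lib/x.js", "uriBaseId": "SRCROOT"},
              "region": {"startLine": 3}}}]},
         {"ruleIndex": 0, "message": {"id": "default", "arguments": ["exec"]}}]}]}


def normalize(log):
    """Flatten a parsed SARIF log into (tool, ruleId, level, message, uri, line)
    tuples, resolving the alternative/optional fields a consumer must handle."""
    rows = []
    for run in log.get("runs", []):
        driver = run["tool"]["driver"]
        rules = driver.get("rules", [])
        bases = run.get("originalUriBaseIds", {})
        for res in run.get("results", []):
            # The rule may be referenced by index, by id, or not at all.
            rule = {}
            if "ruleIndex" in res:
                rule = rules[res["ruleIndex"]]
            elif "ruleId" in res:
                rule = next((r for r in rules if r["id"] == res["ruleId"]), {})
            rule_id = res.get("ruleId", rule.get("id"))
            # Spec: result.level, else the rule's default level, else "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            # Message is inline text, or an id into the rule's messageStrings with {0}-style args.
            msg = res["message"]
            text = msg.get("text") or rule["messageStrings"][msg["id"]]["text"]
            text = text.format(*msg.get("arguments", []))
            # Location is optional; the URI may be relative to a named base URI.
            uri, line = None, None
            for loc in res.get("locations", [])[:1]:
                pl = loc.get("physicalLocation", {})
                art = pl.get("artifactLocation", {})
                base = bases.get(art.get("uriBaseId", ""), {}).get("uri", "")
                uri = base + art["uri"] if "uri" in art else None
                line = pl.get("region", {}).get("startLine")
            rows.append((driver["name"], rule_id, level, text, uri, line))
    return rows
```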
From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Michael Fanning
Sent: Thursday, May 27, 2021 7:25 AM
To: sarif@lists.oasis-open.org
Cc: Eddy Nakamura <Eddy.Nakamura@microsoft.com>
Subject: [sarif] SARIF eco-system information
Eddy and I, working with GitHub, have created a working list of direct SARIF producers.
MicroFocus and GrammaTech support is conspicuously absent: we will be soliciting appropriate representation in this list on the TC call today.
MCF
BinSkim is a binary-level security checker that validates Windows, Mac and *nix binaries.
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
Checkstyle is a Java style guidelines checker.
CodeQL is a multilanguage, intraprocedural checker with a large rule set.
Clang Analyzer, the LLVM C/C++ checker, has added SARIF export.
CredScan is a file scanner that detects plaintext secrets.
DartAnalyzer is a Dart/Flutter analyzer.
Detekt is a static code analysis tool for the Kotlin programming language.
DevSkim is a set of IDE checkers and language analyzers that provide inline security analysis.
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
ESLint Sarif Formatter enables SARIF export for ESLint, a JavaScript static analyzer.
Flawfinder is a C/C++ source code security checker.
GoSec is a GoLang security checker.
Kubesec, backed by ControlPlane.io, provides security risk analysis for Kubernetes resources.
MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
NodeJSScan is a static security code scanner (SAST) for Node.js applications.
Psalm is an open source tool for finding security vulnerabilities in PHP.
PMD is a multilanguage source code analyzer.
PSScriptAnalyzer is a static code checker for PowerShell modules and scripts.
PREfast is the C/C++ correctness checker behind the Microsoft compiler /analyze switch.
Roslyn is a platform for analyzing and rewriting C#/VB.NET code.
Sarif Pattern Matcher is a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc.
Security Code Scan is a Vulnerability Patterns Detector for C# and VB.NET.
Semgrep, sponsored by R2C, supports a variety of languages.
Sobelow is the security-focused static analyzer for the Elixir Phoenix Framework.
SpotBugs is a Java code checker.
TFSec uses static analysis of your Terraform templates to spot potential security issues.
Trivy is a vulnerability scanner for containers and other artifacts.