joyliu-q / sastall
Static application security testing toolkit
I need to actually figure out how caching works
This is actually really simple to do. Just replace the file name from sastall.sarif to one specific to the project (e.g. flaskproject-sastall.sarif).
I just haven't done it yet because of finals season.
Opening this issue to use it to track the progress of SASTAll.
We want a tool that is able to simplify the process of running 3 different SAST tools.
There are 2 possible solutions that would follow SASTAll's vision.
Either way, the results have to be aggregated by some means. Or do they?
Before starting on this project, I thought that aggregation was one of the biggest wins/advantages of SASTAll. Running multiple tools does not change the rate of false positives (~50%), but if we can take all of the results in SARIF format and do something interesting with it, running multiple tools could actually be worth it.
However, after looking into how GitHub actually works, I was greatly disillusioned. Apparently for these tools, they already have CIs built into place and everything just shows up on the GitHub security tab. It looks great, too: there are even little tags you can filter different issues by. So, is there even a purpose to take all of the SARIF files generated, parse them, combine results, and display it somewhere?
The only advantage of doing aggregation is that currently GitHub just takes the issues found and throws them onto the security tab. There may be some redundancy. However, redundancy might be good because you see "Wow, all 3 of these tools did not like this particular line. Maybe I should look into this!"
But that's okay! Because here's a potential idea: do something with the Code Scanning API
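One way to act on the "all 3 of these tools did not like this particular line" signal described above, as an added example that is not part of the SASTAll repository: it merges several SARIF 2.1.0 documents by file and line and ranks locations by how many distinct tools reported them. The tool names, rule ids, file paths and line numbers in the sample are constructed for the example.

```python
from collections import defaultdict


def _doc(tool, findings):
    """Build a minimal SARIF 2.1.0 document for one tool (constructed sample data)."""
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": tool}},
            "results": [{"ruleId": rule, "message": {"text": msg},
                         "locations": [{"physicalLocation": {
                             "artifactLocation": {"uri": uri},
                             "region": {"startLine": line}}}]}
                        for rule, uri, line, msg in findings]}]}


# Constructed output of three hypothetical tools; names, rule ids and paths are made up.
SAMPLE_SARIF = [
    _doc("ToolA", [("a/sqli", "app/views.py", 42, "possible SQL injection"),
                   ("a/hardcoded-secret", "app/config.py", 7, "hard-coded credential")]),
    _doc("ToolB", [("b/sql-injection", "app/views.py", 42, "unsanitized query"),
                   ("b/secret", "app/config.py", 7, "secret in source")]),
    _doc("ToolC", [("c/sqli", "app/views.py", 42, "tainted SQL string"),
                   ("c/debug", "app/__init__.py", 3, "debug mode enabled")]),
]


def _locations(result):
    """Yield (uri, startLine) for each physical location attached to a SARIF result."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri")
        if uri is not None:
            yield uri, phys.get("region", {}).get("startLine")


def aggregate(sarif_docs):
    """Merge results of several SARIF docs into {(uri, line): {"tools": ..., "rules": ...}}."""
    merged = defaultdict(lambda: {"tools": set(), "rules": set()})
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            tool = run["tool"]["driver"]["name"]  # required by the SARIF schema
            for result in run.get("results", []):
                for key in _locations(result):
                    merged[key]["tools"].add(tool)
                    merged[key]["rules"].add(result.get("ruleId", "<no ruleId>"))
    return dict(merged)


def ranked(sarif_docs):
    """Locations ordered so those flagged by the most distinct tools come first."""
    return sorted(aggregate(sarif_docs).items(),
                  key=lambda kv: (-len(kv[1]["tools"]), kv[0]))
```

In a CI job the input would be `json.load` of each tool's own SARIF file instead of SAMPLE_SARIF; a location reported by every tool is still not proof of a bug, only a reason to review it first.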
Late into this project, I realized custom GH actions through actions.yml don't seem to support having multiple jobs inside them. The closest thing I found is a composite action, which I will try to do.
Running the different tools concurrently is integral to the project. Even with concurrency, CodeQL is already bottlenecking, and running them one-by-one will reduce the benefits of this project to only convenience.
If the only benefit is just convenience, I would not even use this myself because DIY would be more customizable.
Anyways, gotta try to find a workaround.