RE: SARIF eco-system information

[Yekaterina O'Neil <katrina@microfocus.com>]

Hi all,

Here is the information about MicroFocus Fortify support for SARIF:

• FortifyVulnerabilityExporter can export vulnerability data from both SSC and FoD to GitHub-optimized SARIF format: https://github.com/fortify/FortifyVulnerabilityExporter#github-configuration.
• SSC can also ingest SARIF using https://github.com/fortify-ps/fortify-ssc-parser-sarif. Given the flexibility that the SARIF specification provides, we may not be able to import all possible SARIF outputs, but were able to successfully import some sample outputs from Brakeman, PMD and TFSec.

Hope this helps,

k

 

From: sarif@lists.oasis-open.org <sarif@lists.oasis-open.org> On Behalf Of Michael Fanning
Sent: Thursday, May 27, 2021 7:25 AM
To: sarif@lists.oasis-open.org
Cc: Eddy Nakamura <Eddy.Nakamura@microsoft.com>
Subject: [sarif] SARIF eco-system information

 

Eddy and I, working with GitHub, have created a working list of direct SARIF producers.

MicroFocus and GrammaTech support is conspicuously absent: we will be soliciting appropriate representation in this list on the TC call today.

MCF

 

        BinSkim is a binary-level security checker that validates Window, Mac and *nix binaries. 

        Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.  

        Checkstyle is a Java style guidelines checking. 

        CodeQL is a multilanguage, intraprocedural checker with a large rule set. 

        Clang Analyzer, the LLVM C/C++ checker, has added SARIF export. 

        CredScan is a file scanner that detects plaintext secrets. 

        DartAnalyzer is a dart/flutter analyzer. 

        Detekt is a static code analysis tool for the Kotlin programming language.  

        DevSkim is a set of IDE checkers and language analyzers that provide inline security analysis. 

        Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. 

        ESLint Sarif Formatter enables SARIF export for ESLint, a _javascript_ static analyzer. 

        Flawfinderâis a C/C++ source code security checker. 

        GoSec is a GoLang security checker. 

        Kubesec, backed by ControlPlane.io provides Security risk analysis for Kubernetes resources. 

        MobSF is is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.  

        NodeJSScan is a Static security code scanner (SAST) for Node.js applications. 

        Psalm is an open source tool for finding security vulnerabilities in PHP. 

        PMD is a multilanguage source code analyzer. 

        PSScriptAnalyzer is a static code checker for PowerShell modules and scripts 

        PREfast is the C/C++ correctness checker behind the Microsoft compiler /analyze switch. 

        Roslyn is a platform for analyzing and rewriting C#/VB.NET code. 

        Sarif Pattern Matcherâis a security-focused pattern matcher that detects (and in some cases authenticates) plaintext secrets, sensitive data, etc. 

        Security Code Scan is a Vulnerability Patterns Detector for C# and VB.NET. 

        Semgrep, sponsored by R2C, supports a variety of languages. 

        Soblow is the security-focused static analyzer for the Elixir Phoenix Framework. 

        SpotBugs is a Java code checker. 

        TFSec uses static analysis of your terraform templates to spot potential security issues. 

        Trivy is a vulnerability scanner for containers and other artifacts.