
enhance sarif output (closes #2608) #2925

Merged
merged 4 commits into from
Nov 30, 2022
Conversation

tarunKoyalwar
Member

@tarunKoyalwar tarunKoyalwar commented Nov 29, 2022

Description

Fix and Enhance Static Analysis Results Interchange Format (SARIF) Output

closes #2608

Changes

Run the command below to verify

nuclei -u https://scanme.sh -se report.sarif

Supported Viewers

Generated SARIF output is compatible with all available SARIF viewers

  1. Sarif-WebComponent
  2. VSCode extension (Sarif Viewer)
  3. GitHub repository security -> Code Scanning

Note:

Impact, severity and title are properly configured in the PR. The screenshots below were created using random data to match test cases, hence the result is messed up; the actual/new report generated is proper, without errors.

[Screenshots: github_security, vscode]
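To make concrete what "severity and title properly configured" means for a SARIF consumer, here is an added example (not nuclei's code, and not from this PR) that builds the minimal SARIF 2.1.0 structure the three viewers above all read: one rule per template in `tool.driver.rules`, one result per finding with `ruleId`/`ruleIndex` pointing back at its rule, a `level` derived from the scanner severity, and the affected host as the result location. The `Finding` type, the `example-scanner` driver name, the severity-to-level mapping and the sample findings are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the SARIF 2.1.0 object model that the viewers named in
// the PR (web component, VS Code extension, GitHub code scanning) all read.
type (
	Report struct {
		Version string `json:"version"`
		Runs    []Run  `json:"runs"`
	}
	Run struct {
		Tool    struct{ Driver Driver `json:"driver"` } `json:"tool"`
		Results []Result                                `json:"results"`
	}
	Driver struct {
		Name  string `json:"name"`
		Rules []Rule `json:"rules"`
	}
	Rule struct {
		ID               string            `json:"id"`
		Name             string            `json:"name"`
		ShortDescription Message           `json:"shortDescription"`
		Properties       map[string]string `json:"properties,omitempty"`
	}
	Message struct{ Text string `json:"text"` }
	Result  struct {
		RuleID    string           `json:"ruleId"`
		RuleIndex int              `json:"ruleIndex"`
		Level     string           `json:"level"`
		Message   Message          `json:"message"`
		Locations []map[string]any `json:"locations"`
	}
)

// Finding is a hypothetical flat scanner result: template id, title,
// severity (info/low/medium/high/critical) and affected host.
type Finding struct{ TemplateID, Name, Severity, Host string }

// severityToLevel maps scanner severities onto the four SARIF result levels
// (error, warning, note, none). The mapping is this example's assumption.
func severityToLevel(sev string) string {
	switch strings.ToLower(sev) {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	case "low", "info":
		return "note"
	}
	return "none"
}

// buildReport emits one rule per template and one result per finding, with
// ruleIndex pointing back into the rules array so viewers can group results
// by template, which is how the PR describes the fixed output rendering.
func buildReport(findings []Finding) Report {
	driver := Driver{Name: "example-scanner"} // assumed tool name
	index := map[string]int{}
	results := []Result{}
	for _, f := range findings {
		i, seen := index[f.TemplateID]
		if !seen {
			i = len(driver.Rules)
			index[f.TemplateID] = i
			driver.Rules = append(driver.Rules, Rule{
				ID: f.TemplateID, Name: f.Name, ShortDescription: Message{Text: f.Name},
				// Original severity travels in rule properties so a viewer can show it.
				Properties: map[string]string{"severity": strings.ToLower(f.Severity)},
			})
		}
		results = append(results, Result{
			RuleID: f.TemplateID, RuleIndex: i, Level: severityToLevel(f.Severity),
			Message: Message{Text: fmt.Sprintf("%s detected on %s", f.Name, f.Host)},
			Locations: []map[string]any{{"physicalLocation": map[string]any{
				"artifactLocation": map[string]string{"uri": f.Host}}}},
		})
	}
	run := Run{Results: results}
	run.Tool.Driver = driver
	return Report{Version: "2.1.0", Runs: []Run{run}}
}

func main() {
	// Constructed sample findings; the first mirrors the maintainer's test output.
	findings := []Finding{
		{"self-signed-ssl", "Self-Signed SSL Certificate", "low", "https://scanme.sh"},
		{"self-signed-ssl", "Self-Signed SSL Certificate", "low", "https://example.test"},
		{"example-high", "Example High Finding", "high", "https://scanme.sh"},
	}
	out, err := json.MarshalIndent(buildReport(findings), "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running it prints a report with two rules and three results; the two `self-signed-ssl` findings share `ruleIndex` 0, which is what lets a viewer collapse them under one template heading with a link per host.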

@tarunKoyalwar
Member Author

Nuclei will probably be receiving a UI soon. Currently there are 2 options available to visualize nuclei outputs using SARIF:

1) Using SARIF Web Component

Visit Web-Component and upload the generated SARIF file using Open at the top right corner.

Example nuclei generated sarif file : https://gist.github.com/tarunKoyalwar/f76fc7b55c29e69b1ea1d02f4d6661a8
The UI is clean and minimal, and results are grouped by template with hyperlinks to hosts.

2) Using Github Security page of repo

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v2
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: results.sarif

This can be used along with nuclei-actions or any other method to upload SARIF to the security page of that repo. The output location is the same as CodeQL, i.e. Security -> Code Scanning.

The UI has many filters as shown in the above image, and alerts are scoped to the organization level.

@tarunKoyalwar tarunKoyalwar self-assigned this Nov 29, 2022
@tarunKoyalwar tarunKoyalwar added the Type: Enhancement Most issues will probably ask for additions or changes. label Nov 29, 2022
@tarunKoyalwar tarunKoyalwar linked an issue Nov 29, 2022 that may be closed by this pull request
Member

@Mzack9999 Mzack9999 left a comment

merge conflict - go mod tidy should suffice

Member

@Mzack9999 Mzack9999 left a comment

lgtm!

$ go run . -u https://scanme.sh -se report.sarif
...
[2022-11-30 12:25:39] [self-signed-ssl] [ssl] [low] scanme.sh


@tarunKoyalwar
Member Author

Fixed issue related to result title
Updated result title format
[Screenshot: nuclei_sarifgh]

@tarunKoyalwar
Member Author

@ehsandeep, currently nuclei-actions does not upload SARIF to the security page; maybe we can make it upload to the security page by default.

@ehsandeep ehsandeep merged commit d566ad9 into dev Nov 30, 2022
@ehsandeep ehsandeep deleted the issue-2608-fix-sarif branch November 30, 2022 14:52
Labels
Type: Enhancement Most issues will probably ask for additions or changes.
Development

Successfully merging this pull request may close these issues.

Output SARIF format is confusing / broken
3 participants