open-source icon indicating copy to clipboard operation
open-source copied to clipboard
verified publisher icon baloise

DefectDojo - codeQL setup reflect?

Open MarkusTiede opened this issue 3 years ago • 4 comments

SARIF compatible - interesting for @FT?

In February a new student joins us to continue with DefectDojo. He will contact us for any further cooperation.

MarkusTiede avatar Mar 10 '22 12:03 MarkusTiede

Related issues

  • https://github.com/baloise/open-source/issues/245
  • https://github.com/baloise/open-source/issues/288

MarkusTiede avatar Mar 10 '22 12:03 MarkusTiede

last information

Comparison of codeQL & SonarQube findings: no significant advantages of findings e.g. within code smells, security & co

SARIF is not (yet) supported as interchange format in sonarqube; we wrote a lightweight mapping

current idea / potential

  • write (our own) codeQL queries (@arburk)
  • aggregated view of findings e.g. within defectDojo (@marcellobellini and FT)
    • semgrep - https://semgrep.dev
    • codeQL
  • sequence / ordering / clustering of items currently unknown
    • configurable "flight-altitude"
      • e.g. C-level
      • Security community
      • developer (e.g. also showing up technical debt)

Next exchange: Show & Tell of defectDojo instance tool?

MarkusTiede avatar Mar 10 '22 12:03 MarkusTiede

Basic demonstration of neutral project "Juice Shop" : https://owasp.org/www-project-juice-shop/

MarkusTiede avatar Mar 10 '22 12:03 MarkusTiede

Test instance is ready - contact @MrCode97 for additional information.

MarkusTiede avatar May 05 '22 11:05 MarkusTiede