Adding parser for Veracode SCA (SourceClear) JSON/CSV files #6698
Conversation
d43e855 to 781772d
It's a very interesting PR.
But a few things bother me:
- It seems the CSV and JSON have the same data but not in the same format, but the parsers set values differently. For example, in JSON we set unique_id but in CSV we set vuln_id.
- It seems that the report has Issue and Vuln data, but the parser filters to only have Issue when the type is Vuln. So should we just consider the data of the vuln? This way de-duplication will be easier (we can use the id of the vulnerability directly for de-duplication).
f6523a8 to e7628b6
@damiencarol Thanks for the feedback. I've made all the changes suggested, apart from your second point. The vulnerability data alone isn't enough to parse; for example, the library information isn't in the vulnerability section.
e7628b6 to 992b92b
My comment was more to align data on both parsers (for example, use the vuln id in both parsers for the unique_id_from_tools attribute). You can still use data from the issue for things like components. But the PR is good enough IMO. Let's release this one; more PRs will come if modifications are needed.
Approved
This is a new parser for Veracode SCA (SourceClear). It supports both CSV files that can be exported from the UI, as well as the JSON exports available via the API.