Improve shortDescription in SARIF reports #3008
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

candrews added the kind/feature label on Oct 11, 2022
candrews added a commit to candrews/trivy that referenced this issue on Oct 11, 2022:

…IF reports (aquasecurity#3008)

Use the vulnerability title as the value of shortDescription.

> The shortDescription property SHOULD be a single sentence that is understandable when visible space is limited to a single line of text.

See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317845

Signed-off-by: Craig Andrews <candrews@integralblue.com>
SARIF allows a "shortDescription" to be provided. See: https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317845

Currently, Trivy sets the shortDescription to the id of the vulnerability, which is not very readable or understandable. For example:

A shortDescription of CVE-2020-13844 isn't "understandable". I suggest the vulnerability "title" be used instead, which in this case would be: kernel: ARM straight-line speculation vulnerability
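As an added illustration, not Trivy's own code, the rule-building logic the issue proposes, in Go: shortDescription takes the vulnerability title, collapsed to a single line as the SARIF spec asks, and falls back to the id only when no title exists. The Vulnerability struct, its field names and the sample description are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability is a constructed stand-in for a scanner finding (field names are assumptions).
type Vulnerability struct {
	ID          string
	Title       string
	Description string
}

// Message mirrors the SARIF 2.1.0 "message" object (only the text property is used here).
type Message struct {
	Text string `json:"text"`
}

// ReportingDescriptor is the subset of a SARIF "reportingDescriptor" (a rule) relevant to the issue.
type ReportingDescriptor struct {
	ID               string   `json:"id"`
	ShortDescription Message  `json:"shortDescription"`
	FullDescription  *Message `json:"fullDescription,omitempty"`
}

// ShortDescriptionFor returns the one-line text for shortDescription: the title with
// newlines and repeated whitespace collapsed, or the vulnerability id when there is no title.
func ShortDescriptionFor(v Vulnerability) string {
	title := strings.Join(strings.Fields(v.Title), " ")
	if title == "" {
		return v.ID // keep the old behaviour only as a fallback
	}
	return title
}

// RuleFor builds the SARIF rule: the rule id stays the CVE so downstream tooling can key on it,
// while the human-facing shortDescription carries the title.
func RuleFor(v Vulnerability) ReportingDescriptor {
	rule := ReportingDescriptor{ID: v.ID, ShortDescription: Message{Text: ShortDescriptionFor(v)}}
	if desc := strings.TrimSpace(v.Description); desc != "" {
		rule.FullDescription = &Message{Text: desc}
	}
	return rule
}

func main() {
	v := Vulnerability{ID: "CVE-2020-13844", Title: "kernel: ARM straight-line speculation vulnerability",
		Description: "constructed placeholder description for the example"}
	out, _ := json.MarshalIndent(RuleFor(v), "", "  ")
	fmt.Println(string(out))
}
```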