
cbom reporting contextRegion line numbers, instead of specific line number (from region) #6

Open

mtcolman opened this issue Dec 8, 2023 · 1 comment · May be fixed by #5

Comments

@mtcolman
Contributor

mtcolman commented Dec 8, 2023

In the cbom.json, instead of reporting the specific line of the finding, I get multiple lines:

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1,
            2,
            3
        ]
    },

My output.sarif file gives two sections of detail on the finding: region and contextRegion. region gives the precise line(s) and this would be more useful in the cbom (in my opinion).

"detectionContext": [
    {
        "additionalContext": "from hashlib import md5",
        "filePath": "sqli/dao/dummy.py",
        "lineNumbers": [
            1
        ]
    },

Have created #5 with code update for this.

@mtcolman mtcolman linked a pull request Dec 8, 2023 that will close this issue
@emilejq
Contributor

emilejq commented Dec 8, 2023

This really is by design. Using a single line number would lose information that provides important additional context about the crypto asset, such as modes and padding schemes for algorithms, key sizes, cryptographic operations and just generally the wider context in which the asset is used.

It's quite easy for someone to find an exact line in the wider code snippet using the additional information that is provided. In the case of algorithms for instance, the specific algorithm is still given in the variant field, so it's quite easy for someone to pinpoint the precise location whilst still benefitting from having the additional context of the code either side of it.
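To make the two positions in this thread concrete, here is an added example (not the project's code and not from either commenter) that reads a SARIF result and builds a CBOM-style detectionContext entry either from the wider contextRegion, as the issue reports, or from the precise region, as #5 proposes. It also shows the maintainer's point: given the contextRegion lines plus a distinguishing string such as the algorithm name, the exact line can be recovered from the snippet. The SARIF field names (region, contextRegion, startLine, endLine, snippet.text, artifactLocation.uri) are standard SARIF 2.1.0; the sample SARIF document and the rule id in it are constructed for this illustration, and the detectionContext shape simply mirrors the JSON quoted in the issue.

```python
"""Map SARIF result locations to CBOM-style detectionContext entries.

Added example, not the cbom project's code. The sample SARIF document
below is constructed; the field names are standard SARIF 2.1.0.
"""
import json

# Constructed SARIF input: one finding whose precise region is line 1 but
# whose contextRegion spans lines 1-3 (the situation described in the issue).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [{
            "ruleId": "md5-usage",  # constructed rule id, not a real tool's
            "message": {"text": "from hashlib import md5"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": "sqli/dao/dummy.py"},
                    "region": {"startLine": 1, "endLine": 1},
                    "contextRegion": {
                        "startLine": 1,
                        "endLine": 3,
                        "snippet": {"text": (
                            "from hashlib import md5\n"
                            "import os\n"
                            "digest = md5(b'x').hexdigest()\n"
                        )},
                    },
                }
            }],
        }]
    }],
})


def _line_span(region):
    """Expand a SARIF region into an inclusive list of line numbers.
    SARIF defaults endLine to startLine when it is absent."""
    if not region or "startLine" not in region:
        return []
    start = region["startLine"]
    end = region.get("endLine", start)
    return list(range(start, end + 1))


def detection_contexts(sarif_text, use_context_region=True):
    """Build detectionContext entries for every result location.

    use_context_region=True reproduces the wider contextRegion lines the
    issue reports; False narrows to the precise region lines, as #5 proposes.
    """
    doc = json.loads(sarif_text)
    entries = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            text = result.get("message", {}).get("text", "")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                chosen = phys.get("contextRegion") if use_context_region else None
                # Fall back to region when the producer emitted no contextRegion.
                if chosen is None:
                    chosen = phys.get("region")
                entries.append({
                    "additionalContext": text,
                    "filePath": phys.get("artifactLocation", {}).get("uri", ""),
                    "lineNumbers": _line_span(chosen),
                })
    return entries


def pinpoint_line(entry, snippet_text, needle):
    """Recover the precise line from a contextRegion-based entry by searching
    the snippet for a distinguishing string (e.g. the algorithm variant).
    Returns the absolute line number, or None if the string is not present."""
    if not entry["lineNumbers"]:
        return None
    first = entry["lineNumbers"][0]
    for offset, line in enumerate(snippet_text.splitlines()):
        if needle in line:
            return first + offset
    return None


if __name__ == "__main__":
    for wide in (True, False):
        label = "contextRegion" if wide else "region"
        print(label, json.dumps(detection_contexts(SAMPLE_SARIF, wide), indent=2))
    ctx = detection_contexts(SAMPLE_SARIF, True)[0]
    snippet = json.loads(SAMPLE_SARIF)["runs"][0]["results"][0]["locations"][0][
        "physicalLocation"]["contextRegion"]["snippet"]["text"]
    print("md5 import is on line", pinpoint_line(ctx, snippet, "md5"))
```

Running the script prints the contextRegion form (lineNumbers 1, 2, 3) next to the region form (lineNumbers 1) for the same finding, then shows that the import line can still be located from the wider entry by searching the snippet for the algorithm name. Consumers that need a single line can apply pinpoint_line to the existing output without changing the CBOM format.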
