#sarif

Habr<p>PVS-Studio complies with the requirements of GOST R 71207-2024 (static analysis of software)</p><p>The PVS-Studio tool is developed with the requirements that GOST R 71207-2024 imposes on static analyzers in mind; it detects critical errors and can be used in secure software development. We look at the functional capabilities implemented in PVS-Studio as of the end of 2024 for analysing source code written in the compiled programming languages C, C++, C# and Java.</p><p><a href="https://habr.com/ru/companies/pvs-studio/articles/868578/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">habr.com/ru/companies/pvs-stud</span><span class="invisible">io/articles/868578/</span></a></p><p><a href="https://zhub.link/tags/pvsstudio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pvsstudio</span></a> <a href="https://zhub.link/tags/%D0%B8%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>информационная_безопасность</span></a> <a href="https://zhub.link/tags/%D1%81%D1%82%D0%B0%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B8%D0%B9_%D0%B0%D0%BD%D0%B0%D0%BB%D0%B8%D0%B7_%D0%BA%D0%BE%D0%B4%D0%B0" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>статический_анализ_кода</span></a> <a href="https://zhub.link/tags/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_712072024" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ГОСТ_Р_712072024</span></a> <a href="https://zhub.link/tags/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_71207" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ГОСТ_Р_71207</span></a> <a href="https://zhub.link/tags/%D0%93%D0%9E%D0%A1%D0%A2_%D0%A0_56939" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>ГОСТ_Р_56939</span></a> <a href="https://zhub.link/tags/SAST" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SAST</span></a> <a href="https://zhub.link/tags/c" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>c</span></a> <a href="https://zhub.link/tags/c" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>c</span></a>++ <a href="https://zhub.link/tags/java" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>java</span></a> <a href="https://zhub.link/tags/c" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>c</span></a># <a href="https://zhub.link/tags/%D1%81%D0%B8" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>си</span></a> <a href="https://zhub.link/tags/%D1%81%D0%B8" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>си</span></a>++ <a href="https://zhub.link/tags/static_code_analysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>static_code_analysis</span></a> <a href="https://zhub.link/tags/%D0%B0%D0%BD%D0%B0%D0%BB%D0%B8%D0%B7_%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D1%8B" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>анализ_программы</span></a> <a href="https://zhub.link/tags/%D0%B0%D0%BD%D0%B0%D0%BB%D0%B8%D0%B7_%D0%BF%D0%BE%D1%82%D0%BE%D0%BA%D0%BE%D0%B2_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D1%85" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>анализ_потоков_данных</span></a> <a href="https://zhub.link/tags/%D0%BA%D0%BE%D0%BD%D1%82%D0%B5%D0%BA%D1%81%D1%82%D0%BD%D0%BE%D1%87%D1%83%D0%B2%D1%81%D1%82%D0%B2%D0%B8%D1%82%D0%B5%D0%BB%D1%8C%D0%BD%D1%8B%D0%B9_%D0%B0%D0%BD%D0%B0%D0%BB%D0%B8%D0%B7" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>контекстночувствительный_анализ</span></a> <a 
href="https://zhub.link/tags/%D0%BA%D1%80%D0%B8%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B8%D0%B5_%D0%BE%D1%88%D0%B8%D0%B1%D0%BA%D0%B8" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>критические_ошибки</span></a> <a href="https://zhub.link/tags/CWE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CWE</span></a> <a href="https://zhub.link/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> <a href="https://zhub.link/tags/%D0%A0%D0%91%D0%9F%D0%9E" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>РБПО</span></a> <a href="https://zhub.link/tags/%D1%80%D0%B0%D0%B7%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D0%BA%D0%B0_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D0%B3%D0%BE_%D0%9F%D0%9E" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>разработка_безопасного_ПО</span></a> <a href="https://zhub.link/tags/%D0%B8%D1%81%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5_%D1%87%D1%83%D0%B2%D1%81%D1%82%D0%B2%D0%B8%D1%82%D0%B5%D0%BB%D1%8C%D0%BD%D1%8B%D1%85_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D1%85" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>использование_чувствительных_данных</span></a></p>
Joxean Koret (@matalaz)<p>TIL there is a thing called <a href="https://mastodon.social/tags/Sarif" class="mention hashtag" rel="tag">#<span>Sarif</span></a>, a Static Analysis Results Interchange Format, developed by Microsoft.<br /><a href="https://groups.oasis-open.org/communities/tc-community-home2?CommunityKey=c64ae352-bebf-446d-8ebf-018dc7d3eeb0" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">groups.oasis-open.org/communit</span><span class="invisible">ies/tc-community-home2?CommunityKey=c64ae352-bebf-446d-8ebf-018dc7d3eeb0</span></a></p>
Marco Ivaldi<p>Awesome tool released by <span class="h-card" translate="no"><a href="https://infosec.exchange/@trailofbits" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>trailofbits</span></a></span> ✊ </p><p>Streamline your static analysis triage with <a href="https://infosec.exchange/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> Explorer</p><p><a href="https://blog.trailofbits.com/2024/03/20/streamline-the-static-analysis-triage-process-with-sarif-explorer/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.trailofbits.com/2024/03/2</span><span class="invisible">0/streamline-the-static-analysis-triage-process-with-sarif-explorer/</span></a></p>
ϺΛDИVTTΛH<p>Yup. The nightly build is there. I'm pretty confident that the <a href="https://fosstodon.org/tags/automatedBuild" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>automatedBuild</span></a> will run too. :blobcatgiggle: </p><p>I've added <a href="https://fosstodon.org/tags/trivy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>trivy</span></a> <a href="https://fosstodon.org/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensource</span></a> <a href="https://fosstodon.org/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> scanner. It will run on schedule for testing and will be later included into the <a href="https://fosstodon.org/tags/cd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cd</span></a> <a href="https://fosstodon.org/tags/pipeline" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pipeline</span></a>. The <a href="https://fosstodon.org/tags/sarif" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sarif</span></a> report will be attached to madnuttah bot's releases as build artifact. 
</p><p><a href="https://fosstodon.org/tags/unbound" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>unbound</span></a> <a href="https://fosstodon.org/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://fosstodon.org/tags/dnssec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dnssec</span></a> <a href="https://fosstodon.org/tags/workflow" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>workflow</span></a> <a href="https://fosstodon.org/tags/github" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>github</span></a> <a href="https://fosstodon.org/tags/transparency" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>transparency</span></a> </p><p><a href="https://github.com/madnuttah/unbound-docker" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/madnuttah/unbound-d</span><span class="invisible">ocker</span></a></p>
Anders Eknert<p>Took some time to look into implementing a <a href="https://hachyderm.io/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> output format option for <a href="https://hachyderm.io/tags/Regal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Regal</span></a> yesterday. Regal is a linter, and SARIF is a standard format for static analysis, so it seemed like a reasonable thing to have. The specification however is 280 pages long! 😫 I skipped that and went straight for the libraries. Found one for <a href="https://hachyderm.io/tags/golang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>golang</span></a> and had a PR up an hour later. Just a prettier way to build a struct for marshaling really, but I’ll take that over 280 pages of SHALL, MAY and MUST.</p>
aegilops :github::microsoft:<p>I've made a Python :python: code linting Action ▶️ for GitHub :github: Code Scanning.</p><p>It wraps up <a href="https://fosstodon.org/tags/Ruff" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ruff</span></a>, <a href="https://fosstodon.org/tags/Flake8" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Flake8</span></a>, <a href="https://fosstodon.org/tags/Pylint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pylint</span></a>, <a href="https://fosstodon.org/tags/Fixit2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fixit2</span></a>, <a href="https://fosstodon.org/tags/Mypy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mypy</span></a>, <a href="https://fosstodon.org/tags/Pyright" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pyright</span></a> and <a href="https://fosstodon.org/tags/Pytype" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Pytype</span></a> into an Action that uploads to Code Scanning, part of Advanced Security, the GitHub appsec platform.</p><p>ℹ️ that’s free for open source repos hosted on GitHub!</p><p>Read 📖 about it👇 on my blog:<br><a href="https://lnkd.in/es_pd2W6" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">lnkd.in/es_pd2W6</span><span class="invisible"></span></a></p><p>Try ⚙️ it👇 on the Actions ▶️ marketplace:<br><a href="https://lnkd.in/ei7-H2V9" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">lnkd.in/ei7-H2V9</span><span class="invisible"></span></a></p><p><a href="https://fosstodon.org/tags/Python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Python</span></a> <a href="https://fosstodon.org/tags/Linting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linting</span></a> 
<a href="https://fosstodon.org/tags/CodeQuality" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CodeQuality</span></a> <a href="https://fosstodon.org/tags/Linters" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linters</span></a> <a href="https://fosstodon.org/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> <a href="https://fosstodon.org/tags/GitHubActions" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GitHubActions</span></a></p>
Marco Ivaldi<p>I've recently started using the <a href="https://infosec.exchange/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> Viewer extension to view <a href="https://infosec.exchange/tags/semgrep" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>semgrep</span></a> scan results in <a href="https://infosec.exchange/tags/vscode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vscode</span></a> and it's awesome!</p><p>It provides a much more streamlined experience compared to what I was used to. I recommend to try it out, it might drastically improve your workflow.</p><p><a href="https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">marketplace.visualstudio.com/i</span><span class="invisible">tems?itemName=MS-SarifVSCode.sarif-viewer</span></a></p>
aegilops :github::microsoft:<p>I’ve released 🤲 a GitHub Action to convert Dart/Flutter analyzer output to SARIF.</p><p>That lets you upload ⬆️ the results to GitHub Advanced Security, as I show in a sample workflow.</p><p><a href="https://github.com/advanced-security/dart-analyzer-sarif" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/advanced-security/d</span><span class="invisible">art-analyzer-sarif</span></a></p><p><a href="https://fosstodon.org/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://fosstodon.org/tags/Dart" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Dart</span></a> <a href="https://fosstodon.org/tags/Flutter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Flutter</span></a> <a href="https://fosstodon.org/tags/Linting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linting</span></a> <a href="https://fosstodon.org/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> <a href="https://fosstodon.org/tags/GitHub" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GitHub</span></a></p>
Sebastian Bergmann :phpunit:<p>TIL: there is Static Analysis Results Interchange Format (<a href="https://phpc.social/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a>):</p><p><a href="https://developers.redhat.com/articles/2023/05/31/improvements-static-analysis-gcc-13-compiler#sarif_output" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">developers.redhat.com/articles</span><span class="invisible">/2023/05/31/improvements-static-analysis-gcc-13-compiler#sarif_output</span></a></p><p>Wondering what the benefits could be for <a href="https://phpc.social/tags/PHP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHP</span></a> if <a href="https://phpc.social/tags/Psalm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Psalm</span></a> and/or <a href="https://phpc.social/tags/PHPStan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHPStan</span></a> supported this.</p>
aegilops :github::microsoft:<p>I have a plan around <a href="https://fosstodon.org/tags/Scala" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Scala</span></a> :scala: </p><p>I want to statically analyse it using tools that understand <a href="https://fosstodon.org/tags/Java" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Java</span></a> :java: , by decompiling the .class files that the Scala source compiles to, then analysing the decompiled Java source.</p><p>That works 💪 (on trivial stuff!) but I need to match up line numbers. Scala‘s debug output in .tasty files and some decompiler info should do, but I haven’t done it yet.</p><p>Thoughts?</p><p>Know a good static analyser for Scala that outputs SARIF?</p><p><a href="https://fosstodon.org/tags/SAST" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SAST</span></a> <a href="https://fosstodon.org/tags/decompilation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>decompilation</span></a> <a href="https://fosstodon.org/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a></p>
Brad Larsen<p>What tools / services do you use that import and do something interesting with SARIF static analysis results?</p><p>For example, GitHub Code Analysis understands SARIF. There is also a VSCode viewer plugin.</p><p>Context: thinking about adding SARIF output support to Nosey Parker, the secrets detector I'm working on: <a href="https://github.com/praetorian-inc/noseyparker" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/praetorian-inc/nose</span><span class="invisible">yparker</span></a></p><p><a href="https://infosec.exchange/tags/sarif" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sarif</span></a> <a href="https://infosec.exchange/tags/sast" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sast</span></a> <a href="https://infosec.exchange/tags/staticanalysis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>staticanalysis</span></a></p>
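Both Anders's post (building a struct for marshalling) and Brad's (adding SARIF output to a secrets detector) come down to emitting the same small JSON shape. The following is an added example, not code from Regal, Nosey Parker or any other project mentioned on this page: it builds a SARIF 2.1.0 log from a scanner's findings and counts results per level the way a viewer or CI gate would. The tool name, rule ids, file paths and findings are constructed for illustration; the property names (`runs`, `tool.driver.rules`, `results`, `locations`, `physicalLocation`, `region`) follow the SARIF 2.1.0 specification, and the `$schema` URL is the schemastore copy of that schema.

```python
"""Emit a minimal SARIF 2.1.0 log from scanner findings (added example)."""
import json
from dataclasses import dataclass
from typing import Optional

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# Values SARIF 2.1.0 allows for result.level
SARIF_LEVELS = {"none", "note", "warning", "error"}


@dataclass(frozen=True)
class Rule:
    id: str               # stable rule identifier, reported as result.ruleId
    name: str
    description: str
    default_level: str = "warning"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str             # artifact path relative to the scanned checkout root
    line: int             # 1-based, as SARIF regions require
    column: int           # 1-based
    message: str          # for a secrets scanner: describe, never echo the secret
    level: Optional[str] = None   # overrides the rule's default level


def to_sarif(tool_name: str, tool_version: str,
             rules: list, findings: list) -> dict:
    """Build the SARIF log as a plain dict; raises ValueError on bad input."""
    rule_index = {r.id: i for i, r in enumerate(rules)}
    driver_rules = [
        {
            "id": r.id,
            "name": r.name,
            "shortDescription": {"text": r.description},
            "defaultConfiguration": {"level": r.default_level},
        }
        for r in rules
    ]
    results = []
    for f in findings:
        if f.rule_id not in rule_index:
            raise ValueError(f"finding references unknown rule {f.rule_id!r}")
        if f.line < 1 or f.column < 1:
            raise ValueError("SARIF regions use 1-based line and column numbers")
        level = f.level or rules[rule_index[f.rule_id]].default_level
        if level not in SARIF_LEVELS:
            raise ValueError(f"invalid SARIF level {level!r}")
        results.append({
            "ruleId": f.rule_id,
            "ruleIndex": rule_index[f.rule_id],   # index into driver.rules
            "level": level,
            "message": {"text": f.message},
            "locations": [{
                "physicalLocation": {
                    # GitHub Code Scanning resolves %SRCROOT% to the checkout root
                    "artifactLocation": {"uri": f.path, "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f.line, "startColumn": f.column},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": driver_rules}},
            "results": results,
        }],
    }


def render(log: dict) -> str:
    """Serialise the log; SARIF is plain JSON, so json.dumps is all that is needed."""
    return json.dumps(log, indent=2)


def summarize(log: dict) -> dict:
    """Count results per level, the read a viewer or a CI quality gate performs."""
    counts = {}
    for run in log["runs"]:
        for result in run["results"]:
            counts[result["level"]] = counts.get(result["level"], 0) + 1
    return counts


# Constructed sample data: a hypothetical secrets scanner and two findings.
DEMO_RULES = [
    Rule("secret.generic-api-key", "GenericApiKey", "Possible hard-coded API key", "error"),
    Rule("secret.weak-entropy", "WeakEntropy", "Low-entropy token-like string", "note"),
]
DEMO_FINDINGS = [
    Finding("secret.generic-api-key", "src/config.py", 12, 15,
            "Hard-coded API key assigned to API_KEY"),
    Finding("secret.weak-entropy", "tests/fixtures.py", 3, 9,
            "Token-like literal with low entropy", level="warning"),
]

if __name__ == "__main__":
    demo_log = to_sarif("demo-scanner", "0.1.0", DEMO_RULES, DEMO_FINDINGS)
    print(render(demo_log))
    print(summarize(demo_log))
```

Two design points carried by the code: `ruleIndex` must point into the `driver.rules` array, so rules are registered once and results refer to them by id and index rather than duplicating descriptions; and for a secrets scanner the `message.text` describes the finding without including the matched value, because SARIF logs are uploaded to CI systems and code-scanning dashboards where the secret would otherwise be stored again.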
check-spelling<p>coming attractions</p>
ZAP<p>ZAP Reports now support <a href="https://infosec.exchange/tags/SARIF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SARIF</span></a> thanks to <a href="https://github.com/de-jcup" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">github.com/de-jcup</span><span class="invisible"></span></a><br> <br><a href="https://www.zaproxy.org/docs/desktop/addons/report-generation/report-sarif-json/" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">zaproxy.org/docs/desktop/addon</span><span class="invisible">s/report-generation/report-sarif-json/</span></a></p>