We are lacking a proper tool for checking the vulnerabilities produced by scanners, so our unit tests currently only check that the results approximately look like what they are supposed to.
We should build a tool that asserts that the list of results produced by a scanner is exactly the expected one and that all the fields listed in it are valid. More specifically, we need to make sure that the data sources are set as expected, the affected code is set if the result is a SAST/SCA result, the fine lines are greater than zero, the line numbers are all equal to or greater than zero, the filenames are normalised and relative to the root of the repo, etc.
The utility should take a list of findings from the scanner and a list of expected results and compare the two.
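One way the utility could look, as an added example and not the project's own code: a helper that validates each field of a finding (data source set, affected code present for SAST/SCA results, non-negative line number, filename normalised and relative to the repo root) and then compares the scanner output with the expected list exactly. The `Finding` fields and the category names are assumptions for the example, not the project's schema.

```python
"""Added example (not the project's code): exact comparison of scanner
findings against an expected list, plus per-field validation.
Field names (title, filename, line, data_source, category, affected_code)
are assumptions, not the project's actual result schema."""
import posixpath
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)  # frozen so findings are hashable and comparable
class Finding:
    title: str
    filename: str
    line: int
    data_source: str
    category: str  # assumed values, e.g. "SAST", "SCA", "SECRETS"
    affected_code: Optional[str] = None


def validate_finding(f: Finding) -> List[str]:
    """Return the list of field-level problems with one finding (empty if valid)."""
    errors = []
    if not f.data_source:
        errors.append(f"{f.title}: data_source is empty")
    if f.category in ("SAST", "SCA") and not f.affected_code:
        errors.append(f"{f.title}: affected_code missing for {f.category} result")
    if f.line < 0:
        errors.append(f"{f.title}: line {f.line} is negative")
    # Filenames must be relative to the repo root: no absolute path, no "./" prefix.
    if posixpath.isabs(f.filename) or f.filename.startswith("./"):
        errors.append(f"{f.title}: filename {f.filename!r} is not relative to the repo root")
    # Filenames must already be in normalised form (no "..", no "//", no trailing "/").
    if posixpath.normpath(f.filename) != f.filename or ".." in f.filename.split("/"):
        errors.append(f"{f.title}: filename {f.filename!r} is not normalised")
    return errors


def compare_findings(actual: Sequence[Finding], expected: Sequence[Finding]) -> List[str]:
    """Validate every actual finding, then require the actual and expected lists
    to contain exactly the same findings (order-insensitive, duplicates counted)."""
    errors = []
    for f in actual:
        errors.extend(validate_finding(f))
    actual_counts, expected_counts = Counter(actual), Counter(expected)
    for f, n in (expected_counts - actual_counts).items():
        errors.append(f"missing expected finding {f.title!r} at {f.filename}:{f.line} (x{n})")
    for f, n in (actual_counts - expected_counts).items():
        errors.append(f"unexpected finding {f.title!r} at {f.filename}:{f.line} (x{n})")
    return errors


def assert_findings(actual: Sequence[Finding], expected: Sequence[Finding]) -> None:
    """Test-suite entry point: raise AssertionError listing every mismatch at once."""
    errors = compare_findings(actual, expected)
    if errors:
        raise AssertionError("scanner results do not match expectations:\n  " + "\n  ".join(errors))


# Constructed sample findings (not real scanner output).
GOOD = Finding("Hardcoded password", "src/app/config.py", 12, "bandit", "SAST", "PASSWORD = 'hunter2'")
BAD_PATH = Finding("Vulnerable dependency", "/repo/requirements.txt", 3, "pip-audit", "SCA", "requests==2.19.0")
NO_CODE = Finding("SQL injection", "src/db.py", 40, "semgrep", "SAST")

if __name__ == "__main__":
    assert_findings([GOOD], [GOOD])  # passes silently
    for problem in compare_findings([GOOD, BAD_PATH, NO_CODE], [GOOD]):
        print(problem)
```

The comparison is a multiset comparison rather than a positional one, so a scanner that emits the same findings in a different order still passes; if the project relies on ordering, replacing the `Counter` logic with a plain list equality is the only change needed. Collecting all errors before raising means one test run reports every bad field and every missing or extra finding instead of stopping at the first.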