Integrate third-party Code Scan Results into Mend SAST
Overview
Some programming languages that are not covered by Mend.io may have dedicated open source scanners (e.g., Kani). Mend SAST allows you to import the scans/findings from such scanners into the Mend AppSec Platform using an API, so they can all be consumed by security managers alongside the Mend SAST results via the Mend AppSec Platform UI, maintaining a uniform user experience and retaining the Mend Platform as a single hub for all AppSec findings.
Use Cases
Security managers should be able to run any tool of preference and import the results from that tool into the Mend AppSec Platform to have them displayed side-by-side with the regular Code scans/findings.
Getting it done
To import scans/findings from a 3rd-party tool into the Mend AppSec Platform, run the following Mend CLI command:
mend code import --dir <projectDir> --scope <scope> --import-file <pathToFile>
The command will import the results from the specified file, process them (signatures, suppressions etc.) and try to extract snippets from the specified project directory.
A Successful Import in the Mend CLI
Import Format
This section is designed to help you map the output of the 3rd-party tool to Mend.io’s SARIF-like JSON format.
JSON Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Scan Results Schema",
"type": "object",
"description": "Root object for the scan results",
"properties": {
"tool": {
"type": "object",
"description": "Information about the tool used",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Tool name must not be empty"
},
"version": {
"type": "string",
"description": "Tool version can be empty or non-empty, no specific restriction"
}
},
"required": [
"name",
"version"
]
},
"run": {
"type": "object",
"description": "Run object",
"properties": {
"language": {
"type": "string",
"minLength": 1,
"description": "Language must not be empty"
},
"findings": {
"type": "array",
"description": "List of findings for this run",
"items": {
"type": "object",
"properties": {
"type": {
"type": "object",
"description": "Type details of the finding",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Finding type name must not be empty"
},
"severity": {
"type": "string",
"enum": [
"critical",
"high",
"medium",
"low",
"unknown"
],
"description": "Possible severities for the finding"
},
"description": {
"type": "string",
"description": "Optional description"
},
"cwe": {
"type": "integer",
"minimum": 1,
"description": "If provided, cwe must be >= 1 (i.e., can't be 0)"
}
},
"required": [
"name",
"severity"
]
},
"description": {
"type": "string",
"description": "Optional top-level description for the finding"
},
"sink": {
"type": "object",
"description": "Sink location details for the finding",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Sink name must not be empty"
},
"file": {
"type": "string",
"minLength": 1,
"description": "Sink file must not be empty"
},
"line": {
"type": "integer",
"minimum": 1,
"description": "Sink line must not be 0"
}
},
"required": [
"name",
"file",
"line"
]
},
"flows": {
"type": "array",
"description": "Optional flow trace for the finding",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"description": "Flow name must not be empty if present"
},
"file": {
"type": "string",
"minLength": 1,
"description": "Flow file must not be empty if present"
},
"line": {
"type": "integer",
"minimum": 1,
"description": "Flow line must not be 0 if present"
}
},
"required": [
"name",
"file",
"line"
]
}
}
},
"required": [
"type",
"sink"
]
}
}
},
"required": [
"language",
"findings"
]
}
},
"required": [
"tool",
"run"
]
}JSON file example with schema import
{
"$schema": "./import-schema.json",
"tool": {
"name": "SomeTool",
"version": ""
},
"run": {
"language": "Scala",
"metrics": {
"files": 100,
"lines": 10000
},
"findings": [
{
"type": {
"name": "SQL Injection",
"severity": "high",
"description": "",
"cwe": 89
},
"compliance": [
"pci-dss"
],
"description": "",
"sink": {
"name": "executeQuery",
"file": "/some/path/somefile.scala",
"line": 34
},
"flows": [
{
"name": "something",
"file": "/some/path/somefile.scala",
"line": 56
}
]
}
]
}
}Limitations
Configuration of the 3rd party tool is required for the import; it cannot be achieved using Mend.io’s scan configuration mechanism.
If an imported finding has a CWE not natively supported by Mend.io, it will not be mapped to a compliance standard.