Improve usefulness of generic output #28
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…kdown Extract cwe, owasp, subcategory, fix, and references from extra.metadata into alert props. Auto-generate clickable reference URLs from CWE/OWASP IDs. Build a detailedReport markdown blob (matching TruffleHog/Trivy pattern) so the dashboard can display actionable finding details. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- scripts/update_cwe_catalog.py: Fetches full MITRE CWE catalog (Research Concepts view), maps each entry to a vulnerability category and OWASP Top 10 2021 classification, and generates a Python dict at socket_basics/core/connector/opengrep/cwe_catalog.py - 946 entries covering all software CWEs including 2 synthetic entries for deprecated pillar CWEs still referenced by our rules - All 90 CWEs used in our rules are properly categorized - Re-run `python scripts/update_cwe_catalog.py` to update when MITRE publishes new entries - docs/alert-quality-improvement-plan.md: Phased implementation plan for improving alert quality across connector, rules, and messages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- CWE coverage: 498/499 rules (js-react-missing-key has no CWE), not 499 - Top 20 CWEs cover 68% of rules by count, not ~80% - Severity breakdown: Critical 95, High 184, Medium 159, Low 61 - Critical+High fix target: 279 rules, not ~220 - Phase 1 scope clarified: applies to alerts with a CWE (498/499) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 1 of alert quality improvement: - Import CWE_CATALOG and look up each alert's CWE at scan time - Add vulnerabilityName and vulnerabilityCategory to alert props - Add enrichedDescription from CWE catalog when rule message is sparse - Extract additional metadata: vulnerability_class, likelihood, impact, technology, framework - Add "What is CWE-X?" explainer section to detailedReport markdown Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…OWASP Phase 2 of alert quality improvement: - subcategory: 103/499 -> 499/499 (derived from CWE for missing rules) - vulnerability_class: 0/499 -> 499/499 (new field, mapped from subcategory) - owasp: 93/499 -> 441/499 (mapped from CWE, 58 rules have no natural mapping) - references: 1/499 -> 42/499 (framework-specific docs for 41 rules) - scripts/enrich_rules.py: reproducible script for future rule enrichment Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…h rules Phase 3 of alert quality improvement: - Messages < 60 chars: 403 -> 0 (all now follow What/Why/How pattern) - Fix metadata: 2/499 -> 279/499 (100% of critical+high rules) - Fix text is language-specific with concrete API recommendations - scripts/rewrite_messages.py: reproducible script for future updates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 4 of alert quality improvement: - Pass --dataflow-traces to OpenGrep CLI for taint source-to-sink data - Extract dataflow_trace into alert props.dataflowTrace with source, sink, and intermediate variable information - Add "Data Flow" section to detailedReport markdown for taint alerts - Handle list/dict variants in trace structure defensively Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The location dict was missing the file path, which all downstream consumers (normalizer, base notifier, and all OpenGrep notifiers) expect under 'path'. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enrich OpenGrep SAST alerts with actionable metadata
This PR is the result of the hackathon.
Problem: OpenGrep alerts were bare-bones — just a rule ID, a one-liner message, severity, and line numbers. No CWE/OWASP references, no file path in the location, no fix guidance, and no detailed report for the dashboard.
Meanwhile, TruffleHog and Trivy alerts already had rich
detailedReportmarkdown and full metadata. This made OpenGrep findings harder to triage and less useful to consumers (PR comments, Jira tickets, dashboard).What changed:
cwe_catalog.py) so alerts include human-readable CWE names and descriptions, not just numeric IDs. Includes a generator script for future updates.--dataflow-tracesin the OpenGrep CLI invocation. Taint-mode alerts now include source-to-sink flow paths in bothprops.dataflowTraceand thedetailedReportmarkdown.alert.locationso the normalizer, notifiers, and all downstream consumers can resolve file paths correctly.