Conversation

@Logicmn Logicmn commented Jul 11, 2025

Description

Hello! The current parser implementation for GitHub code scanning results is baked into the "Github Vulnerability Scan" scan type, which is a parser originally meant to be used for GitHub SCA (Dependabot) vulnerabilities. Since these two scan types are exceptionally different, issues can arise, especially around the fields used for deduplication in the hash code. This PR splits out GitHub code scanning into its own GithubSASTParser, with a scan-type string called "Github SAST Scan". I have included documentation, unit tests, and a new list of fields for hash code deduplication.

I also included several improvements for the original Github Vulnerability Scan parser. These improvements include:

  • Add support for the cvssSeverities field, which will replace the cvss field in GitHub's GraphQL response in October 2025.
  • Add the permalink from the dependabotUpdate field to the finding description
  • Add GitHub's now supported epss percentage and percentile to finding.epss_score and finding.epss_percentile finding fields
  • Set finding.url to GitHub Dependabot alert hyperlink for convenience
  • Improve vulnerability ID handling (now explicitly sets finding.cve and finding.vuln_id_from_tool fields before falling back to unsaved_vulnerability_ids)
  • Fix a bug where finding.component_version was only being set when the vulnerableRequirements str started with =
  • Improve defensive coding where applicable, like using .get() to access fields

Backward compatibility: existing users of the “Github Vulnerability Scan” scan type (driven by GithubVulnerabilityParser) for SCA imports will see no change. If you’d been using it to ingest SAST/code-scanning JSON, you’ll need to switch your import to the new “Github SAST Scan” scan type (driven by GithubSASTParser).

Ref links:
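
The behaviour the description lists, as an added example that is neither DefectDojo's code nor this PR's: a small normaliser run over a constructed Dependabot-style alert. The field names cvss, cvssSeverities, epss, dependabotUpdate and vulnerableRequirements, and the finding fields, come from the description above; the nesting of the export, the number field, the repository URL, the cvssV3-before-cvssV4 preference, the severity thresholds and every value are assumptions or placeholders.

```python
"""Added example (not DefectDojo's or this PR's code): normalise a Dependabot
alert into the finding fields named in the PR description."""
import json
import re

# Constructed sample export. Field names cvss, cvssSeverities, epss,
# dependabotUpdate and vulnerableRequirements are from the PR description;
# the nesting, "number" and all values are assumptions/placeholders.
SAMPLE_ALERT_JSON = """
{"number": 7,
 "vulnerableRequirements": ">= 1.2.0, < 1.2.5",
 "dependabotUpdate": {"pullRequest": {"permalink": "https://example.test/org/repo/pull/42"}},
 "securityVulnerability": {
   "package": {"name": "example-lib", "ecosystem": "PIP"},
   "advisory": {
     "summary": "Constructed advisory for demonstration",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxxx"},
                     {"type": "CVE", "value": "CVE-0000-00000"}],
     "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/placeholder"},
     "cvssSeverities": {"cvssV3": {"score": 8.1, "vectorString": "CVSS:3.1/placeholder"},
                        "cvssV4": {"score": 8.7, "vectorString": "CVSS:4.0/placeholder"}},
     "epss": {"percentage": 0.0123, "percentile": 0.61}}}}
"""

# Constructed legacy-shaped alert: only the old cvss block, no epss, no CVE.
LEGACY_ALERT_JSON = """
{"number": 8,
 "vulnerableRequirements": "= 2.0.1",
 "securityVulnerability": {
   "package": {"name": "other-lib", "ecosystem": "NPM"},
   "advisory": {"summary": "Legacy-shaped advisory",
                "identifiers": [{"type": "GHSA", "value": "GHSA-yyyy-yyyy-yyyy"}],
                "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/placeholder"}}}}
"""


def cvss_score(advisory):
    """Prefer cvssSeverities (cvssV3 first, to stay comparable with the old
    field, then cvssV4); fall back to the legacy cvss block. Assumed order."""
    severities = advisory.get("cvssSeverities") or {}
    for key in ("cvssV3", "cvssV4"):
        entry = severities.get(key) or {}
        if entry.get("score") is not None:
            return float(entry["score"]), entry.get("vectorString")
    legacy = advisory.get("cvss") or {}
    if legacy.get("score") is not None:
        return float(legacy["score"]), legacy.get("vectorString")
    return None, None


def severity_from_score(score):
    """Map a CVSS base score onto DefectDojo severity labels (assumed cut-offs)."""
    if score is None or score <= 0.0:
        return "Info"
    return "Critical" if score >= 9.0 else "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


VERSION_RE = re.compile(r"\d+(?:\.\d+)*[\w.+-]*")


def component_version(vulnerable_requirements):
    """First version token whatever the operator prefix ("= 1.2.3", ">= 1.2.0, < 1.2.5", "~> 3.1")."""
    match = VERSION_RE.search(vulnerable_requirements or "")
    return match.group(0) if match else None


def vulnerability_ids(advisory):
    """Return (cve, all identifier values); cve is None when no CVE is listed."""
    ids = [i.get("value") for i in advisory.get("identifiers") or [] if i.get("value")]
    cve = next((i for i in ids if i.upper().startswith("CVE-")), None)
    return cve, ids


def parse_alert(alert, repo_url):
    """Normalise one alert dict into the finding fields named in the PR, using .get() throughout."""
    vuln = alert.get("securityVulnerability") or {}
    advisory = vuln.get("advisory") or {}
    package = vuln.get("package") or {}
    score, vector = cvss_score(advisory)
    epss = advisory.get("epss") or {}
    cve, ids = vulnerability_ids(advisory)
    permalink = ((alert.get("dependabotUpdate") or {}).get("pullRequest") or {}).get("permalink")
    description = advisory.get("summary") or ""
    if permalink:
        description += f"\nDependabot update: {permalink}"
    number = alert.get("number")
    return {
        "title": f"{package.get('name', 'unknown')}: {advisory.get('summary', '')}",
        "severity": severity_from_score(score),
        "cvssv3_score": score,
        "cvss_vector": vector,
        "epss_score": epss.get("percentage"),
        "epss_percentile": epss.get("percentile"),
        "component_name": package.get("name"),
        "component_version": component_version(alert.get("vulnerableRequirements")),
        "cve": cve,
        "vuln_id_from_tool": cve or (ids[0] if ids else None),
        "unsaved_vulnerability_ids": ids,
        # Dependabot alert pages live under <repo>/security/dependabot/<number>.
        "url": f"{repo_url}/security/dependabot/{number}" if number is not None else None,
        "description": description,
    }


def parse_sample(raw_json, repo_url="https://github.com/example-org/example-repo"):
    """Convenience wrapper: parse one of the constructed JSON strings above."""
    return parse_alert(json.loads(raw_json), repo_url)
```

Running `parse_sample` on both constructed alerts shows the two code paths side by side: the new-shape alert takes its score from cvssSeverities and carries EPSS and the permalink, while the legacy-shape alert falls back to cvss, gets no EPSS values, and still yields a component_version and a GHSA as vuln_id_from_tool even though no CVE is listed.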

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels Jul 11, 2025
Logicmn commented Jul 14, 2025

@Maffooch All linting errors should be fixed now, thanks for bearing with. :)

@valentijnscholten valentijnscholten added this to the 2.49.0 milestone Jul 15, 2025
@valentijnscholten valentijnscholten left a comment

comment posted above

@valentijnscholten valentijnscholten modified the milestones: 2.49.0, 2.50.0 Aug 4, 2025
@dogboat dogboat left a comment

Just two nits about import placement, but otherwise looks great; approving because they're not blockers imho.

@valentijnscholten valentijnscholten modified the milestones: 2.50.0, 2.51.0 Sep 2, 2025
Logicmn commented Sep 27, 2025

comment posted above

Responded

@Logicmn Logicmn force-pushed the github-vuln-parser-improvements branch from 2ffb18d to 82ed3f8 Compare September 27, 2025 19:51
This pull request has conflicts, please resolve those before we can evaluate the pull request.

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro left a comment

Approved
