Add Gitlab SAST and DAST

[rcsilva83]

Gitlab have builtin security tools:

• SAST (free)
• Advanced SAST (paid)
• DAST (paid)

It would be vary nice to have them included as Gitlab is one major DevSecOps platform.

[darkspirit510]

Did you just read about the tools or actually create a result file. If the second applies, provide me a result file and I'll create a Reader for it 😉

[rcsilva83]

I don't have a results file yet but I'll try to create. Do you have any guidance on this or is it just run those tools against this repo?

[darkspirit510]

Just scan the repo. Have a look at https://github.com/OWASP-Benchmark/BenchmarkJava/tree/master/scripts to see how other tools are invoked and how they create the result files.

[darkspirit510]

I can't access the files. Can you send them via mail? github@darkspirit510.de

PS: Be careful when posting results from Tools, it may be against their TOS. If in doubt, delete them. 😉

[rcsilva83]

This might help: https://gitlab.com/ignis-build/sarif-converter/

[darkspirit510]

Thanks for the link, but I'm already working on the reader and don't like the necessity of converting a result file before Benchmark can handle it 😊

[darkspirit510]

Hi @rcsilva83,

reader for Advanced SAST done. Sadly, the result file from free version does not contain any result (although according to the mentioned tools, it should). So you either invoked it wrong - or GitLab does not add results on purpose (which feels odd, it should at least contain SOME results).

Sascha