Description
In order to assess the maturity of a SAST product, it's important to know which issues are hidden in a benchmark such as this repo.
It would be great to provide the list of expected issues, including their location + the corresponding CWE identifier.
The goal, for sure, is not to hard-code the findings but to save time and not re-invent the wheel for every SAST product.
Recently, I worked with the author of https://github.com/SasanLabs/VulnerableApp/ to provide such a list for his project. Here is the file: https://github.com/SasanLabs/VulnerableApp/blob/master/scanner/sast/expectedIssues.csv
It's as simple as a CSV file with the following information:
CWE | Vulnerability Type | File | Line | Number of Sources
If you are OK with the idea, I can contribute a first version and we can iterate on it.
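To show how a file with these five columns would actually be used to measure a SAST tool, here is an added scoring script. It is not code from this issue, from this repository, or from VulnerableApp. The CSV rows, file paths, line numbers, the tool findings, and the matching rule (same CWE, same file, line within a small tolerance) are all constructed assumptions for the example; a real run would convert the tool's SARIF or JSON report into the same `(cwe, file, line)` shape.

```python
"""Score a SAST tool's findings against an expected-issues CSV.

Example code, not part of the benchmark project. The matching rule and
all sample data below are assumptions made for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample using the column layout proposed in the issue:
# CWE | Vulnerability Type | File | Line | Number of Sources
EXPECTED_CSV = """\
CWE,Vulnerability Type,File,Line,Number of Sources
79,Cross-Site Scripting,src/main/java/example/XssServlet.java,42,2
89,SQL Injection,src/main/java/example/LoginDao.java,77,1
22,Path Traversal,src/main/java/example/FileDownload.java,31,1
"""

# Constructed tool output as (cwe, file, line) tuples. In practice these come
# from the tool's report; the shape here is an assumption of this example.
TOOL_FINDINGS = [
    (79, "src/main/java/example/XssServlet.java", 43),   # one line off: still a hit
    (89, "src/main/java/example/LoginDao.java", 77),     # exact hit
    (79, "src/main/java/example/LoginDao.java", 12),     # not in the CSV: false positive
]


def load_expected(text):
    """Parse the expected-issues CSV into a list of dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "cwe": int(rec["CWE"]),
            "type": rec["Vulnerability Type"],
            "file": rec["File"],
            "line": int(rec["Line"]),
            "sources": int(rec["Number of Sources"]),
        })
    return rows


def score(expected, findings, line_tolerance=2):
    """Match findings to expected issues and compute recall/precision.

    A finding matches an expected issue when CWE and file are identical and
    the reported line is within `line_tolerance` of the expected line
    (tools often report the sink a line or two away). Each finding can
    satisfy at most one expected issue.
    """
    matched, used = set(), set()
    for i, exp in enumerate(expected):
        for j, (cwe, path, line) in enumerate(findings):
            if j in used:
                continue
            if (cwe == exp["cwe"] and path == exp["file"]
                    and abs(line - exp["line"]) <= line_tolerance):
                matched.add(i)
                used.add(j)
                break

    tp = len(matched)
    fn = len(expected) - tp
    fp = len(findings) - len(used)

    # Per-CWE detection counts: (found, expected) so weak areas stand out.
    per_cwe = defaultdict(lambda: [0, 0])
    for i, exp in enumerate(expected):
        per_cwe[exp["cwe"]][1] += 1
        if i in matched:
            per_cwe[exp["cwe"]][0] += 1

    return {
        "tp": tp,
        "fn": fn,
        "fp": fp,
        "recall": tp / len(expected) if expected else 0.0,
        "precision": tp / len(findings) if findings else 0.0,
        "missed": [expected[i] for i in range(len(expected)) if i not in matched],
        "per_cwe": {k: tuple(v) for k, v in per_cwe.items()},
    }


if __name__ == "__main__":
    result = score(load_expected(EXPECTED_CSV), TOOL_FINDINGS)
    print(f"TP={result['tp']} FN={result['fn']} FP={result['fp']} "
          f"recall={result['recall']:.2f} precision={result['precision']:.2f}")
    for cwe, (found, total) in sorted(result["per_cwe"].items()):
        print(f"  CWE-{cwe}: {found}/{total}")
    for m in result["missed"]:
        print(f"  missed: CWE-{m['cwe']} {m['file']}:{m['line']} ({m['type']})")
```

Keeping the line tolerance explicit matters when comparing products: a strict exact-line match penalises tools that report the sink rather than the source, while a very loose one lets unrelated findings in the same file count as hits. The per-CWE breakdown is usually more informative for a maturity assessment than the single recall number.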