Wow. Just WOW. Switching to SARIF instantly eliminated roughly 30% of the custom code that existed only to support individual tools' output formats. The following scanners now plug in cleanly without any extra code:

  • Snyk Code (This one uses SARIF everywhere, but I won’t tell anybody)
  • Snyk Open Source
  • Semgrep

It worked like a charm. I guess I am a new SARIF supporter/champion now :)
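To make the "no extra code per scanner" point concrete, here is an added example (my own, not code from the Scan Project, Snyk or Semgrep) of the kind of single SARIF 2.1.0 ingestion path that replaces per-tool parsers: one function walks `runs[].tool.driver` and `runs[].results[]` no matter which scanner wrote the file. The embedded document is constructed for this example, with hypothetical tool names (`example-sast`, `example-sca`) and rule IDs. It also covers the three details that usually bite when you first consume SARIF: a result without `level` inherits the rule's `defaultConfiguration.level` (and otherwise is `warning`), `kind` defaults to `fail` so anything else is not a finding, and `suppressions` must be honoured.

```python
"""One SARIF 2.1.0 ingestion path for every scanner (added example, not Scan Project code)."""
import json
from dataclasses import dataclass
from typing import List

# Constructed sample with hypothetical tool names and rule IDs: two runs from two
# different "scanners" so the same code path visibly handles both.
SAMPLE_SARIF = r"""
{"version": "2.1.0", "runs": [
  {"tool": {"driver": {"name": "example-sast", "rules": [
      {"id": "example.sql-injection", "defaultConfiguration": {"level": "error"}}]}},
   "results": [
     {"ruleId": "example.sql-injection", "ruleIndex": 0,
      "message": {"text": "String-formatted SQL query"},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                          "region": {"startLine": 42}}}]}]},
  {"tool": {"driver": {"name": "example-sca"}},
   "results": [
     {"ruleId": "EXAMPLE-ADVISORY-1", "level": "warning",
      "message": {"text": "Vulnerable dependency example-lib 1.0.0"},
      "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"},
                                          "region": {"startLine": 3}}}]},
     {"ruleId": "EXAMPLE-ADVISORY-2", "level": "warning", "kind": "pass",
      "message": {"text": "Checked, not affected"}},
     {"ruleId": "EXAMPLE-ADVISORY-3", "level": "error",
      "message": {"text": "Accepted risk"},
      "suppressions": [{"kind": "external", "status": "accepted"}]}]}
]}
"""


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str    # "error" | "warning" | "note"
    message: str
    uri: str      # "" when the result carries no physical location
    line: int     # 0 when no region/startLine is given


def _effective_level(result: dict, rules: List[dict]) -> str:
    """A result without 'level' inherits the rule's defaultConfiguration.level;
    if that is absent too, SARIF says it is 'warning'."""
    if "level" in result:
        return result["level"]
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        rule = rules[idx]
    else:  # no index: match by ruleId
        rule = next((r for r in rules if r.get("id") == result.get("ruleId")), None)
    if rule is not None:
        return rule.get("defaultConfiguration", {}).get("level", "warning")
    return "warning"


def _is_suppressed(result: dict) -> bool:
    # Any accepted suppression hides the result; an entry with no status is
    # counted as accepted here (conservative choice for this example).
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions") or [])


def parse_sarif(text: str) -> List[Finding]:
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings: List[Finding] = []
    for run in doc.get("runs") or []:
        driver = (run.get("tool") or {}).get("driver") or {}
        tool = driver.get("name", "unknown")
        rules = driver.get("rules") or []
        for result in run.get("results") or []:
            # 'kind' defaults to "fail"; pass/review/etc. are not failures.
            if result.get("kind", "fail") != "fail" or _is_suppressed(result):
                continue
            uri, line = "", 0
            locs = result.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation") or {}
                uri = (phys.get("artifactLocation") or {}).get("uri", "")
                line = (phys.get("region") or {}).get("startLine", 0)
            findings.append(Finding(
                tool=tool, rule_id=result.get("ruleId", ""),
                level=_effective_level(result, rules),
                message=(result.get("message") or {}).get("text", ""),
                uri=uri, line=line))
    return findings


_SEVERITY_RANK = {"error": 0, "warning": 1, "note": 2}


def sort_by_severity(findings) -> List[Finding]:
    """Highest severity first, then tool and location, for stable reports."""
    return sorted(findings,
                  key=lambda f: (_SEVERITY_RANK.get(f.level, 3), f.tool, f.uri, f.line))


if __name__ == "__main__":
    for f in sort_by_severity(parse_sarif(SAMPLE_SARIF)):
        print(f"[{f.level:7}] {f.tool}: {f.rule_id} at {f.uri}:{f.line} - {f.message}")
```

Running it prints the two real findings, the SAST error first; the `pass` result and the suppressed advisory are dropped without any scanner-specific branch. Swapping in a real Semgrep or Snyk SARIF file changes nothing in the code, which is exactly why the per-tool adapters could go.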

The major refactoring of the Scan Project is still under way, but that mostly affects the paid version; the free scanner still works, and its image is rebuilt daily with fresh DependencyCheck vulnerability databases. No one will ever notice the switch to SARIF there (Semgrep Open Source), but it's quite an achievement :)