Replies: 2 comments
-
I think this makes sense. DefectDojo is a vulnerability management tool and should stay focussed on security problems.
-
Coverity has Issue Kinds of Quality, Security and Various. Some checkers are classified as both Quality and Security. Their results will be classified as Various. So, including just Security will not always provide the correct results. This is why I was thinking it might be better to use the filtering capabilities of a report in Coverity to create a JSON file with the Security issues (as defined by the organization) rather than rely on Coverity's classification of what is and isn't a Security issue.
-
I was trying out the Coverity API parser, and none of my results were showing up in Defect Dojo. After looking through the code, I noticed that the parser is only including items with "displayIssueKind" of "Security".
```python
# get only security findings
if "Security" != issue.get("displayIssueKind"):
    continue
```
Was there any specific reason for this decision? My file specifically only had displayIssueKind of Quality and Various. Since the user can do plenty of filtering in Coverity, I'm thinking that it might be better to include all findings from the results json file.
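Added example (not DefectDojo's parser code and not from any poster in this thread) illustrating the two points raised above: the exact-match `"Security"` filter drops findings that Coverity labels `Various` (checkers that are both Quality and Security) and anything with no issue kind at all, whereas an inclusive or configurable filter keeps them. Only the `displayIssueKind` key and its three values come from the thread; the `issues` wrapper, the `cid` field, and the checker names are assumptions made for this constructed sample.

```python
import json
from collections import Counter

# Constructed sample export, not a real Coverity file. Only "displayIssueKind"
# and its values (Quality, Security, Various) come from the thread; the
# "issues" wrapper, "cid" and the checker names are assumptions.
SAMPLE_EXPORT = json.dumps({
    "issues": [
        {"cid": 101, "checkerName": "CHECKER_NULL_DEREF", "displayIssueKind": "Quality"},
        {"cid": 102, "checkerName": "CHECKER_INJECTION", "displayIssueKind": "Security"},
        {"cid": 103, "checkerName": "CHECKER_TAINTED_INPUT", "displayIssueKind": "Various"},
        {"cid": 104, "checkerName": "CHECKER_RESOURCE_LEAK", "displayIssueKind": "Quality"},
        {"cid": 105, "checkerName": "CHECKER_LEGACY"},  # no issue kind at all
    ]
})


def load_issues(text):
    """Parse the export and return the list of issue records (assumed layout)."""
    return json.loads(text)["issues"]


def kind_counts(issues):
    """Count findings per displayIssueKind; a quick check when nothing shows up after import."""
    return Counter(issue.get("displayIssueKind", "<missing>") for issue in issues)


def security_only(issues):
    """Behaviour described in the thread: keep only records whose kind is exactly 'Security'."""
    return [i for i in issues if i.get("displayIssueKind") == "Security"]


def filter_issues(issues, kinds=None):
    """Keep every record when kinds is None, otherwise those whose kind is in kinds.

    The comparison is case-insensitive. A record with no displayIssueKind is
    kept only in the keep-everything case, so an explicit kind filter never
    silently includes unclassified findings and the default never drops them.
    """
    if kinds is None:
        return list(issues)
    wanted = {k.lower() for k in kinds}
    return [i for i in issues if (i.get("displayIssueKind") or "").lower() in wanted]


def cids(issues):
    """Return the assumed 'cid' identifiers, in file order, for easy comparison."""
    return [i["cid"] for i in issues]


if __name__ == "__main__":
    issues = load_issues(SAMPLE_EXPORT)
    print("per kind:", dict(kind_counts(issues)))
    print("Security only:", cids(security_only(issues)))
    print("Security + Various:", cids(filter_issues(issues, {"Security", "Various"})))
    print("everything:", cids(filter_issues(issues)))
```

Running the script on the constructed sample shows why a file containing only Quality and Various findings imports as empty under the exact-match filter, and `kind_counts` is the first thing to check before assuming the parser is broken. Whether `Various` should count as security is an organizational decision, which is why the filter takes the accepted kinds as a parameter instead of hard-coding one value.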