Skip to content

Add Seqra SARIF reader support#266

Open
seqradev wants to merge 2 commits intoOWASP-Benchmark:mainfrom
seqradev:seqradev/support-seqra
Open

Add Seqra SARIF reader support#266
seqradev wants to merge 2 commits intoOWASP-Benchmark:mainfrom
seqradev:seqradev/support-seqra

Conversation

@seqradev
Copy link

@seqradev seqradev commented Feb 6, 2026

  • Add SeqraReader, a new SARIF-based parser for the Seqra static analysis tool
  • Include CWE mapping override for the cookie-issecure-false rule, which reports CWE-319 but should map to CWE-614 (Insecure Cookie) for Benchmark scoring
  • Register the reader in Reader.java alongside existing parsers

@seqradev
Add Seqra SARIF reader support
b7932c5 
Add support for Seqra security static analysis tool:
- SeqraReader.java: SARIF reader using CweSourceType.TAG
- SeqraReaderTest.java: Unit tests for the reader
- Benchmark_Seqra.sarif: Test data file
- Register reader in Reader.java
@seqradev seqradev mentioned this pull request Feb 6, 2026
Open
@davewichers
Copy link
Contributor

davewichers commented Feb 6, 2026

@darkspirit510 - Can you review all this and the change to BencharkJava too. This tool's repo is apparently at: https://github.com/seqra/seqra-jvm and there is a wiki article about it here: https://deepwiki.com/seqra/seqra-jvm-sast.

@seqradev
Copy link
Author

seqradev commented Feb 6, 2026

Hi @davewichers,
The main repository for the tool is https://github.com/seqra/seqra, and the corresponding wiki article is https://deepwiki.com/seqra/seqra. We also have a website at https://seqra.dev.

If you have any questions, feel free to ask. Thanks for the quick response!

darkspirit510
darkspirit510 reviewed Feb 7, 2026
View reviewed changes
Copy link
Contributor

@darkspirit510 darkspirit510 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor thing, the rest looks good to me.

plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SeqraReader.java Outdated
}

@Override
public String toolName(ResultFile resultFile) {
Copy link
Contributor

@darkspirit510 darkspirit510 Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you try without this method? The toolName method of SarifReader should already pick the correct name from the Sarif file.

Copy link
Author

@seqradev seqradev Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just tested it — it works — so I removed that method.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@darkspirit510 darkspirit510 darkspirit510 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@seqradev @davewichers @darkspirit510