In the current SARIF output, the rules[].name field uses a CamelCase version of the technical check ID (e.g., IosCertPinning for ios_cert_pinning).
When these reports are ingested by GitLab or other SARIF-compatible dashboards, the dashboard often falls back to displaying the CWE ID (e.g., "CWE-295") as the vulnerability name, because the name field is too technical and generic to be useful. The actual human-readable description is buried in results[].message.text, which the dashboards do not use as a title.
Proposed Change:
Update the rules object generation so that the name field contains the clear, descriptive title of the check.
• Current: "name": "IosCertPinning"
• Proposed: "name": "Missing Certificate Pinning" or "name": "Improper Certificate Validation (CWE-295)"
Impact:
This will ensure that "Vulnerability Name" columns in GitLab, GitHub Advanced Security, and SonarQube display meaningful titles instead of technical codes like "CWE-295".
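To make the proposal concrete, the following added example (not code from the scanner or from this issue's author) builds a minimal SARIF 2.1.0 report both ways: once with the current CamelCase-of-ID naming and once with a descriptive title taken from the check's metadata. The check metadata, the second check ID (android_cleartext_traffic), the finding locations and the tool name are all constructed for illustration; only ios_cert_pinning, IosCertPinning and CWE-295 come from the issue. It also includes a small lint, generic_rule_names, that a CI job could run over a SARIF file to catch rules whose name is merely the CamelCased ID.

```python
import json

# Constructed check metadata (illustrative; not a real scanner's rule database).
# The descriptive title is what the issue proposes to put in rules[].name.
CHECKS = {
    "ios_cert_pinning": {
        "title": "Missing Certificate Pinning",
        "description": "The app does not pin the server certificate, so any CA "
                       "trusted by the device could be used to intercept TLS traffic.",
        "cwe": "CWE-295",
        "level": "warning",
    },
    "android_cleartext_traffic": {  # constructed second check for a multi-rule report
        "title": "Cleartext Traffic Permitted",
        "description": "usesCleartextTraffic allows unencrypted HTTP connections.",
        "cwe": "CWE-319",
        "level": "error",
    },
}

# Constructed findings, as a scanner might hold them before SARIF conversion.
FINDINGS = [
    {"check_id": "ios_cert_pinning", "file": "App/Network.swift", "line": 42},
    {"check_id": "android_cleartext_traffic", "file": "AndroidManifest.xml", "line": 7},
]


def camel_case_id(check_id):
    """Current naming described in the issue: 'ios_cert_pinning' -> 'IosCertPinning'."""
    return "".join(part.capitalize() for part in check_id.split("_"))


def build_rule(check_id, meta, descriptive_name):
    """Build one rules[] entry (a SARIF reportingDescriptor).

    With descriptive_name=True the name is the human-readable title; with False it
    reproduces the current behaviour so the two outputs can be compared side by side.
    """
    return {
        "id": check_id,
        "name": meta["title"] if descriptive_name else camel_case_id(check_id),
        "shortDescription": {"text": meta["title"]},
        "fullDescription": {"text": meta["description"]},
        "defaultConfiguration": {"level": meta["level"]},
        # Tagging the CWE keeps the weakness ID available without using it as the title.
        "properties": {"tags": ["security", meta["cwe"]]},
    }


def build_sarif(findings, descriptive_name=True):
    """Assemble a single-run SARIF 2.1.0 document from the findings."""
    rule_ids, rules, results = [], [], []
    for f in findings:
        cid = f["check_id"]
        if cid not in rule_ids:  # emit each rule once, in first-seen order
            rule_ids.append(cid)
            rules.append(build_rule(cid, CHECKS[cid], descriptive_name))
        results.append({
            "ruleId": cid,
            "ruleIndex": rule_ids.index(cid),
            "level": CHECKS[cid]["level"],
            # This is where dashboards currently find the readable text (results[].message.text).
            "message": {"text": CHECKS[cid]["description"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "example-scanner", "rules": rules}},  # constructed tool name
            "results": results,
        }],
    }


def generic_rule_names(sarif):
    """Lint: return rule ids whose name is just the id or its CamelCase form."""
    bad = []
    for rule in sarif["runs"][0]["tool"]["driver"]["rules"]:
        if rule["name"] in (rule["id"], camel_case_id(rule["id"])):
            bad.append(rule["id"])
    return bad


if __name__ == "__main__":
    for descriptive in (False, True):
        report = build_sarif(FINDINGS, descriptive_name=descriptive)
        print(json.dumps(report["runs"][0]["tool"]["driver"]["rules"][0], indent=2))
        print("rules with generic names:", generic_rule_names(report))
```

Running the script prints the ios_cert_pinning rule in both forms; the lint flags both rules in the current-style report and none in the proposed one. The title is duplicated into shortDescription on purpose, since some consumers read that field rather than name when rendering a rule.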