Support for gosec output with CWE references

The CWE and OWASP rules for Go are missing coverage in some areas. The gosec native JSON output provides CWE references for each security issue reported, but this does not come through when put into the SonarQube format for ingestion using the sonar.externalIssuesReportPaths parameter. Currently the gosec findings show up in Sonar as vulnerabilities with no CWE or OWASP association.

It would be ideal to either:
a. Add support to the externalIssuesReportPath file spec to allow for CWE references to be included or
b. Add support for the native JSON gosec output so that this output can be ingested and tied to the provided CWE references
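
An added example, not part of the original post and not code from gosec or SonarQube: a converter that reads gosec's native JSON and writes the generic external issue format, carrying each CWE id in the message text since that format has no CWE field. The function name, the severity mapping and the sample findings are assumptions made for the illustration.

```python
import json

# Assumed mapping from gosec severities to Sonar severities; adjust to local policy.
SEVERITY = {"LOW": "MINOR", "MEDIUM": "MAJOR", "HIGH": "CRITICAL"}


def gosec_to_sonar(report: dict) -> dict:
    """Convert a parsed gosec JSON report to the generic external issue format."""
    issues = []
    for item in report.get("Issues") or []:  # tolerate a null or missing list
        # gosec reports "line" as a string, either "12" or a range "12-14".
        start, _, end = str(item["line"]).partition("-")
        text_range = {"startLine": int(start)}
        if end:
            text_range["endLine"] = int(end)
        cwe_id = (item.get("cwe") or {}).get("id")
        message = item["details"]
        if cwe_id:  # findings without a CWE keep the plain message
            message = f"[CWE-{cwe_id}] {message}"
        issues.append({
            "engineId": "gosec",
            "ruleId": item["rule_id"],
            "type": "VULNERABILITY",
            "severity": SEVERITY.get(item.get("severity"), "MAJOR"),
            "primaryLocation": {
                "message": message,
                "filePath": item["file"],
                "textRange": text_range,
            },
        })
    return {"issues": issues}


# Constructed sample in the shape of gosec's native JSON output (not real scan
# data; the second finding and its rule id G999 are made up for the test).
SAMPLE = json.loads("""
{"Issues": [
  {"severity": "HIGH", "confidence": "LOW", "rule_id": "G101",
   "cwe": {"id": "798", "url": "https://cwe.mitre.org/data/definitions/798.html"},
   "details": "Potential hardcoded credentials", "file": "cmd/app/config.go", "line": "12-14"},
  {"severity": "MEDIUM", "confidence": "HIGH", "rule_id": "G999",
   "details": "Constructed finding without a CWE", "file": "cmd/app/main.go", "line": "7"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(gosec_to_sonar(SAMPLE), indent=2))
```

The CWE id becomes searchable text in the issue message, but Sonar still does not treat it as a CWE tag, which is the gap the request above describes.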

Hi @CameronG,

Thank you for your suggestion! It looks like a good one 🙂
I have recorded it so we can consider it in the future.

Denis