A tool that finds the minimum number of code fixes needed to eliminate all vulnerabilities reported in SARIF scan results. It models the problem as a set cover optimization to determine the most efficient fix strategy — guaranteeing the absolute minimum number of code changes required to address all reported security issues.
📖 For detailed algorithm explanation, mathematical formulation, and implementation details, see src/prodsec_sast_set_cover_solver/docs/MATHEMATICAL_DETAILS.md
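# Install from the package index.
# NOTE: the index URL below embeds credentials in the user:password@host form.
# Anything passed on the command line ends up in shell history and is visible
# to other users via `ps`; prefer supplying the index through the environment
# (PIP_EXTRA_INDEX_URL) or a pip config/keyring entry instead of a literal.
# The host part of the URL looks like an extraction artifact — confirm the
# real index URL before use. If this package is published only on the internal
# index, prefer --index-url over --extra-index-url so that a same-named
# package on public PyPI cannot shadow it (dependency confusion).
pip3 install --extra-index-url https://user:[email protected]/tr1/api/pypi/pypi-local/simple prodsec_sast_set_cover_solver

# Or install from a source checkout (editable install via uv)
git clone <repository-url>
cd solver
uv sync
uv pip install -e .
# Basic usage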
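prodsec-sast-set-cover-solver vulnerabilities.sarif

# Choose solver
prodsec-sast-set-cover-solver vulnerabilities.sarif --solver cp-sat

# Filtering options (severity levels and rule IDs are space-separated lists)
prodsec-sast-set-cover-solver vulnerabilities.sarif --severity-filter high medium
prodsec-sast-set-cover-solver vulnerabilities.sarif --rule-filter java/XSS java/PT

# Export options
prodsec-sast-set-cover-solver vulnerabilities.sarif --export # Detailed solution with vulnerability details
prodsec-sast-set-cover-solver vulnerabilities.sarif --minimal-export # Optimal path with fix locations only

# Quiet mode (no console output; combine with an export flag to still get a result)
prodsec-sast-set-cover-solver vulnerabilities.sarif --quiet --minimal-export
from prodsec_sast_set_cover_solver import SarifSetCoverSolver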
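# Basic usage: load one SARIF file and solve for the minimum fix set
optimizer = SarifSetCoverSolver("vulnerabilities.sarif")
optimizer.solve_mathematical_optimization()

# With filtering and export (keyword arguments mirror the CLI flags)
optimizer = SarifSetCoverSolver(
    "vulnerabilities.sarif",
    severity_filter=["high", "medium"],  # cf. --severity-filter
    rule_filter=["java/XSS"],            # cf. --rule-filter
    export_detailed=True,                # cf. --export
)
optimizer.solve_mathematical_optimization()
cd solver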
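# Run the CLI module directly (e.g. from a source checkout) instead of the
# installed console script
uv run python -m prodsec_sast_set_cover_solver.cli.main vulnerabilities.sarif
# Available options:
# --severity-filter {high,medium,low,info}   Filter by severity
# --rule-filter RULE_ID [RULE_ID ...]        Filter by rule IDs
# --export                                   Export detailed solution
# --minimal-export                           Export minimal solution
# --quiet                                    Suppress console output
# (--solver, shown in the usage examples, is accepted as well)
src/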
└── prodsec_sast_set_cover_solver/
    ├── __init__.py
    ├── cli/
    │   ├── __init__.py
    │   └── main.py                 # CLI entry point
    ├── utils/
    │   ├── __init__.py
    │   ├── sarif_parser.py         # SARIF parsing
    │   ├── severity_mapper.py      # Severity mapping
    │   └── data_structures.py      # Data classes
    ├── solver/
    │   ├── __init__.py
    │   ├── set_cover_solver.py     # Main solver implementation
    │   └── optimizer.py            # Optimization algorithms
    ├── set_cover/
    │   ├── __init__.py
    │   └── initializer.py          # Set cover initialization
    └── docs/                       # Documentation
tests/                              # Test files
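# Run tests
uv run pytest
# Format and lint (ruff for formatting and linting, mypy for type checks)
uv run ruff format .
uv run ruff check .
uv run mypy .
MIT License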
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Submit a pull request