Builds on the SARIF 2.1.0 emitter (#626): give each SARIF rule one or more
`stride:<leg>` tags (Spoofing / Tampering / Repudiation / Information
disclosure / Denial of service / Elevation of privilege) derived from the
finding's CWE, so consumers — the GitHub code-scanning Security tab, ASPM
dashboards, coverage reports — can group and filter findings by
threat-model leg. SARIF results inherit their rule's tags via ruleId, so
tagging the rule is sufficient.
- _CWE_TO_STRIDE maps common CWEs to legs (dominant leg first where a CWE
spans several); unmapped / no-CWE findings fall back to a default
(tampering + information-disclosure) so every finding carries >=1 leg
and downstream reports have no coverage gaps.
- Includes mappings for CWEs surfaced by real scans: 798 (hardcoded
creds), 862 (missing authz), 259 (hardcoded password), 1391 (weak
credential).
Tests: tests/report/test_sarif_stride.py (14 cases — mapping, normalization
of CWE-306/306/"cwe: 306" forms, default fallback, rule-tag emission).
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>