Skip to content

Commit

Permalink
HdfConverter: Set security-severity property used by GitHub
Browse files Browse the repository at this point in the history
  • Loading branch information
candrews committed Aug 25, 2023
1 parent 84d2047 commit fcb8045
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/Sarif.Converters/HdfConverter.cs
Original file line number Diff line number Diff line change
Expand Up @@ -134,6 +134,7 @@ private static (ReportingDescriptor, IList<Result>) SarifRuleAndResultFromHdfCon
Kinds = new List<string>() { "relevant" },
}))
};
reportingDescriptor.SetProperty("security-severity", SarifSecuritySeverityFromHdfImpact(execJsonControl.Impact).ToString());

var results = new List<Result>(execJsonControl.Results.Count);
foreach (ControlResult controlResult in execJsonControl.Results)
Expand Down Expand Up @@ -220,7 +221,18 @@ private static FailureLevel SarifLevelFromHdfImpact(double impact)
}
}

private static double SarifSecuritySeverityFromHdfImpact(double impact) =>
/*
security-descriptor Hdf Impact
>=9.0 (critical) >=0.9 (critical)
>=7.0 (high) >=0.7 (high)
>=4.0 (medium) >=0.5 (medium)
<4.0 (low) >=0.3 (low)
*/
// security severity is exactly 10x impact
impact * 10.0;
private static double SarifRankFromHdfImpact(double impact) =>
// https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
/*
SARIF rank Hdf Level SARIF level Default Viewer Action
0.0 0 note Does not display by default
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4047,6 +4047,9 @@
"shortDescription": {
"text": "User Agent Fuzzer."
},
"properties": {
"security-severity": "3"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4083,6 +4086,9 @@
"shortDescription": {
"text": "Web Browser XSS Protection Not Enabled."
},
"properties": {
"security-severity": "3"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4119,6 +4125,9 @@
"shortDescription": {
"text": "Cookie Slack Detector."
},
"properties": {
"security-severity": "3"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4155,6 +4164,9 @@
"shortDescription": {
"text": "Cookie Slack Detector."
},
"properties": {
"security-severity": "3"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4194,6 +4206,9 @@
"defaultConfiguration": {
"level": "error"
},
"properties": {
"security-severity": "7"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4230,6 +4245,9 @@
"shortDescription": {
"text": "X-Content-Type-Options Header Missing."
},
"properties": {
"security-severity": "3"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4269,6 +4287,9 @@
"defaultConfiguration": {
"level": "error"
},
"properties": {
"security-severity": "7"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4305,6 +4326,9 @@
"shortDescription": {
"text": "X-Frame-Options Header Not Set."
},
"properties": {
"security-severity": "5"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4341,6 +4365,9 @@
"shortDescription": {
"text": "Proxy Disclosure."
},
"properties": {
"security-severity": "5"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4380,6 +4407,9 @@
"defaultConfiguration": {
"level": "error"
},
"properties": {
"security-severity": "7"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4419,6 +4449,9 @@
"defaultConfiguration": {
"level": "error"
},
"properties": {
"security-severity": "7"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4458,6 +4491,9 @@
"defaultConfiguration": {
"level": "error"
},
"properties": {
"security-severity": "7"
},
"relationships": [
{
"target": {
Expand Down Expand Up @@ -4494,6 +4530,9 @@
"shortDescription": {
"text": "Format String Error."
},
"properties": {
"security-severity": "5"
},
"relationships": [
{
"target": {
Expand Down

0 comments on commit fcb8045

Please sign in to comment.