diff --git a/src/Sarif.Converters/HdfConverter.cs b/src/Sarif.Converters/HdfConverter.cs index 2296af9f8..1a23a2a75 100644 --- a/src/Sarif.Converters/HdfConverter.cs +++ b/src/Sarif.Converters/HdfConverter.cs @@ -134,6 +134,7 @@ private static (ReportingDescriptor, IList) SarifRuleAndResultFromHdfCon Kinds = new List() { "relevant" }, })) }; + reportingDescriptor.SetProperty("security-severity", SarifSecuritySeverityFromHdfImpact(execJsonControl.Impact).ToString()); var results = new List(execJsonControl.Results.Count); foreach (ControlResult controlResult in execJsonControl.Results) @@ -220,7 +221,18 @@ private static FailureLevel SarifLevelFromHdfImpact(double impact) } } + private static double SarifSecuritySeverityFromHdfImpact(double impact) => + /* + security-descriptor Hdf Impact + >=9.0 (critical) >=0.9 (critical) + >=7.0 (high) >=0.7 (high) + >=4.0 (medium) >=0.5 (medium) + <4.0 (low) >=0.3 (low) + */ + // security severity is exactly 10x impact + impact * 10.0; private static double SarifRankFromHdfImpact(double impact) => + // https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object /* SARIF rank Hdf Level SARIF level Default Viewer Action 0.0 0 note Does not display by default diff --git a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif index 0eae71f54..3cf8d5e82 100644 --- a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif +++ b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif @@ -4047,6 +4047,9 @@ "shortDescription": { "text": "User Agent Fuzzer." }, + "properties": { + "security-severity": "3" + }, "relationships": [ { "target": { @@ -4083,6 +4086,9 @@ "shortDescription": { "text": "Web Browser XSS Protection Not Enabled." }, + "properties": { + "security-severity": "3" + }, "relationships": [ { "target": { @@ -4119,6 +4125,9 @@ "shortDescription": { "text": "Cookie Slack Detector." }, + "properties": { + "security-severity": "3" + }, "relationships": [ { "target": { @@ -4155,6 +4164,9 @@ "shortDescription": { "text": "Cookie Slack Detector." }, + "properties": { + "security-severity": "3" + }, "relationships": [ { "target": { @@ -4194,6 +4206,9 @@ "defaultConfiguration": { "level": "error" }, + "properties": { + "security-severity": "7" + }, "relationships": [ { "target": { @@ -4230,6 +4245,9 @@ "shortDescription": { "text": "X-Content-Type-Options Header Missing." }, + "properties": { + "security-severity": "3" + }, "relationships": [ { "target": { @@ -4269,6 +4287,9 @@ "defaultConfiguration": { "level": "error" }, + "properties": { + "security-severity": "7" + }, "relationships": [ { "target": { @@ -4305,6 +4326,9 @@ "shortDescription": { "text": "X-Frame-Options Header Not Set." }, + "properties": { + "security-severity": "5" + }, "relationships": [ { "target": { @@ -4341,6 +4365,9 @@ "shortDescription": { "text": "Proxy Disclosure." }, + "properties": { + "security-severity": "5" + }, "relationships": [ { "target": { @@ -4380,6 +4407,9 @@ "defaultConfiguration": { "level": "error" }, + "properties": { + "security-severity": "7" + }, "relationships": [ { "target": { @@ -4419,6 +4449,9 @@ "defaultConfiguration": { "level": "error" }, + "properties": { + "security-severity": "7" + }, "relationships": [ { "target": { @@ -4458,6 +4491,9 @@ "defaultConfiguration": { "level": "error" }, + "properties": { + "security-severity": "7" + }, "relationships": [ { "target": { @@ -4494,6 +4530,9 @@ "shortDescription": { "text": "Format String Error." }, + "properties": { + "security-severity": "5" + }, "relationships": [ { "target": {