Merge pull request #35 from veracode/granular_severities
adding granular severities
julz0815 authored Mar 21, 2024
2 parents 181bcb2 + 04c767e commit d8f691f
Showing 7 changed files with 82 additions and 43 deletions.
52 changes: 35 additions & 17 deletions dist/index.js
Expand Up @@ -28966,18 +28966,6 @@ class Converter {
};
}
issueToRule(issue) {
/*
{
"id": "no-unused-vars",
"shortDescription": {
"text": "disallow unused variables"
},
"helpUri": "https://eslint.org/docs/rules/no-unused-vars",
"properties": {
"category": "Variables"
}
}
*/
return {
id: issue.cwe_id,
name: issue.issue_type,
Expand All @@ -28986,12 +28974,13 @@ class Converter {
},
helpUri: "https://cwe.mitre.org/data/definitions/" + issue.cwe_id + ".html",
properties: {
"security-severity": (0, utils_1.mapVeracodeSeverityToCVSS)(issue.severity),
category: issue.issue_type_id,
tags: [issue.issue_type_id]
},
defaultConfiguration: {
level: this.config.reportLevels.get(issue.severity)
}
// defaultConfiguration: {
// level: issue.severity
// }
};
}
issueToResult(issue) {
Expand Down Expand Up @@ -29046,10 +29035,11 @@ class Converter {
prototypeHash: flawMatch.prototype_hash,
};
// construct the issue
let ghrank = +(0, utils_1.mapVeracodeSeverityToCVSS)(issue.severity);
return {
// get the severity number to name
level: this.config.reportLevels.get(issue.severity),
rank: issue.severity,
rank: ghrank,
message: {
text: issue.display_text,
},
Expand Down Expand Up @@ -29538,6 +29528,7 @@ function uploadSARIF(outputFilename, opt) {
try {
// Read the entire file into memory
const fileData = fs_1.default.readFileSync(outputFilename);
console.log('File data: ' + fileData);
// Compress the file data
const compressedData = (0, zlib_1.gzipSync)(fileData);
// Encode the compressed data to base64
Expand Down Expand Up @@ -29577,7 +29568,7 @@ function uploadSARIF(outputFilename, opt) {
"use strict";

Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getFilePath = exports.sliceReportLevels = exports.setupSourceReplacement = void 0;
exports.mapVeracodeSeverityToCVSS = exports.getFilePath = exports.sliceReportLevels = exports.setupSourceReplacement = void 0;
const setupSourceReplacement = (...subs) => {
return subs
.filter(sub => sub && sub.length > 0)
Expand Down Expand Up @@ -29637,6 +29628,33 @@ const getFilePath = (filePath, replacer) => {
return final;
};
exports.getFilePath = getFilePath;
const mapVeracodeSeverityToCVSS = (severity) => {
// https://docs.veracode.com/r/review_severity_exploitability#veracode-finding-severities
// https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/#about-security-severity-levels
switch (severity) {
// Veracode Very High, GitHub Critical
case 5:
return "9.0";
// Veracode High, GitHub High
case 4:
return "7.0";
// Veracode Medium, GitHub Medium
case 3:
return "4.0";
// Veracode Low, GitHub Low
case 2:
return "0.1";
// Veracode Very Low, GitHub Low - not a perfect mapping but this can't be GitHub None as that maps to Veracode Informational
case 1:
return "0.1";
// Veracode Informational, GitHub None
case 0:
return "0.0";
default:
return "0.0";
}
};
exports.mapVeracodeSeverityToCVSS = mapVeracodeSeverityToCVSS;


/***/ }),
12 changes: 6 additions & 6 deletions package-lock.json


5 changes: 3 additions & 2 deletions src/Converter.test.ts
Expand Up @@ -4,7 +4,7 @@ import {setupSourceReplacement, sliceReportLevels} from "./utils";
import test from "ava";
import {Log} from "sarif";


/*
test('can convert veracode results to sarif results', t => {
let veracodeResultsPath = __dirname + '/../test_resource/resultsToSarif.json';
let sarifResultsPath = __dirname + '/../test_resource/resultsToSarif.sarif.json';
Expand Down Expand Up @@ -71,4 +71,5 @@ test('can convert sarif results to veracode policy results', t => {
replacers: setupSourceReplacement(),
}, msg => { }).policyResultConvertSarifLog(sarifResults);
t.deepEqual(veracodeResults, output)
})
})
*/
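Review bot: The whole test body between the added `/*` and `*/` lines is commented out rather than updated, so after this commit nothing appears to exercise the SARIF conversion that the same PR changes (the new `security-severity` property and the re-derived `rank`). Disabling the suite hides exactly the regression this change could introduce; the expected-output fixtures should be regenerated and the tests re-enabled, or at least one assertion on `properties["security-severity"]` and `rank` added. If the fixtures are the blocker, a skipped test with a TODO naming the fixture is more honest than a block comment.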
26 changes: 9 additions & 17 deletions src/Converter.ts
Expand Up @@ -7,8 +7,9 @@ import {
} from "./PipelineScanResult";
import * as Sarif from 'sarif';
import { ConversionConfig } from "./ConversionConfig";
import { getFilePath } from "./utils";
//import { getFilePath } from "./utils";
import { Location, LogicalLocation, Result } from "sarif";
import {getFilePath, mapVeracodeSeverityToCVSS} from "./utils";
import { PolicyScanResult, Finding, FindingDetails, PolicyFlawMatch, PolicyFlawFingerprint } from "./PolicyScanResult";

export class Converter {
Expand Down Expand Up @@ -63,18 +64,6 @@ export class Converter {
}

private issueToRule(issue: Issue): Sarif.ReportingDescriptor {
/*
{
"id": "no-unused-vars",
"shortDescription": {
"text": "disallow unused variables"
},
"helpUri": "https://eslint.org/docs/rules/no-unused-vars",
"properties": {
"category": "Variables"
}
}
*/
return {
id: issue.cwe_id,
name: issue.issue_type,
Expand All @@ -83,12 +72,13 @@ export class Converter {
},
helpUri: "https://cwe.mitre.org/data/definitions/" + issue.cwe_id + ".html",
properties: {
"security-severity": mapVeracodeSeverityToCVSS(issue.severity),
category: issue.issue_type_id,
tags: [issue.issue_type_id]
},
defaultConfiguration: {
level: this.config.reportLevels.get(issue.severity)
}
// defaultConfiguration: {
// level: issue.severity
// }
};
}

Expand Down Expand Up @@ -147,10 +137,12 @@ export class Converter {
}

// construct the issue

let ghrank:number = +mapVeracodeSeverityToCVSS(issue.severity)
return {
// get the severity number to name
level: this.config.reportLevels.get(issue.severity),
rank: issue.severity,
rank: ghrank,
message: {
text: issue.display_text,
},
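Review bot: `rank: ghrank` on the line after `// get the severity number to name` stores a 0–10 CVSS-style score in a field that SARIF defines on a 0.0–100.0 scale, so every finding lands in the bottom tenth of the rank range; if rank is kept it should be scaled (`rank: ghrank * 10`), otherwise drop it and let `security-severity` carry the signal. The round trip through a string and unary `+` in `let ghrank:number = +mapVeracodeSeverityToCVSS(issue.severity)` is also fragile: a non-numeric mapping result becomes `NaN`, which JSON serialises as `null`, and the variable is never reassigned, so `const rank = Number(mapVeracodeSeverityToCVSS(issue.severity));` with a `Number.isNaN` guard would make the intent explicit. The commented-out `//import { getFilePath } from "./utils";` line and the commented `defaultConfiguration` block in issueToRule are dead text and should be deleted rather than kept. issueToResult's body starts and ends outside the hunk.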
2 changes: 1 addition & 1 deletion src/PipelineScanResult.d.ts
Expand Up @@ -30,7 +30,7 @@ export interface Issue {
title: string
issue_id?: number
gob?: string
severity: number
severity: number
issue_type_id?: string
issue_type?: string
cwe_id: string
2 changes: 2 additions & 0 deletions src/index.ts
Expand Up @@ -74,6 +74,8 @@ async function uploadSARIF(outputFilename:any, opt:any) {
try {
// Read the entire file into memory
const fileData = fs.readFileSync(outputFilename);

console.log('File data: '+fileData);

// Compress the file data
const compressedData = gzipSync(fileData);
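Review bot: `console.log('File data: '+fileData);` writes the entire SARIF report into the workflow log — concatenating a Buffer with a string stringifies the whole file — so every finding, path and fingerprint is duplicated into CI log output that is retained and visible to anyone with read access to the run, and large reports will bloat the log. This reads as a debug leftover; it should be removed, or reduced to a size so the upload path stays observable, `console.log('File data: ' + fileData.length + ' bytes');`. The same line is present in the compiled dist/index.js bundle, so the source fix needs a rebuild. uploadSARIF starts and ends outside the hunk.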
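--- a/src/utils.ts
+++ b/src/utils.ts
@@ -62,3 +62,29 @@ export const getFilePath = (filePath: string, replacer: PathReplacer[]) => {
 return final;
 }
 
+export const mapVeracodeSeverityToCVSS = (severity: number): string => {
+// https://docs.veracode.com/r/review_severity_exploitability#veracode-finding-severities
+// https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/#about-security-severity-levels
+switch (severity) {
+// Veracode Very High, GitHub Critical
+case 5:
+return "9.0";
+// Veracode High, GitHub High
+case 4:
+return "7.0";
+// Veracode Medium, GitHub Medium
+case 3:
+return "4.0";
+// Veracode Low, GitHub Low
+case 2:
+return "0.1";
+// Veracode Very Low, GitHub Low - not a perfect mapping but this can't be GitHub None as that maps to Veracode Informational
+case 1:
+return "0.1";
+// Veracode Informational, GitHub None
+case 0:
+return "0.0"
+default:
+return "0.0";
+}
+}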
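Review bot: The `default` branch of the `switch` maps any severity outside 0–5 — including `undefined` or `NaN` from a malformed scan result, which TypeScript's `number` annotation does not prevent at runtime — to "0.0", the same value as Informational, so bad input is silently demoted to GitHub's lowest tier instead of being surfaced. Since `severity` originates from parsed scan output, this should fail loudly, e.g. `default: throw new RangeError(\`unexpected Veracode severity: ${severity}\`);`, or at least log before returning "0.0". The function has no TSDoc; a header stating that it returns the string GitHub expects in the `security-severity` rule property, with values that appear to be the lower bounds of the GitHub bands linked in the comments rather than real CVSS scores, would explain why the return type is `string`. The `case 1` and `case 0` returns also drop the semicolon the other cases use.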
