
Resulting report does not have severity level if rule's defaultConfiguration is missing

Open kolomied opened this issue 3 years ago • 0 comments

defaultConfiguration is optional according to the spec. Some security tools generate the reports without this property - tfsec example:

{
  "id": "aws-cloudwatch-log-group-customer-key",
  "shortDescription": {
    "text": "CloudWatch log groups should be encrypted using CMK"
  },
  "helpUri": "https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/cloudwatch/log-group-customer-key/"
}

The spec says that if defaultConfiguration "is absent, it SHALL be taken to be present, and its properties SHALL be taken to have the default values specified".

For the level property the default is:

If level is absent, it SHALL default to "warning".

There are a few places with code similar to the following line that result in an invalid (empty) severity value and results being omitted from the final report:

https://github.com/security-alert/security-alert/blob/2101df6ab56c2f30a22f842b4b8efc7c42fba024/packages/sarif-to-markdown/src/sarif-to-markdown.ts#L204

kolomied, Aug 05 '22 13:08
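The defaulting rules quoted in the issue, worked through in code. This is an added example, not code from the sarif-to-markdown project, and it is not the fix that the linked line needs; it shows how a converter should resolve a result's effective level when the rule carries no `defaultConfiguration`. The `Run`, `Result` and `ReportingDescriptor` types are minimal hypothetical subsets of the SARIF 2.1.0 object model, and `sampleRun` is a constructed log that mirrors the tfsec rule quoted above.

```typescript
// Added example (not the sarif-to-markdown project's own code): resolve the
// effective severity of a SARIF result whose rule omits defaultConfiguration.

type Level = "none" | "note" | "warning" | "error";
type Kind = "notApplicable" | "pass" | "fail" | "review" | "open" | "informational";

// Hypothetical minimal subsets of the SARIF 2.1.0 objects (assumption).
interface ReportingDescriptor {
  id: string;
  shortDescription?: { text: string };
  helpUri?: string;
  defaultConfiguration?: { level?: Level; enabled?: boolean };
}

interface Result {
  ruleId?: string;
  ruleIndex?: number;
  level?: Level;
  kind?: Kind;
  message: { text: string };
}

interface Run {
  tool: { driver: { name: string; rules?: ReportingDescriptor[] } };
  results?: Result[];
}

// A missing defaultConfiguration is treated as present with default values,
// and a missing level defaults to "warning" (the two spec clauses quoted in
// the issue). An unknown rule therefore also resolves to "warning".
function ruleLevel(rule: ReportingDescriptor | undefined): Level {
  return rule?.defaultConfiguration?.level ?? "warning";
}

// Look the rule up by ruleIndex first (the cheaper, unambiguous reference),
// then fall back to matching ruleId against the driver's rules.
function findRule(run: Run, result: Result): ReportingDescriptor | undefined {
  const rules = run.tool.driver.rules ?? [];
  if (result.ruleIndex !== undefined && rules[result.ruleIndex] !== undefined) {
    return rules[result.ruleIndex];
  }
  return rules.find((r) => r.id === result.ruleId);
}

// Effective level of one result:
//  1. an explicit result.level wins;
//  2. a result whose kind is not "fail" carries no severity ("none");
//  3. otherwise inherit the rule's (defaulted) level.
function resultLevel(run: Run, result: Result): Level {
  if (result.level !== undefined) return result.level;
  if (result.kind !== undefined && result.kind !== "fail") return "none";
  return ruleLevel(findRule(run, result));
}

function levelsFor(run: Run): Level[] {
  return (run.results ?? []).map((r) => resultLevel(run, r));
}

// Constructed sample: the tfsec rule from the issue (no defaultConfiguration)
// plus a second rule that does declare a level.
const sampleRun: Run = {
  tool: {
    driver: {
      name: "tfsec",
      rules: [
        {
          id: "aws-cloudwatch-log-group-customer-key",
          shortDescription: { text: "CloudWatch log groups should be encrypted using CMK" },
          helpUri: "https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/cloudwatch/log-group-customer-key/",
        },
        {
          id: "example-rule-with-level", // hypothetical rule id
          defaultConfiguration: { level: "error" },
        },
      ],
    },
  },
  results: [
    // No level on the result, no defaultConfiguration on the rule -> "warning".
    { ruleId: "aws-cloudwatch-log-group-customer-key", ruleIndex: 0, message: { text: "log group not encrypted with CMK" } },
    // Rule declares error; result inherits it.
    { ruleId: "example-rule-with-level", ruleIndex: 1, message: { text: "declared-level finding" } },
    // Explicit result level overrides the rule's default.
    { ruleId: "example-rule-with-level", ruleIndex: 1, level: "note", message: { text: "downgraded finding" } },
    // A passing result has no severity regardless of its rule.
    { ruleId: "aws-cloudwatch-log-group-customer-key", ruleIndex: 0, kind: "pass", message: { text: "compliant" } },
  ],
};

console.log(levelsFor(sampleRun)); // [ 'warning', 'error', 'note', 'none' ]
```

The point for a converter is the order of fallbacks: never read `rule.defaultConfiguration.level` directly and treat `undefined` as a severity; resolve it through a helper like `ruleLevel` so that a tfsec-style rule still lands in the "warning" bucket rather than being dropped.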