feat(#2439): populate CVSS scores in SARIF files #5014
Conversation
|
Hello, what is the status of this PR? We are using both Snyk and Trivy for scans in GIthub Actions and pushing them to Security Dashboard. The problem with Snyk is that is doesn't report security-severity. This means that all reports by Snyk get a warning or note severity instead of medium or low, which hides them in later pages of github advanced security. Example: Snyk and Trivy report the same vulnerability but Trivy reports it as Low severity and Snyk as Medium severity. In Github Security Dashboard, Trivy will get correct severity of Low, but Snyk gets a wrong severity of "warning" instead of "medium", and it is placed below the severity of Trivy, thus making us think the severity is Low or below. |
|
Hi @ipanagiotidis, apologies for the delay, I've been AFK for a few weeks due to a knee surgery and just returned today. I intend to address the comments in this PR, then move the code to a new branch to prepare for merge. Hang tight! 🙏 |
schottsfired
force-pushed
the
feat/security-severity
branch
4 times, most recently
from
61f6aec to
1dff3a8
Compare
Pull request was closed
schottsfired
force-pushed
the
feat/security-severity
branch
from
1dff3a8 to
8a2f0c7
Compare
schottsfired
force-pushed
the
feat/security-severity
branch
3 times, most recently
from
01bbcaf to
39cd4a3
Compare
schottsfired
force-pushed
the
feat/security-severity
branch
from
39cd4a3 to
13da263
Compare
|
Unfortunately this broke import of Sarif files to GitHub as it expects quoted string for security-severity as in doc https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object |
|
Darn! Sorry about that @pgrabowski - I overlooked "A string representing a score" 🤦♂️ Thanks so much @thisislawatts for the quick fix 🙏 |
Addresses #2439.
Adds
security-severityto open source and container SARIF output.