Review and update all GitLab-maintained SAST rule severity levels (used in the Semgrep-based analyzer)
Problem
Previously, our Semgrep-based analyzer could not express fine-grained severity levels. It could only use Info, Medium, and Critical, because of limitations in the conversion from SARIF to the GitLab SAST report format.
Now that the "Add security-severity field" change has been merged, we can apply more accurate severity levels.
Implementation Plan
Do a single pass over all rules in sast-rules that sets severity levels using our Vulnerability severity levels.
By doing it in a single pass, we can ensure vulnerability classes have the same severity level, regardless of language.
Severity Level Determination
We may want to merge in a suggested change to our documentation that clarifies what each severity value means.
Namely, we would follow the CVSS v3.1 score ranges:
- Unknown: 0.0
- Low: 1.0-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Of course, a static rule has no knowledge of the deployment context, so some CVSS metric values will need to be hardcoded (e.g. always assume the attacker is authenticated).
Risks/Concerns
We do not have a confidence level, so we need to decide whether to assume that every finding is a True Positive and /not/ factor the likelihood of a false positive into the score of a particular bug (e.g. a rule that is prone to false positives, but whose finding is a critical issue when it is real, should still be graded Critical).
Discussion topics (last updated by the Discoto summary job):
- Status quo for severity assignment (#403591, comment 1337333533)
- Severity methodology (#403591, comment 1337334647)
- Rollout strategy (#403591, comment 1337343846)
- Confidence level (#403591, comment 1337346033)