Feat: Reclassify Confidence level as Severity
What does this MR do?
We previously reported the flawfinder level as `confidence`; however, according to the docs this is a "risk level" and would be better classified as `severity`.
Quoting from the docs:
Flawfinder will produce a list of ‘hits’ (potential security flaws, also called findings), sorted by risk; the riskiest hits are shown first. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts, and in those contexts the hit will have a lower risk level.
IMO this was incorrectly classified as `confidence` previously and we should be reporting this as `severity`. We also no longer display `confidence`, so this is additionally more useful to our users.
NOTE: While we do not need to rename the CI variable, we should likely update our docs with a better description. This can be done as a follow-up to this work.
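To make the reclassification concrete, here is an added illustration (not the analyzer's own code) that pulls the bracketed 0-5 risk level out of a flawfinder text-output line and carries it as severity. The line format is assumed from flawfinder's default plain-text output, and the risk-to-severity thresholds are an assumption for illustration only.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Hit is one flawfinder finding with its risk level carried as severity.
type Hit struct {
	File     string
	Line     int
	Risk     int    // flawfinder risk level: 0 (very little risk) to 5 (great risk)
	Severity string // report severity derived from Risk
}

// hitRe matches flawfinder's default text output, assumed to look like
// "src/main.c:12:  [4] (buffer) strcpy: ..."; the bracketed number is the risk level.
var hitRe = regexp.MustCompile(`^(.+?):(\d+):\s+\[([0-5])\]\s+\(\w+\)\s+.*$`)

// severityFor maps the 0-5 risk level to a severity label; the thresholds are an
// assumption for illustration, not the analyzer's real table.
func severityFor(risk int) string {
	switch {
	case risk >= 4:
		return "High"
	case risk >= 2:
		return "Medium"
	case risk == 1:
		return "Low"
	}
	return "Info"
}

// ParseHit parses one output line; ok is false for non-hit lines such as "Examining src/main.c".
func ParseHit(line string) (h Hit, ok bool) {
	m := hitRe.FindStringSubmatch(line)
	if m == nil {
		return Hit{}, false
	}
	h.File = m[1]
	h.Line, _ = strconv.Atoi(m[2])
	h.Risk, _ = strconv.Atoi(m[3]) // the regexp guarantees a single digit 0-5
	h.Severity = severityFor(h.Risk)
	return h, true
}

func main() {
	h, ok := ParseHit("src/main.c:12:  [4] (buffer) strcpy: Does not check for buffer overflows.") // constructed sample
	fmt.Println(ok, h)
}
```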
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- [-] Documentation created/updated for this project, if necessary
- [-] Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- [-] Job definition updated, if necessary
  - [-] Auto-DevOps template
  - [-] Job definition example
  - [-] CI Templates
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer