Add metadata severity to all rules
What does this MR do?
In !371 (merged) security-severity was added to all of the NodeJS Scan rules. This MR adds security-severity to the rest of the rules.
The security-severity value was calculated by taking each rule's current severity and mapping it to security-severity using:

severity_map = {
  'ERROR'   => 'CRITICAL',
  'WARNING' => 'MEDIUM',
  'INFO'    => 'INFO',
}
This change should not impact our analyzers at all, as the mapping is the same as that defined in https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/d93ddec3f8167f989e05fdbf82769afe9a7ec8b1/sarif.go#L264.
This is demonstrated in gitlab-org/security-products/analyzers/semgrep!373 (closed), which shows that the change to sast-rules does not affect the reported severity in the expected JSON.
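As an added illustration, and not code from the sast-rules project or this MR, the following Ruby script applies that same severity_map to a Semgrep rule file, writing metadata.security-severity for every rule that lacks one and refusing unknown severities; the sample rules are constructed.

```ruby
# Added example (not the sast-rules project's own tooling): derive a
# `security-severity` metadata value for every rule in a Semgrep rule file
# from the rule's existing `severity`, using the mapping from this MR.
require 'yaml'

SEVERITY_MAP = {
  'ERROR'   => 'CRITICAL',
  'WARNING' => 'MEDIUM',
  'INFO'    => 'INFO',
}.freeze

# Map a Semgrep severity to security-severity; unknown values raise so a
# typo in a rule fails loudly instead of silently leaving metadata unset.
def security_severity_for(severity)
  SEVERITY_MAP.fetch(severity.to_s.upcase) do
    raise ArgumentError, "unknown Semgrep severity: #{severity.inspect}"
  end
end

# Given a parsed rule file (Hash with a 'rules' array), return a copy in
# which each rule's metadata carries 'security-severity'. An existing value
# is kept unless overwrite: true, so hand-tuned ratings survive re-runs.
def add_security_severity(doc, overwrite: false)
  updated = doc.fetch('rules').map do |rule|
    meta = (rule['metadata'] || {}).dup
    if overwrite || !meta.key?('security-severity')
      meta['security-severity'] = security_severity_for(rule.fetch('severity'))
    end
    rule.merge('metadata' => meta)
  end
  doc.merge('rules' => updated)
end

# Constructed sample rule file; these are not real sast-rules rules.
SAMPLE_RULES = <<~YAML
  rules:
    - id: example-hardcoded-secret
      severity: ERROR
      pattern: password = "..."
      metadata:
        category: security
    - id: example-weak-hash
      severity: WARNING
      pattern: hashlib.md5(...)
YAML

# Usage: stamp the sample file and print the result as YAML.
puts add_security_severity(YAML.safe_load(SAMPLE_RULES)).to_yaml
```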
What are the relevant issue numbers?
gitlab-org/gitlab#398574 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith