Augment Severities produced by SAST analyzers to ensure coverage
As raised with https://gitlab.com/gitlab-org/gitlab/-/issues/6730 we should look into the Severities mapped by our ~"Category:SAST" analyzers and re-evaluate our mappings to better normalize our results.

## Actions

1. Audit severities as produced by analyzers
   - [x] [`brakeman`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_415218268) (https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/merge_requests/49)
   - [x] [`eslint`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_420666214) (https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/merge_requests/68)
   - [x] [`flawfinder`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_399075558) (https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/merge_requests/32)
   - [x] [`nodejs-scan`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_399586607) (https://gitlab.com/gitlab-org/gitlab/-/issues/220847)
   - [x] [`security-code-scan`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_401915784) (https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/merge_requests/104)
   - [ ] [`sobelow`](https://gitlab.com/groups/gitlab-org/-/epics/4004#note_420669449)
1. Add missing severities for those analyzers that do not map one (currently defaulting to `Unknown`)
1. Reconsider severity mapping to normalize; i.e. evaluate against CVSS
epic