
fix: critical level is considered error in sarif #2492

Merged: 1 commit merged into master from fix/critical-level-sarif on Jan 5, 2022

Conversation

teodora-sandu
Contributor

@teodora-sandu teodora-sandu commented Dec 21, 2021

What does this PR do?

This PR makes sure that critical security issues are treated as errors in SARIF for code scanning alerts. At the moment they would be treated as warnings, which is not correct as critical is the highest severity.

How should this be manually tested?

Snyk IaC only supports critical severity via custom rules.

  1. Download bundle.tar.gz
  2. Clone https://github.com/snyk/custom-rules-example.
  3. Run npm run build in snyk/snyk
  4. Run snyk-dev iac test ./rules/CUSTOM-RULE-1/fixtures/denied.tf --rules=bundle.tar.gz in snyk/custom-rules-example to see Critical issue CUSTOM-RULE-1
  5. Run snyk-dev iac test ./rules/CUSTOM-RULE-1/fixtures/denied.tf --rules=bundle.tar.gz --sarif in snyk/custom-rules-example to see that it's an error

Any background context you want to provide?

This is a byproduct of Snyk IaC investigating our existing SARIF output in https://snyksec.atlassian.net/browse/CFG-1278 and reading the documentation at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#supported-sarif-output-file-properties to find out if anything is missing.

Screenshots

[Screenshot 2021-12-21 at 14:39:02]

[Screenshot 2021-12-21 at 14:38:19]
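The severity-to-level mapping this PR corrects, and the check behind step 5 of the manual test, as an added TypeScript example that is not code from the snyk/snyk project. It assumes the pre-fix formatter promoted only high severity to a SARIF error and let everything else, critical included, fall through to warning; the function names, the IacIssue shape and the sample findings (built around the CUSTOM-RULE-1 fixture named in the test steps) are constructed for illustration.

```typescript
// Added example (not code from the snyk/snyk project): the severity -> SARIF
// result.level mapping before and after the fix this PR describes, plus a
// check a reviewer could run over a SARIF log to confirm that critical
// findings surface as errors. Function names, the IacIssue shape and the
// exact pre-fix mapping are assumptions for illustration.

type SnykSeverity = 'low' | 'medium' | 'high' | 'critical';
// The four result.level values defined by SARIF 2.1.0.
type SarifLevel = 'none' | 'note' | 'warning' | 'error';

// Assumed pre-fix behaviour: only 'high' is promoted to 'error'; everything
// else, including 'critical', falls through to 'warning'.
export function severityToSarifLevelBefore(severity: SnykSeverity): SarifLevel {
  return severity === 'high' ? 'error' : 'warning';
}

// Post-fix behaviour: 'critical' is the highest severity, so it is an error
// alongside 'high'. Lower severities stay warnings (assumption).
export function severityToSarifLevel(severity: SnykSeverity): SarifLevel {
  if (severity === 'critical' || severity === 'high') {
    return 'error';
  }
  return 'warning';
}

// Minimal shape of an IaC finding as a formatter would see it (assumed).
export interface IacIssue {
  ruleId: string;
  severity: SnykSeverity;
  file: string;
  line: number;
}

// Subset of a SARIF 2.1.0 result object sufficient for code scanning.
export interface SarifResult {
  ruleId: string;
  level: SarifLevel;
  message: { text: string };
  locations: Array<{
    physicalLocation: {
      artifactLocation: { uri: string };
      region: { startLine: number };
    };
  }>;
}

// Builds one SARIF result; the mapping is injectable so both variants can
// be compared over the same findings.
export function toSarifResult(
  issue: IacIssue,
  levelFor: (s: SnykSeverity) => SarifLevel = severityToSarifLevel,
): SarifResult {
  return {
    ruleId: issue.ruleId,
    level: levelFor(issue.severity),
    message: { text: `${issue.severity} severity issue ${issue.ruleId}` },
    locations: [
      {
        physicalLocation: {
          artifactLocation: { uri: issue.file },
          region: { startLine: issue.line },
        },
      },
    ],
  };
}

// Returns the rule ids of critical issues whose SARIF result is not an
// error, i.e. the findings that code scanning would under-report.
export function misreportedCriticals(issues: IacIssue[], results: SarifResult[]): string[] {
  const levelByRule = new Map<string, SarifLevel>();
  for (const r of results) {
    levelByRule.set(r.ruleId, r.level);
  }
  return issues
    .filter((i) => i.severity === 'critical' && levelByRule.get(i.ruleId) !== 'error')
    .map((i) => i.ruleId);
}

// Constructed sample: the custom rule from the PR's manual test, plus one
// high and one medium finding, all in the same Terraform fixture.
export const SAMPLE_ISSUES: IacIssue[] = [
  { ruleId: 'CUSTOM-RULE-1', severity: 'critical', file: 'rules/CUSTOM-RULE-1/fixtures/denied.tf', line: 1 },
  { ruleId: 'SAMPLE-HIGH', severity: 'high', file: 'rules/CUSTOM-RULE-1/fixtures/denied.tf', line: 5 },
  { ruleId: 'SAMPLE-MEDIUM', severity: 'medium', file: 'rules/CUSTOM-RULE-1/fixtures/denied.tf', line: 9 },
];

// Runs the check with both mappings so the regression is visible side by side.
export function compareMappings(issues: IacIssue[] = SAMPLE_ISSUES) {
  const before = issues.map((i) => toSarifResult(i, severityToSarifLevelBefore));
  const after = issues.map((i) => toSarifResult(i));
  return {
    misreportedBefore: misreportedCriticals(issues, before),
    misreportedAfter: misreportedCriticals(issues, after),
  };
}

console.log(JSON.stringify(compareMappings(), null, 2));
```

With the assumed pre-fix mapping, `misreportedBefore` lists CUSTOM-RULE-1, which is exactly the symptom the PR describes: a critical finding reaching code scanning as a warning. After the fix the list is empty. The same `misreportedCriticals` check can be pointed at the `runs[0].results` array of a real `--sarif` output once the issues it was generated from are known.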

@teodora-sandu teodora-sandu requested review from a team as code owners December 21, 2021 14:38
@teodora-sandu teodora-sandu requested review from wbeuil, myarichuk, jk05, ekbsnyk and rontalx and removed request for wbeuil December 21, 2021 14:38
@github-actions
Contributor

github-actions bot commented Dec 21, 2021

Warnings ⚠️

Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones.
A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax.
Files found:

  • src/lib/formatters/iac-output.ts
  • src/lib/formatters/sarif-output.ts

Generated by 🚫 dangerJS against a034e57

@teodora-sandu teodora-sandu requested review from ofekatr and removed request for jk05, myarichuk and ekbsnyk December 31, 2021 09:28
@teodora-sandu teodora-sandu force-pushed the fix/critical-level-sarif branch from 6c0a2d8 to 2e762ec Compare December 31, 2021 09:32
@teodora-sandu teodora-sandu removed the request for review from rontalx December 31, 2021 09:32
src/lib/formatters/iac-output.ts: review thread (outdated, resolved)
src/lib/formatters/sarif-output.ts: review thread (outdated, resolved)
@teodora-sandu teodora-sandu force-pushed the fix/critical-level-sarif branch from 2e762ec to 2900e3e Compare December 31, 2021 14:05
@teodora-sandu teodora-sandu requested a review from a user December 31, 2021 14:48

@ghost ghost left a comment


Looks good! 🎉

@teodora-sandu teodora-sandu force-pushed the fix/critical-level-sarif branch 3 times, most recently from 530dbb7 to 093c166 Compare December 31, 2021 17:16
Contributor

@ofekatr ofekatr left a comment


LGTM 💯

Contributor

@anthogez anthogez left a comment


Nice work here @teodora-sandu 🎉
Could you please copy your GitHub's note into your commit's message body? Thanks!

Makes sure that critical security issues are treated as errors in SARIF for code scanning alerts.
At the moment they would be treated as warnings, which is not correct as critical is the highest severity.
@teodora-sandu teodora-sandu force-pushed the fix/critical-level-sarif branch from 093c166 to a034e57 Compare January 5, 2022 09:53
@teodora-sandu teodora-sandu merged commit eec58db into master Jan 5, 2022
3 participants