Merge pull request #79 from felickz/main

Improve CodeScanning top 10 report to use better severities
theztefan · Jan 20, 2025 · e1771fd · e1771fd
2 parents dd2979b + c2a1852
commit e1771fd
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 45 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -64470,34 +64470,38 @@ const FilterBetweenDates = (stringDate, minDate, maxDate) => {
     const date = Date.parse(stringDate);
     return date >= minDate.getTime() && date < maxDate.getTime();
 };
+function getAlertSeverity(alert) {
+    if (isDependancyAlert(alert)) {
+        return alert.security_advisory.severity.toLowerCase();
+    }
+    else if (isCodeScanningAlert(alert)) {
+        const codeScanningAlert = alert;
+        return codeScanningAlert.rule?.security_severity_level
+            ? codeScanningAlert.rule?.security_severity_level.toLowerCase()
+            : codeScanningAlert.rule?.severity.toLowerCase() || "none";
+    }
+    return "none";
+}
 function compareAlertSeverity(a, b) {
-    //critical, high, medium, low, warning, note, error
     const weight = {
         critical: 7,
         high: 6,
-        medium: 5,
-        low: 4,
+        error: 5,
+        medium: 4,
         warning: 3,
-        note: 2,
-        error: 1,
+        low: 2,
+        note: 1,
         none: 0,
     };
-    let comparison = 0;
-    let severity1 = "none";
-    let severity2 = "none";
-    severity1 = isDependancyAlert(a)
-        ? a.security_advisory.severity.toLowerCase()
-        : a.rule?.severity.toLowerCase();
-    severity2 = isDependancyAlert(b)
-        ? b.security_advisory.severity.toLowerCase()
-        : b.rule?.severity.toLowerCase();
-    if (weight[severity1] < weight[severity2]) {
-        comparison = 1;
+    const severity1 = getAlertSeverity(a);
+    const severity2 = getAlertSeverity(b);
+    if (weight[severity1] > weight[severity2]) {
+        return -1;
     }
-    else if (weight[severity1] > weight[severity2]) {
-        comparison = -1;
+    else if (weight[severity1] < weight[severity2]) {
+        return 1;
     }
-    return comparison;
+    return 0;
 }
 function isDependancyAlert(alert) {
     return "security_advisory" in alert;
@@ -64699,6 +64703,7 @@ class CodeScanning extends Printable {
     attributes = [
         "Vulnerability",
         "Severity",
+        "Weakness",
         "Tool",
         "Vulnerable file",
         "Link",
@@ -64711,12 +64716,29 @@ class CodeScanning extends Printable {
         this.metrics = AlertsMetrics(alerts, frequency, "fixed_at", "fixed", true, "commitDate", "created_at");
         return this.metrics;
     }
+    //Extracts CWE-### from CodeScanningAlert.rule.tags[] from any format like  "external/cwe/cwe-247" or "CWE-352: Cross-Site Request Forgery (CSRF)"
+    cweFromTags(rule) {
+        const cwe = rule.rule?.tags
+            .map((tag) => {
+            const cwe = tag.match(/cwe-(\d+)/i);
+            if (cwe) {
+                return `CWE-${cwe[1]}`;
+            }
+            return "";
+        })
+            .filter((cwe) => cwe !== "")
+            .join(", ");
+        return cwe;
+    }
     summaryTop10() {
         return this.metrics.top10.map((a) => [
             a.rule?.name || "",
-            a.rule?.severity || "",
+            a.rule?.security_severity_level || a.rule?.severity || "",
+            this.cweFromTags(a),
             a.tool?.name || "",
-            a.most_recent_instance?.location.path || "",
+            a.most_recent_instance?.location?.path
+                ? `${a.most_recent_instance.location.path}#L${a.most_recent_instance.location.start_line}`
+                : "",
             a.html_url,
         ]);
     }

diff --git a/src/context/CodeScanning.ts b/src/context/CodeScanning.ts
@@ -16,6 +16,7 @@ export class CodeScanning extends Printable implements Feature {
   attributes: string[] = [
     "Vulnerability",
     "Severity",
+    "Weakness",
     "Tool",
     "Vulnerable file",
     "Link",
@@ -46,12 +47,30 @@ export class CodeScanning extends Printable implements Feature {
     return this.metrics;
   }
 
+  //Extracts CWE-### from CodeScanningAlert.rule.tags[] from any format like  "external/cwe/cwe-247" or "CWE-352: Cross-Site Request Forgery (CSRF)"
+  cweFromTags(rule: CodeScanningAlert): string {
+    const cwe = rule.rule?.tags
+      .map((tag) => {
+        const cwe = tag.match(/cwe-(\d+)/i);
+        if (cwe) {
+          return `CWE-${cwe[1]}`;
+        }
+        return "";
+      })
+      .filter((cwe) => cwe !== "")
+      .join(", ");
+    return cwe;
+  }
+
   summaryTop10(): string[][] {
     return this.metrics.top10.map((a: CodeScanningAlert) => [
       a.rule?.name || "",
-      a.rule?.severity || "",
+      a.rule?.security_severity_level || a.rule?.severity || "",
+      this.cweFromTags(a),
       a.tool?.name || "",
-      a.most_recent_instance?.location.path || "",
+      a.most_recent_instance?.location?.path
+        ? `${a.most_recent_instance.location.path}#L${a.most_recent_instance.location.start_line}`
+        : "",
       a.html_url,
     ]);
   }

diff --git a/src/types/common/main.d.ts b/src/types/common/main.d.ts
@@ -187,6 +187,7 @@ export interface Rule {
   description: string;
   name: string;
   tags: string[];
+  security_severity_level: string;
 }
 
 export interface Tool {

diff --git a/src/utils/AlertMetrics.ts b/src/utils/AlertMetrics.ts
@@ -156,36 +156,39 @@ const FilterBetweenDates = (
   return date >= minDate.getTime() && date < maxDate.getTime();
 };
 
+function getAlertSeverity(alert: Alert): string {
+  if (isDependancyAlert(alert)) {
+    return alert.security_advisory.severity.toLowerCase();
+  } else if (isCodeScanningAlert(alert)) {
+    const codeScanningAlert = alert as CodeScanningAlert;
+    return codeScanningAlert.rule?.security_severity_level
+      ? codeScanningAlert.rule?.security_severity_level.toLowerCase()
+      : codeScanningAlert.rule?.severity.toLowerCase() || "none";
+  }
+  return "none";
+}
+
 function compareAlertSeverity(a: Alert, b: Alert) {
-  //critical, high, medium, low, warning, note, error
   const weight: { [key: string]: number } = {
     critical: 7,
     high: 6,
-    medium: 5,
-    low: 4,
+    error: 5,
+    medium: 4,
     warning: 3,
-    note: 2,
-    error: 1,
+    low: 2,
+    note: 1,
     none: 0,
   };
-  let comparison = 0;
-  let severity1 = "none";
-  let severity2 = "none";
-
-  severity1 = isDependancyAlert(a)
-    ? a.security_advisory.severity.toLowerCase()
-    : (a as CodeScanningAlert).rule?.severity.toLowerCase();
-  severity2 = isDependancyAlert(b)
-    ? b.security_advisory.severity.toLowerCase()
-    : (b as CodeScanningAlert).rule?.severity.toLowerCase();
-
-  if (weight[severity1] < weight[severity2]) {
-    comparison = 1;
-  } else if (weight[severity1] > weight[severity2]) {
-    comparison = -1;
-  }
 
-  return comparison;
+  const severity1 = getAlertSeverity(a);
+  const severity2 = getAlertSeverity(b);
+
+  if (weight[severity1] > weight[severity2]) {
+    return -1;
+  } else if (weight[severity1] < weight[severity2]) {
+    return 1;
+  }
+  return 0;
 }
 
 export function isDependancyAlert(alert: Alert): alert is DependancyAlert {