diff --git a/audit_test.go b/audit_test.go index d3e6e7f3..53916424 100644 --- a/audit_test.go +++ b/audit_test.go @@ -332,15 +332,15 @@ func TestXrayAuditMultiProjects(t *testing.T) { assert.NoError(t, biutils.CopyDir(multiProject, tempDirPath, true, nil)) prevWd := securityTestUtils.ChangeWD(t, tempDirPath) defer clientTests.ChangeDirAndAssert(t, prevWd) - workingDirsFlag := fmt.Sprintf("--working-dirs=%s, %s ,%s, %s", + workingDirsFlag := fmt.Sprintf("--working-dirs=%s, %s ,%s, %s, %s", filepath.Join(tempDirPath, "package-managers", "maven", "maven"), filepath.Join(tempDirPath, "package-managers", "nuget", "single4.0"), - filepath.Join(tempDirPath, "package-managers", "python", "pip", "pip-project"), filepath.Join(tempDirPath, "jas", "jas")) + filepath.Join(tempDirPath, "package-managers", "python", "pip", "pip-project"), filepath.Join(tempDirPath, "jas", "jas"), filepath.Join(tempDirPath, "package-managers", "go", "missing-context")) // Configure a new server named "default" securityTestUtils.CreateJfrogHomeConfig(t, true) defer securityTestUtils.CleanTestsHomeEnv() output := securityTests.PlatformCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(format.SimpleJson), workingDirsFlag) securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 35, 0) - securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 0, 25, 2) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 0, 24, 2, 1) } func TestXrayAuditPipJson(t *testing.T) { @@ -449,7 +449,7 @@ func TestXrayAuditNotEntitledForJas(t *testing.T) { // Verify that scan results are printed securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 8, 0) // Verify that JAS results are not printed - securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0, 0) } func getNoJasAuditMockCommand() components.Command { 
@@ -471,24 +471,24 @@ func getNoJasAuditMockCommand() components.Command { func TestXrayAuditJasSimpleJson(t *testing.T) { output := testXrayAuditJas(t, securityTests.PlatformCli, filepath.Join("jas", "jas"), "3") securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 8, 0) - securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 1, 1, 2) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 1, 1, 2, 0) } func TestXrayAuditJasSimpleJsonWithOneThread(t *testing.T) { output := testXrayAuditJas(t, securityTests.PlatformCli, filepath.Join("jas", "jas"), "1") securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 8, 0) - securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 1, 1, 2) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 1, 1, 2, 0) } func TestXrayAuditJasSimpleJsonWithConfig(t *testing.T) { output := testXrayAuditJas(t, securityTests.PlatformCli, filepath.Join("jas", "jas-config"), "3") - securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 1, 3, 1, 1, 2) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 1, 3, 1, 1, 2, 0) } func TestXrayAuditJasNoViolationsSimpleJson(t *testing.T) { output := testXrayAuditJas(t, securityTests.PlatformCli, filepath.Join("package-managers", "npm", "npm"), "3") securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 1, 0) - securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 1) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 1, 0) } func testXrayAuditJas(t *testing.T, testCli *coreTests.JfrogCli, project string, threads string) string { 
@@ -577,5 +577,5 @@ func TestAuditOnEmptyProject(t *testing.T) { chdirCallback := clientTests.ChangeDirWithCallback(t, baseWd, tempDirPath) defer chdirCallback() output := securityTests.PlatformCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(format.SimpleJson)) - securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0) + securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0, 0) } diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go index c4e60a3b..1a61320c 100644 --- a/jas/analyzermanager.go +++ b/jas/analyzermanager.go @@ -24,7 +24,7 @@ import ( const ( ApplicabilityFeatureId = "contextual_analysis" AnalyzerManagerZipName = "analyzerManager.zip" - defaultAnalyzerManagerVersion = "1.8.14" + defaultAnalyzerManagerVersion = "1.8.15" analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1" analyzerManagerDirName = "analyzerManager" analyzerManagerExecutableName = "analyzerManager" diff --git a/jas/applicability/applicabilitymanager_test.go b/jas/applicability/applicabilitymanager_test.go index ff2e838e..b0797b48 100644 --- a/jas/applicability/applicabilitymanager_test.go +++ b/jas/applicability/applicabilitymanager_test.go @@ -293,7 +293,7 @@ func TestParseResults_NewApplicabilityStatuses(t *testing.T) { name: "new applicability statuses", fileName: "new_ca_status.sarif", expectedResults: 5, - expectedApplicabilityStatuses: []string{"applicable", "undetermined", "not_covered", "not_applicable"}, + expectedApplicabilityStatuses: []string{"applicable", "undetermined", "not_covered", "missing_context", "not_applicable"}, }, } diff --git a/tests/testdata/other/applicability-scan/new_ca_status.sarif b/tests/testdata/other/applicability-scan/new_ca_status.sarif index 6ed60429..2b140bf1 100644 --- a/tests/testdata/other/applicability-scan/new_ca_status.sarif +++ b/tests/testdata/other/applicability-scan/new_ca_status.sarif 
@@ -41,6 +41,20 @@ "shortDescription": { "text": "Scanner for CVE-2020-1747" } + }, + { + "id": "applic_CVE-2020-1751", + "name": "CVE-2020-1751", + "properties": { + "applicability": "missing_context" + }, + "fullDescription": { + "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `yaml.full_load()`\n- `yaml.load()` only unsafe calls (without specifying `SafeLoader` as the `Loader`class).", + "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `yaml.full_load()`\n- `yaml.load()` only unsafe calls (without specifying `SafeLoader` as the `Loader`class)." + }, + "shortDescription": { + "text": "Scanner for CVE-2020-1751" + } }, { "id": "applic_CVE-2020-7788", diff --git a/tests/testdata/projects/package-managers/go/missing-context/go.mod b/tests/testdata/projects/package-managers/go/missing-context/go.mod new file mode 100644 index 00000000..c7378018 --- /dev/null +++ b/tests/testdata/projects/package-managers/go/missing-context/go.mod @@ -0,0 +1,7 @@ +module missing_context + +go 1.22 + +require github.com/hashicorp/consul v1.9.1 + + diff --git a/tests/testdata/projects/package-managers/go/missing-context/go.sum b/tests/testdata/projects/package-managers/go/missing-context/go.sum new file mode 100644 index 00000000..f6029ea1 --- /dev/null +++ b/tests/testdata/projects/package-managers/go/missing-context/go.sum @@ -0,0 +1 @@ +github.com/hashicorp/consul v1.9.1/go.mod h1:RQlaP4r7KdNLaPDuihkvghhdvZVOuVlUhlz7HtvC1UI= \ No newline at end of file diff --git a/tests/utils/test_validation.go b/tests/utils/test_validation.go index ece7b2c2..afd70be6 100644 --- a/tests/utils/test_validation.go +++ b/tests/utils/test_validation.go 
@@ -66,14 +66,14 @@ func VerifySimpleJsonScanResults(t *testing.T, content string, minViolations, mi
 }
 
 func VerifySimpleJsonJasResults(t *testing.T, content string, minSastViolations, minIacViolations, minSecrets,
- minApplicable, minUndetermined, minNotCovered, minNotApplicable int) {
+ minApplicable, minUndetermined, minNotCovered, minNotApplicable, minMissingContext int) {
 var results formats.SimpleJsonResults
 err := json.Unmarshal([]byte(content), &results)
 if assert.NoError(t, err) {
 assert.GreaterOrEqual(t, len(results.Sast), minSastViolations, "Found less sast then expected")
 assert.GreaterOrEqual(t, len(results.Secrets), minSecrets, "Found less secrets then expected")
 assert.GreaterOrEqual(t, len(results.Iacs), minIacViolations, "Found less IaC then expected")
- var applicableResults, undeterminedResults, notCoveredResults, notApplicableResults int
+ var applicableResults, undeterminedResults, notCoveredResults, notApplicableResults, missingContextResults int
 for _, vuln := range results.Vulnerabilities {
 switch vuln.Applicable {
 case string(jasutils.NotApplicable):
@@ -84,11 +84,14 @@ func VerifySimpleJsonJasResults(t *testing.T, content string, minSastViolations,
 notCoveredResults++
 case string(jasutils.ApplicabilityUndetermined):
 undeterminedResults++
+ case string(jasutils.MissingContext):
+ missingContextResults++
 }
 }
 assert.GreaterOrEqual(t, applicableResults, minApplicable, "Found less applicableResults then expected")
 assert.GreaterOrEqual(t, undeterminedResults, minUndetermined, "Found less undeterminedResults then expected")
 assert.GreaterOrEqual(t, notCoveredResults, minNotCovered, "Found less notCoveredResults then expected")
 assert.GreaterOrEqual(t, notApplicableResults, minNotApplicable, "Found less notApplicableResults then expected")
+ assert.GreaterOrEqual(t, missingContextResults, minMissingContext, "Found less missingContextResults then expected")
 }
 }
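Review bot: The new assertion message copies the slip in its four neighbours — `"Found less missingContextResults then expected"` should read `"Found less missingContextResults than expected"`, and since this line is the one being added it is the place to stop the pattern. The signature now takes nine positional ints, so a call site such as the one in audit_test.go at line 332 (`VerifySimpleJsonJasResults(t, output, 1, 9, 6, 3, 0, 24, 2, 1)`, with the same shape in the hunks at 449, 471 and 577) gives no hint which number is the not-covered minimum and which is missing-context, and the next status will shift them all again. An expectations struct with named fields, e.g. `type JasResultsMinimums struct{ Sast, Iac, Secrets, Applicable, Undetermined, NotCovered, NotApplicable, MissingContext int }`, passed as the single argument after `content`, would let each call site read as `MissingContext: 1` and leave unmentioned fields at zero.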
diff --git a/utils/jasutils/jasutils.go b/utils/jasutils/jasutils.go
index 36b46702..80659b61 100644
--- a/utils/jasutils/jasutils.go
+++ b/utils/jasutils/jasutils.go
@@ -30,6 +30,7 @@ const (
 NotApplicable ApplicabilityStatus = "Not Applicable"
 ApplicabilityUndetermined ApplicabilityStatus = "Undetermined"
 NotCovered ApplicabilityStatus = "Not Covered"
+ MissingContext ApplicabilityStatus = "Missing Context"
 NotScanned ApplicabilityStatus = ""
 )
 
@@ -63,6 +64,8 @@ func ConvertToApplicabilityStatus(status string) ApplicabilityStatus {
 return ApplicabilityUndetermined
 case NotCovered.String():
 return NotCovered
+ case MissingContext.String():
+ return MissingContext
 default:
 return NotScanned
 }
@@ -77,9 +80,10 @@ func ApplicabilityRuleIdToCve(sarifRuleId string) string {
 }
 
 var applicableMapToScore = map[string]int{
- "Applicable": 4,
- "ApplicabilityUndetermined": 3,
- "NotScanned": 2,
+ "Applicable": 5,
+ "ApplicabilityUndetermined": 4,
+ "NotScanned": 3,
+ "MissingContext": 2,
 "NotCovered": 1,
 "NotApplicable": 0,
 }
diff --git a/utils/resultstable.go b/utils/resultstable.go
index 08b2ef96..0e3599d4 100644
--- a/utils/resultstable.go
+++ b/utils/resultstable.go
@@ -1048,6 +1048,8 @@ func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.Ap
 return jasutils.NotApplicable
 case "applicable":
 return jasutils.Applicable
+ case "missing_context":
+ return jasutils.MissingContext
 }
 }
 return ""
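Review bot: The new `applicableMapToScore` entry is keyed by the Go identifier spelled as a string (`"MissingContext": 2`) rather than by the `ApplicabilityStatus` constant, whose value is `"Missing Context"`; whatever consults this map is outside the hunk, but any lookup that passes the status value instead of the identifier name, or misspells the name, gets the zero score with no error. If the consumer can take a typed key, a `map[ApplicabilityStatus]int` with `MissingContext: 2,` lets the compiler catch the mismatch; otherwise a comment on the map saying that keys are identifier names and stating what the score is used for would at least make the contract visible. Note also that the insertion ranks `MissingContext` (2) below `NotScanned` (3), whereas the precedence documented on `getFinalApplicabilityStatus` does not mention not-scanned at all, so it is worth confirming that this is the intended relative order. The SARIF literal `"missing_context"` now appears both in `getApplicabilityStatusFromRule` in resultstable.go and in the test fixtures; a named constant alongside the other applicability identifiers would keep the parser and fixtures in step.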
@@ -1056,6 +1058,7 @@ func getApplicabilityStatusFromRule(rule *sarif.ReportingDescriptor) jasutils.Ap
 // If we don't get any statues it means the applicability scanner didn't run -> final value is not scanned
 // If at least one cve is applicable -> final value is applicable
 // Else if at least one cve is undetermined -> final value is undetermined
+// Else if at least one cve is missing context -> final value is missing context
 // Else if all cves are not covered -> final value is not covered
 // Else (case when all cves aren't applicable) -> final value is not applicable
 func getFinalApplicabilityStatus(applicabilityStatuses []jasutils.ApplicabilityStatus) jasutils.ApplicabilityStatus {
@@ -1063,6 +1066,7 @@ func getFinalApplicabilityStatus(applicabilityStatuses []jasutils.ApplicabilityS
 return jasutils.NotScanned
 }
 foundUndetermined := false
+ foundMissingContext := false
 foundNotCovered := false
 for _, status := range applicabilityStatuses {
 if status == jasutils.Applicable {
@@ -1071,15 +1075,23 @@ func getFinalApplicabilityStatus(applicabilityStatuses []jasutils.ApplicabilityS
 if status == jasutils.ApplicabilityUndetermined {
 foundUndetermined = true
 }
+ if status == jasutils.MissingContext {
+ foundMissingContext = true
+ }
 if status == jasutils.NotCovered {
 foundNotCovered = true
 }
+
 }
 if foundUndetermined {
 return jasutils.ApplicabilityUndetermined
 }
+ if foundMissingContext {
+ return jasutils.MissingContext
+ }
 if foundNotCovered {
 return jasutils.NotCovered
 }
+
 return jasutils.NotApplicable
 }
diff --git a/utils/resultstable_test.go b/utils/resultstable_test.go
index cad2e0e3..ebeab1a0 100644
--- a/utils/resultstable_test.go
+++ b/utils/resultstable_test.go
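Review bot: Two of the added lines in the last hunk are bare blank lines — one immediately before the `for` loop's closing `}` and one before `return jasutils.NotApplicable` — and they read as accidental; gofmt keeps a single blank line in those positions, so nothing will flag them, and they should be dropped. The loop now compares the same `status` against four constants with independent `if` statements; a `switch status` with one case per constant makes the mutual exclusivity explicit and gives a single place to extend when the next status arrives (the `Applicable` branch's body lies between the hunks and is kept as is). The precedence applicable > undetermined > missing context > not covered > not applicable is now maintained here, in `applicableMapToScore` and in the `Severities` priorities; a sentence in the doc comment above pointing to those two would help keep them aligned. The function's start is in the hunk at line 1058 and its body continues between the hunks shown.
```go
	for _, status := range applicabilityStatuses {
		switch status {
		case jasutils.Applicable:
			// … unchanged: existing Applicable branch body (between hunks) …
		case jasutils.ApplicabilityUndetermined:
			foundUndetermined = true
		case jasutils.MissingContext:
			foundMissingContext = true
		case jasutils.NotCovered:
			foundNotCovered = true
		}
	}
	// … unchanged: ordered early returns and final NotApplicable …
```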
@@ -622,6 +622,18 @@ func TestGetApplicableCveValue(t *testing.T) { expectedResult: jasutils.Applicable, expectedCves: []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.Applicable.String()}}}, }, + { + name: "missing context cve", + scanResults: &ExtendedScanResults{ + ApplicabilityScanResults: []*sarif.Run{ + sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"missing_context"}), + }, + EntitledForJas: true, + }, + cves: []services.Cve{{Id: "testCve1"}}, + expectedResult: jasutils.MissingContext, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: jasutils.MissingContext.String()}}}, + }, { name: "undetermined cve", scanResults: &ExtendedScanResults{ 
@@ -685,13 +697,15 @@ func TestGetApplicableCveValue(t *testing.T) { sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"applicable"}), sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_applicable"}), sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve3"), []string{"applicability"}, []string{"not_covered"}), + sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve4"), []string{"applicability"}, []string{"missing_context"}), }, EntitledForJas: true}, - cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}}, + cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}, {Id: "testCve4"}}, expectedResult: jasutils.Applicable, expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: jasutils.Applicable.String()}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.NotApplicable.String()}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.NotCovered.String()}}, + {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.MissingContext.String()}}, }, }, { 
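Review bot: The added expected row reuses `Id: "testCve2"` although the CVE it describes is `testCve4` — the input list is now `testCve1` through `testCve4` and the only missing-context run is `applic_testCve4`. The existing NotCovered row just above it carries the same copy-paste id (`testCve2` where `testCve3` is meant), so either the comparison in the test body ignores `Id` and the mismatch is latent, or it checks `Id` and the case passes for some other reason; the loop that evaluates `testCases` is outside the hunk, so I cannot tell which. The new line should read `{Id: "testCve4", Applicability: &formats.Applicability{Status: jasutils.MissingContext.String()}},`, and the row above it corrected to `testCve3` in the same change.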
@@ -709,16 +723,16 @@ func TestGetApplicableCveValue(t *testing.T) { }, }, { - name: "new scan statuses - undetermined wins not covered", + name: "new scan statuses - undetermined wins missing-context", scanResults: &ExtendedScanResults{ ApplicabilityScanResults: []*sarif.Run{ - sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"not_covered"}), + sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"missing_context"}), sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"undetermined"}), }, EntitledForJas: true}, cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}}, expectedResult: jasutils.ApplicabilityUndetermined, - expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: jasutils.NotCovered.String()}}, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: jasutils.MissingContext.String()}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String()}}, }, }, 
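Review bot: Renaming this case to `"new scan statuses - undetermined wins missing-context"` and swapping its `not_covered` run for `missing_context` means no case now asserts directly that undetermined outranks not covered; the case added at line 749 covers missing-context over not-covered, so that pair is only implied transitively. Keeping the original case unchanged and adding the undetermined-vs-missing-context case as a sibling would preserve explicit coverage of every adjacent pair in the precedence chain at the cost of a dozen lines.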
@@ -735,6 +749,20 @@ func TestGetApplicableCveValue(t *testing.T) { {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.ApplicabilityUndetermined.String(), UndeterminedReason: "however"}}, }, }, + { + name: "new scan statuses - missing context wins not covered", + scanResults: &ExtendedScanResults{ + ApplicabilityScanResults: []*sarif.Run{ + sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve1"), []string{"applicability"}, []string{"missing_context"}), + sarifutils.CreateRunWithDummyResultAndRuleProperties(sarifutils.CreateDummyPassingResult("applic_testCve2"), []string{"applicability"}, []string{"not_covered"}), + }, + EntitledForJas: true}, + cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}}, + expectedResult: jasutils.MissingContext, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: jasutils.MissingContext.String()}}, + {Id: "testCve2", Applicability: &formats.Applicability{Status: jasutils.NotCovered.String()}}, + }, + }, } for _, testCase := range testCases { @@ -969,7 +997,7 @@ func TestPrepareIac(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "High", - SeverityNumValue: 17, + SeverityNumValue: 21, }, Finding: "other iac finding", Location: formats.Location{ @@ -984,7 +1012,7 @@ func TestPrepareIac(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "iac finding", Location: formats.Location{ @@ -999,7 +1027,7 @@ func TestPrepareIac(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "iac finding", Location: formats.Location{ 
@@ -1066,7 +1094,7 @@ func TestPrepareSecrets(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Low", - SeverityNumValue: 11, + SeverityNumValue: 13, }, Finding: "other secret finding", Location: formats.Location{ @@ -1081,7 +1109,7 @@ func TestPrepareSecrets(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "secret finding", Location: formats.Location{ @@ -1096,7 +1124,7 @@ func TestPrepareSecrets(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "secret finding", Location: formats.Location{ @@ -1172,7 +1200,7 @@ func TestPrepareSast(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "High", - SeverityNumValue: 17, + SeverityNumValue: 21, }, Finding: "other sast finding", Location: formats.Location{ @@ -1187,7 +1215,7 @@ func TestPrepareSast(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "sast finding", Location: formats.Location{ @@ -1240,7 +1268,7 @@ func TestPrepareSast(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "Medium", - SeverityNumValue: 14, + SeverityNumValue: 17, }, Finding: "sast finding", Location: formats.Location{ diff --git a/utils/resultwriter_test.go b/utils/resultwriter_test.go index a06c6ad9..1b948f9c 100644 --- a/utils/resultwriter_test.go +++ b/utils/resultwriter_test.go @@ -245,7 +245,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { Summary: "summary-1", IssueId: "XRAY-1", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 15}, + SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 18}, ImpactedDependencyName: "component-A", }, }, 
@@ -253,7 +253,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { Summary: "summary-1", IssueId: "XRAY-1", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 15}, + SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 18}, ImpactedDependencyName: "component-B", }, }, @@ -261,7 +261,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { Summary: "summary-2", IssueId: "XRAY-2", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "Low", SeverityNumValue: 9}, + SeverityDetails: formats.SeverityDetails{Severity: "Low", SeverityNumValue: 10}, ImpactedDependencyName: "component-B", }, }, @@ -291,7 +291,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { Summary: "summary-1", IssueId: "XRAY-1", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 15}, + SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 18}, ImpactedDependencyName: "component-A", }, }, @@ -299,7 +299,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { Summary: "summary-1", IssueId: "XRAY-1", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 15}, + SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 18}, ImpactedDependencyName: "component-B", }, }, @@ -308,7 +308,7 @@ func TestConvertXrayScanToSimpleJson(t *testing.T) { { LicenseKey: "license-1", ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "Low", SeverityNumValue: 9}, + SeverityDetails: formats.SeverityDetails{Severity: "Low", SeverityNumValue: 10}, ImpactedDependencyName: "component-B", }, }, 
diff --git a/utils/severityutils/severity.go b/utils/severityutils/severity.go index 436279ab..f33bf31c 100644 --- a/utils/severityutils/severity.go +++ b/utils/severityutils/severity.go 
@@ -108,32 +108,37 @@ func (sd SeverityDetails) ToDetails(severity Severity, pretty bool) formats.Seve var Severities = map[Severity]map[jasutils.ApplicabilityStatus]*SeverityDetails{ Critical: { - jasutils.Applicable: &SeverityDetails{Priority: 20, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, - jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 19, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, - jasutils.NotCovered: &SeverityDetails{Priority: 18, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, + jasutils.Applicable: &SeverityDetails{Priority: 25, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, + jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 24, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, + jasutils.MissingContext: &SeverityDetails{Priority: 23, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, + jasutils.NotCovered: &SeverityDetails{Priority: 22, Score: MaxCveScore, Emoji: "💀", style: color.New(color.BgLightRed, color.LightWhite)}, jasutils.NotApplicable: &SeverityDetails{Priority: 5, Score: MaxCveScore, Emoji: "💀", style: color.New(color.Gray)}, }, High: { - jasutils.Applicable: &SeverityDetails{Priority: 17, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, - jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 16, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, - jasutils.NotCovered: &SeverityDetails{Priority: 15, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, + jasutils.Applicable: &SeverityDetails{Priority: 21, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, + jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 20, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, + jasutils.MissingContext: &SeverityDetails{Priority: 19, Score: 8.9, Emoji: "🔥", 
style: color.New(color.Red)}, + jasutils.NotCovered: &SeverityDetails{Priority: 18, Score: 8.9, Emoji: "🔥", style: color.New(color.Red)}, jasutils.NotApplicable: &SeverityDetails{Priority: 4, Score: 8.9, Emoji: "🔥", style: color.New(color.Gray)}, }, Medium: { - jasutils.Applicable: &SeverityDetails{Priority: 14, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, - jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 13, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, - jasutils.NotCovered: &SeverityDetails{Priority: 12, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, + jasutils.Applicable: &SeverityDetails{Priority: 17, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, + jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 16, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, + jasutils.MissingContext: &SeverityDetails{Priority: 15, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, + jasutils.NotCovered: &SeverityDetails{Priority: 14, Score: 6.9, Emoji: "🎃", style: color.New(color.Yellow)}, jasutils.NotApplicable: &SeverityDetails{Priority: 3, Score: 6.9, Emoji: "🎃", style: color.New(color.Gray)}, }, Low: { - jasutils.Applicable: &SeverityDetails{Priority: 11, Score: 3.9, Emoji: "👻"}, - jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 10, Score: 3.9, Emoji: "👻"}, - jasutils.NotCovered: &SeverityDetails{Priority: 9, Score: 3.9, Emoji: "👻"}, + jasutils.Applicable: &SeverityDetails{Priority: 13, Score: 3.9, Emoji: "👻"}, + jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 12, Score: 3.9, Emoji: "👻"}, + jasutils.MissingContext: &SeverityDetails{Priority: 11, Score: 3.9, Emoji: "👻"}, + jasutils.NotCovered: &SeverityDetails{Priority: 10, Score: 3.9, Emoji: "👻"}, jasutils.NotApplicable: &SeverityDetails{Priority: 2, Score: 3.9, Emoji: "👻", style: color.New(color.Gray)}, }, Unknown: { - jasutils.Applicable: &SeverityDetails{Priority: 8, Score: MinCveScore, Emoji: "😐"}, - 
jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 7, Score: MinCveScore, Emoji: "😐"}, + jasutils.Applicable: &SeverityDetails{Priority: 9, Score: MinCveScore, Emoji: "😐"}, + jasutils.ApplicabilityUndetermined: &SeverityDetails{Priority: 8, Score: MinCveScore, Emoji: "😐"}, + jasutils.MissingContext: &SeverityDetails{Priority: 7, Score: MinCveScore, Emoji: "😐"}, jasutils.NotCovered: &SeverityDetails{Priority: 6, Score: MinCveScore, Emoji: "😐"}, jasutils.NotApplicable: &SeverityDetails{Priority: 1, Score: MinCveScore, Emoji: "😐", style: color.New(color.Gray)}, }, diff --git a/utils/xray/scangraph/scangraph_test.go b/utils/xray/scangraph/scangraph_test.go index 9368547d..f0e35e47 100644 --- a/utils/xray/scangraph/scangraph_test.go +++ b/utils/xray/scangraph/scangraph_test.go @@ -72,7 +72,7 @@ func TestFilterResultIfNeeded(t *testing.T) { }, }, params: ScanGraphParams{ - severityLevel: 15, + severityLevel: 18, }, expected: services.ScanResponse{ Violations: []services.Violation{
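Review bot: The `Priority` values in `Severities` are hand-numbered literals that fold severity rank and applicability rank into one integer, and inserting a single status forced every entry above the `NotApplicable` band to shift (Critical/Applicable 20 → 25, Unknown/Applicable 8 → 9), which is why `SeverityNumValue` expectations moved throughout resultstable_test.go and resultwriter_test.go and `severityLevel` moved from 15 to 18 in scangraph_test.go. If any caller compares against a stored or configured threshold expressed in these numbers, it is silently off after this change; the scheme is not stated anywhere in the hunk, so a comment above the map describing how a priority is derived from the two orderings (and that `NotApplicable` keeps its own 1–5 band) is the minimum I would ask for. Computing the numbers from the two orderings in a helper instead of typing them would remove the renumbering the next time a status is added; the hunk shows only the literals, so whether a consumer relies on their exact values is inferred.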