microsoft · michaelcfanning · Aug 25, 2023 · Jul 28, 2023
@@ -134,6 +134,7 @@ private static (ReportingDescriptor, IList<Result>) SarifRuleAndResultFromHdfCon
                         Kinds = new List<string>() { "relevant" },
                     }))
             };
+            reportingDescriptor.SetProperty("security-severity", SarifSecuritySeverityFromHdfImpact(execJsonControl.Impact).ToString());
 
             var results = new List<Result>(execJsonControl.Results.Count);
             foreach (ControlResult controlResult in execJsonControl.Results)
@@ -220,7 +221,18 @@ private static FailureLevel SarifLevelFromHdfImpact(double impact)
             }
         }
 
+        private static double SarifSecuritySeverityFromHdfImpact(double impact) =>
+            /*
+            security-descriptor     Hdf Impact
+            >=9.0 (critical)         >=0.9 (critical)
+            >=7.0 (high)             >=0.7 (high)
+            >=4.0 (medium)           >=0.5 (medium)
+            <4.0 (low)               >=0.3 (low)
+            */
+            // security severity is exactly 10x impact
+            impact * 10.0;
         private static double SarifRankFromHdfImpact(double impact) =>
+            // https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
             /*
             SARIF rank  Hdf Level   SARIF level Default Viewer Action
             0.0         0           note        Does not display by default

@@ -4047,6 +4047,9 @@
               "shortDescription": {
                 "text": "User Agent Fuzzer."
               },
+              "properties": {
+                "security-severity": "3"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4083,6 +4086,9 @@
               "shortDescription": {
                 "text": "Web Browser XSS Protection Not Enabled."
               },
+              "properties": {
+                "security-severity": "3"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4119,6 +4125,9 @@
               "shortDescription": {
                 "text": "Cookie Slack Detector."
               },
+              "properties": {
+                "security-severity": "3"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4155,6 +4164,9 @@
               "shortDescription": {
                 "text": "Cookie Slack Detector."
               },
+              "properties": {
+                "security-severity": "3"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4194,6 +4206,9 @@
               "defaultConfiguration": {
                 "level": "error"
               },
+              "properties": {
+                "security-severity": "7"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4230,6 +4245,9 @@
               "shortDescription": {
                 "text": "X-Content-Type-Options Header Missing."
               },
+              "properties": {
+                "security-severity": "3"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4269,6 +4287,9 @@
               "defaultConfiguration": {
                 "level": "error"
               },
+              "properties": {
+                "security-severity": "7"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4305,6 +4326,9 @@
               "shortDescription": {
                 "text": "X-Frame-Options Header Not Set."
               },
+              "properties": {
+                "security-severity": "5"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4341,6 +4365,9 @@
               "shortDescription": {
                 "text": "Proxy Disclosure."
               },
+              "properties": {
+                "security-severity": "5"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4380,6 +4407,9 @@
               "defaultConfiguration": {
                 "level": "error"
               },
+              "properties": {
+                "security-severity": "7"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4419,6 +4449,9 @@
               "defaultConfiguration": {
                 "level": "error"
               },
+              "properties": {
+                "security-severity": "7"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4458,6 +4491,9 @@
               "defaultConfiguration": {
                 "level": "error"
               },
+              "properties": {
+                "security-severity": "7"
+              },
               "relationships": [
                 {
                   "target": {
@@ -4494,6 +4530,9 @@
               "shortDescription": {
                 "text": "Format String Error."
               },
+              "properties": {
+                "security-severity": "5"
+              },
               "relationships": [
                 {
                   "target": {