-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SARIF 2.2 proposal: security-severity
field for reportingDescriptors and results
#612
Comments
The four levels of severity here correspond to an ask to add fatal/noncontiuable/critical to the current (business process level) I have two questions: 1) could we render this property simply as |
Overall, I think we can have more discussion here.
Ruleset files for VS that are used for both security, quality, and even just style. There are default values for Thinking even about codeql within Microsoft, we have the idea of sdl-required and sdl-recommended groups of issues. Even with these, it is often up to the individual organizations and business owners to determine which set will result in folks showing up as red in S360. Overall, my initial inkling is to perhaps add |
Giving a detailed reliability example - if this helps: My team surfaces crashes in SARIF. There are a few ways that we see dev teams and analytics determine severity.
What do we want SARIF and SARIF clients to be able to do to determine and communicate severity? Having an |
Good example. Our first principle for @adityasharad, my concrete proposal is that we approve 'Very high' may be preferable to 'critical' as a suggested label. These specific details, i.e., precise information on how to bucketize findings, will address concerns you raised on the call, I hope. @stacywray |
Originally filed as #598, split into more focused component issues.
GitHub Advanced Security's code scanning feature recognises
security-severity
levels, currently read from theproperties
bag of a SARIFreportingDescriptor
orresult
object, and renders these in the UI. GitHub CodeQL populates this property in its SARIF output, and the property is recognised for other code scanning tools.Docs: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object and https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/
Using the properties bag was a pragmatic measure to provide this functionality without requiring a SARIF spec change. For SARIF 2.2 I propose we make
security-severity
an accepted property directly on a reportingDescriptor or a result.Although GitHub currently accepts numeric values in this property, and translates them on the backend into enum values, we recommend moving away from this for the spec, and instead directly accept an enum of possible values:
critical
,high
,medium
,low
, or omitted entirely (e.g. for non-security rules/results). SARIF producer tools can supply this property to indicate the tool's own confidence in the security severity of the result, or for a rule, the security severity of the results indicated by this rule. This avoids constraining tool developers into using the same translation methodology that we follow for CodeQL (which is based on CVSS scores, which all producers may not wish to follow). We can update CodeQL to begin populating these enum values using the new property instead of the numeric values it does today.cc @michaelcfanning
The text was updated successfully, but these errors were encountered: