https://github.com/advanced-security/adjust-cvss

https://github.com/advanced-security/adjust-cvss

Last synced: 2 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/advanced-security/adjust-cvss
• Owner: advanced-security
• License: apache-2.0
• Created: 2023-03-01T05:30:01.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2024-03-27T20:52:12.000Z (6 months ago)
• Last Synced: 2024-04-14T11:42:59.777Z (6 months ago)
• Language: Java
• Size: 40 KB
• Stars: 2
• Watchers: 1
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-codeql - adjust-cvss - Adjust the severity of the CVSS score assigned to a result in SARIF file (CodeQL Actions Helpers)

README

        
# adjust-cvss

Takes a SARIF file and a list of query id patterns as input and assigns custom [cvss scores](https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/) (aka `security-severity`) to those queries. This allows to make specific queries less or more severe, which affects how they are displayed (`Low`, `High`, `Critical`, ...) and whether they cause pull request checks to fail.

# Example

The following example sets the cvss score of all queries to `1.2` except for the query with the id `java/xss`. Note that this only affects queries with a `security-severity` metadata field. Therefore, most code quality related queries are not affected:

```yaml

name: "CodeQL"

on:

  push:

    branches: [ master ]

  pull_request:

    branches: [ master ]

jobs:

  analyze:

    name: Analyze

    runs-on: ubuntu-latest

    permissions:

      actions: read

      contents: read

      security-events: write

    strategy:

      fail-fast: false

      matrix:

        language: [ 'java' ]

    steps:

    - name: Checkout repository

      uses: actions/checkout@v2

    - name: Initialize CodeQL

      uses: github/codeql-action/init@v1

      with:

        languages: ${{ matrix.language }}

        queries: security-and-quality

    - run: |

        javatest/build

    - name: Perform CodeQL Analysis

      uses: github/codeql-action/analyze@v1

      with:

        output: sarif-results

        upload: False

    - name: adjust-cvss

      uses: advanced-security/adjust-cvss@master

      with:

        patterns: |

          **:1.2

          java/xss:9.9

        input: sarif-results/${{ matrix.language }}.sarif

        output: sarif-results/${{ matrix.language }}.sarif

    - name: Upload SARIF

      uses: github/codeql-action/upload-sarif@v1

      with:

        sarif_file: sarif-results/${{ matrix.language }}.sarif

```

Note how we provided `upload: False` and `output: sarif-results` to the `analyze` action. That way we can filter the SARIF with the `adjust-cvss` action before uploading it via `upload-sarif`.

# Patterns

Each pattern line is of the form:

```

:

```

for example:

```

**:1.2                           # all queries shall have a cvss of `1.2`.

java/xss:9.9                     # the Java XSS query should have a score of `9.9`

java/**:5.4                      # all Java queries have a score of `5.4`

```