SARIF parsing error on security-severity field #10191
manuel-sommer added a commit to manuel-sommer/django-DefectDojo that referenced this issue on May 14, 2024.
Maffooch pushed a commit that referenced this issue on May 20, 2024.
This can be closed @mtesauro.
Bug description
The SARIF parser for reports will attempt to parse the value of a properties.security-severity field of a report as a float because some scanners store the CVSS value in it: django-DefectDojo/dojo/tools/sarif/parser.py, lines 416 to 422 in 2c7b506.
However, other scanners may also produce a properties.security-severity field that contains something else. Namely, using GitLab's Semgrep rules with the Semgrep scanner and SARIF output can produce properties like the following:
Trying to import a SARIF report like it will result in a 400 Bad Request:
{"message":"[\"could not convert string to float: 'MEDIUM'\"]"}
Steps to reproduce
Steps to reproduce the behavior:
semgrep ci --config=sast-rules/javascript/ --sarif > gitlab-rules.sarif.json
Expected behavior
The importing should not give an error.
Deployment method (select with an X)
Environment information
Logs
Sample scan files
SARIF report produced from scanning against OWASP Juice Shop which will give the error:
gitlab-rules.sarif.json