Azure/template-analyzer

[BUG] Sarif file is missing the Severity level

sourabhsy opened this issue · 2 comments

Describe the bug

The build output SARIF file is missing the severity level even if the rule ID shows as an error in the build output. It happens for most of the rules with Severity 2 or 3 defined in BuiltInRules.json.

Below are examples in which the fields rules[x].defaultConfiguration.level and results[x].level are missing.

Example of Rule Section:

    "rules": [
      {
        "id": "TA-000001",
        "name": "AppService.EnableDiagnosticLogs",
        "fullDescription": {
          "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised."
        },
        "help": {
          "text": "Enable diagnostic logs in App Service."
        },
        "shortDescription": {
          "text": "Diagnostic logs in App Service should be enabled."
        },
        "messageStrings": {
          "default": {
            "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised."
          }
        },
        "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled"
      },
      {
        "id": "TA-000003",
        "name": "AppServiceAPIApp.OnlyFTPS",
        "fullDescription": {
          "text": "Enable FTPS enforcement for enhanced security."
        },
        "help": {
          "text": "Enable FTPS enforcement for enhanced security."
        },
        "shortDescription": {
          "text": "FTPS only should be required in your API app."
        },
        "messageStrings": {
          "default": {
            "text": "Enable FTPS enforcement for enhanced security."
          }
        },
        "defaultConfiguration": {
          "level": "error"
        },
        "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000003-ftps-only-should-be-required-in-your-api-app"
      }
    ]

Example of Result Section:

    "results": [
      {
        "ruleId": "TA-000001",
        "ruleIndex": 0,
        "message": {
          "id": "default"
        },
        "locations": [
          {
            "physicalLocation": {
              "artifactLocation": {
                "uri": "x/xxx.json",
                "uriBaseId": "ROOTPATH"
              },
              "region": {
                "startLine": 200
              }
            }
          }
        ],
        "fingerprints": {
          "gdnPrimarySignature": "06051a4",
          "gdnAlternativeSignature0": "274a50"
        }
      },
      {
        "ruleId": "TA-000003",
        "ruleIndex": 1,
        "level": "error",
        "message": {
          "id": "default"
        },
        "locations": [
          {
            "physicalLocation": {
              "artifactLocation": {
                "uri": "x/xx.json",
                "uriBaseId": "ROOTPATH"
              },
              "region": {
                "startLine": 120
              }
            }
          }
        ],
        "fingerprints": {
          "gdnPrimarySignature": "4e3",
          "gdnAlternativeSignature0": "da0"
        }
      }
    ]

Expected behavior

Severity level fields should be present for all rules (rules[x].defaultConfiguration.level and results[x].level).

Reproduction Steps

Set up a build pipeline with the MSDO task and IaC vulnerabilities in the repo.

Environment

tool: Template Analyzer
version: 0.5.2

According to the SARIF spec, level is an optional field.

When level is not present in a result, it is interpreted to be the default value, which in the case of Template Analyzer should be warning.

Can you share an example where level is absent but should be something other than warning?
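The defaulting behaviour described in the comment above is what a SARIF consumer has to apply itself: a tool that reads results[x].level literally and treats a missing value as "no severity" will report exactly the symptom in this issue. The following script is an added example, not code from Template Analyzer or from the MSDO task, showing how a consumer should resolve the effective level of each result under the SARIF 2.1.0 rules: an explicit result.level wins; a result whose kind is not "fail" has level "none"; otherwise the rule's defaultConfiguration.level applies, and if that is also absent the level is "warning". The embedded SARIF document is constructed for the example and modelled on the two rules quoted in the issue, with two extra results added to exercise the other branches.

```python
import json

# Constructed sample: a trimmed SARIF 2.1.0 log modelled on the two rules and
# two results quoted in the issue, plus two extra results (one with no explicit
# level for TA-000003, one with kind "pass"). Not real Template Analyzer output.
SAMPLE_SARIF = r'''
{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Template Analyzer",
          "rules": [
            {"id": "TA-000001", "name": "AppService.EnableDiagnosticLogs"},
            {"id": "TA-000003", "name": "AppServiceAPIApp.OnlyFTPS",
             "defaultConfiguration": {"level": "error"}}
          ]
        }
      },
      "results": [
        {"ruleId": "TA-000001", "ruleIndex": 0, "message": {"id": "default"}},
        {"ruleId": "TA-000003", "ruleIndex": 1, "level": "error", "message": {"id": "default"}},
        {"ruleId": "TA-000003", "ruleIndex": 1, "message": {"id": "default"}},
        {"ruleId": "TA-000003", "ruleIndex": 1, "kind": "pass", "message": {"id": "default"}}
      ]
    }
  ]
}
'''


def find_rule(run, result):
    """Return the reportingDescriptor for a result.

    Prefer ruleIndex (an index into tool.driver.rules); fall back to matching
    ruleId, since ruleIndex is optional in SARIF.
    """
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex", -1)
    if 0 <= idx < len(rules):
        return rules[idx]
    for rule in rules:
        if rule.get("id") == result.get("ruleId"):
            return rule
    return {}


def effective_level(run, result):
    """Resolve result.level using the SARIF 2.1.0 default rules (section 3.27.10).

    Invocation-level ruleConfigurationOverrides are not consulted here; a
    full consumer would check them before falling back to the rule default.
    """
    if "level" in result:
        return result["level"]
    # Only "fail" results carry a severity; pass/open/informational results
    # and the like default to "none".
    if result.get("kind", "fail") != "fail":
        return "none"
    rule = find_rule(run, result)
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def resolve_levels(sarif_text):
    """Return (ruleId, effective level, level was explicit) for every result."""
    log = json.loads(sarif_text)
    resolved = []
    for run in log["runs"]:
        for result in run.get("results", []):
            explicit = "level" in result
            resolved.append((result["ruleId"], effective_level(run, result), explicit))
    return resolved


if __name__ == "__main__":
    for rule_id, level, explicit in resolve_levels(SAMPLE_SARIF):
        print(f"{rule_id}: {level}{'' if explicit else ' (defaulted)'}")
```

Run against the sample, the TA-000001 result with no level resolves to "warning" (no rule default either), both TA-000003 results resolve to "error" whether or not the level is written out, and the "pass" result resolves to "none". Any consumer that shows a blank severity for the first case is not applying the default the spec requires.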

Looks like there is unexpected error output when running with MSDO build task, which is translating Template Analyzer results. Please investigate the MSDO task.