Include `security-severity` as property of each rule

Open david-wiggs opened this issue 3 years ago • 0 comments

Overview

This PR includes changes to support the security-severity property of a given code scanning alert. By doing this, a given alert will be assigned a severity of low, medium, high, or critical.

Details

To calculate the security-severity of an alert, first all the CVEs reported by the CWE assigned to the given rule are grouped. Then the 75th percentile of the CVSS score for those CVEs is calculated.

The data files from https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz (replacing 2020 with the years 2004-2020) are used to get a list of CVEs for a CWE. This list is then sorted by score (ascending), and the 75th percentile score of that list is used as the rule security-severity. Numerical scores translate to the below severities in the Security tab.

Severity Score Range
None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

Notes

In some cases a given CWE does not have any particular CVEs associated with it. This is likely due to the CWE being a parent or reference for others. In particular CWE-919 is a commonly referenced CWE in mobsfscan rules, but does not have any CVEs associated with it. In this case, a security-severity of 6.5 is assigned.

david-wiggs avatar Oct 10 '22 19:10 david-wiggs
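As an added illustration of the scoring described in the PR text (not code from the PR or from mobsfscan), this Python sketch builds the CWE-to-CVSS index from a constructed NVD 1.1-style feed fragment, takes the 75th percentile per CWE, applies the 6.5 default for CWEs without CVEs, and maps the result to the Security-tab band. The nearest-rank percentile method and the CVSS v3-then-v2 score fallback are assumptions; the PR does not specify either.

```python
import json
import math
from typing import Dict, List

# Constructed NVD 1.1-style feed (not real CVE records); the nesting mirrors
# nvdcve-1.1-<year>.json: CVE_Items[*].cve.problemtype and CVE_Items[*].impact.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"problemtype": {"problemtype_data": [{"description": [{"value": cwe}]}]}},
     "impact": {metric: {key: {"baseScore": score}}}}
    for cwe, metric, key, score in [
        ("CWE-89", "baseMetricV3", "cvssV3", 9.8), ("CWE-89", "baseMetricV3", "cvssV3", 7.5),
        ("CWE-89", "baseMetricV2", "cvssV2", 5.3),  # v2-only record, as older feeds have
        ("CWE-89", "baseMetricV3", "cvssV3", 8.8),
        ("CWE-79", "baseMetricV3", "cvssV3", 6.1), ("CWE-79", "baseMetricV3", "cvssV3", 4.3)]]})

def cvss_scores_by_cwe(feed_json: str) -> Dict[str, List[float]]:
    """Group CVSS base scores under every CWE a CVE is tagged with (v3 preferred, v2 fallback)."""
    groups: Dict[str, List[float]] = {}
    for item in json.loads(feed_json)["CVE_Items"]:
        impact = item.get("impact", {})
        score = impact.get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
        if score is None:
            score = impact.get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore")
        if score is None:
            continue  # CVE has no published CVSS score yet
        for ptype in item["cve"]["problemtype"]["problemtype_data"]:
            for desc in ptype["description"]:
                if desc["value"].startswith("CWE-"):  # skips NVD-CWE-noinfo / NVD-CWE-Other
                    groups.setdefault(desc["value"], []).append(float(score))
    return groups

def percentile_75(scores: List[float]) -> float:
    """Nearest-rank 75th percentile of the ascending-sorted list (the PR does not name its method)."""
    ordered = sorted(scores)
    return ordered[math.ceil(0.75 * len(ordered)) - 1]

def rule_security_severity(cwe: str, groups: Dict[str, List[float]], default: float = 6.5) -> float:
    """security-severity for a rule's CWE; a CWE with no CVEs (e.g. CWE-919) gets the 6.5 default."""
    scores = groups.get(cwe)
    return percentile_75(scores) if scores else default

def severity_label(score: float) -> str:
    """Map a numerical security-severity to the band shown in the Security tab."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high" if score < 9.0 else "critical"
```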