Heimdall Grype Scan - Severity Display #6005

Open
mmurtha opened this issue Jul 17, 2024 · 0 comments
Labels
enhancement New feature or request

Comments


mmurtha commented Jul 17, 2024

Is your feature request related to a problem? Please describe.
Grype scan output in SARIF format contains "security-severity" fields with CVSS scores. When these are imported into Heimdall, all findings are displayed as low, regardless of CVSS score. Even if the scan output contained "SARIF Levels", critical findings would still not be accounted for:

SARIF level to HDF impact Mapping:
SARIF level error -> HDF impact 0.7
SARIF level warning -> HDF impact 0.5
SARIF level note -> HDF impact 0.3
SARIF level none -> HDF impact 0.1
SARIF level not provided -> HDF impact 0.1 as default

Describe the solution you'd like
I would like for the CVSS scores in the Grype SARIF output to be displayed properly in Heimdall.

Describe alternatives you've considered
Attempting to script conversion of CVSS scores to HDF impact scores, but I am unsure of how to implement the converted score into the data to be loaded into Heimdall...

CVSS SCORES
0.1-3.9 = low
4.0-6.9 = medium
7.0-8.9 = high
9.0-10.0 = critical

HDF IMPACT SCORES
0-0.3 = low
0.4-0.6 = medium
0.7-0.8 = high
0.9-1 = critical
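The conversion the issue describes, as an added example (not code from Heimdall or Grype): it reads the "security-severity" CVSS value from each SARIF rule, maps it onto the HDF impact bands quoted above, and falls back to the SARIF level mapping when no score is present. It assumes the Grype SARIF places "security-severity" under each rule's `properties` (the GitHub code-scanning convention) and uses a constructed sample document with placeholder rule ids.

```python
import json

# CVSS bands from the issue -> a representative HDF impact inside the matching band
CVSS_TO_IMPACT = [(0.1, 3.9, 0.3), (4.0, 6.9, 0.5), (7.0, 8.9, 0.7), (9.0, 10.0, 0.9)]
# SARIF level -> HDF impact mapping quoted in the issue; missing level defaults to 0.1
LEVEL_TO_IMPACT = {"error": 0.7, "warning": 0.5, "note": 0.3, "none": 0.1}


def cvss_to_impact(score):
    """Return the HDF impact for a CVSS score, or None if it is outside the bands (e.g. 0.0)."""
    score = round(float(score), 1)
    for low, high, impact in CVSS_TO_IMPACT:
        if low <= score <= high:
            return impact
    return None


def result_impacts(sarif):
    """Map every SARIF result's ruleId to an HDF impact, preferring CVSS over the SARIF level."""
    impacts = {}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            severity = rule.get("properties", {}).get("security-severity")  # assumed location
            impact = None
            if severity is not None:
                try:
                    impact = cvss_to_impact(severity)
                except ValueError:  # non-numeric value: fall back to the level mapping
                    impact = None
            if impact is None:
                impact = LEVEL_TO_IMPACT.get(res.get("level"), 0.1)
            impacts[res["ruleId"]] = impact
    return impacts


# Constructed sample in the shape of a Grype SARIF run; rule ids are placeholders, not real CVEs
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "grype", "rules": [
            {"id": "CVE-0000-0001-pkg-a", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002-pkg-b", "properties": {"security-severity": "5.3"}},
            {"id": "CVE-0000-0003-pkg-c", "properties": {}},  # no CVSS: level decides
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001-pkg-a", "level": "error"},
            {"ruleId": "CVE-0000-0002-pkg-b", "level": "warning"},
            {"ruleId": "CVE-0000-0003-pkg-c", "level": "warning"},
        ],
    }],
}

if __name__ == "__main__":
    print(json.dumps(result_impacts(SAMPLE_SARIF), indent=2))
```

Run against a real file with `result_impacts(json.load(open("grype.sarif")))`; the first rule above would otherwise have been imported as 0.7 (SARIF level "error") rather than the 0.9 its CVSS score warrants.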

@mmurtha mmurtha added the enhancement New feature or request label Jul 17, 2024