Merge pull request #331 from damoasis/fix-sarif-level

cyberchen1995 · web-flow · commit bbb5ef076ab4 · 2025-12-26T09:48:09.000+08:00
fix: sarif level
diff --git a/cmd/detail/detail.go b/cmd/detail/detail.go
@@ -170,6 +170,19 @@ func (v *Vuln) SecurityLevel() string {
 	return "Unknown"
 }
 
+// SarifLevel 返回SARIF格式的漏洞级别
+func (v *Vuln) SarifLevel() string {
+	switch v.SecurityLevelId {
+	case 1, 2: // Critical, High
+		return "error"
+	case 3: // Medium
+		return "warning"
+	case 4: // Low
+		return "note"
+	}
+	return "warning" // Unknown
+}
+
 func vulnLanguageKey(language model.Language) []string {
 	switch language {
 	case model.Lan_Java:
diff --git a/cmd/format/sarif.go b/cmd/format/sarif.go
@@ -103,7 +103,7 @@ func Sarif(report Report, out string) {
 
 			result := sarifResult{
 				RuleId: vuln.Id,
-				Level:  "warning",
+				Level:  vuln.SarifLevel(),
 			}
 			result.Message.Text = fmt.Sprintf("引入的组件 %s 中存在 %s", n.Dep.Key()[:strings.LastIndex(n.Dep.Key(), ":")], vuln.Name)
 			for i, path := range n.Paths {

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ func Sarif(report Report, out string) {`
`103`	`103`
`104`	`104`	`result := sarifResult{`
`105`	`105`	`RuleId: vuln.Id,`
`106`		`- Level: "warning",`
	`106`	`+ Level: vuln.SarifLevel(),`
`107`	`107`	`}`
`108`	`108`	`result.Message.Text = fmt.Sprintf("引入的组件 %s 中存在 %s", n.Dep.Key()[:strings.LastIndex(n.Dep.Key(), ":")], vuln.Name)`
`109`	`109`	`for i, path := range n.Paths {`