
Update impact or defaultSeverity to match each other #4444

Merged (3 commits, Nov 11, 2024)

Conversation

martin-strecker-sonarsource (Contributor) commented Oct 28, 2024

Review

A dedicated reviewer checked the rule description successfully for:

  • logical errors and incorrect information
  • information gaps and missing content
  • text style and tone
  • PR summary and labels follow the guidelines

Rules updated

Reviewer: please mark as checked after review.

Discrepancies

  • S6667
  • S6668
  • S6669
  • S6670
  • S6672
  • S6674
  • S6675
  • S6776 -> Python also affected
  • S6798
  • S6800
  • S6930
  • S6931
  • S6934
  • S6960
  • S6964
  • S6968

Multiple CCT:

  • S1523 -> Security multi-language rule. Not changed
  • S2077 -> Security multi-language rule. Not changed
  • S6932
  • S6967 -> defaultSeverity changed to Critical because two impacts are High

Sources

https://trello.com/c/uPdUhaFh

Discrepencies.txt

Historical defaultSeverity was Minor but CCT is MEDIUM for S1441 in javascript
Historical defaultSeverity was Major but CCT is HIGH for S2259 in cfamily
Historical defaultSeverity was Critical but CCT is MEDIUM for S2310 in javascript
Historical defaultSeverity was Critical but CCT is MEDIUM for S3523 in javascript
Historical defaultSeverity was Minor but CCT is MEDIUM for S3723 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6485 in java
Historical defaultSeverity was Minor but CCT is MEDIUM for S6524 in kotlin
Historical defaultSeverity was Major but CCT is LOW for S6527 in kotlin
Historical defaultSeverity was Major but CCT is LOW for S6528 in kotlin
Historical defaultSeverity was Minor but CCT is MEDIUM for S6661 in javascript
Historical defaultSeverity was Minor but CCT is MEDIUM for S6666 in javascript
Historical defaultSeverity was Minor but CCT is MEDIUM for S6667 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6668 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6669 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6670 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6671 in javascript
Historical defaultSeverity was Minor but CCT is MEDIUM for S6672 in csharp
Historical defaultSeverity was Critical but CCT is MEDIUM for S6674 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6675 in csharp
Historical defaultSeverity was Minor but CCT is MEDIUM for S6676 in javascript
Historical defaultSeverity was Minor but CCT is MEDIUM for S6679 in javascript
Historical defaultSeverity was Major but CCT is HIGH for S6735 in python
Historical defaultSeverity was Major but CCT is LOW for S6749 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6754 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6759 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6767 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6770 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6775 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6776 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6798 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6800 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6809 in java
Historical defaultSeverity was Major but CCT is HIGH for S6814 in java
Historical defaultSeverity was Major but CCT is HIGH for S6816 in java
Historical defaultSeverity was Major but CCT is HIGH for S6817 in java
Historical defaultSeverity was Minor but CCT is MEDIUM for S6830 in java
Historical defaultSeverity was Minor but CCT is MEDIUM for S6836 in javascript
Historical defaultSeverity was Major but CCT is LOW for S6837 in java
Historical defaultSeverity was Minor but CCT is MEDIUM for S6849 in javascript
Historical defaultSeverity was Major but CCT is HIGH for S6857 in java
Historical defaultSeverity was Major but CCT is LOW for S6863 in java
Historical defaultSeverity was Major but CCT is HIGH for S6876 in java
Historical defaultSeverity was Major but CCT is HIGH for S6877 in java
Historical defaultSeverity was Minor but CCT is MEDIUM for S6878 in java
Historical defaultSeverity was Major but CCT is HIGH for S6881 in java
Historical defaultSeverity was Major but CCT is HIGH for S6886 in python
Historical defaultSeverity was Major but CCT is LOW for S6889 in java
Historical defaultSeverity was Major but CCT is LOW for S6891 in java
Historical defaultSeverity was Major but CCT is LOW for S6898 in java
Historical defaultSeverity was Major but CCT is HIGH for S6899 in python
Historical defaultSeverity was Major but CCT is LOW for S6904 in java
Historical defaultSeverity was Major but CCT is LOW for S6905 in java
Historical defaultSeverity was Major but CCT is HIGH for S6908 in python
Historical defaultSeverity was Major but CCT is LOW for S6909 in java
Historical defaultSeverity was Major but CCT is HIGH for S6911 in python
Historical defaultSeverity was Major but CCT is LOW for S6912 in java
Historical defaultSeverity was Major but CCT is LOW for S6914 in java
Historical defaultSeverity was Major but CCT is HIGH for S6918 in python
Historical defaultSeverity was Major but CCT is LOW for S6923 in java
Historical defaultSeverity was Major but CCT is LOW for S6926 in java
Historical defaultSeverity was Major but CCT is HIGH for S6930 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6931 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6934 in csharp
Historical defaultSeverity was Blocker but CCT is MEDIUM for S6936 in cfamily
Historical defaultSeverity was Major but CCT is HIGH for S6960 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6964 in csharp
Historical defaultSeverity was Major but CCT is HIGH for S6968 in csharp
Historical defaultSeverity was Major but CCT is LOW for S6969 in python
Historical defaultSeverity was Major but CCT is HIGH for S6972 in python
Historical defaultSeverity was Major but CCT is HIGH for S6978 in python
Historical defaultSeverity was Major but CCT is HIGH for S6984 in python
Historical defaultSeverity was Major but CCT is HIGH for S6985 in python
Historical defaultSeverity was Major but CCT is LOW for S6996 in cfamily
Historical defaultSeverity was Major but CCT is HIGH for S7020 in docker
Historical defaultSeverity was Major but CCT is HIGH for S7021 in docker
Historical defaultSeverity was Minor but CCT is MEDIUM for S7026 in docker
Historical defaultSeverity was Major but CCT is HIGH for S7027 in java
Historical defaultSeverity was Major but CCT is HIGH for S7031 in docker
Historical defaultSeverity was Major but CCT is HIGH for S7032 in cfamily
Historical defaultSeverity was Minor but CCT is MEDIUM for S7040 in family

Multiple CCT

multi cct for S1523 in csharp
multi cct for S2077 in csharp
multi cct for S3281 in xml
multi cct for S3355 in xml
multi cct for S5782 in cfamily
multi cct for S6709 in python
multi cct for S6714 in python
multi cct for S6727 in python
multi cct for S6729 in python
multi cct for S6734 in python
multi cct for S6740 in python
multi cct for S6741 in python
multi cct for S6746 in javascript
multi cct for S6747 in javascript
multi cct for S6748 in javascript
multi cct for S6750 in javascript
multi cct for S6756 in javascript
multi cct for S6757 in javascript
multi cct for S6761 in javascript
multi cct for S6763 in javascript
multi cct for S6766 in javascript
multi cct for S6772 in javascript
multi cct for S6774 in javascript
multi cct for S6788 in javascript
multi cct for S6789 in javascript
multi cct for S6790 in javascript
multi cct for S6791 in javascript
multi cct for S6804 in java
multi cct for S6806 in java
multi cct for S6813 in java
multi cct for S6818 in java
multi cct for S6821 in html
multi cct for S6829 in java
multi cct for S6831 in java
multi cct for S6859 in javascript
multi cct for S6861 in javascript
multi cct for S6864 in kubernetes
multi cct for S6865 in kubernetes
multi cct for S6867 in kubernetes
multi cct for S6868 in kubernetes
multi cct for S6869 in kubernetes
multi cct for S6870 in kubernetes
multi cct for S6873 in kubernetes
multi cct for S6882 in python
multi cct for S6883 in python
multi cct for S6887 in python
multi cct for S6890 in python
multi cct for S6892 in kubernetes
multi cct for S6894 in python
multi cct for S6897 in kubernetes
multi cct for S6900 in python
multi cct for S6903 in python
multi cct for S6907 in kubernetes
multi cct for S6919 in python
multi cct for S6925 in python
multi cct for S6928 in python
multi cct for S6929 in python
multi cct for S6932 in csharp
multi cct for S6967 in csharp
multi cct for S6971 in python
multi cct for S6973 in python
multi cct for S6974 in python
multi cct for S6982 in python
multi cct for S6991 in cfamily
multi cct for S7012 in cfamily
multi cct for S7018 in docker
multi cct for S7019 in docker
multi cct for S7023 in docker
multi cct for S7029 in docker
multi cct for S7030 in docker
multi cct for S7038 in cfamily
multi cct for S7042 in cfamily
multi cct for S7059 in javascript
multi cct for S7060 in javascript

@denis-troller

Is it normal that S6967 is categorized as CODE_SMELL/Critical when it has HIGH impact on both Security and Reliability (and MEDIUM on Maintainability)?

martin-strecker-sonarsource (Contributor, Author) commented Oct 28, 2024

Is it normal that S6967 is categorized as CODE_SMELL/Critical when it has HIGH impact on both Security and Reliability (and MEDIUM on Maintainability)?

This is how I read the information given by @andrei-epure-sonarsource. The mapping is like so:

CCT-based severities: Info (new) / Low / Medium / High / Blocker (new)
Legacy severities: Info / Minor / Major / Critical / Blocker

  • Info <-> Info
  • Low <-> Minor
  • Medium <-> Major
  • High <-> Critical
  • Blocker <-> Blocker

I assumed that if there are multiple impacts the most severe one should be the one chosen for severity.
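The mapping and the most-severe-impact assumption above, turned into the check that produces the two kinds of line in the PR's Discrepencies.txt (a defaultSeverity that disagrees with the CCT level, and a rule with several impacts). This is an added example, not code from the PR or from rspec-tools; the metadata.json shapes and the sample rule contents are constructed from values mentioned in this thread.

```python
import json

# Mapping quoted in the thread: CCT impact level -> legacy defaultSeverity
CCT_TO_LEGACY = {"INFO": "Info", "LOW": "Minor", "MEDIUM": "Major",
                 "HIGH": "Critical", "BLOCKER": "Blocker"}
CCT_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "BLOCKER"]  # least to most severe

def worst_impact(impacts):
    """Most severe CCT level among a rule's impacts (the thread's assumption for
    rules with several impacts). Raises ValueError on an empty impacts map."""
    return max(impacts.values(), key=CCT_ORDER.index)

def check_rule(rule_key, language, metadata):
    """Return the discrepancy lines for one language-specific metadata.json,
    worded like the PR's Discrepencies.txt; an empty list means consistent."""
    impacts = metadata["code"]["impacts"]
    worst = worst_impact(impacts)
    actual = metadata["defaultSeverity"]
    lines = []
    if len(impacts) > 1:
        lines.append(f"multi cct for {rule_key} in {language}")
    if actual != CCT_TO_LEGACY[worst]:
        lines.append(f"Historical defaultSeverity was {actual} but CCT is {worst} "
                     f"for {rule_key} in {language}")
    return lines

# Constructed metadata.json snippets (assumed shapes, not the real rule files):
# S6776 as it was before the LOW -> MEDIUM hunk, S6967 after the change to Critical.
SAMPLE_FILES = {
    ("S6776", "csharp"): '{"defaultSeverity": "Major", "quickfix": "unknown", '
                         '"code": {"impacts": {"SECURITY": "LOW"}}}',
    ("S6967", "csharp"): '{"defaultSeverity": "Critical", "code": {"impacts": '
                         '{"SECURITY": "HIGH", "RELIABILITY": "HIGH", "MAINTAINABILITY": "MEDIUM"}}}',
    ("S6669", "csharp"): '{"defaultSeverity": "Minor", "code": {"impacts": '
                         '{"MAINTAINABILITY": "MEDIUM"}}}',
}

def run(files=SAMPLE_FILES):
    """Check every (rule, language) metadata file and collect the report lines."""
    report = []
    for (key, lang), text in files.items():
        report.extend(check_rule(key, lang, json.loads(text)))
    return report

if __name__ == "__main__":
    print("\n".join(run()))
```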

@denis-troller

My question is more: If the most severe impact is on Security and Reliability, does it make sense to categorize it as a code smell?

I could see the rule changing from Code Smell/Major to Vulnerability/Critical or Bug/Critical, or maybe the impacts on Reliability and Security being lowered, if it is indeed a code smell. It just strikes me as odd.

I guess on some level it validates the idea of CCT.

@costin-zaharia-sonarsource (Member)

As far as I know, we usually keep the Bug category for symbolic execution rules due to increased precision.

Member

Looks good so far but I cannot find the changes for S6932

@@ -41,7 +41,7 @@
"quickfix": "unknown",
"code": {
"impacts": {
"SECURITY": "LOW"
"SECURITY": "MEDIUM"
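Review bot: the direction in which this discrepancy is resolved needs the rule owners' confirmation. The hunk raises the SECURITY impact from "LOW" to "MEDIUM" so that it matches the rule's existing "Major" defaultSeverity under the Medium <-> Major mapping used in this PR, but the same mismatch can be closed the other way, keeping "SECURITY": "LOW" and lowering defaultSeverity to Minor, which is what the reviewer asked for and what d5d926a later did; the two outcomes differ in the security impact shown to users, so the choice should not be made by the metadata-alignment script alone. The hunk as shown also carries no file header, so the rule it belongs to (S6776 according to the later reply) is not visible in the diff itself; a file path in the snippet would remove that ambiguity.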
Contributor Author

@daniel-teuchert-sonarsource and @hendrik-buchwald-sonarsource can you please confirm this RSpec change? The "defaultSeverity" of the rule is "Major" and "MEDIUM" corresponds with that.
See also this comment for some background info regarding the purpose of the PR.


I would probably change the default severity to minor then and keep the impact at low.

Contributor Author

Done in d5d926a

@martin-strecker-sonarsource (Contributor, Author)

Looks good so far but I cannot find the changes for S6932

You probably meant S6776. It was pushed in f8dcac7. I pinged Daniel and Hendrik for confirmation of that change.

Member

LGTM!

sonarqube-next bot commented Nov 6, 2024

Quality Gate passed for 'rspec-tools'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

sonarqube-next bot commented Nov 6, 2024

Quality Gate passed for 'rspec-frontend'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

martin-strecker-sonarsource merged commit 65c443e into master Nov 11, 2024
8 of 9 checks passed
martin-strecker-sonarsource deleted the Martin/Dotnet_UpdateImpacts branch November 11, 2024 09:40