From 732f759e4f7e2fe5486d026f2d12059aef8f59a0 Mon Sep 17 00:00:00 2001
From: Mark Wolfe
Date: Fri, 22 Jan 2021 03:51:27 +1100
Subject: [PATCH] fix for sarif which maps level from issue severity

---
 output/formatter.go | 2 +-
 output/sarif_format.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/output/formatter.go b/output/formatter.go
index 5631b86..850de9a 100644
--- a/output/formatter.go
+++ b/output/formatter.go
@@ -196,7 +196,7 @@ func convertToSarifReport(rootPaths []string, data *reportInfo) (*sarifReport, e
 result := &sarifResult{
 RuleID: fmt.Sprintf("%s (CWE-%s)", issue.RuleID, issue.Cwe.ID),
 RuleIndex: index,
-Level: sarifWarning,
+Level: getSarifLevel(issue.Severity.String()),
 Message: &sarifMessage{
 Text: issue.What,
 },
diff --git a/output/sarif_format.go b/output/sarif_format.go
index 7070233..6a5ca73 100644
--- a/output/sarif_format.go
+++ b/output/sarif_format.go
@@ -155,3 +155,20 @@ func buildSarifLocation(issue *gosec.Issue, rootPaths []string) (*sarifLocation,
 return location, nil
 }
 
+
+// From https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127839
+// * "warning": The rule specified by ruleId was evaluated and a problem was found.
+// * "error": The rule specified by ruleId was evaluated and a serious problem was found.
+// * "note": The rule specified by ruleId was evaluated and a minor problem or an opportunity to improve the code was found.
+func getSarifLevel(s string) sarifLevel {
+switch s {
+case "LOW":
+return sarifWarning
+case "MEDIUM":
+return sarifError
+case "HIGH":
+return sarifError
+default:
+return sarifNote
+}
+}
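Review bot: The `default` branch of getSarifLevel returns sarifNote, so any severity string that is not exactly "LOW", "MEDIUM" or "HIGH" (an unexpected or future severity value, or a change to the String() representation) is silently demoted to the least serious SARIF level, which is the wrong failure direction for a scanner whose consumers commonly gate on error/warning. Consider falling back to `sarifWarning` (the level the formatter.go hunk previously assigned to every result) and adding a comment such as `// unknown severities are reported as warnings rather than hidden as notes`. The mapping also collapses MEDIUM and HIGH into error while the quoted SARIF text describes three graded levels; if the intent is to preserve gosec's ordering, `"LOW": sarifNote`, `"MEDIUM": sarifWarning`, `"HIGH": sarifError` would do so, and either way the chosen policy belongs in the comment. Because the formatter.go call site passes `issue.Severity.String()`, switching on the severity type itself (if it is an enum-like type) rather than on its string form would let the compiler check the cases. Lastly, a Go doc comment should open with the identifier, e.g. `// getSarifLevel maps a gosec severity string to a SARIF result level.` placed before the reference link.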