Question
The Contrast CLI allows you to export Contrast Assess findings in a Static Analysis Results Interchange Format (SARIF) file. How do the Assess severities map to SARIF severities?
Answer
SARIF has its own set of severity levels, and they do not map one-to-one onto Contrast Assess severities.
The SARIF spec defines these levels as:
- "warning": The rule specified by ruleId was evaluated and a problem was found.
- "error": The rule specified by ruleId was evaluated and a serious problem was found.
- "note": The rule specified by ruleId was evaluated and a minor problem or an opportunity to improve the code was found.
- "none": The concept of “severity” does not apply to this result because the kind property (§3.27.9) has a value other than "fail".
See the Static Analysis Results Interchange Format (SARIF) Version 2.0 specification for more details.
This is how Contrast maps these severities:

| Contrast Assess Severity | SARIF Severity |
|--------------------------|----------------|
| Critical                 | error          |
| High                     | warning        |
| Medium                   | note           |
| Low                      | note           |
| Note                     | note           |
| default                  | none           |
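Because three Assess severities (Medium, Low and Note) collapse into the single SARIF level `note`, a CI gate written against the SARIF `level` field cannot tell them apart. The following script is an added example, not code from Contrast or the Contrast CLI: it encodes the mapping above, offers the reverse lookup so you can see which Assess severities share a level, and counts results in a SARIF log at or above a chosen Assess threshold. The SARIF document embedded in it is constructed for the example; the `level` property on each SARIF `result` and its spec default of `warning` are taken from the SARIF standard.

```python
import json
from collections import Counter

# Contrast Assess severity -> SARIF result level, as documented on this page.
ASSESS_TO_SARIF = {
    "Critical": "error",
    "High": "warning",
    "Medium": "note",
    "Low": "note",
    "Note": "note",
}
SARIF_DEFAULT_LEVEL = "none"  # the "default" row: anything not in the table

# Ordering used for "at or above" comparisons; SARIF itself defines no numeric rank,
# this order follows the spec's own descriptions (error > warning > note > none).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def to_sarif_level(assess_severity):
    """Map one Assess severity (case-insensitive) to the SARIF level Contrast emits."""
    key = assess_severity.strip().capitalize()
    return ASSESS_TO_SARIF.get(key, SARIF_DEFAULT_LEVEL)


def assess_severities_for_level(level):
    """Reverse lookup: the Assess severities that share a given SARIF level."""
    return sorted(sev for sev, lvl in ASSESS_TO_SARIF.items() if lvl == level)


def _results(sarif_log):
    for run in sarif_log.get("runs", []):
        for result in run.get("results", []):
            yield result


def summarize_levels(sarif_text):
    """Count results per SARIF level. A missing level defaults to 'warning' per the spec."""
    log = json.loads(sarif_text)
    counts = Counter(r.get("level", "warning") for r in _results(log))
    return dict(counts)


def results_at_or_above(sarif_text, minimum_assess):
    """Number of results whose SARIF level is at or above the level the given
    Assess severity maps to. Note that 'Medium', 'Low' and 'Note' all yield the
    same answer because they share the SARIF level 'note'."""
    threshold = LEVEL_RANK[to_sarif_level(minimum_assess)]
    log = json.loads(sarif_text)
    return sum(
        1 for r in _results(log)
        if LEVEL_RANK.get(r.get("level", "warning"), 0) >= threshold
    )


# Constructed SARIF log (not a real Contrast CLI export) with one result per level
# plus one extra 'note', so the collapsed bucket is visible in the counts.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-sample"}},
        "results": [
            {"ruleId": "sample-rule-1", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "sample-rule-2", "level": "warning", "message": {"text": "constructed"}},
            {"ruleId": "sample-rule-3", "level": "note", "message": {"text": "constructed"}},
            {"ruleId": "sample-rule-4", "level": "note", "message": {"text": "constructed"}},
            {"ruleId": "sample-rule-5", "level": "none", "kind": "pass",
             "message": {"text": "constructed"}},
        ],
    }],
})


if __name__ == "__main__":
    print("per level:", summarize_levels(SAMPLE_SARIF))
    for minimum in ("Critical", "High", "Medium", "Low"):
        print(f"results at or above {minimum}: {results_at_or_above(SAMPLE_SARIF, minimum)}")
    print("Assess severities exported as 'note':", assess_severities_for_level("note"))
```

Running it shows the gate for `Medium` and `Low` returning the same count, which is the practical consequence of the table: if your pipeline needs to distinguish those severities, gate on Contrast's own severity data rather than on the SARIF `level` alone.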