forcedotcom / sfdx-scanner

MIT License

[Feature Request] Allow the override of a rule's severity score #1433

Closed pavelt-addepar closed 3 months ago

pavelt-addepar commented 3 months ago

This is more relevant to security scans than code quality scans, but it would be good if we could override the severity/score of a rule - for example if I wanted to report all SQLInjection results as CVSS 10.0 and XSS as CVSS 9.0. At the moment, the scanner returns 1-3 (High/Medium/Low) and there is no way (that I've found) to even modify that - in short, severity for each finding is hardcoded.

PMD offers something similar where you can set the priority of a rule in its XML, but it's not possible to set those options for the PMD-AppExchange engine.

Describe the solution that you want:

Ideally, we could pass a "mapping" file as an argument which will look something like this:

```yaml
severityScores:
  - rule: ApexBadCrypto
    severity: 7.0
  - rule: ApexCRUDViolation
    severity: 4.0
  - rule: ApexSOQLInjection
    severity: 9.0
  - rule: ApexOpenRedirect
    severity: 2.1
  - rule: default
    severity: 3.3
```

After the scan and before generating the output, it could update its findings with the mapping above. The file doesn't have to be yaml, this is just for illustration.

Describe alternatives that you've considered: None

Additional Context: N/A

Workaround:

At the moment we use a script to parse and update the results.

Urgency: Highly Beneficial
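The post-processing step the request describes (scan, then rewrite each finding's severity from a per-rule mapping before producing output) as an added example; this is not the reporter's script and not sfdx-scanner code. The mapping is the one proposed above, in JSON rather than YAML so no parser dependency is needed. The result shape (an array of `{ engine, fileName, violations[] }` objects whose violations carry `ruleName` and `severity`) is an assumption about `sfdx scanner run --format json` output and should be checked against your own results; the sample results are constructed.

```javascript
// Added example: apply a per-rule severity mapping to sfdx-scanner JSON
// results. The result shape used here is an assumption about the
// `--format json` output; verify it against a real scan before relying on it.

// Mapping in the shape the issue proposes. "default" covers unmapped rules.
const severityScores = [
  { rule: "ApexBadCrypto", severity: 7.0 },
  { rule: "ApexCRUDViolation", severity: 4.0 },
  { rule: "ApexSOQLInjection", severity: 9.0 },
  { rule: "ApexOpenRedirect", severity: 2.1 },
  { rule: "default", severity: 3.3 },
];

// Validate the mapping once so a typo in the file fails loudly instead of
// silently leaving findings on the scanner's own 1-3 scale: scores must be
// numbers in the CVSS range 0.0-10.0 and each rule may appear only once.
function buildSeverityMap(entries) {
  const map = new Map();
  for (const { rule, severity } of entries) {
    if (typeof rule !== "string" || rule.length === 0) {
      throw new Error(`bad rule name: ${JSON.stringify(rule)}`);
    }
    if (typeof severity !== "number" || Number.isNaN(severity) || severity < 0 || severity > 10) {
      throw new Error(`severity for ${rule} out of range 0-10: ${severity}`);
    }
    if (map.has(rule)) throw new Error(`duplicate mapping for rule ${rule}`);
    map.set(rule, severity);
  }
  return map;
}

// Rewrite each violation's severity. The scanner's original value is kept as
// `originalSeverity` so the audit trail survives the rewrite; a violation with
// neither a rule-specific entry nor a default is left untouched.
function applySeverityMapping(results, entries) {
  const map = buildSeverityMap(entries);
  const fallback = map.get("default");
  return results.map((file) => ({
    ...file,
    violations: file.violations.map((v) => {
      const mapped = map.has(v.ruleName) ? map.get(v.ruleName) : fallback;
      if (mapped === undefined) return { ...v };
      return { ...v, originalSeverity: v.severity, severity: mapped };
    }),
  }));
}

// Constructed sample results in the assumed sfdx-scanner JSON shape.
const sampleResults = [
  {
    engine: "pmd",
    fileName: "force-app/main/default/classes/AccountController.cls",
    violations: [
      {
        line: 12, column: 9, ruleName: "ApexSOQLInjection", category: "Security",
        severity: 1, message: "Avoid untrusted/unescaped variables in DML/SOQL query",
      },
      {
        line: 30, column: 5, ruleName: "ApexDoc", category: "Documentation",
        severity: 3, message: "Missing ApexDoc comment",
      },
    ],
  },
];

const rewritten = applySeverityMapping(sampleResults, severityScores);
console.log(JSON.stringify(rewritten, null, 2));
```

In a pipeline this would read the scanner's JSON from a file and the mapping from a file, then write the rewritten JSON for whatever reporting tool consumes it; keeping `originalSeverity` lets a reviewer see what the scanner itself said when the overridden score is questioned.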

johnbelosf commented 3 months ago

Thank you - we are covering this as part of #1287. We definitely agree that you should have the ability to define your own severity levels.

Closing as duplicate

pavelt-addepar commented 3 months ago

Thank you for the response, I'll keep an eye on that ticket