Merge pull request #176 from TNG/severity-in-report

ChristophNiehoff · web-flow · commit 1c14206c9cdf · 2022-01-28T11:06:27.000+01:00
Added severity to markdown report
diff --git a/src/server/__tests__/server.test.js b/src/server/__tests__/server.test.js
@@ -326,62 +326,38 @@ it('Download threat file', async () => {
   expect(response.text).toBe(`Threats ${date}
 =======
 
-**1. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  &lt;img src="" onerror="alert\\('XSS'\\) alt="Uh oh..."&gt;
-
-  - *Mitigation:*   mitigation
-
-
-**2. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  description
-
-  - *Mitigation:*   mitigation
-
-
-**3. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  description
-
-  - *Mitigation:*   mitigation
-
-
-**4. Accessing DB credentials**
-
-  - *Description:*  The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
-
-  - *Mitigation:*   \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
-
-
-**5. Unauthorised access**
-
-  - *Description:*  An attacker could make an query call on the DB,
-
-  - *Mitigation:*   Require all queries to be authenticated.
-
-
-**6. Credential theft**
-
-  - *Author:*       The Model
-
-  - *Description:*  An attacker could obtain the DB credentials ans use them to make unauthorised queries.
-
-  - *Mitigation:*   Use a firewall to restrict access to the DB to only the Background Worker IP address.
-
-
-**7. \\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
-
-  - *Description:*  The Web Application Config stores credentials used  by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
-
-  - *Mitigation:*   The Message Queue credentials should be encrypted. newlines shouldn't break the formatting
-
+1. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* &lt;img src="" onerror="alert\\('XSS'\\) alt="Uh oh..."&gt;
+    - *Mitigation:* mitigation
+2. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* description
+    - *Mitigation:* mitigation
+3. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* description
+    - *Mitigation:* mitigation
+4. **Accessing DB credentials**
+    - *Severity:* High
+    - *Description:* The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
+    - *Mitigation:* \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
+5. **Unauthorised access**
+    - *Severity:* High
+    - *Description:* An attacker could make an query call on the DB,
+    - *Mitigation:* Require all queries to be authenticated.
+6. **Credential theft**
+    - *Severity:* Medium
+    - *Author:* The Model
+    - *Description:* An attacker could obtain the DB credentials ans use them to make unauthorised queries.
+    - *Mitigation:* Use a firewall to restrict access to the DB to only the Background Worker IP address.
+7. **\\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
+    - *Severity:* High
+    - *Description:* The Web Application Config stores credentials used  by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
+    - *Mitigation:* The Message Queue credentials should be encrypted. newlines shouldn't break the formatting
 `);
 });
 
diff --git a/src/server/endpoints.js b/src/server/endpoints.js
@@ -277,32 +277,42 @@ function getThreats(gameState, metadata, model) {
 function formatThreats(threats, date) {
   return `Threats ${date}
 =======
-${threats
-  .map(
-    (threat, index) => `
-**${index + 1}. ${escapeMarkdownText(threat.title.trim())}**
-${
-  'owner' in threat
-    ? `
-  - *Author:*       ${escapeMarkdownText(threat.owner)}
-`
-    : ''
+
+${threats.map(formatSingleThreat).join('\n')}
+`;
 }
-  - *Description:*  ${
-    escapeMarkdownText(
-      threat.description.replace(/(\r|\n)+/gm, ' '),
-    ) /* Stops newlines breaking md formatting */
+
+function formatSingleThreat(threat, index) {
+  const lines = [
+    `${index + 1}. **${escapeMarkdownText(threat.title.trim())}**`,
+  ];
+
+  if ('severity' in threat) {
+    lines.push(`    - *Severity:* ${escapeMarkdownText(threat.severity)}`);
+  }
+
+  if ('owner' in threat) {
+    lines.push(`    - *Author:* ${escapeMarkdownText(threat.owner)}`);
   }
 
-${
-  threat.mitigation !== `No mitigation provided.`
-    ? `  - *Mitigation:*   ${escapeMarkdownText(
+  if ('description' in threat) {
+    lines.push(
+      `    - *Description:* ${escapeMarkdownText(
+        threat.description.replace(/(\r|\n)+/gm, ' '),
+      )}`,
+    );
+  }
+
+  if (
+    'mitigation' in threat &&
+    threat.mitigation !== `No mitigation provided.`
+  ) {
+    lines.push(
+      `    - *Mitigation:* ${escapeMarkdownText(
         threat.mitigation.replace(/(\r|\n)+/gm, ' '),
-      )}
+      )}`,
+    );
+  }
 
-`
-    : ''
-}`,
-  )
-  .join('')}`;
+  return lines.join('\n');
 }
