Added severity to markdown report and convert to proper commonmark

ChristophNiehoff · ChristophNiehoff · commit ad3970537944 · 2022-01-26T21:33:49.000+01:00
diff --git a/src/server/__tests__/server.test.js b/src/server/__tests__/server.test.js
@@ -326,62 +326,38 @@ it('Download threat file', async () => {
   expect(response.text).toBe(`Threats ${date}
 =======
 
-**1. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  &lt;img src="" onerror="alert\\('XSS'\\) alt="Uh oh..."&gt;
-
-  - *Mitigation:*   mitigation
-
-
-**2. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  description
-
-  - *Mitigation:*   mitigation
-
-
-**3. title**
-
-  - *Author:*       Player 1
-
-  - *Description:*  description
-
-  - *Mitigation:*   mitigation
-
-
-**4. Accessing DB credentials**
-
-  - *Description:*  The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
-
-  - *Mitigation:*   \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
-
-
-**5. Unauthorised access**
-
-  - *Description:*  An attacker could make an query call on the DB,
-
-  - *Mitigation:*   Require all queries to be authenticated.
-
-
-**6. Credential theft**
-
-  - *Author:*       The Model
-
-  - *Description:*  An attacker could obtain the DB credentials ans use them to make unauthorised queries.
-
-  - *Mitigation:*   Use a firewall to restrict access to the DB to only the Background Worker IP address.
-
-
-**7. \\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
-
-  - *Description:*  The Web Application Config stores credentials used  by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
-
-  - *Mitigation:*   The Message Queue credentials should be encrypted. newlines shouldn't break the formatting
-
+1. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* &lt;img src="" onerror="alert\\('XSS'\\) alt="Uh oh..."&gt;
+    - *Mitigation:* mitigation
+2. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* description
+    - *Mitigation:* mitigation
+3. **title**
+    - *Severity:* High
+    - *Author:* Player 1
+    - *Description:* description
+    - *Mitigation:* mitigation
+4. **Accessing DB credentials**
+    - *Severity:* High
+    - *Description:* The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
+    - *Mitigation:* \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
+5. **Unauthorised access**
+    - *Severity:* High
+    - *Description:* An attacker could make an query call on the DB,
+    - *Mitigation:* Require all queries to be authenticated.
+6. **Credential theft**
+    - *Severity:* Medium
+    - *Author:* The Model
+    - *Description:* An attacker could obtain the DB credentials ans use them to make unauthorised queries.
+    - *Mitigation:* Use a firewall to restrict access to the DB to only the Background Worker IP address.
+7. **\\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
+    - *Severity:* High
+    - *Description:* The Web Application Config stores credentials used  by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
+    - *Mitigation:* The Message Queue credentials should be encrypted. newlines shouldn't break the formatting
 `);
 });
 
diff --git a/src/server/endpoints.js b/src/server/endpoints.js
@@ -277,32 +277,38 @@ function getThreats(gameState, metadata, model) {
 function formatThreats(threats, date) {
   return `Threats ${date}
 =======
+
 ${threats
   .map(
-    (threat, index) => `
-**${index + 1}. ${escapeMarkdownText(threat.title.trim())}**
-${
-  'owner' in threat
-    ? `
-  - *Author:*       ${escapeMarkdownText(threat.owner)}
-`
-    : ''
-}
-  - *Description:*  ${
-    escapeMarkdownText(
+    (threat, index) =>
+      `${index + 1}. **${escapeMarkdownText(threat.title.trim())}**${
+        'severity' in threat
+          ? `
+    - *Severity:* ${escapeMarkdownText(threat.severity)}`
+          : ``
+      }${
+        'owner' in threat
+          ? `
+    - *Author:* ${escapeMarkdownText(threat.owner)}`
+          : ``
+      }${
+        'description' in threat
+          ? `
+    - *Description:* ${escapeMarkdownText(
       threat.description.replace(/(\r|\n)+/gm, ' '),
-    ) /* Stops newlines breaking md formatting */
-  }
-
-${
-  threat.mitigation !== `No mitigation provided.`
-    ? `  - *Mitigation:*   ${escapeMarkdownText(
-        threat.mitigation.replace(/(\r|\n)+/gm, ' '),
-      )}
-
+    )}`
+          : ``
+      }${
+        'mitigation' in threat &&
+        threat.mitigation !== `No mitigation provided.`
+          ? `
+    - *Mitigation:* ${escapeMarkdownText(
+      threat.mitigation.replace(/(\r|\n)+/gm, ' '),
+    )}
+`
+          : `
 `
-    : ''
-}`,
+      }`,
   )
   .join('')}`;
 }
