JS: Lower security-severity of queries with speculative threat model

In the CVSS calculator we model this by setting 'Attack Complexity' to
High and 'User Interaction' to Low (as opposed to None).

CVSS vector:
  CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Asger Feldthaus
2021-10-05 08:11:57 +02:00
parent 4a16be2cba
commit 83ca4ef6d9
5 changed files with 5 additions and 5 deletions

@@ -5,7 +5,7 @@
* command-line injection vulnerabilities.
* @kind path-problem
* @problem.severity warning
* @security-severity 9.8
* @security-severity 6.3
* @precision medium
* @id js/indirect-command-line-injection
* @tags correctness
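Review bot: the rationale in the commit message does not match its own vector, and that applies to this 6.3 and the four identical ones that follow: the message says User Interaction was set to Low, but UI in CVSS v3.0 is only None or Required, and the vector actually keeps `UI:N` with the reduction coming from `PR:L` (Privileges Required: Low). The vector as written does evaluate to 6.3 (AC:H and PR:L on the exploitability side, S:C with C:N/I:H/A:N on the impact side), so the new `@security-severity 6.3` is correct; suggest amending the message to say Privileges Required: Low so the stated reasoning matches the vector it cites.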

@@ -4,7 +4,7 @@
* environment may cause subtle bugs or vulnerabilities.
* @kind path-problem
* @problem.severity warning
* @security-severity 9.8
* @security-severity 6.3
* @precision high
* @id js/shell-command-injection-from-environment
* @tags correctness
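Review bot: the shared vector assumes a High integrity impact (`I:H`), but the description for `js/shell-command-injection-from-environment` only says the environment "may cause subtle bugs or vulnerabilities", which does not by itself justify I:H over I:L. Since one vector is applied to all five queries, suggest either stating in the commit message what attacker scenario each query is scored against, or recording the vector in each query's help text so the 6.3 can be revisited per query later.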

@@ -4,7 +4,7 @@
* user to change the meaning of the command.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @security-severity 6.3
* @precision high
* @id js/shell-command-constructed-from-input
* @tags correctness
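Review bot: `@problem.severity error` stays while `@security-severity` drops from 9.8 to 6.3, which in CVSS v3.0 is the Medium band (4.0 to 6.9); the two fields are separate axes, but across this commit two queries keep `error` and three keep `warning` with the same 6.3, so the relation between them is now inconsistent. Suggest a line in the commit message saying whether `@problem.severity` was deliberately left untouched, or revisiting it for `js/shell-command-constructed-from-input` alongside the score.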

@@ -3,7 +3,7 @@
* @description Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.
* @kind problem
* @problem.severity error
* @security-severity 9.8
* @security-severity 6.3
* @precision high
* @id js/unnecessary-use-of-cat
* @tags correctness
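Review bot: `js/unnecessary-use-of-cat` is a `@kind problem` query whose description is mostly about code quality ("unnecessarily complex, inefficient, unportable") with security only as a possibility, so a vector built around an attacker achieving a High integrity impact is a stretch for a check that does not track data flow from an untrusted source. Suggest either justifying the shared vector for this query in the message or scoring it separately from the four path-problem queries.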

@@ -3,7 +3,7 @@
* @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
* @kind path-problem
* @problem.severity warning
* @security-severity 9.8
* @security-severity 6.3
* @precision medium
* @id js/http-to-file-access
* @tags security
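Review bot: `PR:L` in the shared vector is the least convincing here: the description for `js/http-to-file-access` says writing network data directly to the file system "allows arbitrary file upload", and nothing in it implies the sender needs any privileges, so this query may be under-rated relative to the other four by the same speculative discount. Suggest either explaining in the commit message why PR:L applies to this query or scoring it with PR:N; it is also the only one of the five whose visible `@tags` line carries `security`, which fits its description but is worth a mention in the message since the others show `correctness`.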