Merge pull request #20671 from github/napalys/adjust_query_severity

Adjust query severity ratings
2025-12-16 16:53:25 +01:00 · 2025-11-11 12:37:31 +01:00
parent 8624f9c660 9c70ae04fb
commit d122534398
10 changed files with 24 additions and 6 deletions
--- a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+++ b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
@@ -4,7 +4,7 @@
 *              This may allow an attacker to bypass a filter or sanitizer.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 4.0
 * @precision high
 * @id java/overly-large-range
 * @tags correctness
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -4,7 +4,7 @@
 *              interception.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.0
+ * @security-severity 4.0
 * @precision high
 * @id java/insecure-cookie
 * @tags security
--- a/java/ql/src/change-notes/2025-10-22-adjust-query-severity.md
+++ b/java/ql/src/change-notes/2025-10-22-adjust-query-severity.md
@@ -0,0 +1,5 @@
 ---
 category: queryMetadata
 ---
 * Reduced the `security-severity` score of the `java/overly-large-range` query from 5.0 to 4.0 to better reflect its impact.
 * Reduced the `security-severity` score of the `java/insecure-cookie` query from 5.0 to 4.0 to better reflect its impact.
--- a/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
+++ b/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
@@ -4,7 +4,7 @@
 *              This may allow an attacker to bypass a filter or sanitizer.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 4.0
 * @precision high
 * @id js/overly-large-range
 * @tags correctness
--- a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+++ b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
@@ -4,7 +4,7 @@
 *              can lead to a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id js/xss-through-dom
 * @tags security
--- a/javascript/ql/src/change-notes/2025-10-22-adjust-query-severity.md
+++ b/javascript/ql/src/change-notes/2025-10-22-adjust-query-severity.md
@@ -0,0 +1,5 @@
 ---
 category: queryMetadata
 ---
 * Increased the `security-severity` score of the `js/xss-through-dom` query from 6.1 to 7.8 to align with other XSS queries.
 * Reduced the `security-severity` score of the `js/overly-large-range` query from 5.0 to 4.0 to better reflect its impact.
--- a/python/ql/src/Security/CWE-020/OverlyLargeRange.ql
+++ b/python/ql/src/Security/CWE-020/OverlyLargeRange.ql
@@ -4,7 +4,7 @@
 *              This may allow an attacker to bypass a filter or sanitizer.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 4.0
 * @precision high
 * @id py/overly-large-range
 * @tags correctness
--- a/python/ql/src/change-notes/2025-10-22-adjust-query-severity.md
+++ b/python/ql/src/change-notes/2025-10-22-adjust-query-severity.md
@@ -0,0 +1,4 @@
 ---
 category: queryMetadata
 ---
 * Reduced the `security-severity` score of the `py/overly-large-range` query from 5.0 to 4.0 to better reflect its impact.
--- a/ruby/ql/src/change-notes/2025-10-22-adjust-query-severity.md
+++ b/ruby/ql/src/change-notes/2025-10-22-adjust-query-severity.md
@@ -0,0 +1,4 @@
 ---
 category: queryMetadata
 ---
 * Reduced the `security-severity` score of the `rb/overly-large-range` query from 5.0 to 4.0 to better reflect its impact. 
--- a/ruby/ql/src/queries/security/cwe-020/OverlyLargeRange.ql
+++ b/ruby/ql/src/queries/security/cwe-020/OverlyLargeRange.ql
@@ -4,7 +4,7 @@
 *              This may allow an attacker to bypass a filter or sanitizer.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 4.0
 * @precision high
 * @id rb/overly-large-range
 * @tags correctness