feat: remove dynamic severity (#1469)

* feat: remove dynamic severity

* docs: remove dynamic severity

* test: update snapshots

docs/_data/nav.js

@@ -70,10 +70,6 @@ module.exports = [
         name: "Sensitive data flow",
         url: "/explanations/discovery-and-classification/",
       },
-      {
-        name: "Dynamic severity levels",
-        url: "/explanations/severity/",
-      },
     ],
   },
   {

docs/docs.md

@@ -63,7 +63,6 @@ Explanations dive into the rational behind Bearer CLI and explain some of its he
 - [Bearer CLI's scanner types](/explanations/scanners/)
 - [Bearer CLI's report types](/explanations/reports/)
 - [How Bearer CLI discovers and classifies data](/explanations/discovery-and-classification/)
-- [How Bearer CLI sets severity levels](/explanations/severity/)
 
 ## Reference
 

e2e/rules/.snapshots/TestSimpleRuby-testdata-data-simple_ruby

@@ -1,4 +1,4 @@
-medium:
+low:
     - rule:
         cwe_ids:
             - "319"

internal/report/output/security/.snapshots/TestAddReportData

@@ -67,7 +67,7 @@
       }
     }
   },
-  (string) (len=4) "high": ([]types.Finding) (len=1) {
+  (string) (len=6) "medium": ([]types.Finding) (len=1) {
     (types.Finding) {
       Rule: (*types.Rule)({
         CWEIDs: ([]string) (len=1) {
@@ -117,15 +117,12 @@
       },
       SeverityMeta: (types.SeverityMeta) {
         RuleSeverity: (string) (len=6) "medium",
-        SensitiveDataCategories: ([]string) (len=2) {
-          (string) (len=3) "PII",
-          (string) (len=13) "Personal Data"
-        },
-        HasLocalDataTypes: (*bool)(false),
-        SensitiveDataCategoryWeighting: (int) 2,
-        RuleSeverityWeighting: (int) 3,
-        FinalWeighting: (int) 5,
-        DisplaySeverity: (string) (len=4) "high"
+        SensitiveDataCategories: ([]string) <nil>,
+        HasLocalDataTypes: (*bool)(<nil>),
+        SensitiveDataCategoryWeighting: (int) 0,
+        RuleSeverityWeighting: (int) 0,
+        FinalWeighting: (int) 0,
+        DisplaySeverity: (string) (len=6) "medium"
       }
     }
   }

internal/report/output/security/.snapshots/TestBuildReportString

@@ -18,7 +18,7 @@ File: :1
 
 
 
-HIGH: Missing SSL certificate verification detected. [CWE-295]
+MEDIUM: Missing SSL certificate verification detected. [CWE-295]
 https://docs.bearer.com/reference/rules/ruby_lang_ssl_verification
 To ignore this finding, run: bearer ignore add 9005ef3db844b32c1a0317e032f4a16a_0
 
@@ -30,8 +30,8 @@ File: :2
 3 checks, 2 findings
 
 CRITICAL: 1 (CWE-209, CWE-532)
-HIGH: 1 (CWE-295)
-MEDIUM: 0
+HIGH: 0
+MEDIUM: 1 (CWE-295)
 LOW: 0
 WARNING: 0
 

internal/report/output/security/.snapshots/TestCalculateSeverity

@@ -13,25 +13,21 @@
   },
   (types.SeverityMeta) {
     RuleSeverity: (string) (len=3) "low",
-    SensitiveDataCategories: ([]string) (len=1) {
-      (string) (len=25) "Personal Data (Sensitive)"
-    },
-    HasLocalDataTypes: (*bool)(false),
-    SensitiveDataCategoryWeighting: (int) 3,
-    RuleSeverityWeighting: (int) 2,
-    FinalWeighting: (int) 5,
-    DisplaySeverity: (string) (len=4) "high"
+    SensitiveDataCategories: ([]string) <nil>,
+    HasLocalDataTypes: (*bool)(<nil>),
+    SensitiveDataCategoryWeighting: (int) 0,
+    RuleSeverityWeighting: (int) 0,
+    FinalWeighting: (int) 0,
+    DisplaySeverity: (string) (len=3) "low"
   },
   (types.SeverityMeta) {
     RuleSeverity: (string) (len=3) "low",
-    SensitiveDataCategories: ([]string) (len=1) {
-      (string) (len=13) "Personal Data"
-    },
-    HasLocalDataTypes: (*bool)(false),
-    SensitiveDataCategoryWeighting: (int) 2,
-    RuleSeverityWeighting: (int) 2,
-    FinalWeighting: (int) 4,
-    DisplaySeverity: (string) (len=6) "medium"
+    SensitiveDataCategories: ([]string) <nil>,
+    HasLocalDataTypes: (*bool)(<nil>),
+    SensitiveDataCategoryWeighting: (int) 0,
+    RuleSeverityWeighting: (int) 0,
+    FinalWeighting: (int) 0,
+    DisplaySeverity: (string) (len=3) "low"
   },
   (types.SeverityMeta) {
     RuleSeverity: (string) (len=7) "warning",

internal/report/output/security/security.go

@@ -472,6 +472,13 @@ func CalculateSeverity(groups []string, severity string, hasLocalDataTypes bool)
 		}
 	}
 
+	if !hasLocalDataTypes {
+		return types.SeverityMeta{
+			RuleSeverity:    severity,
+			DisplaySeverity: severity,
+		}
+	}
+
 	// highest sensitive data category
 	sensitiveDataCategoryWeighting := 0
 	if slices.Contains(groups, "PHI") {
@@ -496,10 +503,7 @@ func CalculateSeverity(groups []string, severity string, hasLocalDataTypes bool)
 		ruleSeverityWeighting = 2 // low weighting as default
 	}
 
-	triggerWeighting := 1
-	if hasLocalDataTypes {
-		triggerWeighting = 2
-	}
+	triggerWeighting := 2
 
 	var displaySeverity string
 	finalWeighting := ruleSeverityWeighting + (sensitiveDataCategoryWeighting * triggerWeighting)

internal/report/output/security/security_test.go

@@ -140,12 +140,31 @@ func TestAddReportDataWithFailOnSeverity(t *testing.T) {
 		Severity string
 		Expected bool
 	}{
-		{FailOnSeverity: globaltypes.LevelCritical, Expected: true},
-		{FailOnSeverity: globaltypes.LevelHigh, Expected: true},
-		{FailOnSeverity: globaltypes.LevelHigh, Severity: globaltypes.LevelCritical, Expected: false},
-		{FailOnSeverity: globaltypes.LevelMedium, Expected: false},
-		{FailOnSeverity: globaltypes.LevelLow, Expected: false},
-		{FailOnSeverity: globaltypes.LevelWarning, Expected: false},
+		{
+			FailOnSeverity: globaltypes.LevelCritical,
+			Expected:       true,
+		},
+		{
+			FailOnSeverity: globaltypes.LevelHigh,
+			Expected:       false,
+		},
+		{
+			FailOnSeverity: globaltypes.LevelHigh,
+			Severity:       globaltypes.LevelCritical,
+			Expected:       false,
+		},
+		{
+			FailOnSeverity: globaltypes.LevelMedium,
+			Expected:       true,
+		},
+		{
+			FailOnSeverity: globaltypes.LevelLow,
+			Expected:       false,
+		},
+		{
+			FailOnSeverity: globaltypes.LevelWarning,
+			Expected:       false,
+		},
 	} {
 		t.Run(test.FailOnSeverity, func(tt *testing.T) {
 			failOnSeverity := set.New[string]()