ruleConfiguration.defaultLevel should not contain an 'open' value #288
Comments
|
Related, just to emphasize, there is a significant problem with allowing the log file producer to specify a default level as 'open', this recategorizes the result as a non-result. That is, all the results in a log file, if they do not have an explicit level, and if the rule they're associated with has 'open' as a value, are not actually results, they are a marker that whether or not we have a result is an open question. This is very non-obvious. In the absence of any explicit other information directly applied to a result, it is helpful if users can assume the result is a positive indicator of a problem. |
|
The backwards compatible transformation for this spec change: Walk all results. if they have no explicit indicator of result.level and if the rule.configuration.defaultLevel was previously marked 'open', mark result.level explicitly as 'open'. |
ghost
changed the title
|
I support this message. |
ghost
self-assigned this
ghost
added
bug
impact-breaks-producers
triage-approved
2.1.0-CSD.1
|
Change draft looks good from my perspective. |
Our result levels divide into two groups, a set of rough severities in cases where a result is detected, plus an additional set of values that allow for some signal to be comprehensively generated for all scan targets (this latter category is for compliance purposes).
The ruleConfiguration.defaultLevel should only contain values for the former case. That is, the property represents the default severity of a problem when one is detected.
'open' simply means 'we don't know yet', so it is not an actual level of interest to configure as a default for a rule.
The text was updated successfully, but these errors were encountered: