From 547045046e8610c1271458aadd9a2070ce6115e5 Mon Sep 17 00:00:00 2001
From: jabaran
Date: Sun, 11 Aug 2024 20:40:19 -0400
Subject: [PATCH] License output for SARIF output

When a licenses item are found the `security-severity` set to undefined and the output for uploading to GH's GHAS fails unless there is a post-process of the SARIF. Since there is a comment next to both entries for `security-severity` it seems like it would follow that this is better and more expected result than the SARIF upload failing.
---
 src/lib/formatters/open-source-sarif-output.ts | 2 +-
 src/lib/formatters/sarif-output.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/formatters/open-source-sarif-output.ts b/src/lib/formatters/open-source-sarif-output.ts
index 0388674197..7989dcb586 100644
--- a/src/lib/formatters/open-source-sarif-output.ts
+++ b/src/lib/formatters/open-source-sarif-output.ts
@@ -93,7 +93,7 @@ ${vuln.description}`.replace(/##\s/g, '# '),
 testResult.packageManager!,
 ],
 cvssv3_baseScore: vuln.cvssScore, // AWS
- 'security-severity': String(vuln.cvssScore), // GitHub
+ 'security-severity': String(!!vuln.cvssScore? vuln.cvssScore : 0), // GitHub
 },
 };
 },
diff --git a/src/lib/formatters/sarif-output.ts b/src/lib/formatters/sarif-output.ts
index 7af459f9c5..52e4f83c0b 100644
--- a/src/lib/formatters/sarif-output.ts
+++ b/src/lib/formatters/sarif-output.ts
@@ -87,7 +87,7 @@ export function getTool(testResult): sarif.Tool {
 testResult.packageManager!,
 ],
 cvssv3_baseScore: vuln.cvssScore, // AWS
- 'security-severity': String(vuln.cvssScore), // GitHub
+ 'security-severity': String(!!vuln.cvssScore? vuln.cvssScore : 0), // GitHub
 },
 };
 })
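Review bot: The fallback on the added `'security-severity'` line in open-source-sarif-output.ts reports every finding that lacks a CVSS score as `"0"`, which GitHub (as far as I recall its banding) will surface as a low-severity alert; that is acceptable for license issues, but a real vulnerability whose score is merely missing gets downgraded the same way, so if `vuln` carries a severity label (not visible in this hunk) deriving the number from it would be safer than a flat zero. The `!!x ? x : 0` form is just `x || 0` and, for a `number | null | undefined` score, reads more clearly as `'security-severity': String(vuln.cvssScore ?? 0), // GitHub`. It is also worth recording why the fallback exists, since the removed `String(vuln.cvssScore)` produced the literal string `"undefined"` rather than omitting the property: `// GitHub validates this as a numeric string; license issues have no CVSS score, so emit "0" instead of "undefined"`. Note that the `cvssv3_baseScore` line just above still emits `undefined` for the same items (dropped by JSON serialisation), so the two consumers now see different values — presumably intended, but worth a word in the commit message. The enclosing object/arrow function starts and ends outside the hunk.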
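Review bot: The added line in sarif-output.ts is a character-for-character copy of the one in open-source-sarif-output.ts, including the hand-spaced `!!vuln.cvssScore? vuln.cvssScore : 0` that Prettier would not leave as is, so the two SARIF formatters now carry duplicated policy that can drift the next time one of them is touched. A single helper, e.g. `export function securitySeverity(cvssScore?: number | null): string { return String(cvssScore ?? 0); }`, called here as `'security-severity': securitySeverity(vuln.cvssScore), // GitHub`, keeps the GitHub-facing rule in one place; where it lives is a judgment call since the modules these formatters share are not visible in this hunk. `getTool` starts and ends outside the hunk.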