When looking at the API output of a rule, we see a "severity" value and an "impact severity" value. Below is an output for a Java security rule. Why are the two "severity" values different?
```json
"rule": {
  "key": "javasecurity:S6096",
  "repo": "javasecurity",
  "name": "Extracting archives should not lead to zip slip vulnerabilities",
  "createdAt": "2025-01-07T23:10:22+0000",
  "severity": "BLOCKER",
  "status": "READY",
  "isTemplate": false,
  "tags": [],
  "sysTags": [
    "cwe"
  ],
  "impacts": [
    {
      "softwareQuality": "SECURITY",
      "severity": "HIGH"
    }
  ]
}
```
The new MQR Mode aims to more accurately represent the impact an issue has on all software qualities. It does this by assigning a separate severity to a rule for each software quality it might impact. This approach focuses on ensuring the impact on all affected software qualities is clear, not just the one most severely impacted.
So the “Blocker” severity is the severity assigned in Standard Mode, while the one in Impacts would be for the MQR mode. I hope that helps.
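As an added example, not code from the original thread or from SonarSource, here is a small Python helper that reads a rule object shaped like the API output quoted in the question and reports the Standard Mode severity separately from the per-software-quality MQR impact severities. The sample response is constructed from the values shown in the question; the field names are assumed to match that quoted output, and a rule without an "impacts" array is treated as having no MQR impacts rather than as an error.

```python
import json

# Constructed sample: the structure and values mirror the rule output quoted in the
# question above (javasecurity:S6096), wrapped in the "rule" object the API returns.
SAMPLE_RESPONSE = """
{
  "rule": {
    "key": "javasecurity:S6096",
    "repo": "javasecurity",
    "name": "Extracting archives should not lead to zip slip vulnerabilities",
    "createdAt": "2025-01-07T23:10:22+0000",
    "severity": "BLOCKER",
    "status": "READY",
    "isTemplate": false,
    "tags": [],
    "sysTags": ["cwe"],
    "impacts": [
      {"softwareQuality": "SECURITY", "severity": "HIGH"}
    ]
  }
}
"""


def split_severities(rule: dict) -> dict:
    """Separate the two notions of severity carried by one rule object.

    - "standard": the single top-level "severity" used in Standard Mode
      (e.g. BLOCKER), or None if the field is absent.
    - "impacts":  a mapping softwareQuality -> severity taken from the
      "impacts" array, which is what MQR Mode uses. A rule with no
      "impacts" key yields an empty mapping.
    """
    standard = rule.get("severity")
    impacts = {
        impact["softwareQuality"]: impact["severity"]
        for impact in rule.get("impacts", [])
    }
    return {"key": rule.get("key"), "standard": standard, "impacts": impacts}


def summarize_response(response_text: str) -> dict:
    """Parse a raw API response body and summarize its rule's severities."""
    rule = json.loads(response_text)["rule"]
    return split_severities(rule)


def format_line(summary: dict) -> str:
    """Render a one-line, human-readable comparison of both severity kinds."""
    mqr = ", ".join(f"{q}={s}" for q, s in sorted(summary["impacts"].items())) or "none"
    return f"{summary['key']}: standard={summary['standard']}; MQR impacts: {mqr}"


if __name__ == "__main__":
    print(format_line(summarize_response(SAMPLE_RESPONSE)))
```

Running the block prints one line showing the Standard Mode value (BLOCKER) next to the MQR impact value (SECURITY=HIGH), which makes the distinction in the answer above concrete when you scan a batch of rules.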
Hi Jason,
A follow-up question. If we change the severity on the rule (using a custom quality profile), which severity value does it change - the Standard Mode severity or the MQR mode impact severity?