fix: enforce correct type for security-severity in sarif output (#5091)

src/lib/formatters/open-source-sarif-output.ts

@@ -88,7 +88,7 @@ ${vuln.description}`.replace(/##\s/g, '# '),
             testResult.packageManager!,
           ],
           cvssv3_baseScore: vuln.cvssScore, // AWS
-          'security-severity': vuln.cvssScore, // GitHub
+          'security-severity': String(vuln.cvssScore), // GitHub
         },
       };
     },

src/lib/formatters/sarif-output.ts

@@ -83,7 +83,7 @@ export function getTool(testResult): sarif.Tool {
             testResult.packageManager!,
           ],
           cvssv3_baseScore: vuln.cvssScore, // AWS
-          'security-severity': vuln.cvssScore, // GitHub
+          'security-severity': String(vuln.cvssScore), // GitHub
         },
       };
     })

test/fixtures/docker/sarif-container-result.json

@@ -31,7 +31,7 @@
                   "deb"
                 ],
                 "cvssv3_baseScore": 6.5,
-                "security-severity": 6.5
+                "security-severity": "6.5"
               }
             }
           ]

test/fixtures/docker/sarif-with-file-container-result.json

@@ -31,7 +31,7 @@
                   "deb"
                 ],
                 "cvssv3_baseScore": 6.5,
-                "security-severity": 6.5
+                "security-severity": "6.5"
               }
             }
           ]

test/jest/acceptance/snyk-test/output-formats/sarif.spec.ts

@@ -51,7 +51,7 @@ describe('snyk test --sarif', () => {
 
     expect(stdout).toContain('"artifactsScanned": 1');
     expect(stdout).toContain('"cvssv3_baseScore": 5.3');
-    expect(stdout).toContain('"security-severity": 5.3');
+    expect(stdout).toContain('"security-severity": "5.3"');
     expect(stdout).toContain('"fullyQualifiedName": "lodash@4.17.15"');
     expect(stdout).toContain('Upgrade to lodash@4.17.17');
   });

test/jest/unit/lib/formatters/__snapshots__/open-source-sarif-output.spec.ts.snap

@@ -79,7 +79,7 @@ Object {
               "id": "SNYK-JS-AJV-584908",
               "properties": Object {
                 "cvssv3_baseScore": 7.5,
-                "security-severity": 7.5,
+                "security-severity": "7.5",
                 "tags": Array [
                   "security",
                   "CWE-400",

test/jest/unit/lib/formatters/__snapshots__/sarif-output.spec.ts.snap

@@ -71,7 +71,7 @@ In libexpat in Expat before 2.2.7, XML input including XML names that contain a
               "id": "SNYK-LINUX-EXPAT-450908",
               "properties": Object {
                 "cvssv3_baseScore": 7.5,
-                "security-severity": 7.5,
+                "security-severity": "7.5",
                 "tags": Array [
                   "security",
                   "CWE-611",
@@ -162,7 +162,7 @@ In libexpat in Expat before 2.2.7, XML input including XML names that contain a
               "id": "SNYK-LINUX-EXPAT-450908",
               "properties": Object {
                 "cvssv3_baseScore": 7.5,
-                "security-severity": 7.5,
+                "security-severity": "7.5",
                 "tags": Array [
                   "security",
                   "npm",
@@ -252,7 +252,7 @@ In libexpat in Expat before 2.2.7, XML input including XML names that contain a
               "id": "SNYK-LINUX-EXPAT-450908",
               "properties": Object {
                 "cvssv3_baseScore": 7.5,
-                "security-severity": 7.5,
+                "security-severity": "7.5",
                 "tags": Array [
                   "security",
                   "CWE-611",