fix for sarif which maps level from issue severity

Author: wolfeidau

output/formatter.go

@@ -196,7 +196,7 @@ func convertToSarifReport(rootPaths []string, data *reportInfo) (*sarifReport, e
 		result := &sarifResult{
 			RuleID:    fmt.Sprintf("%s (CWE-%s)", issue.RuleID, issue.Cwe.ID),
 			RuleIndex: index,
-			Level:     sarifWarning,
+			Level:     getSarifLevel(issue.Severity.String()),
 			Message: &sarifMessage{
 				Text: issue.What,
 			},

output/sarif_format.go

@@ -155,3 +155,20 @@ func buildSarifLocation(issue *gosec.Issue, rootPaths []string) (*sarifLocation,
 
 	return location, nil
 }
+
+// From https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127839
+// * "warning": The rule specified by ruleId was evaluated and a problem was found.
+// * "error": The rule specified by ruleId was evaluated and a serious problem was found.
+// * "note": The rule specified by ruleId was evaluated and a minor problem or an opportunity to improve the code was found.
+func getSarifLevel(s string) sarifLevel {
+	switch s {
+	case "LOW":
+		return sarifWarning
+	case "MEDIUM":
+		return sarifError
+	case "HIGH":
+		return sarifError
+	default:
+		return sarifNote
+	}
+}