Customize the Descriptions of Findings

This article will show you how to create a policy that customizes the description of individual findings in NG SAST.

To do this, you'll need the CONCLUSION and WHEN blocks for the categories you want to modify (e.g., xss-to-header); you can obtain these from ShiftLeft.

IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
CONCLUSION xss-to-header = FLOW IO (http OR $http) -> IO (httpHeader)
WHEN CONCLUSION xss-to-header => EMIT {
title: "XSS: HTTP data to header {{via `$paramname`}} {{in `$methodname`}}",
category: "a7-XSS",
description: "Data from HTTP request parameters is stored in HTTP headers. Unless the string is validated, this may result in an XSS attack.
## Countermeasures
This vulnerability can be prevented by using input sanitization/validation techniques (e.g., whitelisting) on the HTTP data before using it inside another HTTP header.
## Internal help
Visit the slack channel #team-xss to learn more about XSS. We have a wealth of resources in our [Confluence page](http://example.com) on XSS.
## Additional information
**[CWE-79](https://cwe.mitre.org/data/definitions/79.html)**
**[OWASP-A7](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS))**",
score: "8.0",
vulnerability_description: "XSS",
owasp_link: "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)",
link: "https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)",
cwe_link: "https://cwe.mitre.org/data/definitions/79.html"
}

Now, NG SAST will use your custom descriptions when reporting its findings.
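A mistake in an EMIT block (a missing field, a non-numeric score, a broken CWE link) only surfaces once the policy is uploaded and a finding is reported against it, so it is worth checking the block before upload. The following Python script is an added example and is not part of this article or of ShiftLeft's tooling: it pulls the key/value fields out of every WHEN CONCLUSION ... => EMIT block with a small regex parser and reports missing fields, an out-of-range or non-numeric score, a cwe_link that is not a CWE definition URL, non-HTTPS links, and plain-HTTP URLs inside the Markdown description. The list of required fields, the 0.0-10.0 score range and the HTTPS rule are assumptions of this example, not a documented NG SAST schema; the two embedded policies are constructed sample input (the first is the article's policy, the second is a deliberately broken block for a hypothetical sqli-demo category).

```python
import re
from typing import Dict, List

# Constructed sample input: the policy from the article, embedded inline so the
# check runs offline. The Confluence link is plain HTTP, which the lint reports.
SAMPLE_POLICY = r'''IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
CONCLUSION xss-to-header = FLOW IO (http OR $http) -> IO (httpHeader)
WHEN CONCLUSION xss-to-header => EMIT {
title: "XSS: HTTP data to header {{via `$paramname`}} {{in `$methodname`}}",
category: "a7-XSS",
description: "Data from HTTP request parameters is stored in HTTP headers. Unless the string is validated, this may result in an XSS attack.
## Countermeasures
This vulnerability can be prevented by using input sanitization/validation techniques (e.g., whitelisting) on the HTTP data before using it inside another HTTP header.
## Internal help
Visit the slack channel #team-xss to learn more about XSS. We have a wealth of resources in our [Confluence page](http://example.com) on XSS.
## Additional information
**[CWE-79](https://cwe.mitre.org/data/definitions/79.html)**",
score: "8.0",
vulnerability_description: "XSS",
cwe_link: "https://cwe.mitre.org/data/definitions/79.html"
}
'''

# Constructed sample with deliberate mistakes (hypothetical category name).
BROKEN_POLICY = r'''WHEN CONCLUSION sqli-demo => EMIT {
title: "SQL injection {{in `$methodname`}}",
category: "a1-injection",
description: "Constructed example of an EMIT block with errors.",
score: "eleven",
cwe_link: "http://cwe.mitre.org/79"
}
'''

# Fields this lint expects in every EMIT block (an assumption of this example,
# not a documented NG SAST schema).
REQUIRED_FIELDS = ("title", "category", "description", "score", "cwe_link")

# One EMIT block: the name after WHEN CONCLUSION and the body up to a closing
# brace at the start of a line (as in the article's policy).
EMIT_BLOCK = re.compile(r"WHEN CONCLUSION\s+(\S+)\s*=>\s*EMIT\s*\{(.*?)^\}", re.S | re.M)
# key: "value" pairs; the value may span lines and may contain escaped quotes.
FIELD = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"', re.S)
CWE_URL = re.compile(r"^https://cwe\.mitre\.org/data/definitions/\d+\.html$")
URL = re.compile(r"https?://[^\s)>\]]+")


def parse_emit_blocks(policy: str) -> Dict[str, Dict[str, str]]:
    """Map each WHEN CONCLUSION name to the key/value fields of its EMIT block."""
    return {m.group(1): dict(FIELD.findall(m.group(2))) for m in EMIT_BLOCK.finditer(policy)}


def lint_emit(name: str, fields: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems found in one EMIT block."""
    issues: List[str] = []
    for key in REQUIRED_FIELDS:
        if key not in fields:
            issues.append(f"{name}: missing field '{key}'")
    if "score" in fields:
        try:
            score = float(fields["score"])
            if not 0.0 <= score <= 10.0:
                issues.append(f"{name}: score {score} outside 0.0-10.0")
        except ValueError:
            issues.append(f"{name}: score is not numeric: {fields['score']!r}")
    if "cwe_link" in fields and not CWE_URL.match(fields["cwe_link"]):
        issues.append(f"{name}: cwe_link is not a CWE definition URL")
    for key in ("link", "owasp_link", "cwe_link"):
        if key in fields and not fields[key].startswith("https://"):
            issues.append(f"{name}: {key} does not use https")
    # The description is Markdown; flag links that would send readers over plain HTTP.
    for url in URL.findall(fields.get("description", "")):
        if url.startswith("http://"):
            issues.append(f"{name}: description links to plain-HTTP URL {url}")
    # Title placeholders such as {{via `$paramname`}} must be balanced.
    title = fields.get("title", "")
    if title.count("{{") != title.count("}}"):
        issues.append(f"{name}: unbalanced {{{{ }}}} placeholder in title")
    return issues


def lint_policy(policy: str) -> List[str]:
    """Lint every EMIT block in a policy file's text."""
    blocks = parse_emit_blocks(policy)
    if not blocks:
        return ["no WHEN CONCLUSION ... => EMIT block found"]
    issues: List[str] = []
    for name, fields in blocks.items():
        issues.extend(lint_emit(name, fields))
    return issues


if __name__ == "__main__":
    for label, text in (("article policy", SAMPLE_POLICY), ("broken policy", BROKEN_POLICY)):
        print(f"{label}: {lint_policy(text) or ['ok']}")
```

Run against the article's policy the only report is the plain-HTTP Confluence link in the description; the broken block produces three reports (non-numeric score, malformed cwe_link, cwe_link not over HTTPS). Because the parser keys every field off the WHEN CONCLUSION name, the same script covers a policy file that customizes several categories at once.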

(Screenshot: a finding displayed with the custom description.)

The description field supports Markdown syntax.