Customize the Descriptions of Findings

This article will show you how to create a policy that customizes the description of individual findings in NG SAST.

To do this, you'll need the CONCLUSION and WHEN blocks for the categories you want to modify (e.g., xss-to-header); you can obtain these from ShiftLeft.

IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
CONCLUSION xss-to-header = FLOW IO (http OR $http) -> IO (httpHeader)
WHEN CONCLUSION xss-to-header => EMIT {
title: "XSS: HTTP data to header {{via `$paramname`}} {{in `$methodname`}}",
category: "a7-XSS",
description: "Data from HTTP request parameters is stored in HTTP headers. Unless the string is validated, this may result in a XSS attack.
## Countermeasures
This vulnerability can be prevented by using input sanitization/validation techniques (e.g., whitelisting) on the HTTP data before using it inside another HTTP header.
## Internal help
Visit the slack channel #team-xss to learn more about XSS. We have a wealth of resources in our [Confluence page]( on XSS.
## Additional information
score: "8.0",
vulnerability_description: "XSS",
owasp_link: "",
link: "",
cwe_link: ""

Now, NG SAST will use your custom descriptions when reporting its findings.

Finding with Custom Description

The description field supports Markdown syntax.