Migrations

Beginning July 2022, ShiftLeft CORE features changes to the product with regards to:

  • Build rules
  • Support for severity classifications based on CVSS 3.1
  • Support for OWASP 2021

Build rules

We've updated the build rules engine to support the ability to fail builds based on the finding of OSS vulnerabilities and to add templating functionality that you can use to customize the report ShiftLeft generates of your results.

The build rules that you defined using v1 should continue to work; however, we recommend migrating over to v2 as soon as possible. Currently, you can invoke the use of the build rules v2 engine by including --v2 when running sl check-analysis (e.g., sl check-analysis --v2 [command options]), though we will eventually update the CLI so that v2 is the default.

CVSS 3.1

Previously, ShiftLeft CORE had classified the severity of findings as info, moderate, and critical. However, the severity levels with which the findings are tagged now are based on the CVSS 3.1 score associated with the finding:

CVSS ScoreSeverity level
CVSS score between 0.1 and 4Low
CVSS score between 4.0 and 7Medium
CVSS score between 7.0 and 9High
CVSS score above 9.0Critical

If you use any of the following features, you can update your definitions to reflect the new severity rating system:

If you use critical and moderate in your existing build rules, you must change these to critical and high, respectively.

OWASP 2021

ShiftLeft CORE now supports the finding of issues classified as the OWASP 2021 Top 10.

Mapping OWASP 2017 Top 10 to OWASP 2021 Top 10

Previously, findings would be tagged with the owasp_category parameter as follows:

  • a1-injection
  • a2-broken-authentication
  • a3-sensitive-data-exposure
  • a4-xxe
  • a5-broken-access-control
  • a6-misconfiguration
  • a6-security-misconfiguration
  • a7-cross-site-scripting
  • a7-xss
  • a8-deserialization

With the introduction of support for the OWASP 2021 categories, ShiftLeft accepts the following tags with the owasp_category parameter:

  • a01-2021-broken-access-control
  • a02-2021-cryptographic-failures
  • a03-2021-injection
  • a04-2021-insecure-design
  • a05-2021-security-misconfiguration
  • a06-2021-vulnerable-and-outdated-components
  • a07-2021-identification-and-authentication-failures
  • a08-2021-software-and-data-integrity-failures
  • a09-2021-security-logging-and-monitoring-failures
  • a10-2021-server-side-request-forgery-(ssrf)

If you use any of the following features, you can update your definitions to reflect the OWASP parameters names available: