
G203 Cross-site Scripting Explanation SARIF Report Issue #801

Closed
Jeeppler opened this issue Apr 4, 2022 · 1 comment · Fixed by #803

Comments


Jeeppler commented Apr 4, 2022

Summary

While scanning go-test-bench with GoSec 2.11.0, GoSec outputs the following help message for G203 in the SARIF report:

"fullDescription": {
  "text": "this method will not auto-escape HTML. Verify data is well formed."
},

This is not very helpful.
The CWE-79 name for G203 is:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Based on the current description from GoSec, the user does not know this is a potential 'Cross-site Scripting' vulnerability (weakness, security flaw). It would be better to tell the user this is all about 'Cross-site Scripting', as the user can then search for the term 'Cross-site Scripting', which leads to results. For example: https://owasp.org/www-community/attacks/xss/.

Steps to reproduce the behavior

Scan go-test-bench using GoSec. Make sure GoSec outputs a SARIF report.

gosec version

2.11.0

Go version (output of 'go version')

go version go1.18 linux/amd64

Operating system / Environment

GNU/Linux, Distribution: Ubuntu

Expected behavior

Provide a proper explanation of the finding G203. The finding should explain what the problem is in a complete sentence.

"this method will not auto-escape HTML. Verify data is well formed."

better would be:

"The template.HTML() method does not auto-escape HTML. This can lead to potential 'Cross-site Scripting' vulnerabilities."

or

"The used method does not auto-escape HTML. In case the user can influence the input, this can lead to potential 'Cross-site Scripting' vulnerabilities."

Actual behavior

While scanning, all G203 findings look like this:

{
	"runs": [
		{
			"results": [
				{
					"level": "error",
					"locations": [
						{
							"physicalLocation": {
								"artifactLocation": {
									"uri": "go-test-bench/pkg/servestd/servestd.go"
								},
								"region": {
									"endColumn": 14,
									"endLine": 69,
									"snippet": {
										"text": "var data = template.HTML(v.TmplFile)"
									},
									"sourceLanguage": "go",
									"startColumn": 14,
									"startLine": 69
								}
							}
						}
					],
					"message": {
						"text": "this method will not auto-escape HTML. Verify data is well formed."
					},
					"ruleId": "G203"
				},

Rule mapping from GoSec G203 to MITRE CWE 79:

{
	"defaultConfiguration": {
		"level": "error"
	},
	"fullDescription": {
		"text": "this method will not auto-escape HTML. Verify data is well formed."
	},
	"help": {
		"text": "this method will not auto-escape HTML. Verify data is well formed.\nSeverity: MEDIUM\nConfidence: LOW\n"
	},
	"id": "G203",
	"name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
	"properties": {
		"precision": "low",
		"tags": [
			"security",
			"MEDIUM"
		]
	},
	"relationships": [
		{
			"kinds": [
				"superset"
			],
			"target": {
				"guid": "25e839d4-f25e-382a-9390-cf419bcd5969",
				"id": "79",
				"toolComponent": {
					"guid": "f2856fc0-85b7-373f-83e7-6f8582243547",
					"name": "CWE"
				}
			}
		}
	],
	"shortDescription": {
		"text": "this method will not auto-escape HTML. Verify data is well formed."
	}
},
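
Added example (not from the issue author or the gosec project) of the behaviour the G203 description should convey: the same html/template page rendered from a plain string, from a value wrapped in template.HTML (the call G203 reports), and from an allow-listed server-authored fragment, which is the intended use of the type. The sample input, template and function names are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample input: a value the user influences, e.g. a form field.
const untrusted = `<script>alert(1)</script>`
var page = template.Must(template.New("page").Parse(`<p>{{.}}</p>`))
func render(v interface{}) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped passes a plain string: html/template escapes it contextually.
func renderEscaped(v string) (string, error) {
	return render(v)
}

// renderRaw is the pattern G203 flags: template.HTML asserts the value is
// already safe HTML, so it is emitted verbatim; on user data that is XSS.
func renderRaw(v string) (string, error) {
	return render(template.HTML(v))
}

// Markup authored by the application itself: the intended use of template.HTML.
var trustedFragments = map[string]template.HTML{
	"footer": `<em>&copy; example application</em>`,
}

// renderFragment wraps only a server-authored fragment; an unknown name is
// refused rather than echoed, so request data never reaches template.HTML.
func renderFragment(name string) (string, error) {
	frag, ok := trustedFragments[name]
	if !ok {
		return "", fmt.Errorf("unknown fragment %q", name)
	}
	return render(frag)
}

func main() {
	e, _ := renderEscaped(untrusted)
	r, _ := renderRaw(untrusted)
	fmt.Printf("escaped: %s\nraw:     %s\n", e, r)
}
```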

Jeeppler commented Apr 5, 2022

@ccojocar thanks, the description is a lot easier to understand 👍
