Problem
There are two parallel severity ranking definitions that are inconsistent:
1. severityOrder in src/constants.ts:3
export const severityOrder: Record<SeverityLabel, number> = {
none: 0, low: 1, medium: 2, high: 3, critical: 4, unknown: 1
};
Used by: scan path (src/index.ts:710), multi-folder scan (src/scan/multi-folder-scan.ts:175), create-pr (src/utils/create-pr.ts:45), and minSeverity filtering (src/output/finding-display.ts:8).
2. Local rank in src/cli/overrides.ts:87
const rank: Record<string, number> = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
Used only by: standalone cve-lite overrides --fail-on command.
Inconsistencies
| Key |
severityOrder (constants.ts) |
rank (overrides.ts) |
Issue |
info |
missing |
0 |
Not in SeverityLabel; treated as valid threshold in overrides, silently ignored in scan |
none |
0 |
missing (?? 0) |
Same de facto value (0), but implicit in overrides |
unknown |
1 (same as low) |
missing (?? 0) |
Bug: override finding with unknown severity won't trigger --fail-on low |
Concrete risk
If an override finding has severity unknown, the standalone cve-lite overrides --fail-on low path evaluates it as rank 0 (via ?? 0), which is below the low threshold (1). But the scan path treats unknown as rank 1 (same as low). This means:
cve-lite overrides --fail-on low — finding with unknown severity does NOT trigger exit code 1
cve-lite scan --fail-on low --check-overrides — same finding DOES trigger exit code 1 (uses severityOrder)
This is an exit-code inconsistency, so it can affect CI gating — a pipeline gated on --fail-on low would pass for standalone overrides but fail for the same check via scan --check-overrides.
Suggested approach
- Make standalone
cve-lite overrides --fail-on reuse the same severity threshold logic as scan path (normalizeSeverity + severityOrder).
- Treat
unknown consistently with severityOrder (unknown: 1, same as low), unless maintainers decide otherwise.
- Decide separately whether
info should become a real severity type.
Open questions
- Should
info be added to the SeverityLabel union type, or should overrides use its own abstraction?
- Is
unknown: 1 (same as low) the correct default? Should it be different?
Problem
There are two parallel severity ranking definitions that are inconsistent:
1.
severityOrderinsrc/constants.ts:3Used by: scan path (
src/index.ts:710), multi-folder scan (src/scan/multi-folder-scan.ts:175), create-pr (src/utils/create-pr.ts:45), and minSeverity filtering (src/output/finding-display.ts:8).2. Local
rankinsrc/cli/overrides.ts:87Used only by: standalone
cve-lite overrides --fail-oncommand.Inconsistencies
severityOrder(constants.ts)rank(overrides.ts)infoSeverityLabel; treated as valid threshold in overrides, silently ignored in scannone?? 0)unknown?? 0)unknownseverity won't trigger--fail-on lowConcrete risk
If an override finding has severity
unknown, the standalonecve-lite overrides --fail-on lowpath evaluates it as rank 0 (via?? 0), which is below thelowthreshold (1). But the scan path treatsunknownas rank 1 (same aslow). This means:cve-lite overrides --fail-on low— finding withunknownseverity does NOT trigger exit code 1cve-lite scan --fail-on low --check-overrides— same finding DOES trigger exit code 1 (usesseverityOrder)This is an exit-code inconsistency, so it can affect CI gating — a pipeline gated on
--fail-on lowwould pass for standalone overrides but fail for the same check viascan --check-overrides.Suggested approach
cve-lite overrides --fail-onreuse the same severity threshold logic as scan path (normalizeSeverity+severityOrder).unknownconsistently withseverityOrder(unknown: 1, same aslow), unless maintainers decide otherwise.infoshould become a real severity type.Open questions
infobe added to theSeverityLabelunion type, or should overrides use its own abstraction?unknown: 1(same aslow) the correct default? Should it be different?