From 335b311d9f24f588f949eae0d6b94cb54f8fa79d Mon Sep 17 00:00:00 2001
From: David Roe <dave.roe@bearer.sh>
Date: Thu, 26 Oct 2023 10:05:04 +0100
Subject: [PATCH] fix: account for severity flag in fail-on-severity logic
 (#1354)

---
 internal/report/output/security/security.go   |  8 +++----
 .../report/output/security/security_test.go   | 23 +++++++++++++------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/internal/report/output/security/security.go b/internal/report/output/security/security.go
index 4927f73bd..5ee646099 100644
--- a/internal/report/output/security/security.go
+++ b/internal/report/output/security/security.go
@@ -228,11 +228,11 @@ func evaluateRules(
 						ignoredOutputFindings[severity] = append(ignoredOutputFindings[severity], types.IgnoredFinding{Finding: finding, IgnoreMeta: ignoredFingerprint})
 					} else {
 						outputFindings[severity] = append(outputFindings[severity], finding)
-					}
-				}
 
-				if config.Report.FailOnSeverity.Has(severity) && !ignored {
-					failed = true
+						if config.Report.FailOnSeverity.Has(severity) {
+							failed = true
+						}
+					}
 				}
 			}
 		}
diff --git a/internal/report/output/security/security_test.go b/internal/report/output/security/security_test.go
index fe5276a0e..95cf84f3c 100644
--- a/internal/report/output/security/security_test.go
+++ b/internal/report/output/security/security_test.go
@@ -133,21 +133,30 @@ func TestAddReportDataWithSeverity(t *testing.T) {
 
 func TestAddReportDataWithFailOnSeverity(t *testing.T) {
 	for _, test := range []struct {
+		FailOnSeverity,
 		Severity string
 		Expected bool
 	}{
-		{Severity: globaltypes.LevelCritical, Expected: true},
-		{Severity: globaltypes.LevelHigh, Expected: true},
-		{Severity: globaltypes.LevelMedium, Expected: false},
-		{Severity: globaltypes.LevelLow, Expected: false},
-		{Severity: globaltypes.LevelWarning, Expected: false},
+		{FailOnSeverity: globaltypes.LevelCritical, Expected: true},
+		{FailOnSeverity: globaltypes.LevelHigh, Expected: true},
+		{FailOnSeverity: globaltypes.LevelHigh, Severity: globaltypes.LevelCritical, Expected: false},
+		{FailOnSeverity: globaltypes.LevelMedium, Expected: false},
+		{FailOnSeverity: globaltypes.LevelLow, Expected: false},
+		{FailOnSeverity: globaltypes.LevelWarning, Expected: false},
 	} {
-		t.Run(test.Severity, func(tt *testing.T) {
+		t.Run(test.FailOnSeverity, func(tt *testing.T) {
 			failOnSeverity := set.New[string]()
-			failOnSeverity.Add(test.Severity)
+			failOnSeverity.Add(test.FailOnSeverity)
+
+			var severity set.Set[string]
+			if test.Severity != "" {
+				severity = set.New[string]()
+				severity.Add(test.Severity)
+			}
 
 			config, err := generateConfig(flag.ReportOptions{
 				Report:         "security",
+				Severity:       severity,
 				FailOnSeverity: failOnSeverity,
 			})