- Type: Suggestion
- Resolution: Timed out
- Component/s: Integration - Github - Marketplace
Summary
Currently, when alerts are detected or resolved by the CodeQL tool (GitHub's default code-scanning tool), the field "alert.rule.security_severity_level" is present in the webhook payload. GitHub for Jira Cloud uses this field's value to determine the severity of the security vulnerability sent from GitHub.
However, if the alerts are produced or resolved by a third-party scan tool (such as PMD) whose results are in SARIF format and uploaded to GitHub, the field "alert.rule.security_severity_level" is not included in the webhook payload. Because of this, GitHub for Jira Cloud cannot determine the severity of the vulnerability and marks it as "Unknown".
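The behaviour described above, as an added example that is not part of this ticket and not the GitHub for Jira app's own code: a small Python handler that derives a severity from a code_scanning_alert webhook payload. With the default setting it reproduces the reported behaviour (a payload without "alert.rule.security_severity_level" becomes "Unknown"); the optional fallback to "alert.rule.severity", the severity mappings and the two sample payloads are constructed assumptions about how the missing field could be handled, not a description of what the app does.

```python
import json

# Mapping from GitHub's security_severity_level values to the severity a
# Jira-side consumer would record. The target labels are assumed for illustration.
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
}

# Assumed fallback when security_severity_level is absent: the SARIF-style
# rule level that GitHub surfaces as alert.rule.severity (error/warning/note).
# This mapping is an assumption about how the gap could be handled, not the
# app's current behaviour.
RULE_SEVERITY_FALLBACK = {
    "error": "High",
    "warning": "Medium",
    "note": "Low",
}


def severity_from_payload(payload, use_fallback=False):
    """Return the severity for a code_scanning_alert webhook payload.

    use_fallback=False reproduces the behaviour the ticket describes: a payload
    lacking alert.rule.security_severity_level yields "Unknown".
    use_fallback=True applies the assumed alert.rule.severity fallback instead.
    """
    rule = (payload.get("alert") or {}).get("rule") or {}
    level = rule.get("security_severity_level")
    if isinstance(level, str) and level:
        return SEVERITY_MAP.get(level.lower(), "Unknown")
    if use_fallback:
        fallback = rule.get("severity")
        if isinstance(fallback, str):
            return RULE_SEVERITY_FALLBACK.get(fallback.lower(), "Unknown")
    return "Unknown"


# Constructed sample payloads, trimmed to the fields this example reads.
# Field names follow the code_scanning_alert webhook; all values are made up.
CODEQL_PAYLOAD = json.loads("""
{
  "action": "created",
  "alert": {
    "number": 42,
    "rule": {
      "id": "js/sql-injection",
      "severity": "error",
      "security_severity_level": "high"
    },
    "tool": {"name": "CodeQL"}
  }
}
""")

# A SARIF upload from a third-party tool: no security_severity_level on the rule.
THIRD_PARTY_PAYLOAD = json.loads("""
{
  "action": "created",
  "alert": {
    "number": 43,
    "rule": {
      "id": "example-third-party-rule",
      "severity": "warning"
    },
    "tool": {"name": "PMD"}
  }
}
""")


def demo():
    """Evaluate both sample payloads with and without the assumed fallback."""
    return {
        "codeql": severity_from_payload(CODEQL_PAYLOAD),
        "third_party_current": severity_from_payload(THIRD_PARTY_PAYLOAD),
        "third_party_with_fallback": severity_from_payload(
            THIRD_PARTY_PAYLOAD, use_fallback=True
        ),
    }


if __name__ == "__main__":
    for name, severity in demo().items():
        print(f"{name}: {severity}")
```

Running the block prints the CodeQL alert as "High", the third-party alert as "Unknown" under the current logic, and "Medium" once the assumed fallback is enabled, which is the gap the suggestion below asks the app to close.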
Suggestion
Enhance the GitHub for Jira Cloud app to handle the scenario where code-scanning alerts from third-party tools do not contain the required field ("alert.rule.security_severity_level").
Workaround
The workaround is to perform a re-sync, but please note that this syncs all vulnerabilities, not just the one with the unknown severity.