From bcb3dd2717af4cab78d582a8fd72c2664fe0445c Mon Sep 17 00:00:00 2001
From: Yevhen Zavhorodnii
Date: Wed, 29 May 2024 13:39:43 +0100
Subject: [PATCH] Refactoring for better readability and Go-like code
---
 .../cross_site_request_forgery_rule.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/pkg/security/risks/builtin/cross_site_request_forgery_rule.go b/pkg/security/risks/builtin/cross_site_request_forgery_rule.go
index 91a62713..f165f7bd 100644
--- a/pkg/security/risks/builtin/cross_site_request_forgery_rule.go
+++ b/pkg/security/risks/builtin/cross_site_request_forgery_rule.go
@@ -51,25 +51,23 @@ func (r *CrossSiteRequestForgeryRule) GenerateRisks(parsedModel *types.Model) ([
 }
 incomingFlows := parsedModel.IncomingTechnicalCommunicationLinksMappedByTargetId[technicalAsset.Id]
 for _, incomingFlow := range incomingFlows {
- if incomingFlow.Protocol.IsPotentialWebAccessProtocol() {
- likelihood := types.VeryLikely
- if incomingFlow.Usage == types.DevOps {
- likelihood = types.Likely
- }
- risks = append(risks, r.createRisk(parsedModel, technicalAsset, incomingFlow, likelihood))
+ if !incomingFlow.Protocol.IsPotentialWebAccessProtocol() {
+ continue
 }
+ risks = append(risks, r.createRisk(parsedModel, technicalAsset, incomingFlow))
 }
 }
 return risks, nil
 }
 
-func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, technicalAsset *types.TechnicalAsset, incomingFlow *types.CommunicationLink, likelihood types.RiskExploitationLikelihood) *types.Risk {
+func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, technicalAsset *types.TechnicalAsset, incomingFlow *types.CommunicationLink) *types.Risk {
 sourceAsset := parsedModel.TechnicalAssets[incomingFlow.SourceId]
 title := "Cross-Site Request Forgery (CSRF) risk at " + technicalAsset.Title + " via " + incomingFlow.Title + " from " + sourceAsset.Title + ""
 impact := types.LowImpact
 if incomingFlow.HighestIntegrity(parsedModel) == types.MissionCritical {
 impact = types.MediumImpact
 }
+ likelihood := r.likelihoodFromUsage(incomingFlow)
 risk := &types.Risk{
 CategoryId: r.Category().ID,
 Severity: types.CalculateSeverity(likelihood, impact),
@@ -84,3 +82,10 @@ func (r *CrossSiteRequestForgeryRule) createRisk(parsedModel *types.Model, techn
 risk.SyntheticId = risk.CategoryId + "@" + technicalAsset.Id + "@" + incomingFlow.Id
 return risk
 }
+
+func (*CrossSiteRequestForgeryRule) likelihoodFromUsage(cl *types.CommunicationLink) types.RiskExploitationLikelihood {
+ if cl.Usage == types.DevOps {
+ return types.Likely
+ }
+ return types.VeryLikely
+}
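Review bot: The tidied `createRisk` still builds `title` with a trailing `+ ""` on the unchanged line right after `sourceAsset`, a no-op left over from earlier code that this readability pass should drop: `title := "Cross-Site Request Forgery (CSRF) risk at " + technicalAsset.Title + " via " + incomingFlow.Title + " from " + sourceAsset.Title`. The lookup `sourceAsset := parsedModel.TechnicalAssets[incomingFlow.SourceId]` on the preceding line is used without a presence check; if that map holds pointers, a link whose SourceId is absent from the model would panic on `sourceAsset.Title` instead of surfacing a clear error, so it is worth confirming the model loader guarantees the key exists before relying on it here. Both GenerateRisks and createRisk start or continue outside this hunk.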
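Review bot: `likelihoodFromUsage` carries no comment explaining the one piece of risk judgement in this refactor, namely that DevOps links are rated lower than every other usage, which is what a future reader of this rule will question first; I would put `// likelihoodFromUsage returns the CSRF exploitation likelihood for a link: Likely for DevOps usage, VeryLikely for any other usage, preserving the per-flow logic it replaces.` above the method, and ideally a sentence on why DevOps traffic is considered less exposed. Since the method reads no receiver state it could equally be a package-level function; keeping it as a method with a blank receiver is fine if the other rules in this package follow the same pattern. The new function is complete within this hunk.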