Commit

Mend SCA imports contain locations which are similar to filePaths for SAST scans (#11001)

* add impact

add impact since it is unused

* Update test_asff_parser.py

* Update parser.py

* Update parser.py

* Mend SCA imports contain locations which are similar to filePaths for the SAST scans

This code will use the 'locations' for SCA scan outputs to do the same thing that's done for SAST 'filePaths'.  Since a Finding report will either be from SAST or SCA, it is unlikely that a collision will happen, since those findings are inherently different from Mend.  Since the filepaths are already being joined for the SAST implementation, if it is indeed SCA results instead, the same thing will happen except now with the appropriate locations of the library and vulnerability.

Note: this is not from Mend Platform or the CLI Agent output, but rather the Mend SCA portal.  There is a new Platform API that combines both SAST and SCA vulnerabilities, so a new parser at some point for that would be good, and then it's possible to rename this to 'Legacy' for the Mend parser, since the 'Platform' should be the new one.

* Update parser.py

* adding unit test for mend_sca_vulns from Mend SCA portal

Mend has gone through some updates.  Historically they've been SAST and then SCA, with their own separate portals.  They are joining to a Mend Platform that contains both SAST+SCA+other vulnerabilities.

This parser originally looks like it was based on Mend SAST, but I have been using it for SCA also since the vulnerabilities.json output files were similarly structured.

This parser change hopes to update this to extract the location and path from an SCA.json and provide that as the file path.  SAST calls this in a different way than SCA, which is why I think file path can be reused for both - depending on the file context found.  I hope this code reflects that goal.

To note: this was not a CLI or Unified Agent generated output file, but rather from downloading the Mend SCA portal API vulnerability data and uploading the returned vuln.json files using this parser.  There may be a need in the future to add a parser that can correctly accept the updated format from the Mend Portal which contains combined vulnerability data sets, and the API response .json is different, so the parser does not work for the new Mend Platform returned .json, as experienced.

* Update test_mend_parser.py
testaccount90009 authored Oct 11, 2024
1 parent 2ec7cb5 commit ac6e327
Showing 3 changed files with 82 additions and 0 deletions.
18 changes: 18 additions & 0 deletions dojo/tools/mend/parser.py
@@ -102,6 +102,24 @@ def _build_common_output(node, lib_name=None):
"Error handling local paths for vulnerability.",
)

locations = []
if "locations" in node:
try:
locations_node = node.get("locations", [])
for location in locations_node:
path = location.get("path")
if path is not None:
locations.append(path)
except Exception:
logger.exception(
"Error handling local paths for vulnerability.",
)

if locations:
filepaths = locations
else:
filepaths = filepaths

new_finding = Finding(
title=title,
test=test,
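Review bot: the `else: filepaths = filepaths` branch at the end of this hunk is a no-op and reads as if an assignment went missing; drop the `else` and keep only `if locations: filepaths = locations`. Two smaller points in the same block: the `except Exception` handler reuses the exact log message of the preceding filePaths block ("Error handling local paths for vulnerability."), so a failure while reading SCA `locations` is indistinguishable in the logs from a failure while reading SAST `filePaths`, and a message that names `locations` would help triage; and `if "locations" in node` followed by `node.get("locations", [])` is redundant, since the `.get` default already covers the missing key. Also worth stating in a comment that when a node carries both `filePaths` and `locations` the SCA locations silently replace the SAST paths; the commit message assumes a file is one or the other, but nothing in the code enforces it.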
56 changes: 56 additions & 0 deletions unittests/scans/mend/mend_sca_vuln.json
@@ -0,0 +1,56 @@
{
"vulnerabilities": [
{
"name": "WS-2019-0379",
"type": "WS",
"severity": "medium",
"score": "6.5",
"cvss3_severity": "MEDIUM",
"cvss3_score": "6.5",
"publishDate": "2019-05-20",
"lastUpdatedDate": "2020-03-05",
"scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"description": "Apache commons-codec before version \\u201ccommons-codec-1.13-RC1\\u201d is vulnerable to information disclosure due to Improper Input validation.",
"project": "mend-test-sca-project",
"product": "mend-test-sca-product",
"cvss3Attributes": {
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"userInteraction": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE"
},
"library": {
"keyUuid": "e4ad5291-19e0-4907-9cf1-5ce5a1746e89",
"filename": "commons-codec-1.6.jar",
"type": "JAVA_ARCHIVE",
"description": "",
"sha1": "b7f0fc8f61ecadeb3695f0b9464755eee44374d4",
"name": "commons-codec-1.6",
"artifactId": "commons-codec-1.6.jar",
"version": "1.6",
"groupId": "commons-codec-1.6",
"architecture": "",
"languageVersion": ""
},
"topFix": {
"vulnerability": "WS-2019-0379",
"type": "UPGRADE_VERSION",
"origin": "WHITESOURCE_EXPERT",
"url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
"fixResolution": "Upgrade to version commons-codec:commons-codec:1.13",
"date": "2019-05-20 15:39:18",
"message": "Upgrade to version"
},
"locations": [
{
"matchType": "Exact Match",
"path": "D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar"
}
]
}
]
}
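Review bot: the `description` value in this fixture contains `\\u201c` and `\\u201d` (a double-escaped backslash), which JSON decodes to the literal six characters `\u201c` rather than to curly quotes; if the fixture was pasted from portal output, check whether the source has `\u201c` (a proper JSON unicode escape) and correct the fixture so the finding's description is exercised with realistic text. The `path` escaping (`D:\\MendRepo\\...`) is correct JSON for single backslashes and matches the Python string literal asserted in the accompanying test.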
8 changes: 8 additions & 0 deletions unittests/tools/test_mend_parser.py
@@ -35,3 +35,11 @@ def test_parse_file_with_multiple_vuln_cli_output(self):
parser = MendParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(20, len(findings))

def test_parse_file_with_one_sca_vuln_finding(self):
with open("unittests/scans/mend/mend_sca_vuln.json", encoding="utf-8") as testfile:
parser = MendParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(1, len(findings))
finding = list(findings)[0]
self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path)
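Review bot: the new test asserts only on `file_path`, so a regression in any other field the SCA fixture feeds into the finding (its `medium` severity, the CVSS score, the library name and version, the `topFix` URL) would go unnoticed; adding an assertion on at least the severity would make the test document what an SCA import is expected to produce. A style point: `list(findings)[0]` is redundant given the `len(findings)` call just above it, and `findings[0]` reads cleaner. Consider also a companion fixture without a `locations` key to lock in the fallback to the existing `filePaths` behaviour that the commit message relies on.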
