From ac6e327d7fc4dba78adfc616065c22cbea316340 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Fri, 11 Oct 2024 08:07:19 -0700
Subject: [PATCH] Mend SCA imports contain locations which are similar to
 filePaths for SAST scans (#11001)

* add impact

add impact since it is unused

* Update test_asff_parser.py

* Update parser.py

* Update parser.py

* Mend SCA imports contain locations which are similar to filePaths for the SAST scans

This code will use the 'locations' for SCA scan outputs to do the same thing that's done for SAST 'filePaths'.  Since a Finding report will either be from SAST or SCA, it is unlikely that a collision will happen, since those findings are inherently different from Mend.  Since the filepaths is already being joined for the SAST implementation, if it is indeed SCA results instead, the same thing will happen except now with the appropriate locations of the library and vulnerability.

Note: this is not from Mend Platform or the CLI Agent output, but rather the Mend SCA portal.  There is a new Platform API that combines both SAST and SCA vulnerabilities, so a new parser at some point for that would be good, and then it's possible to rename this to 'Legacy' for the Mend parser, since the 'Platform' should be the new.

* Update parser.py

* adding unit test for mend_sca_vulns from Mend SCA portal

Mend has gone through some updates.  Historically they've been SAST and then SCA, with their own separate portals.  They are joining to a Mend Platform that contains both SAST+SCA+other vulnerabilities.

This parser originally looks like it was based on Mend SAST, but I have been using it for SCA also since the vulnerabilities.json output files were similarly structured.

This parser change hopes to update this to extract the location and path from an SCA.json and provide that as the file path.  SAST calls this in a different way than SCA, which is why I think file path can be reused for both - depending on the file context found.  I hope this code reflects that goal.

To note: this was not a CLI or Unified Agent generated output file, but rather from downloading the Mend SCA portal API vulnerability data and uploading the returned vuln.json files using this parser.  There may be a need in the future to add a parser that can correctly accept the updated format from the Mend Portal which contains combined vulnerability data sets, and the API response .json is different, so the parser does not work for the new Mend Platform returned .json, as experienced.

* Update test_mend_parser.py
---
 dojo/tools/mend/parser.py               | 18 ++++++++
 unittests/scans/mend/mend_sca_vuln.json | 56 +++++++++++++++++++++++++
 unittests/tools/test_mend_parser.py     |  8 ++++
 3 files changed, 82 insertions(+)
 create mode 100644 unittests/scans/mend/mend_sca_vuln.json

diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 75ed871a6a1..6bcc96f7501 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -102,6 +102,24 @@ def _build_common_output(node, lib_name=None):
                         "Error handling local paths for vulnerability.",
                     )
 
+            locations = []
+            if "locations" in node:
+                try:
+                    locations_node = node.get("locations", [])
+                    for location in locations_node:
+                        path = location.get("path")
+                        if path is not None:
+                            locations.append(path)
+                except Exception:
+                    logger.exception(
+                        "Error handling local paths for vulnerability.",
+                    )
+
+            if locations:
+                filepaths = locations
+            else:
+                filepaths = filepaths
+
             new_finding = Finding(
                 title=title,
                 test=test,
diff --git a/unittests/scans/mend/mend_sca_vuln.json b/unittests/scans/mend/mend_sca_vuln.json
new file mode 100644
index 00000000000..6af95cb315c
--- /dev/null
+++ b/unittests/scans/mend/mend_sca_vuln.json
@@ -0,0 +1,56 @@
+{
+  "vulnerabilities": [
+    {
+      "name": "WS-2019-0379",
+      "type": "WS",
+      "severity": "medium",
+      "score": "6.5",
+      "cvss3_severity": "MEDIUM",
+      "cvss3_score": "6.5",
+      "publishDate": "2019-05-20",
+      "lastUpdatedDate": "2020-03-05",
+      "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+      "description": "Apache commons-codec before version \\u201ccommons-codec-1.13-RC1\\u201d is vulnerable to information disclosure due to Improper Input validation.",
+      "project": "mend-test-sca-project",
+      "product": "mend-test-sca-product",
+      "cvss3Attributes": {
+        "attackVector": "NETWORK",
+        "attackComplexity": "LOW",
+        "userInteraction": "NONE",
+        "privilegesRequired": "NONE",
+        "scope": "UNCHANGED",
+        "confidentialityImpact": "LOW",
+        "integrityImpact": "LOW",
+        "availabilityImpact": "NONE"
+      },
+      "library": {
+        "keyUuid": "e4ad5291-19e0-4907-9cf1-5ce5a1746e89",
+        "filename": "commons-codec-1.6.jar",
+        "type": "JAVA_ARCHIVE",
+        "description": "",
+        "sha1": "b7f0fc8f61ecadeb3695f0b9464755eee44374d4",
+        "name": "commons-codec-1.6",
+        "artifactId": "commons-codec-1.6.jar",
+        "version": "1.6",
+        "groupId": "commons-codec-1.6",
+        "architecture": "",
+        "languageVersion": ""
+      },
+      "topFix": {
+        "vulnerability": "WS-2019-0379",
+        "type": "UPGRADE_VERSION",
+        "origin": "WHITESOURCE_EXPERT",
+        "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
+        "fixResolution": "Upgrade to version commons-codec:commons-codec:1.13",
+        "date": "2019-05-20 15:39:18",
+        "message": "Upgrade to version"
+      },
+      "locations": [
+        {
+          "matchType": "Exact Match",
+          "path": "D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar"
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/unittests/tools/test_mend_parser.py b/unittests/tools/test_mend_parser.py
index 393dd4097c1..1cd8cc11dd7 100644
--- a/unittests/tools/test_mend_parser.py
+++ b/unittests/tools/test_mend_parser.py
@@ -35,3 +35,11 @@ def test_parse_file_with_multiple_vuln_cli_output(self):
             parser = MendParser()
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(20, len(findings))
+
+    def test_parse_file_with_one_sca_vuln_finding(self):
+        with open("unittests/scans/mend/mend_sca_vuln.json", encoding="utf-8") as testfile:
+            parser = MendParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            finding = list(findings)[0]
+            self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path)