advance harbor to show also CWE #8632 (#8634)
* advance the Harbor vulnerability parser to also import the CWE #8632

* add unittest

* flake8

* 🐛 fix unittest

* trim harbor-results-file

* fix

* fix
manuel-sommer authored Sep 27, 2023
1 parent 1d199e1 commit d19a88a
Showing 3 changed files with 142 additions and 0 deletions.
7 changes: 7 additions & 0 deletions dojo/tools/harbor_vulnerability/parser.py
Expand Up @@ -45,6 +45,7 @@ def get_findings(self, filename, test):
severity = item.get("severity")
fix_version = item.get("fix_version")
links = item.get("links")
cwe_ids = item.get("cwe_ids")

title = f"{id} - {package_name} ({package_version})"
severity = transpose_severity(severity)
Expand All @@ -61,6 +62,11 @@ def get_findings(self, filename, test):
else:
references = None

if cwe_ids and cwe_ids[0] != "":
cwe = cwe_ids[0].strip("CWE-")
else:
cwe = None

if id and id.startswith("CVE"):
vulnerability_id = id
else:
Expand All @@ -83,6 +89,7 @@ def get_findings(self, filename, test):
static_finding=True,
component_name=package_name,
component_version=package_version,
cwe=cwe,
)
if vulnerability_id:
find.unsaved_vulnerability_ids = [vulnerability_id]
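Review bot: `cwe_ids[0].strip("CWE-")` strips any of the characters C, W, E and - from both ends of the string rather than removing the `CWE-` prefix, so it only yields a bare number for well-formed `CWE-<digits>` values and passes anything else (a lowercase, whitespace-padded or placeholder identifier, should Harbor ever emit one) straight through to `cwe=`, which as far as I can tell is an integer field on Finding. Tightening the guard to `if cwe_ids and cwe_ids[0].startswith("CWE-") and cwe_ids[0][4:].isdigit():` and assigning `cwe = int(cwe_ids[0][4:])` makes the parse explicit and rejects malformed values instead of storing them; the accompanying unit test would then compare against `125` rather than the string `'125'`. Only `cwe_ids[0]` is kept, so the fixture's first entry loses its second id `CWE-787` silently — if that is intentional because Finding holds a single CWE, a comment such as `# Finding has a single cwe field; keep the first id Harbor reports` would save the next reader from guessing. get_findings starts and ends outside the hunk.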
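--- /dev/null
+++ b/unittests/scans/harbor_vulnerability/harbor-trivy-vuln.json
@@ -0,0 +1,125 @@
+{
+"application/vnd.security.vulnerability.report; version=1.1": {
+"generated_at": "2023-09-08T00:19:11.258693685Z",
+"scanner": {
+"name": "Trivy",
+"vendor": "Aqua Security",
+"version": "v0.44.0"
+},
+"severity": "Critical",
+"vulnerabilities": [
+{
+"id": "CVE-2022-1304",
+"package": "e2fsprogs",
+"version": "1.46.2-2",
+"fix_version": "",
+"severity": "High",
+"description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.",
+"links": [
+"https://avd.aquasec.com/nvd/cve-2022-1304"
+],
+"artifact_digests": [
+"sha256:711103cfce07dc03d61f51e819fad7d6fbbad20fc99caa039cc8da77e7a1c51b"
+],
+"preferred_cvss": {
+"score_v3": 7.8,
+"score_v2": null,
+"vector_v3": "",
+"vector_v2": ""
+},
+"cwe_ids": [
+"CWE-125",
+"CWE-787"
+],
+"vendor_attributes": {
+"CVSS": {
+"nvd": {
+"V2Score": 6.8,
+"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
+"V3Score": 7.8,
+"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+},
+"redhat": {
+"V3Score": 5.8,
+"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
+}
+}
+}
+},
+{
+"id": "CVE-2019-1010023",
+"package": "libc6",
+"version": "2.31-13+deb11u3",
+"fix_version": "",
+"severity": "Low",
+"description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"",
+"links": [
+"https://avd.aquasec.com/nvd/cve-2019-1010023"
+],
+"artifact_digests": [
+"sha256:711103cfce07dc03d61f51e819fad7d6fbbad20fc99caa039cc8da77e7a1c51b"
+],
+"preferred_cvss": {
+"score_v3": 8.8,
+"score_v2": null,
+"vector_v3": "",
+"vector_v2": ""
+},
+"cwe_ids": [
+""
+],
+"vendor_attributes": {
+"CVSS": {
+"nvd": {
+"V2Score": 6.8,
+"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
+"V3Score": 8.8,
+"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+},
+"redhat": {
+"V3Score": 7.8,
+"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+}
+}
+}
+},
+{
+"id": "CVE-2019-1010024",
+"package": "libc6",
+"version": "2.31-13+deb11u3",
+"fix_version": "",
+"severity": "Low",
+"description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"",
+"links": [
+"https://avd.aquasec.com/nvd/cve-2019-1010024"
+],
+"artifact_digests": [
+"sha256:711103cfce07dc03d61f51e819fad7d6fbbad20fc99caa039cc8da77e7a1c51b"
+],
+"preferred_cvss": {
+"score_v3": 5.3,
+"score_v2": null,
+"vector_v3": "",
+"vector_v2": ""
+},
+"cwe_ids": [
+"CWE-200"
+],
+"vendor_attributes": {
+"CVSS": {
+"nvd": {
+"V2Score": 5,
+"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+"V3Score": 5.3,
+"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+},
+"redhat": {
+"V3Score": 5.3,
+"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+}
+}
+}
+}
+]
+}
+}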
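--- a/unittests/tools/test_harbor_vulnerability_parser.py
+++ b/unittests/tools/test_harbor_vulnerability_parser.py
@@ -44,3 +44,13 @@ def test_parse_file_with_multiple_vuln_has_multiple_findings(self):
 self.assertEqual(finding.severity, 'High')
 self.assertIsNone(finding.mitigation)
 self.assertIsNone(finding.references)
+
+# Sample with Trivy Test
+def test_parse_file_with_multiple_vuln_has_multiple_trivy_findings(self):
+testfile = open("unittests/scans/harbor_vulnerability/harbor-trivy-vuln.json")
+parser = HarborVulnerabilityParser()
+findings = parser.get_findings(testfile, Test())
+
+finding = findings[0]
+self.assertEqual(finding.severity, 'High')
+self.assertEqual(finding.cwe, '125')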
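Review bot: The new test only inspects `findings[0]`, although the fixture it loads was built with three entries that also cover the empty-`cwe_ids` case (`[""]`) and a single-id case (`CWE-200`), so the `cwe = None` branch added to parser.py in this commit is never exercised by an assertion. Adding `self.assertEqual(len(findings), 3)`, `self.assertIsNone(findings[1].cwe)` and `self.assertEqual(findings[2].cwe, '200')` would pin both paths. The handle returned by `open(...)` is also never closed; wrapping the parse in `with open("unittests/scans/harbor_vulnerability/harbor-trivy-vuln.json") as testfile:` avoids the leaked descriptor, and if the sibling tests follow the same pattern the change applies file-wide. The enclosing test class starts outside the hunk.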
