
🐛 fix npm audit v7+, issue #10801 #10813

Merged
merged 1 commit into from
Aug 29, 2024

Conversation

manuel-sommer
Contributor

DryRun Security Summary

The pull request focuses on improving the security and reliability of the NPM Audit v7+ Scan parser by adding a new test case, updating a vulnerability file, and modifying the parser to better handle the parsing of the Common Weakness Enumeration (CWE) field in the scan results.


Summary:

The code changes in this pull request focus on improving the security and reliability of the NPM Audit v7+ Scan parser. The changes include adding a new test case to verify the parser's handling of a specific vulnerability scenario, updating the issue_10801.json file to include a real-world vulnerability, and modifying the parser.py file to better handle the parsing of the Common Weakness Enumeration (CWE) field in the scan results.

These changes demonstrate the developers' commitment to thoroughly testing the parser's functionality and ensuring that it can accurately process various types of NPM audit reports, including edge cases and specific issues. The improvements to the CWE handling in the parser.py file are particularly noteworthy, as the CWE is an important piece of information for understanding and remediating security vulnerabilities.

Overall, the code changes in this pull request appear to be a positive contribution that will help to enhance the security and reliability of the application's dependency management and vulnerability scanning capabilities.

Files Changed:

  1. unittests/tools/test_npm_audit_7_plus_parser.py:

    • A new test case, test_npm_audit_7_plus_parser_issue_10801, has been added to the TestNpmAudit7PlusParser class. This test case verifies the parser's handling of a specific JSON file, issue_10801.json, which contains a vulnerability with a "Medium" severity and a CWE of 0.
    • The addition of this test case demonstrates the developers' commitment to comprehensive testing of the parser's functionality, which is crucial for maintaining the security and reliability of the application.
  2. unittests/scans/npm_audit_7_plus/issue_10801.json:

    • This file has been updated to include the results of an NPM audit report, which identifies a vulnerability in the "got" package with a CVSS score of 5.3.
    • The presence of this vulnerability in the project's dependencies is a concern from an application security perspective, and it is important to ensure that the vulnerability is addressed appropriately, either by upgrading the affected dependency or implementing alternative mitigations.
  3. dojo/tools/npm_audit_7_plus/parser.py:

    • The changes in this file focus on improving the handling of the CWE field in the findings generated from the NPM Audit v7+ Scan.
    • The patch adds a check to ensure that the cwe field is not empty, sets the cwe variable to None if it is empty, and moves the CWE assignment to the dojo_finding object after the Finding instance is created.
    • These changes help to ensure that the CWE is properly extracted and assigned to the Finding object, improving the overall quality and usefulness of the security findings generated by the parser.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

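An added example (not the DefectDojo parser or this PR's code) of the CWE handling the summary describes: an npm audit v7+ advisory whose `cwe` list is empty yields `cwe = None` instead of 0, while a populated list is parsed into an integer. The report layout (`vulnerabilities` → package → `via` advisories carrying `cwe`, `cvss` and `severity`) is assumed from npm's auditReportVersion 2 format, and the sample report is constructed.

```python
"""Added example (not DefectDojo's parser): read an npm audit v7+ report
(auditReportVersion 2) and treat an empty "cwe" list as None rather than 0.
The report layout is assumed from npm's format; the sample below is constructed."""
import json
from typing import Optional

# npm's severity words mapped to the labels DefectDojo findings use ("moderate" -> "Medium")
SEVERITY_MAP = {"info": "Info", "low": "Low", "moderate": "Medium",
                "high": "High", "critical": "Critical"}

def first_cwe(cwe_list) -> Optional[int]:
    """First CWE id as an int, or None when the list is empty or absent.
    Defaulting to 0 would assert a non-existent CWE-0; None says 'unknown'."""
    if not cwe_list:
        return None
    for item in cwe_list:
        digits = str(item).upper().replace("CWE-", "")
        if digits.isdigit():
            return int(digits)
    return None

def parse_report(raw: str) -> list:
    """Flatten each vulnerable package's 'via' advisories into finding dicts."""
    findings = []
    for pkg, vuln in json.loads(raw).get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if not isinstance(via, dict):  # a bare string only names a transitive dependency
                continue
            findings.append({
                "package": pkg,
                "title": via.get("title"),
                "severity": SEVERITY_MAP.get(via.get("severity", ""), "Info"),
                "cvss_score": (via.get("cvss") or {}).get("score"),
                "cwe": first_cwe(via.get("cwe")),
            })
    return findings

# Constructed sample: the "got" advisory carries no CWE (the issue #10801 case); the other does.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "got": {"name": "got", "severity": "moderate", "fixAvailable": True,
                "via": [{"name": "got", "title": "constructed advisory", "severity": "moderate",
                         "cwe": [], "cvss": {"score": 5.3}}]},
        "demo-pkg": {"name": "demo-pkg", "severity": "high", "fixAvailable": False,
                     "via": [{"name": "demo-pkg", "title": "constructed advisory",
                              "severity": "high", "cwe": ["CWE-400"], "cvss": {"score": 7.5}}]},
    },
})
```

Running `parse_report(SAMPLE_REPORT)` yields two findings; the `got` entry carries `severity: "Medium"`, `cvss_score: 5.3` and `cwe: None`.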

Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch merged commit 2a049c3 into DefectDojo:bugfix Aug 29, 2024
72 checks passed
@manuel-sommer manuel-sommer deleted the issue_10801 branch August 30, 2024 05:57