Mend SCA imports contain locations which are similar to filePaths for SAST scans #11001

Merged 17 commits, Oct 11, 2024

Conversation

testaccount90009
Contributor

This code will use the 'locations' for SCA scan outputs to do the same thing that's done for SAST 'filePaths'. Since a Finding report will either be from SAST or SCA, it is unlikely that a collision will happen, since those findings are inherently different from Mend. Since the filePaths are already being joined for the SAST implementation, if it is indeed SCA results instead, the same thing will happen, except now with the appropriate locations of the library and vulnerability.

Note: this is not from Mend Platform or the CLI Agent output, but rather the Mend SCA portal. There is a new Platform API that combines both SAST and SCA vulnerabilities, so a new parser at some point for that would be good, and then it's possible to rename this to 'Legacy' for the Mend parser, since the 'Platform' should be the new one.

Test results

I've added a scrubbed sample file and unit test.

Documentation

I can update the respective documentation with regards to these changes.


dryrunsecurity bot commented Oct 4, 2024

DryRun Security Summary

The provided code changes address several security-related improvements to the application's security scanning and vulnerability reporting capabilities, including the introduction of a new JSON file containing information about a security vulnerability, improvements to the parsing and deduplication logic in the dojo/tools/mend/parser.py file, and the addition of a new unit test case to verify the parsing of a Mend scan report that includes a Software Composition Analysis (SCA) vulnerability finding.

Summary:

The first change introduces a new JSON file containing information about a security vulnerability found in the commons-codec-1.6.jar library. The vulnerability is classified as a medium-severity "Improper Input Validation" issue that can lead to information disclosure. The recommended fix is to upgrade the library to version 1.13, which resolves the vulnerability.

The second change improves the parsing and deduplication logic in the dojo/tools/mend/parser.py file. The new changes ensure that the parser can correctly extract file path information from the "locations" field in the Mend scan report, and it introduces a deduplication mechanism to prevent the same vulnerability from being reported multiple times. These improvements enhance the accuracy and usefulness of the vulnerability reports generated by the application security tool.

The third change introduces a new unit test case to verify the parsing of a Mend scan report that includes a Software Composition Analysis (SCA) vulnerability finding. This helps to ensure the robustness and reliability of the MendParser class, which is crucial for maintaining the integrity of the security scanning process.

Files Changed:

  1. unittests/scans/mend/mend_sca_vuln.json: This file contains details about a security vulnerability in the commons-codec-1.6.jar library, including the vulnerability name, severity, description, and the recommended fix.

  2. dojo/tools/mend/parser.py: The changes in this file improve the parsing and deduplication logic in the _build_common_output function, which is responsible for generating findings from the Mend scan report. The new changes ensure that file path information is correctly extracted and that duplicate findings are removed.

  3. unittests/tools/test_mend_parser.py: This file contains a new test case, test_parse_file_with_one_sca_vuln_finding, which verifies that the MendParser class can correctly parse a Mend scan report that includes a Software Composition Analysis (SCA) vulnerability finding.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@testaccount90009
Contributor Author

The force push was to rebase my branch against upstream/dev, vs upstream/master, as I accidentally made my branch originally off of the master branch and not dev. Apologies.

… the SAST scans

Mend has gone through some updates. Historically they've had SAST and then SCA, each with its own separate portal. They are merging into a Mend Platform that contains SAST, SCA and other vulnerabilities.

This parser looks like it was originally based on Mend SAST, but I have been using it for SCA as well, since the vulnerabilities.json output files were similarly structured.

This parser change aims to extract the location and path from an SCA .json and provide that as the file path. SAST names this differently than SCA, which is why I think file path can be reused for both, depending on the file context found. I hope this code reflects that goal.

To note: this was not a CLI or Unified Agent generated output file, but rather the vulnerability data downloaded from the Mend SCA portal API, with the returned vuln.json files uploaded using this parser. There may be a need in the future to add a parser that accepts the updated format from the Mend Platform, which contains combined vulnerability data sets; its API response .json is different, so this parser does not work for the .json returned by the new Mend Platform, as I have experienced.
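The description and commit message above describe the mechanism in words: collect paths from whichever field the export carries (`filePaths` for SAST, `locations` for SCA), join them into one `file_path`, and drop repeated findings. The stand-alone Python below is an added example written for this page; it is not DefectDojo's `dojo/tools/mend/parser.py` and not the PR author's code. The sample report is constructed, the `locations[].path` key and the `name`/`severity`/`library.filename` layout are assumptions for illustration, and the `Finding` dataclass is a stand-in for the DefectDojo model, so only the shape of the logic should be read across to the real parser.

```python
"""Added example: path extraction for SAST (filePaths) and SCA (locations)
Mend-style records plus finding deduplication. Not DefectDojo's parser code;
record layout below is assumed for illustration."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Finding:
    """Minimal stand-in for dojo.models.Finding (only the fields used here)."""
    title: str
    severity: str
    component_name: str
    file_path: str


def _paths_from_node(node: dict) -> list[str]:
    """Collect paths from either report flavour, preserving order and dropping repeats.

    SAST exports carry plain strings in ``filePaths``; SCA exports (per the PR)
    carry objects in ``locations``, and the path is assumed to live under
    ``path``. A record normally has only one of the two; if both are present
    the union is taken so no location is silently dropped.
    """
    paths: list[str] = []
    for p in node.get("filePaths") or []:
        if isinstance(p, str) and p:
            paths.append(p)
    for loc in node.get("locations") or []:
        p = loc.get("path") if isinstance(loc, dict) else None
        if p:
            paths.append(p)
    return list(dict.fromkeys(paths))  # order-preserving dedup of paths


def _build_finding(node: dict) -> Finding:
    """Turn one vulnerability record into a Finding with a joined file_path."""
    library = node.get("library") or {}
    return Finding(
        title=node.get("name", "unknown"),
        severity=str(node.get("severity", "Info")).capitalize(),
        component_name=library.get("filename", ""),
        file_path=", ".join(_paths_from_node(node)),
    )


def parse_report(raw: str) -> list[Finding]:
    """Parse a Mend-style JSON export and return deduplicated findings.

    Two records that describe the same vulnerability against the same component
    at the same (joined) path collapse into one Finding; the key is hashed so
    it stays a fixed-size dict key regardless of how many paths were joined.
    """
    data = json.loads(raw)
    findings: dict[str, Finding] = {}
    for node in data.get("vulnerabilities", []):
        finding = _build_finding(node)
        key = hashlib.sha256(
            "|".join([finding.title, finding.component_name, finding.file_path]).encode()
        ).hexdigest()
        findings.setdefault(key, finding)
    return list(findings.values())


# Constructed sample report (not real Mend output): one SCA record with a
# repeated location, a verbatim repeat of that record, and one SAST record.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {
            "name": "EXAMPLE-VULN-1",
            "severity": "medium",
            "library": {"filename": "commons-codec-1.6.jar"},
            "locations": [
                {"path": "app/lib/commons-codec-1.6.jar"},
                {"path": "app/lib/commons-codec-1.6.jar"},
                {"path": "service/build/libs/commons-codec-1.6.jar"},
            ],
        },
        {   # same vulnerability, component and paths: must collapse into the one above
            "name": "EXAMPLE-VULN-1",
            "severity": "medium",
            "library": {"filename": "commons-codec-1.6.jar"},
            "locations": [
                {"path": "app/lib/commons-codec-1.6.jar"},
                {"path": "service/build/libs/commons-codec-1.6.jar"},
            ],
        },
        {
            "name": "EXAMPLE-SAST-1",
            "severity": "high",
            "filePaths": ["src/main/java/Login.java", "src/main/java/Login.java"],
        },
    ]
})


if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding)
```

Running it yields two findings from three records: the SCA pair collapses once the repeated location is removed, and the SAST record keeps a single path. If the SAST and SCA fields ever did appear in one record, the union keeps both rather than preferring one, which is the conservative choice when the alternative is losing a location.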
Contributor

@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch merged commit ac6e327 into DefectDojo:dev Oct 11, 2024
73 checks passed
@testaccount90009 testaccount90009 deleted the update-mend-parser branch November 13, 2024 21:24