Mend SCA imports contain locations which are similar to filePaths for SAST scans

dojo/tools/mend/parser.py

@@ -102,6 +102,24 @@ def _build_common_output(node, lib_name=None):
                         "Error handling local paths for vulnerability.",
                     )
 
+            locations = []
+            if "locations" in node:
+                try:
+                    locations_node = node.get("locations", [])
+                    for location in locations_node:
+                        path = location.get("path")
+                        if path is not None:
+                            locations.append(path)
+                except Exception:
+                    logger.exception(
+                        "Error handling local paths for vulnerability.",
+                    )
+
+            if locations:
+                filepaths = locations
+            else:
+                filepaths = filepaths
+
             new_finding = Finding(
                 title=title,
                 test=test,

unittests/scans/mend/mend_sca_vuln.json

@@ -0,0 +1,56 @@
+{
+  "vulnerabilities": [
+    {
+      "name": "WS-2019-0379",
+      "type": "WS",
+      "severity": "medium",
+      "score": "6.5",
+      "cvss3_severity": "MEDIUM",
+      "cvss3_score": "6.5",
+      "publishDate": "2019-05-20",
+      "lastUpdatedDate": "2020-03-05",
+      "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+      "description": "Apache commons-codec before version \\u201ccommons-codec-1.13-RC1\\u201d is vulnerable to information disclosure due to Improper Input validation.",
+      "project": "mend-test-sca-project",
+      "product": "mend-test-sca-product",
+      "cvss3Attributes": {
+        "attackVector": "NETWORK",
+        "attackComplexity": "LOW",
+        "userInteraction": "NONE",
+        "privilegesRequired": "NONE",
+        "scope": "UNCHANGED",
+        "confidentialityImpact": "LOW",
+        "integrityImpact": "LOW",
+        "availabilityImpact": "NONE"
+      },
+      "library": {
+        "keyUuid": "e4ad5291-19e0-4907-9cf1-5ce5a1746e89",
+        "filename": "commons-codec-1.6.jar",
+        "type": "JAVA_ARCHIVE",
+        "description": "",
+        "sha1": "b7f0fc8f61ecadeb3695f0b9464755eee44374d4",
+        "name": "commons-codec-1.6",
+        "artifactId": "commons-codec-1.6.jar",
+        "version": "1.6",
+        "groupId": "commons-codec-1.6",
+        "architecture": "",
+        "languageVersion": ""
+      },
+      "topFix": {
+        "vulnerability": "WS-2019-0379",
+        "type": "UPGRADE_VERSION",
+        "origin": "WHITESOURCE_EXPERT",
+        "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113",
+        "fixResolution": "Upgrade to version commons-codec:commons-codec:1.13",
+        "date": "2019-05-20 15:39:18",
+        "message": "Upgrade to version"
+      },
+      "locations": [
+        {
+          "matchType": "Exact Match",
+          "path": "D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar"
+        }
+      ]
+    }
+  ]
+}

unittests/tools/test_mend_parser.py

@@ -35,3 +35,11 @@ def test_parse_file_with_multiple_vuln_cli_output(self):
             parser = MendParser()
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(20, len(findings))
+
+    def test_parse_file_with_one_sca_vuln_finding(self):
+        with open("unittests/scans/mend/mend_sca_vuln.json", encoding="utf-8") as testfile:
+            parser = MendParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            finding = list(findings)[0]
+            self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path)