DefectDojo · Maffooch · Nov 13, 2024 · Oct 12, 2024 · Oct 12, 2024 · Oct 12, 2024
diff --git a/docs/content/en/integrations/parsers/file/mobsf_scorecard.md b/docs/content/en/integrations/parsers/file/mobsf_scorecard.md
@@ -0,0 +1,8 @@
+---
+title: "MobSF Scorecard Scanner"
+toc_hide: true
+---
+Export a JSON file using the API, api/v1/report_json.
+
+### Sample Scan Data
+Sample MobSF Scorecard Scanner scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/mobsf_scorecard).
diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum
@@ -1 +1 @@
-6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8
+97583d4261240a4363d91cb2affffa34df80bd449cc4a5c0ab1ab6cb9b7d0e6a
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1274,6 +1274,7 @@ def saml2_attrib_map_format(dict):
     "HCLAppScan XML": ["title", "description"],
     "KICS Scan": ["file_path", "line", "severity", "description", "title"],
     "MobSF Scan": ["title", "description", "severity"],
+    "MobSF Scorecard Scan": ["title", "description", "severity"],
     "OSV Scan": ["title", "description", "severity"],
     "Snyk Code Scan": ["vuln_id_from_tool", "file_path"],
     "Deepfence Threatmapper Report": ["title", "description", "severity"],
@@ -1505,6 +1506,7 @@ def saml2_attrib_map_format(dict):
     "HCLAppScan XML": DEDUPE_ALGO_HASH_CODE,
     "KICS Scan": DEDUPE_ALGO_HASH_CODE,
     "MobSF Scan": DEDUPE_ALGO_HASH_CODE,
+    "MobSF Scorecard Scan": DEDUPE_ALGO_HASH_CODE,
     "OSV Scan": DEDUPE_ALGO_HASH_CODE,
     "Nosey Parker Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Bearer CLI": DEDUPE_ALGO_HASH_CODE,

diff --git a/dojo/tools/mobsf_scorecard/__init__.py b/dojo/tools/mobsf_scorecard/__init__.py
@@ -0,0 +1 @@
+__author__ = "Dmitrii Mariushkin"
diff --git a/dojo/tools/mobsf_scorecard/parser.py b/dojo/tools/mobsf_scorecard/parser.py
@@ -0,0 +1,106 @@
+import json
+from datetime import datetime
+
+from dateutil import parser as date_parser
+
+from dojo.models import Finding
+
+
+class MobSFScorecardParser:
+
+    def get_scan_types(self):
+        return ["MobSF Scorecard Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return "MobSF Scorecard Scan"
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Export a JSON file using the API, api/v1/report_json."
+
+    def get_findings(self, filename, test):
+
+        tree = filename.read()
+
+        try:
+            data = json.loads(str(tree, "utf-8"))
+        except:
+            data = json.loads(tree)
+
+        if "timestamp" in data:
+            try:
+                find_date = date_parser.parse(data["timestamp"])
+            except date_parser.ParserError:
+                find_date = datetime.now()
+        else:
+            find_date = datetime.now()
+
+        appsec_fields_for_test_desc = [
+            "file_name",
+            "hash",
+            "security_score",
+            "app_name",
+            "version_name",
+        ]
+
+        main_fields_for_test_desc = [
+            "app_type",
+            "package_name",
+            "bundle_id",
+            "sdk_name",
+            "platform",
+        ]
+
+        test_description = ""
+
+        for field in appsec_fields_for_test_desc:
+
+            field_value = str(data.get("appsec", {}).get(field, ""))
+
+            if field_value:
+                test_description = f"{test_description}  **{field}:** {field_value}\n"
+
+        for field in main_fields_for_test_desc:
+
+            field_value = str(data.get(field, ""))
+
+            if field_value:
+                test_description = f"{test_description}  **{field}:** {field_value}\n"
+
+        test.description = test_description
+
+        finding_severities = {
+            "high": "High",
+            "warning": "Medium",
+            "info": "Info",
+            "secure": "Info",
+            "hotspot": "Low",
+        }
+
+        dd_findings = {}
+
+        for finding_severity in finding_severities.keys():
+            if finding_severity in data.get("appsec", {}):
+                for mobsf_finding in data["appsec"][finding_severity]:
+
+                    section = str(mobsf_finding.get("section", ""))
+                    title = str(mobsf_finding.get("title", ""))
+                    description = str(mobsf_finding.get("description", ""))
+
+                    unique_key = f"{finding_severity}-{section}-{title}-{description}"
+
+                    finding = Finding(
+                            title=title,
+                            cwe=919,  # Weaknesses in Mobile Applications
+                            test=test,
+                            description=f"**Category:** {section}\n\n{description}",
+                            severity=finding_severities[finding_severity],
+                            references=None,
+                            date=find_date,
+                            static_finding=True,
+                            dynamic_finding=False,
+                            nb_occurences=1,
+                        )
+
+                    dd_findings[unique_key] = finding
+
+        return list(dd_findings.values())
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		6b9365d002880ae64ab54da905ede076db5a8661960f8f1e2793b7f4d25ff7e8
		97583d4261240a4363d91cb2affffa34df80bd449cc4a5c0ab1ab6cb9b7d0e6a