diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 6bcc96f7501..bf9095e959c 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -4,7 +4,7 @@
 
 from dojo.models import Finding
 
-__author__ = "dr3dd589"
+__author__ = "dr3dd589 + testaccount90009 aka SH"
 
 logger = logging.getLogger(__name__)
 
@@ -35,7 +35,55 @@ def _build_common_output(node, lib_name=None):
             cve = None
             component_name = None
             component_version = None
-            if "library" in node:
+            impact = None
+            description = "No Description Available"
+            cvss3_score = None
+            mitigation = "N/A"
+            if "component" in node:
+                description = (
+                    "**Vulnerability Description**: "
+                    + node["vulnerability"].get("description", "No Description Available")
+                    + "\n\n"
+                    + "**Component Name**: "
+                    + node["component"].get("name", "")
+                    + "\n"
+                    + "**Component Type**: "
+                    + node["component"].get("componentType", "")
+                    + "\n"
+                    + "**Root Library**: "
+                    + str(node["component"].get("rootLibrary", ""))
+                    + "\n"
+                    + "**Library Type**: "
+                    + node["component"].get("libraryType", "")
+                    + "\n"
+                    + "**Location Found**: "
+                    + node["component"].get("path", "")
+                    + "\n"
+                    + "**Direct or Transitive Dependency**: "
+                    + node["component"].get("dependencyType", "")
+                    + "\n"
+                )
+                lib_name = node["component"].get("name")
+                component_name = node["component"].get("artifactId")
+                component_version = node["component"].get("version")
+                impact = node["component"].get("dependencyType")
+                cvss3_score = node["vulnerability"].get("score", None)
+                if "topFix" in node:
+                    try:
+                        topfix_node = node.get("topFix")
+                        mitigation = (
+                            "**Resolution**: "
+                            + topfix_node.get("date", "")
+                            + "\n"
+                            + topfix_node.get("message", "")
+                            + "\n"
+                            + topfix_node.get("fixResolution", "")
+                            + "\n"
+                        )
+                    except Exception:
+                        logger.exception("Error handling topFix node.")
+
+            elif "library" in node:
                 node.get("project")
                 description = (
                     "**Description** : "
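Review bot: In the `"component"` branch, `if "topFix" in node:` is also true for an empty object, so a report entry carrying `"topFix": { }` (the CVE-2023-40743 entry in the new eleven-findings fixture does) gets a mitigation of `**Resolution**: \n\n\n` instead of the `N/A` default set a few lines above; `if node.get("topFix"):` keeps the default for empty fixes. The same branch indexes `node["vulnerability"]` directly while every other field is read with `.get`, so an entry without a vulnerability object raises KeyError instead of falling back, and a `null` value for any of the concatenated component fields makes `str + None` raise TypeError, which the `except Exception` around the topFix block does not cover. Consider `vuln = node.get("vulnerability") or {}` and wrapping each concatenated value in `str(...)` as is already done for `rootLibrary`. `_build_common_output` continues past the end of this hunk.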
@@ -57,8 +105,18 @@ def _build_common_output(node, lib_name=None):
                 lib_name = node["library"].get("filename")
                 component_name = node["library"].get("artifactId")
                 component_version = node["library"].get("version")
+                cvss3_score = node.get("cvss3_score", None)
+                if "topFix" in node:
+                    try:
+                        topfix_node = node.get("topFix")
+                        mitigation = "**Resolution** ({}): {}\n".format(
+                            topfix_node.get("date"),
+                            topfix_node.get("fixResolution"),
+                        )
+                    except Exception:
+                        logger.exception("Error handling topFix node.")
             else:
-                description = node.get("description")
+                description = node.get("description", "Unknown")
 
             cve = node.get("name")
             if cve is None:
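Review bot: The trailing `else:` branch of the schema dispatch no longer gets a `cvss3_score` or a topFix `mitigation`: the old code below (removed in the next hunk, `@@ -69,27`) read `node.get("cvss3_score", None)` and `node["topFix"]` after the branches for every node shape, and this commit moves both into the `library` and `component` branches only. Reports that take the `else:` path therefore end up with `cvssv3_score=None`, a justification printing `N/A`, and `mitigation = "N/A"` even when the entry carries a fix, which reads as an unintended regression rather than a schema difference. If that shape is meant to keep its old output, the ten moved lines belong in the `else:` branch too, or better, in one helper such as `_topfix_mitigation(node)` called from all three branches. `_build_common_output` starts before and continues after this hunk.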
@@ -69,27 +127,29 @@ def _build_common_output(node, lib_name=None):
             # homogeneous behavior.
             if "cvss3_severity" in node:
                 cvss_sev = node.get("cvss3_severity")
+            elif "vulnerability" in node:
+                cvss_sev = node["vulnerability"].get("severity")
             else:
                 cvss_sev = node.get("severity")
             severity = cvss_sev.lower().capitalize()
 
-            cvss3_score = node.get("cvss3_score", None)
             cvss3_vector = node.get("scoreMetadataVector", None)
             severity_justification = "CVSS v3 score: {} ({})".format(
                 cvss3_score if cvss3_score is not None else "N/A",
                 cvss3_vector if cvss3_vector is not None else "N/A",
             )
             cwe = 1035  # default OWASP a9 until the report actually has them
-            mitigation = "N/A"
-            if "topFix" in node:
-                try:
-                    topfix_node = node.get("topFix")
-                    mitigation = "**Resolution** ({}): {}\n".format(
-                        topfix_node.get("date"),
-                        topfix_node.get("fixResolution"),
-                    )
-                except Exception:
-                    logger.exception("Error handling topFix node.")
+            # comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
+            # mitigation = "N/A"
+            # if "topFix" in node:
+            #     try:
+            #         topfix_node = node.get("topFix")
+            #         mitigation = "**Resolution** ({}): {}\n".format(
+            #             topfix_node.get("date"),
+            #             topfix_node.get("fixResolution"),
+            #         )
+            #     except Exception:
+            #         logger.exception("Error handling topFix node.")
 
             filepaths = []
             if "sourceFiles" in node:
@@ -134,6 +194,7 @@ def _build_common_output(node, lib_name=None):
                 dynamic_finding=True,
                 cvssv3=cvss3_vector,
                 cvssv3_score=float(cvss3_score) if cvss3_score is not None else None,
+                impact=impact,
             )
             if cve:
                 new_finding.unsaved_vulnerability_ids = [cve]
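Review bot: The removed topFix block is left behind as an eleven-line commented-out copy under a "comment out the below for now" note; commented-out code drifts from the live version (the `library`-branch copy already differs from the `component`-branch one) and should be deleted, with git history serving if it is needed again. Separately, the new `elif "vulnerability" in node:` reads `severity` with `.get`, so a vulnerability object without that key yields None and `cvss_sev.lower()` two lines later raises AttributeError; the added fixtures always carry it, but a fallback such as `cvss_sev = node["vulnerability"].get("severity") or "Info"` (if Info is the floor this parser wants) would keep one malformed entry from aborting the whole import. `_build_common_output` starts before and continues after this hunk.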
@@ -164,8 +225,29 @@ def _build_common_output(node, lib_name=None):
             for node in tree_node:
                 findings.append(_build_common_output(node))
+        elif "components" in content:
+            # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component"
+            tree_components = content.get("components")
+            for comp_node in tree_components:
+                # get component info here, before going into vulns
+                if (
+                    "response" in comp_node
+                    and len(comp_node.get("response")) > 0
+                ):
+                    for vuln in comp_node.get("response"):
+                        findings.append(
+                            _build_common_output(vuln, comp_node.get("name")),
+                        )
+
+        elif "response" in content:
+            # New schema: handle response array
+            tree_node = content["response"]
+            if tree_node:
+                for node in tree_node:
+                    findings.append(_build_common_output(node))
+
 
 
         def create_finding_key(f: Finding) -> str:
-            """Hashes the finding's description and title to retrieve a key for deduplication."""
+            # """Hashes the finding's description and title to retrieve a key for deduplication."""
             return hashlib.md5(
                 f.description.encode("utf-8") + f.title.encode("utf-8"),
diff --git a/unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json b/unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json
new file mode 100644
index 00000000000..73441a7297c
--- /dev/null
+++ b/unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json
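Review bot: `create_finding_key` loses its docstring: `# """Hashes the finding's description and title to retrieve a key for deduplication."""` turns it into a comment, which hides it from `help()` and docstring lint for no stated reason; keep the original triple-quoted line. In the `components` branch, `len(comp_node.get("response")) > 0` raises TypeError when the key is present with a `null` value and duplicates the membership test on the line before it; `if comp_node.get("response"):` covers both cases, and the `elif "response" in content:` branch below could drop its separate `if tree_node:` the same way. None of the three fixtures this commit adds has a top-level `components` key (all three use `response`), so that branch is untested here, and the `lib_name` it passes appears to be overwritten by `lib_name = node["component"].get("name")` in an earlier hunk whenever the vuln carries a component, so a fixture for that shape would show what the branch actually produces. The enclosing method starts before this hunk.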
@@ -0,0 +1,773 @@ +{ + "additionalData": { + "totalItems": 11, + "paging": { } + }, + "supportToken": "3cdb1f55250864891a790b7f324be7ddc1731541902285", + "response": [ + { + "uuid": "23bcab53-d599-4c2e-acce-89880a1ba8ae", + "name": "CVE-2022-42004", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "aa25c040-953e-49c1-a824-278169adf8a4", + "name": "jackson-databind-2.13.3.jar", + "description": "Generaldata-binding functionality for Jackson: works on core streaming API", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com/", + "pomUrl": "https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom" + }, + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind", + "version": "2.13.3", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-42004", + "type": "CVSS_3", + "description": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2022-10-02T00:00:00Z", + "modifiedDate": "2024-08-03T12:56:39Z", + "vulnerabilityScoring": [ + { + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 109760, + "vulnerability": "CVE-2022-42004", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.13.4", + "date": "2022-10-02T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "uuid": "21548f3e-2a6e-48bd-998d-be6b40fed54c", + "name": "CVE-2018-8269", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "a124f02a-e4e0-476d-8ef1-6bd3a4238245", + "name": "Microsoft.Data.OData-5.2.0.51212.dll", + "description": "Microsoft.Data.OData.dll", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/microsoft.data.odata.5.2.0.nupkg", + "homePage": "http://go.microsoft.com/fwlink/?LinkId=220868", + "genericPackageIndex": "" + }, + "groupId": "Microsoft.Data.OData", + "artifactId": "Microsoft.Data.OData-5.2.0.51212.dll", + "version": "5.2.0.51212", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-20T10:42:50Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": 
"a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2018-8269", + "type": "CVSS_3", + "description": "A denial of service vulnerability exists when OData Library improperly handles web requests, aka 'OData Denial of Service Vulnerability.' This affects Microsoft.Data.OData.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2018-09-13T00:00:00Z", + "modifiedDate": "2024-08-05T06:46:13Z", + "vulnerabilityScoring": [ + { + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 60177, + "vulnerability": "CVE-2018-8269", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/aspnet/Announcements/issues/385", + "fixResolution": "Microsoft.Data.OData - 5.8.4", + "date": "2018-09-13T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 2.8999999 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "uuid": "07568c8b-3288-4f6e-8292-e350e8a80a84", + "name": "CVE-2018-8032", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" + }, + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + 
"application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2018-8032", + "type": "CVSS_3", + "description": "Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.", + "score": 6.1, + "severity": "MEDIUM", + "publishDate": "2018-08-02T13:00:00Z", + "modifiedDate": "2024-09-16T16:29:01Z", + "vulnerabilityScoring": [ + { + "score": 6.1, + "severity": "MEDIUM", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 100830, + "vulnerability": "CVE-2018-8032", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8032", + "fixResolution": "no_fix", + "date": "2018-07-08T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.4 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "uuid": "a513b00e-05cd-4843-b315-01aca5eb05ad", + "name": "CVE-2022-40152", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "d7de9e3c-a8c8-4b15-ba92-201b514498cc", + "name": "woodstox-core-6.2.8.jar", + "description": "Woodstox is a high-performance XML processor that implements Stax (JSR-173),\nSAX2 and Stax2 APIs", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com", + "pomUrl": "https://nexus.opendaylight.org/content/groups/public/com/fasterxml/woodstox/woodstox-core/6.2.8/woodstox-core-6.2.8.pom" + }, + "groupId": "com.fasterxml.woodstox", + "artifactId": "woodstox-core", + "version": "6.2.8", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": 
"e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-40152", + "type": "CVSS_3", + "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", + "score": 6.5, + "severity": "MEDIUM", + "publishDate": "2022-09-16T10:00:22Z", + "modifiedDate": "2024-09-16T19:14:50Z", + "vulnerabilityScoring": [ + { + "score": 6.5, + "severity": "MEDIUM", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 110139, + "vulnerability": "CVE-2022-40152", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/FasterXML/woodstox/pull/159", + "fixResolution": "com.fasterxml.woodstox:woodstox-core:5.4.0,6.4.0", + "date": "2022-09-16T10:00:22Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.8 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "uuid": "eabc72c0-370f-42fc-82fa-7a8584f71a2a", + "name": "CVE-2022-42003", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "aa25c040-953e-49c1-a824-278169adf8a4", + "name": "jackson-databind-2.13.3.jar", + "description": "General data-binding functionality for Jackson: works on core streaming API", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com/", + "pomUrl": 
"https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom" + }, + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind", + "version": "2.13.3", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-42003", + "type": "CVSS_3", + "description": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.\n Mend Note: For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users. 
", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2022-10-02T00:00:00Z", + "modifiedDate": "2024-08-03T12:56:39Z", + "vulnerabilityScoring": [ + { + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 133291, + "vulnerability": "CVE-2022-42003", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-jjjh-jjxp-wpff", + "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2", + "date": "2022-10-02T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "uuid": "59815375-eb59-460c-ae55-27c69ae9ca7d", + "name": "CVE-2014-3596", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" + }, + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2014-3596", + "type": "CVSS_3", + "description": "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name 
in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSLservers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.", + "score": 4.8, + "severity": "MEDIUM", + "publishDate": "2014-08-27T00:00:00Z", + "modifiedDate": "2024-08-06T10:50:17Z", + "vulnerabilityScoring": [ + { + "score": 4.8, + "severity": "MEDIUM", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 87936, + "vulnerability": "CVE-2014-3596", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3596", + "fixResolution": "axis:axis - 1.3-atlassian-1", + "date": "2014-08-27T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.2 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" + }, + { + "uuid": "b22790d4-9186-45a6-aa11-37ec13fce85f", + "name": "CVE-2021-24112", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "e7f7552f-f9d4-4c62-9a05-ab0701d44a4e", + "name": "System.Drawing.Common-4.6.26515.06.dll", + "description": "System.Drawing.Common", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/system.drawing.common.4.5.0.nupkg", + "homePage": "https://dot.net/", + "genericPackageIndex": "" + }, + "groupId": "System.Drawing.Common", + "artifactId": "System.Drawing.Common-4.6.26515.06.dll", + "version": "4.6.26515.06", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-13T11:40:20Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + 
"name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2021-24112", + "type": "CVSS_3", + "description": ".NET Core Remote Code Execution Vulnerability", + "score": 8.1, + "severity": "HIGH", + "publishDate": "2021-02-25T23:01:57Z", + "modifiedDate": "2024-08-03T19:21:18Z", + "vulnerabilityScoring": [ + { + "score": 8.1, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 110775, + "vulnerability": "CVE-2021-24112", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-rxg9-xrhp-64gj", + "fixResolution": "System.Drawing.Common - 4.7.2,5.0.3", + "date": "2021-02-25T23:15:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "POC_CODE", + "epssPercentage": 2.0 + }, + "exploitable": true, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" + }, + { + "uuid": "1efbe99b-724e-4ff2-aa5a-81a5581aae30", + "name": "CVE-2021-22570", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "e642b361-9c26-4be5-9ae6-15f97124ed8b", + "name": "Google.Protobuf-3.10.0.0.dll", + "description": "Google Protocol Buffers", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/google.protobuf.3.10.0.nupkg", + "homePage": "https://github.com/protocolbuffers/protobuf", + "genericPackageIndex": "" + }, + "groupId": "Google.Protobuf", + "artifactId": "Google.Protobuf-3.10.0.0.dll", + "version": "3.10.0.0", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-13T11:40:20Z" + }, + "project": { + 
"uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2021-22570", + "type": "CVSS_3", + "description": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.", + "score": 6.5, + "severity": "MEDIUM", + "publishDate": "2022-01-26T00:00:00Z", + "modifiedDate": "2024-08-03T18:44:13Z", + "vulnerabilityScoring": [ + { + "score": 6.5, + "severity": "MEDIUM", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 102974, + "vulnerability": "CVE-2021-22570", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-77rm-9x9h-xj3g", + "fixResolution": "Google.Protobuf - 3.15.0", + "date": "2022-01-26T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.0 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "uuid": "acae8e26-d778-48dc-8b26-8073c06d0572", + "name": "CVE-2019-0227", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" + }, + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" 
+ }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2019-0227", + "type": "CVSS_3", + "description": "A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2019-05-01T20:03:49Z", + "modifiedDate": "2024-08-04T17:44:15Z", + "vulnerabilityScoring": [ + { + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 71103, + "vulnerability": "CVE-2019-0227", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/", + "fixResolution": "org.apache.axis2:axis2:1.7.9", + "date": "2019-05-01T21:29:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 86.2 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "uuid": "7c1e2f26-2f2e-429d-9779-5ee2c1c34fff", + "name": "CVE-2023-40743", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + 
"rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" + }, + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-12-31T00:06:43Z", + "modifiedAt": "2023-12-31T00:06:43Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2023-40743", + "type": "CVSS_3", + "description": "** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through 'ServiceFactory.getService' allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to 'ServiceFactory.getService', or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . 
The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.\n\n", + "score": 9.8, + "severity": "CRITICAL", + "publishDate": "2023-09-05T14:42:13Z", + "modifiedDate": "2024-08-02T19:15:56Z", + "vulnerabilityScoring": [ + { + "score": 9.8, + "severity": "CRITICAL", + "type": "CVSS_3" + } + ] + }, + "topFix": { }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "uuid": "ac04a94e-16df-4f69-a8ac-3d6a092c8091", + "name": "CVE-2023-51441", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" + }, + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2024-01-08T22:47:45Z", + "modifiedAt": "2024-01-08T22:47:45Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2023-51441", + "type": "CVSS_3", + "description": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability inApache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP 
engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\nthis are welcome.\n\n", + "score": 7.2, + "severity": "HIGH", + "publishDate": "2024-01-06T11:59:37Z", + "modifiedDate": "2024-08-02T23:15:47Z", + "vulnerabilityScoring": [ + { + "score": 7.2, + "severity": "HIGH", + "type": "CVSS_3" + } + ] + }, + "topFix": { + "id": 129844, + "vulnerability": "CVE-2023-51441", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51441", + "fixResolution": "no_fix", + "date": "2024-01-06T12:15:43Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.1 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ] +} \ No newline at end of file diff --git a/unittests/scans/mend/mend-sca-platform-api3-no-findings.json b/unittests/scans/mend/mend-sca-platform-api3-no-findings.json new file mode 100644 index 00000000000..9df1c1c1a27 --- /dev/null +++ b/unittests/scans/mend/mend-sca-platform-api3-no-findings.json @@ -0,0 +1 @@ +{"additionalData": {"totalItems": 0, "paging": {}}, "supportToken": "123442284e284dddb0652ff65c9f3ebd1731540952924", "response": []} \ No newline at end of file diff --git a/unittests/scans/mend/mend-sca-platform-api3-one-finding.json b/unittests/scans/mend/mend-sca-platform-api3-one-finding.json new file mode 100644 index 00000000000..c8e65ae1115 --- /dev/null +++ b/unittests/scans/mend/mend-sca-platform-api3-one-finding.json 
@@ -0,0 +1,81 @@
+{
+ "additionalData": {
+ "totalItems": 1,
+ "paging": { }
+ },
+ "supportToken": "17da68189a2eb40ec9b5d99c8141495191731541262319",
+ "response": [
+ {
+ "uuid": "7d60c0ad-1585-4aab-a74c-120e5819d84c",
+ "name": "CVE-2024-51744",
+ "type": "SECURITY_VULNERABILITY",
+ "component": {
+ "uuid": "e8e7d995-e58a-4a02-b929-76a2963f088a",
+ "name": "github.com/golang-JWT/jwt-v3.2.2+incompatible",
+ "description": "",
+ "componentType": "Library",
+ "libraryType": "GO_PACKAGE",
+ "rootLibrary": "True",
+ "references": {
+ "url": "https://proxy.golang.org/github.com/golang-!j!w!t/jwt/@v/v3.2.2+incompatible.zip",
+ "homePage": "https://pkg.go.dev/github.com/golang-JWT/jwt@v3.2.2+incompatible",
+ "genericPackageIndex": "http://go-search.org/api?action=package&id=github.com%2Fgolang-JWT%2Fjwt"
+ },
+ "groupId": "github.com/golang-JWT/jwt",
+ "artifactId": "github.com/golang-JWT/jwt",
+ "version": "v3.2.2+incompatible",
+ "path": "/source/go.mod",
+ "dependencyType": "Direct / Transitive"
+ },
+ "findingInfo": {
+ "status": "ACTIVE",
+ "comment": { },
+ "detectedAt": "2024-11-10T08:47:02Z",
+ "modifiedAt": "2024-11-10T08:47:02Z"
+ },
+ "project": {
+ "uuid": "32bff718-28a2-463b-9c4f-7f66b286b34c",
+ "name": "project-name",
+ "path": "application-name",
+ "applicationUuid": "8663102a-5f11-4139-9281-c4c72a6ea402"
+ },
+ "application": {
+ "uuid": "8663102a-5f11-4139-9281-c4c72a6ea402",
+ "name": "application-name"
+ },
+ "vulnerability": {
+ "name": "CVE-2024-51744",
+ "type": "CVSS_3",
+ "description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they willignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in 'dangerous' situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ('dangerous' ones first), so that you are not running in the case detailed above.",
+ "score": 3.1,
+ "severity": "LOW",
+ "publishDate": "2024-11-04T21:47:12Z",
+ "modifiedDate": "2024-11-05T16:11:42Z",
+ "vulnerabilityScoring": [
+ {
+ "score": 3.1,
+ "severity": "LOW",
+ "type": "CVSS_3"
+ }
+ ]
+ },
+ "topFix": {
+ "id": 135282,
+ "vulnerability": "CVE-2024-51744",
+ "type": "UPGRADE_VERSION",
+ "origin": "WHITESOURCE_EXPERT",
+ "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r",
+ "fixResolution": "github.com/golang-jwt/jwt-v4.5.1",
+ "date": "2024-11-04T21:47:12Z",
+ "message": "Upgrade to version"
+ },
+ "effective": "NO_SHIELD",
+ "threatAssessment": {
+ "exploitCodeMaturity": "NOT_DEFINED",
+ "epssPercentage": 0.0
+ },
+ "exploitable": "False",
+ "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/unittests/tools/test_mend_parser.py b/unittests/tools/test_mend_parser.py
index 1cd8cc11dd7..cd544d503c1 100644
--- a/unittests/tools/test_mend_parser.py
+++ b/unittests/tools/test_mend_parser.py
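Review bot: The one-finding fixture encodes `"rootLibrary": "True"` and `"exploitable": "False"` as JSON strings, while the fixture earlier in this diff carries the same keys as JSON booleans (`"rootLibrary": true`, `"exploitable": false`), so the two fixtures disagree about the shape of the platform API response. If the string form came from hand-editing rather than a captured response, it should be corrected to the boolean form so that the tests do not lock in a shape the API does not emit and so that any parser code that compares or stringifies these fields is exercised against the real one. The `supportToken` values here and in the no-findings fixture look like tokens captured from live responses; if they were, replace them with an obviously fake placeholder before committing, since nothing in the visible changes suggests the parser reads that field.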
@@ -43,3 +43,26 @@ def test_parse_file_with_one_sca_vuln_finding(self):
 self.assertEqual(1, len(findings))
 finding = list(findings)[0]
 self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path)
+
+ def test_parse_file_with_no_vuln_has_no_findings_platform(self):
+ with open("unittests/scans/mend/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile:
+ parser = MendParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(0, len(findings))
+
+ def test_parse_file_with_one_vuln_has_one_findings_platform(self):
+ with open("unittests/scans/mend/mend-sca-platform-api3-one-finding.json", encoding="utf-8") as testfile:
+ parser = MendParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(1, len(findings))
+ finding = list(findings)[0]
+ self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+ self.assertEqual("CVE-2024-51744", finding.unsaved_vulnerability_ids[0])
+ self.assertEqual("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", finding.cvssv3)
+ self.assertEqual(3.1, finding.cvssv3_score)
+
+ def test_parse_file_with_multiple_vuln_has_multiple_finding_platform(self):
+ with open("unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json", encoding="utf-8") as testfile:
+ parser = MendParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(11, len(findings))
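Review bot: test_parse_file_with_one_vuln_has_one_findings_platform pins only the CVE id and the CVSS vector/score, so a regression in how the platform format's component and fix data are extracted would still pass; the fixture carries the values to pin them, e.g. `self.assertEqual("github.com/golang-JWT/jwt", finding.component_name)`, `self.assertEqual("v3.2.2+incompatible", finding.component_version)` and `self.assertIn("github.com/golang-jwt/jwt-v4.5.1", finding.mitigation)`, assuming the parser maps the fixture's artifactId, version and topFix.fixResolution onto those Finding fields. Asserting `finding.severity` for the LOW/3.1 case would also catch a severity-mapping slip that the score assertion alone cannot. The eleven-findings fixture read by test_parse_file_with_multiple_vuln_has_multiple_finding_platform is not visible in this chunk, so the expected count of 11 could not be checked against its `response` array. Minor naming point: `has_one_findings` should be the singular `has_one_finding`, matching the sibling `..._one_sca_vuln_finding` test name.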