Add new Mend Platform API 3.0 file types to existing Mend parser #11259

Merged (64 commits), Nov 22, 2024

Commits
716f94a
Add new Mend Platform API 3.0 parser
testaccount90009 Nov 14, 2024
b2fe0b8
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
7e8a2fd
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
82e46ee
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
4f45fa6
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
2eec598
Update parser.py
testaccount90009 Nov 14, 2024
4cd5bb3
Update parser.py
testaccount90009 Nov 14, 2024
6faf27f
add component path as file_path
testaccount90009 Nov 14, 2024
5d6de56
updated parser
testaccount90009 Nov 14, 2024
0cbce00
Update parser.py
testaccount90009 Nov 14, 2024
2127d81
Update parser.py
testaccount90009 Nov 14, 2024
f1aa0ec
refactor
testaccount90009 Nov 14, 2024
bdc721a
Update parser.py
testaccount90009 Nov 14, 2024
fd76af6
Update parser.py
testaccount90009 Nov 14, 2024
9f3d41e
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
726f8c3
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
3977cd9
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
66d00c5
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
9605700
Update test_mend_platform_api3_parser.py
testaccount90009 Nov 14, 2024
8003d1f
Update parser.py
testaccount90009 Nov 14, 2024
e2911e2
change single quotes to double quotes - reformat broken json
testaccount90009 Nov 14, 2024
1e2cc67
Try to refactor to harden Mend parser instead of creating additional …
testaccount90009 Nov 14, 2024
bf8f9ce
Update parser.py
testaccount90009 Nov 14, 2024
f119ef7
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 14, 2024
64eaa50
adding author update
testaccount90009 Nov 14, 2024
5a9f279
Update parser.py
testaccount90009 Nov 14, 2024
52776b1
Add elif for "component" in content for list of Findings
testaccount90009 Nov 14, 2024
b97c5da
Update parser.py
testaccount90009 Nov 14, 2024
0acd9ee
Update parser.py
testaccount90009 Nov 14, 2024
6451542
Update parser.py
testaccount90009 Nov 14, 2024
132ec4d
Update parser.py
testaccount90009 Nov 14, 2024
7b33df5
Update parser.py
testaccount90009 Nov 14, 2024
e52d08c
Update parser.py
testaccount90009 Nov 14, 2024
2272d46
preserve the original else statement for grabbing severity
testaccount90009 Nov 14, 2024
45e723a
update parser to capture component_node array
testaccount90009 Nov 14, 2024
79d56b8
Update parser.py
testaccount90009 Nov 14, 2024
ee24c36
change how vulnerability description is retrieved
testaccount90009 Nov 14, 2024
1b1b242
Update parser.py
testaccount90009 Nov 14, 2024
b661790
Update parser.py
testaccount90009 Nov 14, 2024
2744a5f
updating vuln count
testaccount90009 Nov 14, 2024
b48a356
Update parser.py
testaccount90009 Nov 14, 2024
9313c2f
Update parser.py
testaccount90009 Nov 14, 2024
9313a86
Update parser.py
testaccount90009 Nov 14, 2024
f137019
Update parser.py
testaccount90009 Nov 14, 2024
c9477f9
Update parser.py
testaccount90009 Nov 14, 2024
503b7a1
Update parser.py
testaccount90009 Nov 14, 2024
f489b0e
Update parser.py
testaccount90009 Nov 14, 2024
6538d8a
Update parser.py
testaccount90009 Nov 14, 2024
d4f162f
Update parser.py
testaccount90009 Nov 14, 2024
29e8dd7
Update parser.py
testaccount90009 Nov 15, 2024
ba9dc02
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 15, 2024
b7c9d3d
Update parser.py
testaccount90009 Nov 18, 2024
75d9e7d
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 18, 2024
7404f44
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 18, 2024
9bd5f03
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 18, 2024
a705a5b
Fix spacing and formatting for easier readability
testaccount90009 Nov 18, 2024
8a396a3
Merge branch 'dev' of https://github.com/testaccount90009/django-Defe…
testaccount90009 Nov 18, 2024
a6c2db3
Rework Mitigation field - slight adjustment in formatting and edited …
testaccount90009 Nov 18, 2024
9e8f540
Fix comma and indents
testaccount90009 Nov 18, 2024
aeabdd4
Fix typo
testaccount90009 Nov 18, 2024
6202162
fix commas
testaccount90009 Nov 18, 2024
d221e3c
fix spacing
testaccount90009 Nov 18, 2024
a4b14f3
fix spacing for readability
testaccount90009 Nov 18, 2024
d2a612d
Merge branch 'DefectDojo:dev' into dev
testaccount90009 Nov 21, 2024
112 changes: 97 additions & 15 deletions dojo/tools/mend/parser.py
Expand Up @@ -4,7 +4,7 @@

from dojo.models import Finding

__author__ = "dr3dd589"
__author__ = "dr3dd589 + testaccount90009 aka SH"

logger = logging.getLogger(__name__)
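Review bot: style point on the `__author__` line: authorship is already recorded in git history, and "aka SH" is noise in a module attribute; if the attribute is kept at all, limit it to the GitHub handles.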

Expand Down Expand Up @@ -35,7 +35,55 @@ def _build_common_output(node, lib_name=None):
cve = None
component_name = None
component_version = None
if "library" in node:
impact = None
description = "No Description Available"
cvss3_score = None
mitigation = "N/A"
if "component" in node:
description = (
"**Vulnerability Description**: "
+ node["vulnerability"].get("description", "No Description Available")
+ "\n\n"
+ "**Component Name**: "
+ node["component"].get("name", "")
+ "\n"
+ "**Component Type**: "
+ node["component"].get("componentType", "")
+ "\n"
+ "**Root Library**: "
+ str(node["component"].get("rootLibrary", ""))
+ "\n"
+ "**Library Type**: "
+ node["component"].get("libraryType", "")
+ "\n"
+ "**Location Found**: "
+ node["component"].get("path", "")
+ "\n"
+ "**Direct or Transitive Dependency**: "
+ node["component"].get("dependencyType", "")
+ "\n"
)
lib_name = node["component"].get("name")
component_name = node["component"].get("artifactId")
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
cvss3_score = node["vulnerability"].get("score", None)
if "topFix" in node:
try:
topfix_node = node.get("topFix")
mitigation = (
"**Resolution**: "
+ topfix_node.get("date", "")
+ "\n"
+ topfix_node.get("message", "")
+ "\n"
+ topfix_node.get("fixResolution", "")
+ "\n"
)
except Exception:
logger.exception("Error handling topFix node.")

elif "library" in node:
node.get("project")
description = (
"**Description** : "
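Review bot: the new `if "component" in node:` branch indexes `node["vulnerability"]` unguarded (both in the description and in `cvss3_score = node["vulnerability"].get("score", None)`), so a component record without a vulnerability sub-object raises KeyError and aborts the whole import instead of skipping one finding; guard it the way `component` is guarded, e.g. `vuln = node.get("vulnerability", {})`. The long string concatenation is fragile for the same reason the `.get(..., "")` defaults only cover an absent key: a present-but-null value such as `"path": null` makes `+` raise TypeError, and only `rootLibrary` is wrapped in `str()`; wrap every field or build the text with a format string. The `topFix` handling added here is the same pattern that appears again in the `library` branch below, and its `except Exception` logs and continues even when the real cause is just a missing key; factor it into one helper and fall back to "N/A" explicitly.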
Expand All @@ -57,8 +105,18 @@ def _build_common_output(node, lib_name=None):
lib_name = node["library"].get("filename")
component_name = node["library"].get("artifactId")
component_version = node["library"].get("version")
cvss3_score = node.get("cvss3_score", None)
if "topFix" in node:
try:
topfix_node = node.get("topFix")
mitigation = "**Resolution** ({}): {}\n".format(
topfix_node.get("date"),
topfix_node.get("fixResolution"),
)
except Exception:
logger.exception("Error handling topFix node.")
else:
description = node.get("description")
description = node.get("description", "Unknown")

cve = node.get("name")
if cve is None:
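Review bot: `node.get("project")` at the top of the `elif "library" in node:` branch is a bare expression whose result is discarded; drop it or assign it to something that is used. The `topFix` block added to this branch produces `**Resolution** (date): fix` while the `component` branch above produces a multi-line `**Resolution**: date / message / fixResolution` form, so mitigations will render differently depending on which schema the report came from; settle on one format. In the final `else`, `node.get("description", "Unknown")` still yields None when the key is present with a null value; `node.get("description") or "Unknown"` covers both cases.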
Expand All @@ -69,27 +127,29 @@ def _build_common_output(node, lib_name=None):
# homogeneous behavior.
if "cvss3_severity" in node:
cvss_sev = node.get("cvss3_severity")
elif "vulnerability" in node:
cvss_sev = node["vulnerability"].get("severity")
else:
cvss_sev = node.get("severity")
severity = cvss_sev.lower().capitalize()

cvss3_score = node.get("cvss3_score", None)
cvss3_vector = node.get("scoreMetadataVector", None)
severity_justification = "CVSS v3 score: {} ({})".format(
cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A",
)
cwe = 1035 # default OWASP a9 until the report actually has them

mitigation = "N/A"
if "topFix" in node:
try:
topfix_node = node.get("topFix")
mitigation = "**Resolution** ({}): {}\n".format(
topfix_node.get("date"),
topfix_node.get("fixResolution"),
)
except Exception:
logger.exception("Error handling topFix node.")
# comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
# mitigation = "N/A"
# if "topFix" in node:
# try:
# topfix_node = node.get("topFix")
# mitigation = "**Resolution** ({}): {}\n".format(
# topfix_node.get("date"),
# topfix_node.get("fixResolution"),
# )
# except Exception:
# logger.exception("Error handling topFix node.")

filepaths = []
if "sourceFiles" in node:
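Review bot: the commented-out mitigation block (from `# comment out the below for now` through `# logger.exception("Error handling topFix node.")`) should be deleted, not kept as a comment; the live logic now lives in the two branches above and git history preserves the old version. In the severity lookup, `severity = cvss_sev.lower().capitalize()` still raises AttributeError when none of `cvss3_severity`, `vulnerability.severity` or `severity` is present, because each `.get()` returns None; default to a fixed severity and log the record instead. Note also the asymmetry introduced for the 3.0 schema: the score is now read from `node["vulnerability"]["score"]` in the earlier hunk, but `cvss3_vector = node.get("scoreMetadataVector", None)` still reads the top-level node, so the justification string will show the vector as N/A unless the new schema really places it there; confirm against a sample report and add a fixture that carries a vector.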
Expand Down Expand Up @@ -134,6 +194,7 @@ def _build_common_output(node, lib_name=None):
dynamic_finding=True,
cvssv3=cvss3_vector,
cvssv3_score=float(cvss3_score) if cvss3_score is not None else None,
impact=impact,
)
if cve:
new_finding.unsaved_vulnerability_ids = [cve]
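Review bot: `impact=impact` fills Finding.impact with `component.dependencyType` ("Direct"/"Transitive") in the component branch and with None everywhere else; that field describes the impact of the vulnerability, and the dependency type is already written into the description under `**Direct or Transitive Dependency**`. Either drop the kwarg or add a comment in the parser stating why dependency type is surfaced as impact, so the choice is deliberate rather than a leftover.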
Expand Down Expand Up @@ -164,8 +225,29 @@ def _build_common_output(node, lib_name=None):
for node in tree_node:
findings.append(_build_common_output(node))

elif "components" in content:
# likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component"
tree_components = content.get("components")
for comp_node in tree_components:
# get component info here, before going into vulns
if (
"response" in comp_node
and len(comp_node.get("response")) > 0
):
for vuln in comp_node.get("response"):
findings.append(
_build_common_output(vuln, comp_node.get("name")),
)

elif "response" in content:
# New schema: handle response array
tree_node = content["response"]
if tree_node:
for node in tree_node:
findings.append(_build_common_output(node))

def create_finding_key(f: Finding) -> str:
"""Hashes the finding's description and title to retrieve a key for deduplication."""
# """Hashes the finding's description and title to retrieve a key for deduplication."""
return hashlib.md5(
f.description.encode("utf-8")
+ f.title.encode("utf-8"),
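Review bot: the docstring of `create_finding_key` has been turned into a comment (`# """Hashes the finding's description and title ..."""`), which removes it from `help()` and generated docs for no gain; restore the docstring. In the `elif "components" in content:` branch, the second argument `comp_node.get("name")` is passed as `lib_name`, but `_build_common_output` overwrites `lib_name` with `node["component"].get("name")` for the component schema, so the outer name is never used; either pass nothing or use it as the fallback when the inner name is missing. The check `len(comp_node.get("response")) > 0` raises TypeError when `response` is present but null; `if comp_node.get("response"):` handles both the missing and the empty case. Make sure the accompanying `test_mend_platform_api3_parser.py` fixture exercises both the `components` and the top-level `response` shapes, since the two branches take different paths into `_build_common_output`.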