Summary:

The provided code changes focus on enhancing the RustyhogParser class, which is responsible for parsing the output of the "Rusty Hog" security tool. The changes include improvements to the test suite, which covers various scenarios related to the detection of sensitive information disclosure, such as SSH private keys, passwords, and other confidential data found in code repositories, configuration files, and collaboration tools. Additionally, the code changes in the parser.py file aim to provide more detailed and informative vulnerability descriptions, including specific details about the identified issues, such as commit information, file paths, line numbers, diffs, and relevant IDs from JIRA and Confluence. These enhancements improve the overall quality and usefulness of the vulnerability reporting, making it more effective in identifying and addressing potential security issues.

Files Changed:

1. unittests/tools/test_rusty_hog_parser.py:

   • This file contains the test suite for the RustyhogParser class, which covers various scenarios, including files with no vulnerabilities, files with a single vulnerability, and files with multiple vulnerabilities.
   • The test cases highlight the parser's ability to detect sensitive information, such as SSH private keys, passwords, and other confidential data found in different locations (e.g., Confluence pages, file paths, JIRA tickets).
   • The test cases also demonstrate the parser's ability to extract detailed information about the commits associated with the identified vulnerabilities, including the commit message, commit hash, parent commit hash, and the file changes.
   • The test cases show that the parser provides mitigation recommendations for the identified issues, guiding developers and security teams on how to address the vulnerabilities.

2. dojo/tools/rusty_hog/parser.py:

   • The changes in this file focus on improving the handling and presentation of the vulnerability information obtained from various "Hog" scanners (Choctaw Hog, Duroc Hog, Gottingen Hog, and Essex Hog).
   • The code now ensures that the "reason" and "stringsFound" information are properly handled and included in the vulnerability description, even if they are None or empty.
   • The code extracts and includes additional relevant details in the vulnerability description, such as commit information, file paths, line numbers, diffs, JIRA issue IDs, and Confluence page IDs, depending on the scanner type.
   • The code provides specific mitigation recommendations based on the scanner type, advising the user to ensure that no secret material or confidential information is kept in clear within the respective locations (Git repositories, directories/files/archives, JIRA tickets, or Confluence pages).
   • If the file path is not available from the vulnerability information, the code attempts to use the provided URL as a fallback.