DefectDojo · mtesauro · Mar 4, 2024 · Feb 18, 2024 · Feb 18, 2024 · Feb 18, 2024
diff --git a/docs/content/en/integrations/parsers/file/osv_scanner.md b/docs/content/en/integrations/parsers/file/osv_scanner.md
@@ -0,0 +1,8 @@
+---
+title: "OSV Scanner"
+toc_hide: true
+---
+Use [OSV-Scanner](https://github.com/google/osv-scanner) to find existing vulnerabilities affecting your project's dependencies.
+
+### Sample Scan Data
+Sample OSV Scanner output can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/osv_scanner).
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1244,6 +1244,7 @@ def saml2_attrib_map_format(dict):
     'HCLAppScan XML': ['title', 'description'],
     'KICS Scan': ['file_path', 'line', 'severity', 'description', 'title'],
     'MobSF Scan': ['title', 'description', 'severity'],
+    'OSV Scan': ['title', 'description', 'severity'],
     'Snyk Code Scan': ['vuln_id_from_tool', 'file_path']
 }
 
@@ -1455,6 +1456,7 @@ def saml2_attrib_map_format(dict):
     'HCLAppScan XML': DEDUPE_ALGO_HASH_CODE,
     'KICS Scan': DEDUPE_ALGO_HASH_CODE,
     'MobSF Scan': DEDUPE_ALGO_HASH_CODE,
+    'OSV Scan': DEDUPE_ALGO_HASH_CODE,
     'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
 }
 

diff --git a/dojo/tools/osv_scanner/__init__.py b/dojo/tools/osv_scanner/__init__.py
@@ -0,0 +1 @@
+__author__ = "manuel-sommer"
diff --git a/dojo/tools/osv_scanner/parser.py b/dojo/tools/osv_scanner/parser.py
@@ -0,0 +1,73 @@
+import json
+from dojo.models import Finding
+
+
+class OSVScannerParser(object):
+
+    def get_scan_types(self):
+        return ["OSV Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return "OSV Scan"
+
+    def get_description_for_scan_types(self, scan_type):
+        return "OSV scan output can be imported in JSON format (option --format json)."
+
+    def classify_severity(self, input):
+        if input != "":
+            if input == "MODERATE":
+                severity = "Medium"
+            else:
+                severity = input.lower().capitalize()
+        else:
+            severity = "Low"
+        return severity
+
+    def get_findings(self, file, test):
+        try:
+            data = json.load(file)
+        except json.decoder.JSONDecodeError:
+            return []
+        findings = list()
+        for result in data["results"]:
+            source_path = result["source"]["path"]
+            source_type = result["source"]["type"]
+            for package in result["packages"]:
+                package_name = package["package"]["name"]
+                package_version = package["package"]["version"]
+                package_ecosystem = package["package"]["ecosystem"]
+                for vulnerability in package["vulnerabilities"]:
+                    vulnerabilityid = vulnerability["id"]
+                    vulnerabilitysummary = vulnerability.get("summary", "")
+                    vulnerabilitydetails = vulnerability["details"]
+                    vulnerabilitypackagepurl = vulnerability["affected"][0].get("package", "")
+                    if vulnerabilitypackagepurl != "":
+                        vulnerabilitypackagepurl = vulnerabilitypackagepurl["purl"]
+                    cwe = vulnerability["affected"][0]["database_specific"].get("cwes", None)
+                    if cwe is not None:
+                        cwe = cwe[0]["cweId"]
+                    reference = ""
+                    for ref in vulnerability.get("references"):
+                        reference += ref.get("url") + "\n"
+                    description = vulnerabilitysummary + "\n"
+                    description += "**source_type**: " + source_type + "\n"
+                    description += "**package_ecosystem**: " + package_ecosystem + "\n"
+                    description += "**vulnerabilitydetails**: " + vulnerabilitydetails + "\n"
+                    description += "**vulnerabilitypackagepurl**: " + vulnerabilitypackagepurl + "\n"
+                    sev = vulnerability.get("database_specific", {}).get("severity", "")
+                    finding = Finding(
+                        title=vulnerabilityid + "_" + package_name,
+                        test=test,
+                        description=description,
+                        severity=self.classify_severity(sev),
+                        static_finding=True,
+                        dynamic_finding=False,
+                        component_name=package_name,
+                        component_version=package_version,
+                        cwe=cwe,
+                        cve=vulnerabilityid,
+                        file_path=source_path,
+                        references=reference,
+                    )
+                    findings.append(finding)
+        return findings