Introducing a mechanism to extract and include mitigation information…

… (fixed versions)
DefectDojo · Dec 23, 2024 · f933c89 · f933c89
1 parent a23d126
commit f933c89
Showing 1 changed file with 35 additions and 41 deletions.
diff --git a/dojo/tools/osv_scanner/parser.py b/dojo/tools/osv_scanner/parser.py
@@ -1,7 +1,19 @@
 import json
 
-# Définition de la classe du parser OSV directement dans le script
+from dojo.models import Finding
+
+
 class OSVScannerParser:
+
+    def get_scan_types(self):
+        return ["OSV Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return "OSV Scan"
+
+    def get_description_for_scan_types(self, scan_type):
+        return "OSV scan output can be imported in JSON format (option --format json)."
+
     def classify_severity(self, input):
         return ("Medium" if input == "MODERATE" else input.lower().capitalize()) if input != "" else "Low"
 
@@ -12,6 +24,7 @@ def get_findings(self, file, test):
             return []
         findings = []
         for result in data.get("results", []):
+            # Extract source locations if present
             source_path = result.get("source", {}).get("path", "")
             source_type = result.get("source", {}).get("type", "")
             for package in result.get("packages", []):
@@ -25,13 +38,14 @@ def get_findings(self, file, test):
                     vulnerabilitypackagepurl = ""
                     cwe = None
                     mitigation = None
+                    # Make sure we have an affected section to work with
                     if (affected := vulnerability.get("affected")) is not None:
                         if len(affected) > 0:
+                            # Pull the package purl if present
                             if (vulnerabilitypackage := affected[0].get("package", "")) != "":
                                 vulnerabilitypackagepurl = vulnerabilitypackage.get("purl", "")
                             if (cwe := affected[0].get("database_specific", {}).get("cwes", None)) is not None:
                                 cwe = cwe[0]["cweId"]
-                            # Extraire la version corrigée (mitigation)
                             ranges = affected[0].get("ranges", [])
                             for range_item in ranges:
                                 for event in range_item.get("events", []):
@@ -41,52 +55,32 @@ def get_findings(self, file, test):
                     reference = ""
                     for ref in vulnerability.get("references", []):
                         reference += ref.get("url") + "\n"
-
+                    # Define the description
                     description = vulnerabilitysummary + "\n"
                     description += "**source_type**: " + source_type + "\n"
                     description += "**package_ecosystem**: " + package_ecosystem + "\n"
                     description += "**vulnerabilitydetails**: " + vulnerabilitydetails + "\n"
                     description += "**vulnerabilitypackagepurl**: " + vulnerabilitypackagepurl + "\n"
 
                     sev = vulnerability.get("database_specific", {}).get("severity", "")
-                    finding = {
-                        "title": vulnerabilityid + "_" + package_name,
-                        "description": description,
-                        "severity": self.classify_severity(sev),
-                        "component_name": package_name,
-                        "component_version": package_version,
-                        "cwe": cwe,
-                        "file_path": source_path,
-                        "references": reference,
-                        "mitigation": mitigation,
-                    }
+                    finding = Finding(
+                        title=vulnerabilityid + "_" + package_name,
+                        test=test,
+                        description=description,
+                        severity=self.classify_severity(sev),
+                        static_finding=True,
+                        dynamic_finding=False,
+                        component_name=package_name,
+                        component_version=package_version,
+                        cwe=cwe,
+                        file_path=source_path,
+                        references=reference,
+                    )
+                    if mitigation:
+                        finding.mitigation = mitigation
+                    if vulnerabilityid != "":
+                        finding.unsaved_vulnerability_ids = []
+                        finding.unsaved_vulnerability_ids.append(vulnerabilityid)
                     findings.append(finding)
         return findings
 
-# Fonction principale pour exécuter le test
-def test_osv_parser(json_file_path):
-    parser = OSVScannerParser()
-
-    with open(json_file_path, "r") as file:
-        findings = parser.get_findings(file, test="Test")
-
-    if findings:
-        print(f"Nombre de findings : {len(findings)}\n")
-        for finding in findings:
-            print(f"--- Finding ---")
-            print(f"Title: {finding['title']}")
-            print(f"Severity: {finding['severity']}")
-            print(f"Description: {finding['description']}")
-            print(f"Mitigation: {finding['mitigation'] if finding['mitigation'] else 'Non spécifié'}")
-            print(f"References: {finding['references']}")
-            print(f"Component Name: {finding['component_name']}")
-            print(f"Component Version: {finding['component_version']}")
-            print(f"--- Fin du Finding ---\n")
-    else:
-        print("Aucun finding détecté.")
-
-# Remplacez par le chemin vers votre fichier JSON de test
-json_file_path = "test.json"
-
-# Exécuter le test
-test_osv_parser(json_file_path)