🐛 fix hcl_appscan, handle severity is None #10074

[manuel-sommer]

see #10074

However, the scanfile was not very helpful as a lot of values were rotated (e.g. also severity and cwe) and I had to rotate those back to get something useful.
I figured out that some severity values were None and fixed it with the scan file.

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on improving the quality and reliability of the HCL AppScan parser, which is an essential component for effectively integrating application security scanning into the development process. The key changes include:

1. Addition of a new test case (test_issue_10074) to the TestHCLAppScanParser class, which verifies the parser's ability to handle scan results with a lower severity level (i.e., "Info"). This demonstrates the development team's commitment to expanding the test coverage and ensuring the parser's robustness.

2. Updates to the dojo/tools/hcl_appscan/parser.py file to handle cases where the input.text is None and where the severity element in the XML is empty or missing. These changes aim to improve the parser's ability to handle edge cases and potential errors in the input data.

3. Extraction of additional information from the XML, such as CWE, remediation, advisory, and various location-related details. This additional data can provide more context and details about the identified findings, which is crucial for effective security analysis and prioritization.

While the changes appear to be focused on improving the parser's functionality, it's important to ensure that the parsing process is robust and secure, as vulnerabilities in the parser could potentially lead to security issues in the overall application security monitoring and reporting process.

Files Changed:

1. unittests/tools/test_hcl_appscan_parser.py: This file has been updated with a new test case (test_issue_10074) that verifies the parser's ability to handle scan results with a lower severity level.

2. unittests/scans/hcl_appscan/issue_10074.xml: This file is a sample AppScan report that identifies various security issues, including SQL Injection, Integer Overflow, and Improper Assets Management. The report provides detailed information on each issue, including the severity, CVSS score, CWE, and the specific locations where the issues were found.

3. dojo/tools/hcl_appscan/parser.py: The changes in this file focus on improving the handling of null text and null severity in the XML parsing process. Additionally, the code has been updated to extract more detailed information from the XML, such as CWE, remediation, advisory, and various location-related details.

Powered by DryRun Security

[mtesauro]

Approved

Approved before tests finished running... will give it a moment to complete