Add new Mend Platform API 3.0 file types to existing Mend parser #11259
Conversation
Existing Mend parser is for 1.0 or 2.0 and Unified Agent based 'legacy' vulnerabilities schema, whereas a new Mend Platform and API 3.0 has changed this structure, requiring a need for a new parser. This is for SCA only at the moment.
DryRun Security Summary: The provided code changes focus on improving the parsing and processing of Mend (formerly WhiteSource) Software Composition Analysis (SCA) scan results, including handling different schema structures, enhancing vulnerability descriptions, and adding new unit tests to verify the correct handling of various Mend scan output scenarios, in order to provide more comprehensive and reliable vulnerability data for effective application security management.
Summary: The provided code changes cover several updates to the application's security-related functionality, including improvements to the parsing and processing of Mend (formerly WhiteSource) Software Composition Analysis (SCA) scan results, as well as the addition of new unit tests to verify the correct handling of various Mend scan output scenarios. The key changes and their security implications are as follows:
Code Analysis: We ran Riskiness. 🟢 Risk threshold not exceeded.
This is mainly for SCA anyways - SAST contains a different set of vulns and I can write that parser to differentiate SAST vs SCA.
@manuel-sommer I will try this tomorrow in my dev environment, along with an import of the new File Type to see how DefectDojo accepts it or not. Thank you again for the suggestion!
I have tried this on my local dev stack and everything works, except for the Description field. It is defaulting to the 'Unknown' value. Will look at fixing that and writing a unit test of some kind for it perhaps.
@testaccount90009 great job making sense of the combination of formats. Once you get the description issue figured out, I think this one will be good to go.
@Maffooch thank you, I appreciate it! Currently the description is returning 'Unknown' and I am going to shut down for the weekend -- but I will get back to this next week and eventually figure out why it's returning 'Unknown'. My guess is that it's having an issue with the schema of the new json structure... "response": ["vulnerability"{} node get "description"] is an example of the layout of the new schema, whereas the old schema is a bit simpler with just "vulnerabilities": {"description"}. I have not yet figured it out, but I'll get it on my test stack and input those changes here, likely with a unit test to make sure.
@Maffooch I believe this works now - Description is correctly populating with the newly added changes. I no longer get 'Unknown' on the new platform parser SCA json document and it correctly builds the description similarly to how the legacy json schema does.
To confirm -- I have already built this in my dev stack and have imported a json findings file with multiple, one, etc. and it populates description now correctly. I think what I set out to implement at this time has been accomplished. Please let me know if there's anything I overlooked or I may be missing.
Ok, I believe I am done making changes. This is a good finishing point for the Mend Platform SCA specific parser. ToDo in future PRs (that I, or someone else can take care of -- though I don't mind and will get to it soon anyways): 1 parser to rule them all :) |
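The comments above describe two JSON layouts (the legacy Unified Agent / API 1.0-2.0 schema with a top-level "vulnerabilities" list, and the Platform / API 3.0 schema where each entry under "response" wraps its details in a "vulnerability" object) and the symptom of a lookup done at the wrong nesting level: the description comes back as 'Unknown'. The following is an added example, not the DefectDojo parser's own code, showing a single entry point that detects which layout it was given and pulls the description from either; the two sample reports are constructed, and every key beyond the ones named in the thread ("response", "vulnerability", "vulnerabilities", "description") is an assumption.

```python
import json

# Constructed sample in the legacy (Unified Agent / API 1.0-2.0) layout:
# findings sit directly in a top-level "vulnerabilities" list.
LEGACY_REPORT = {
    "vulnerabilities": [
        {"name": "VULN-0001", "severity": "high",
         "description": "Constructed legacy description"},
        {"name": "VULN-0002", "severity": "low"},  # no description field at all
    ],
}

# Constructed sample in the Mend Platform / API 3.0 layout described in the
# thread: entries under "response", each wrapping the details in a
# "vulnerability" object. The sibling "component" key is an assumption.
PLATFORM_REPORT = {
    "response": [
        {"vulnerability": {"name": "VULN-0003", "severity": "medium",
                           "description": "Constructed platform description"},
         "component": {"name": "example-lib", "version": "1.0.0"}},
        {"vulnerability": {"name": "VULN-0004", "severity": "critical"}},
    ],
}

UNKNOWN = "Unknown"


def detect_schema(data: dict) -> str:
    """Return 'platform' for the API 3.0 layout, 'legacy' for the older one."""
    if isinstance(data.get("response"), list):
        return "platform"
    if isinstance(data.get("vulnerabilities"), list):
        return "legacy"
    raise ValueError("unrecognised Mend SCA report layout")


def iter_vulnerabilities(data: dict):
    """Yield the per-vulnerability dicts regardless of which layout we got."""
    if detect_schema(data) == "legacy":
        yield from data["vulnerabilities"]
        return
    for entry in data["response"]:
        vuln = entry.get("vulnerability")
        if isinstance(vuln, dict):
            # Carry the (assumed) component details along for the description.
            yield {**vuln, "_component": entry.get("component", {})}


def legacy_style_description(entry: dict) -> str:
    """A legacy-only lookup: reads 'description' from the entry itself. On a
    platform entry the text sits one level deeper, so this yields 'Unknown',
    which is the symptom reported in the thread."""
    return entry.get("description") or UNKNOWN


def build_description(vuln: dict) -> str:
    """Build the description from the vulnerability's own text plus any
    component context the platform layout carries; fall back to 'Unknown'."""
    parts = [vuln.get("description") or UNKNOWN]
    component = vuln.get("_component") or {}
    if component.get("name"):
        parts.append(f"Component: {component['name']} {component.get('version', '')}".strip())
    return "\n".join(parts)


def parse_report_data(data: dict) -> list:
    """Turn either layout into a flat list of finding dicts."""
    return [
        {"title": v.get("name", UNKNOWN),
         "severity": v.get("severity", "info").capitalize(),
         "description": build_description(v)}
        for v in iter_vulnerabilities(data)
    ]


def parse_report(raw: str) -> list:
    """Entry point for a raw JSON document as uploaded to the tool."""
    return parse_report_data(json.loads(raw))


if __name__ == "__main__":
    for report in (LEGACY_REPORT, PLATFORM_REPORT):
        print(detect_schema(report))
        print(json.dumps(parse_report_data(report), indent=2))
```

`legacy_style_description` is kept only to make the failure mode visible: applied to a platform entry it returns 'Unknown' even though the description is present, while `iter_vulnerabilities` descends into the nested object first and `build_description` then sees it. Detection keys on the container type rather than on an API version string, so a document that carries both keys is still classified deterministically.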
Approved