From 716f94a0bdc4600027bc635cf7ef64ee9a55b5a2 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 17:00:01 -0800
Subject: [PATCH 01/57] Add new Mend Platform API 3.0 parser

Existing Mend parser is for 1.0 or 2.0 and Unified Agent based 'legacy' vulnerabilities schema, whereas a new Mend Platform and API 3.0 has changed this structure, requiring a need for a new parser. This is for SCA only at the moment.
---
 dojo/tools/mend-sca-platform-api3/__init__.py | 0
 dojo/tools/mend-sca-platform-api3/parser.py | 189 +++++
 .../mend-sca-platform-api3-five-findings.json | 773 ++++++++++++++++++
 .../mend-sca-platform-api3-no-findings.json | 1 +
 .../mend-sca-platform-api3-one-finding.json | 81 ++
 .../tools/test_mend_platform_api3_parser.py | 46 ++
 6 files changed, 1090 insertions(+)
 create mode 100644 dojo/tools/mend-sca-platform-api3/__init__.py
 create mode 100644 dojo/tools/mend-sca-platform-api3/parser.py
 create mode 100644 unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json
 create mode 100644 unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json
 create mode 100644 unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json
 create mode 100644 unittests/tools/test_mend_platform_api3_parser.py

diff --git a/dojo/tools/mend-sca-platform-api3/__init__.py b/dojo/tools/mend-sca-platform-api3/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py
new file mode 100644
index 0000000000..6719973256
--- /dev/null
+++ b/dojo/tools/mend-sca-platform-api3/parser.py
@@ -0,0 +1,189 @@ +import hashlib +import json +import logging + +from dojo.models import Finding + +__author__ = "testaccount90009 aka SH" + +logger = logging.getLogger(__name__) + + +class Mend_platform_api3Parser: + def get_scan_types(self): + return ["Mend Platform APIv3 Scan"] + + def get_label_for_scan_types(self, scan_type): + return "Mend Platform APIv3 Scan" + + def get_description_for_scan_types(self, scan_type): + return "Import JSON report" + + def get_findings(self, file, test): + if file is None: + return [] + + data = file.read() + try: + content = json.loads(str(data, "utf-8")) + except Exception: + content = json.loads(data) + + def _build_common_output(node, lib_name=None): + # project only available in manual export + # name --> CVE in manual, library name in pipeline + cve = None + component_name = None + component_version = None + impact = None + if 'component' in node: + node.get('project') + description = ( + "**Vulnerability Description** : " + + node['vulnerability'.get('description', "") + + "\n\n" + + "**Component Name** : " + + node['component'].get('name', "") + + "\n\n" + + "**Component Type** : " + + node['component'].get('componentType', "") + + "\n\n" + + "**Root Library** : " + + node['component'].get('rootLibrary', "") + + "\n\n" + + "**Library Type** : " + + node['component'].get('libraryType', "") + + "\n\n" + + "**Location Found** : " + + node['component'].get('path', "") + + "\n\n" + + "**Direct or Transitive Dependency** : " + + node['component'].get('dependencyType', "") + + "\n" + ) + lib_name = node['component'].get('name') + component_name = node['component'].get('artifactId') + component_version = node['component'].get('version') + impact = node['component'].get('dependencyType') + else: + description = node['vulnerability'].get('description') + + cve = node.get('name') + if cve is None: + title = "CVE-None | " + lib_name + else: + title = cve + " | " + lib_name + # cvss2 by default in CLI, but cvss3 in UI. 
Adapting to have + # homogeneous behavior. + if 'vulnerability' in node: + cvss_sev = node['vulnerability'].get('severity') + else: + cvss_sev = node['vulnerability'].get('severity') + severity = cvss_sev.lower().capitalize() + + cvss3_score = node['vulnerability'].get('score', None) + cvss3_vector = node.get('scoreMetadataVector', None) + severity_justification = "CVSS v3 score: {} ({})".format( + cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A", + ) + cwe = 1035 # default OWASP a9 until the report actually has them + + mitigation = "N/A" + if 'topFix' in node: + try: + topfix_node = node.get('topFix') + mitigation = "**Resolution** ({}): {}\n".format( + topfix_node.get('date'), + topfix_node.get('fixResolution'), + ) + except Exception: + logger.exception("Error handling topFix node.") + + filepaths = [] + if 'sourceFiles' in node: + try: + sourceFiles_node = node.get('sourceFiles') + for sfile in sourceFiles_node: + filepaths.append(sfile.get('localPath')) + except Exception: + logger.exception( + "Error handling local paths for vulnerability.", + ) + + locations = [] + if 'locations' in node: + try: + locations_node = node.get('locations', []) + for location in locations_node: + path = location.get('path') + if path is not None: + locations.append(path) + except Exception: + logger.exception( + "Error handling local paths for vulnerability.", + ) + + if locations: + filepaths = locations + else: + filepaths = filepaths + + new_finding = Finding( + title=title, + test=test, + description=description, + severity=severity, + cwe=cwe, + mitigation=mitigation, + file_path=", ".join(filepaths), + component_name=component_name, + component_version=component_version, + severity_justification=severity_justification, + dynamic_finding=True, + cvssv3=cvss3_vector, + cvssv3_score=float(cvss3_score) if cvss3_score is not None else None, + impact=impact, + ) + if cve: + new_finding.unsaved_vulnerability_ids = [cve] + + 
return new_finding + + findings = [] + if 'libraries' in content: + # we are likely dealing with a report generated from CLI with -generateScanReport, + # which will output vulnerabilities as an array of a library + # In this scenario, build up an array + tree_libs = content.get('libraries') + for lib_node in tree_libs: + # get the overall lib info here, before going into vulns + if ( + 'response' in lib_node + and len(lib_node.get('response')) > 0 + ): + for vuln in lib_node.get('response'): + findings.append( + _build_common_output(vuln, lib_node.get('name')), + ) + + elif 'response' in content: + # likely a manual json export for vulnerabilities only for a project. + # Vulns are standalone, and library is a property. + tree_node = content['response'] + for node in tree_node: + findings.append(_build_common_output(node)) + + def create_finding_key(f: Finding) -> str: + """Hashes the finding's description and title to retrieve a key for deduplication.""" + return hashlib.md5( + f.description.encode("utf-8") + + f.title.encode("utf-8"), + ).hexdigest() + + dupes = {} + for finding in findings: + dupe_key = create_finding_key(finding) + if dupe_key not in dupes: + dupes[dupe_key] = finding + + return list(dupes.values()) diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json new file mode 100644 index 0000000000..954afdef00 --- /dev/null +++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json 
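Review bot: `node['vulnerability'.get('description', "")` in the description concatenation of `_build_common_output` opens a `[` that is never closed in the hunk as shown, so the module will not even import (SyntaxError), and once the bracket is placed `'vulnerability'.get(...)` is still a method call on a string literal; the line should read `+ node['vulnerability'].get('description', "")`. In the same concatenation `node['component'].get('rootLibrary', "")` is appended to a `str`, but the value the fixtures carry is a boolean (`'rootLibrary': True`), which raises TypeError at runtime, so coerce it with `str(node['component'].get('rootLibrary', ""))`. The `if 'vulnerability' in node:` / `else:` pair that follows has identical bodies and the `else` branch can only raise KeyError; a single `cvss_sev = node.get('vulnerability', {}).get('severity')` with a `None` guard before `.lower().capitalize()` says what was meant. The `except Exception` fallback around the first `json.loads` also hides the original decode error and re-raises a second, less specific one from `json.loads(data)`; catching only `UnicodeDecodeError`, or decoding once with `data.decode("utf-8")`, keeps the real failure visible.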
@@ -0,0 +1,773 @@ +{ + 'additionalData': { + 'totalItems': 11, + 'paging': { } + }, + 'supportToken': '3cdb1f55250864891a790b7f324be7ddc1731541902285', + 'response': [ + { + 'uuid': '23bcab53-d599-4c2e-acce-89880a1ba8ae', + 'name': 'CVE-2022-42004', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'aa25c040-953e-49c1-a824-278169adf8a4', + 'name': 'jackson-databind-2.13.3.jar', + 'description': 'Generaldata-binding functionality for Jackson: works on core streaming API', + 'componentType': 'Library', + 'libraryType': 'MAVEN_ARTIFACT', + 'rootLibrary': True, + 'references': { + 'url': 'http://fasterxml.com/', + 'pomUrl': 'https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom' + }, + 'groupId': 'com.fasterxml.jackson.core', + 'artifactId': 'jackson-databind', + 'version': '2.13.3', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-17T13:56:01Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2022-42004', + 'type': 'CVSS_3', + 'description': 'In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.', + 'score': 7.5, + 'severity': 'HIGH', + 'publishDate': '2022-10-02T00:00:00Z', + 'modifiedDate': '2024-08-03T12:56:39Z', + 'vulnerabilityScoring': [ + { + 'score': 7.5, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 109760, + 'vulnerability': 'CVE-2022-42004', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/FasterXML/jackson-databind/issues/3582', + 'fixResolution': 'com.fasterxml.jackson.core:jackson-databind:2.13.4', + 'date': '2022-10-02T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.3 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + }, + { + 'uuid': '21548f3e-2a6e-48bd-998d-be6b40fed54c', + 'name': 'CVE-2018-8269', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'a124f02a-e4e0-476d-8ef1-6bd3a4238245', + 'name': 'Microsoft.Data.OData-5.2.0.51212.dll', + 'description': 'Microsoft.Data.OData.dll', + 'componentType': 'Library', + 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', + 'rootLibrary': True, + 'references': { + 'url': 'https://api.nuget.org/packages/microsoft.data.odata.5.2.0.nupkg', + 'homePage': 'http://go.microsoft.com/fwlink/?LinkId=220868', + 'genericPackageIndex': '' + }, + 'groupId': 'Microsoft.Data.OData', + 'artifactId': 'Microsoft.Data.OData-5.2.0.51212.dll', + 'version': '5.2.0.51212', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-20T10:42:50Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 
'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2018-8269', + 'type': 'CVSS_3', + 'description': 'A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.', + 'score': 7.5, + 'severity': 'HIGH', + 'publishDate': '2018-09-13T00:00:00Z', + 'modifiedDate': '2024-08-05T06:46:13Z', + 'vulnerabilityScoring': [ + { + 'score': 7.5, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 60177, + 'vulnerability': 'CVE-2018-8269', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/aspnet/Announcements/issues/385', + 'fixResolution': 'Microsoft.Data.OData - 5.8.4', + 'date': '2018-09-13T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 2.8999999 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + }, + { + 'uuid': '07568c8b-3288-4f6e-8292-e350e8a80a84', + 'name': 'CVE-2018-8032', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', + 'name': 'axis-1.4.jar', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'JAVA_ARCHIVE', + 'rootLibrary': True, + 'references': { + 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', + 'genericPackageIndex': '' + }, + 'groupId': 'axis-1', + 'artifactId': 'axis.jar', + 'version': '1.4', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-11T21:44:34Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 
'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2018-8032', + 'type': 'CVSS_3', + 'description': 'Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.', + 'score': 6.1, + 'severity': 'MEDIUM', + 'publishDate': '2018-08-02T13:00:00Z', + 'modifiedDate': '2024-09-16T16:29:01Z', + 'vulnerabilityScoring': [ + { + 'score': 6.1, + 'severity': 'MEDIUM', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 100830, + 'vulnerability': 'CVE-2018-8032', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2018-8032', + 'fixResolution': 'no_fix', + 'date': '2018-07-08T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.4 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N' + }, + { + 'uuid': 'a513b00e-05cd-4843-b315-01aca5eb05ad', + 'name': 'CVE-2022-40152', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'd7de9e3c-a8c8-4b15-ba92-201b514498cc', + 'name': 'woodstox-core-6.2.8.jar', + 'description': 'Woodstox is a high-performance XML processor that implements Stax (JSR-173),\nSAX2 and Stax2 APIs', + 'componentType': 'Library', + 'libraryType': 'MAVEN_ARTIFACT', + 'rootLibrary': True, + 'references': { + 'url': 'http://fasterxml.com', + 'pomUrl': 'https://nexus.opendaylight.org/content/groups/public/com/fasterxml/woodstox/woodstox-core/6.2.8/woodstox-core-6.2.8.pom' + }, + 'groupId': 'com.fasterxml.woodstox', + 'artifactId': 'woodstox-core', + 'version': '6.2.8', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-17T13:56:01Z' + }, + 'project': { + 'uuid': 
'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2022-40152', + 'type': 'CVSS_3', + 'description': 'Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.', + 'score': 6.5, + 'severity': 'MEDIUM', + 'publishDate': '2022-09-16T10:00:22Z', + 'modifiedDate': '2024-09-16T19:14:50Z', + 'vulnerabilityScoring': [ + { + 'score': 6.5, + 'severity': 'MEDIUM', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 110139, + 'vulnerability': 'CVE-2022-40152', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/FasterXML/woodstox/pull/159', + 'fixResolution': 'com.fasterxml.woodstox:woodstox-core:5.4.0,6.4.0', + 'date': '2022-09-16T10:00:22Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.8 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H' + }, + { + 'uuid': 'eabc72c0-370f-42fc-82fa-7a8584f71a2a', + 'name': 'CVE-2022-42003', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'aa25c040-953e-49c1-a824-278169adf8a4', + 'name': 'jackson-databind-2.13.3.jar', + 'description': 'General data-binding functionality for Jackson: works on core streaming API', + 'componentType': 'Library', + 'libraryType': 'MAVEN_ARTIFACT', + 'rootLibrary': True, + 'references': { + 'url': 'http://fasterxml.com/', + 'pomUrl': 
'https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom' + }, + 'groupId': 'com.fasterxml.jackson.core', + 'artifactId': 'jackson-databind', + 'version': '2.13.3', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-17T13:56:01Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2022-42003', + 'type': 'CVSS_3', + 'description': 'In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.\n Mend Note: For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users. 
', + 'score': 7.5, + 'severity': 'HIGH', + 'publishDate': '2022-10-02T00:00:00Z', + 'modifiedDate': '2024-08-03T12:56:39Z', + 'vulnerabilityScoring': [ + { + 'score': 7.5, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 133291, + 'vulnerability': 'CVE-2022-42003', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/advisories/GHSA-jjjh-jjxp-wpff', + 'fixResolution': 'com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2', + 'date': '2022-10-02T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.3 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + }, + { + 'uuid': '59815375-eb59-460c-ae55-27c69ae9ca7d', + 'name': 'CVE-2014-3596', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', + 'name': 'axis-1.4.jar', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'JAVA_ARCHIVE', + 'rootLibrary': True, + 'references': { + 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', + 'genericPackageIndex': '' + }, + 'groupId': 'axis-1', + 'artifactId': 'axis.jar', + 'version': '1.4', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-11T21:44:34Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2014-3596', + 'type': 'CVSS_3', + 'description': "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name 
in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSLservers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.", + 'score': 4.8, + 'severity': 'MEDIUM', + 'publishDate': '2014-08-27T00:00:00Z', + 'modifiedDate': '2024-08-06T10:50:17Z', + 'vulnerabilityScoring': [ + { + 'score': 4.8, + 'severity': 'MEDIUM', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 87936, + 'vulnerability': 'CVE-2014-3596', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2014-3596', + 'fixResolution': 'axis:axis - 1.3-atlassian-1', + 'date': '2014-08-27T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.2 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N' + }, + { + 'uuid': 'b22790d4-9186-45a6-aa11-37ec13fce85f', + 'name': 'CVE-2021-24112', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'e7f7552f-f9d4-4c62-9a05-ab0701d44a4e', + 'name': 'System.Drawing.Common-4.6.26515.06.dll', + 'description': 'System.Drawing.Common', + 'componentType': 'Library', + 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', + 'rootLibrary': True, + 'references': { + 'url': 'https://api.nuget.org/packages/system.drawing.common.4.5.0.nupkg', + 'homePage': 'https://dot.net/', + 'genericPackageIndex': '' + }, + 'groupId': 'System.Drawing.Common', + 'artifactId': 'System.Drawing.Common-4.6.26515.06.dll', + 'version': '4.6.26515.06', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-13T11:40:20Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 
'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2021-24112', + 'type': 'CVSS_3', + 'description': '.NET Core Remote Code Execution Vulnerability', + 'score': 8.1, + 'severity': 'HIGH', + 'publishDate': '2021-02-25T23:01:57Z', + 'modifiedDate': '2024-08-03T19:21:18Z', + 'vulnerabilityScoring': [ + { + 'score': 8.1, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 110775, + 'vulnerability': 'CVE-2021-24112', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/advisories/GHSA-rxg9-xrhp-64gj', + 'fixResolution': 'System.Drawing.Common - 4.7.2,5.0.3', + 'date': '2021-02-25T23:15:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'POC_CODE', + 'epssPercentage': 2.0 + }, + 'exploitable': True, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C' + }, + { + 'uuid': '1efbe99b-724e-4ff2-aa5a-81a5581aae30', + 'name': 'CVE-2021-22570', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'e642b361-9c26-4be5-9ae6-15f97124ed8b', + 'name': 'Google.Protobuf-3.10.0.0.dll', + 'description': 'Google Protocol Buffers', + 'componentType': 'Library', + 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', + 'rootLibrary': True, + 'references': { + 'url': 'https://api.nuget.org/packages/google.protobuf.3.10.0.nupkg', + 'homePage': 'https://github.com/protocolbuffers/protobuf', + 'genericPackageIndex': '' + }, + 'groupId': 'Google.Protobuf', + 'artifactId': 'Google.Protobuf-3.10.0.0.dll', + 'version': '3.10.0.0', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'LIBRARY_REMOVED', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-13T11:40:20Z' + }, + 'project': { + 
'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2021-22570', + 'type': 'CVSS_3', + 'description': "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.", + 'score': 6.5, + 'severity': 'MEDIUM', + 'publishDate': '2022-01-26T00:00:00Z', + 'modifiedDate': '2024-08-03T18:44:13Z', + 'vulnerabilityScoring': [ + { + 'score': 6.5, + 'severity': 'MEDIUM', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 102974, + 'vulnerability': 'CVE-2021-22570', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/advisories/GHSA-77rm-9x9h-xj3g', + 'fixResolution': 'Google.Protobuf - 3.15.0', + 'date': '2022-01-26T00:00:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.0 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H' + }, + { + 'uuid': 'acae8e26-d778-48dc-8b26-8073c06d0572', + 'name': 'CVE-2019-0227', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', + 'name': 'axis-1.4.jar', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'JAVA_ARCHIVE', + 'rootLibrary': True, + 'references': { + 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', + 'genericPackageIndex': '' + }, + 'groupId': 'axis-1', + 'artifactId': 'axis.jar', + 'version': '1.4', + 'dependencyType': 'Direct' 
+ }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2023-04-11T21:44:34Z', + 'modifiedAt': '2023-04-11T21:44:34Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2019-0227', + 'type': 'CVSS_3', + 'description': 'A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.', + 'score': 7.5, + 'severity': 'HIGH', + 'publishDate': '2019-05-01T20:03:49Z', + 'modifiedDate': '2024-08-04T17:44:15Z', + 'vulnerabilityScoring': [ + { + 'score': 7.5, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 71103, + 'vulnerability': 'CVE-2019-0227', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/', + 'fixResolution': 'org.apache.axis2:axis2:1.7.9', + 'date': '2019-05-01T21:29:00Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 86.2 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H' + }, + { + 'uuid': '7c1e2f26-2f2e-429d-9779-5ee2c1c34fff', + 'name': 'CVE-2023-40743', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', + 'name': 'axis-1.4.jar', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'JAVA_ARCHIVE', + 
'rootLibrary': True, + 'references': { + 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', + 'genericPackageIndex': '' + }, + 'groupId': 'axis-1', + 'artifactId': 'axis.jar', + 'version': '1.4', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2023-12-31T00:06:43Z', + 'modifiedAt': '2023-12-31T00:06:43Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2023-40743', + 'type': 'CVSS_3', + 'description': '** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . 
The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.\n\n', + 'score': 9.8, + 'severity': 'CRITICAL', + 'publishDate': '2023-09-05T14:42:13Z', + 'modifiedDate': '2024-08-02T19:15:56Z', + 'vulnerabilityScoring': [ + { + 'score': 9.8, + 'severity': 'CRITICAL', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.3 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' + }, + { + 'uuid': 'ac04a94e-16df-4f69-a8ac-3d6a092c8091', + 'name': 'CVE-2023-51441', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', + 'name': 'axis-1.4.jar', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'JAVA_ARCHIVE', + 'rootLibrary': True, + 'references': { + 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', + 'genericPackageIndex': '' + }, + 'groupId': 'axis-1', + 'artifactId': 'axis.jar', + 'version': '1.4', + 'dependencyType': 'Direct' + }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2024-01-08T22:47:45Z', + 'modifiedAt': '2024-01-08T22:47:45Z' + }, + 'project': { + 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' + }, + 'application': { + 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2023-51441', + 'type': 'CVSS_3', + 'description': '** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability inApache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP 
engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\nthis are welcome.\n\n', + 'score': 7.2, + 'severity': 'HIGH', + 'publishDate': '2024-01-06T11:59:37Z', + 'modifiedDate': '2024-08-02T23:15:47Z', + 'vulnerabilityScoring': [ + { + 'score': 7.2, + 'severity': 'HIGH', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 129844, + 'vulnerability': 'CVE-2023-51441', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2023-51441', + 'fixResolution': 'no_fix', + 'date': '2024-01-06T12:15:43Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.1 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H' + } + ] +} \ No newline at end of file diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json new file mode 100644 index 0000000000..9e8f84e40a --- /dev/null +++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json @@ -0,0 +1 @@ +{'additionalData': {'totalItems': 0, 'paging': {}}, 'supportToken': '123442284e284dddb0652ff65c9f3ebd1731540952924', 'response': []} \ No newline at end of file diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json new file mode 100644 index 0000000000..6e03619a8c --- /dev/null +++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json 
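Review bot: The fixture body is a Python literal rather than JSON — keys and strings are single-quoted and the booleans are `True`/`False` — so `json.loads` in the parser under review raises `JSONDecodeError` on `mend-sca-platform-api3-five-findings.json` before any finding is built; the `mend-sca-platform-api3-no-findings.json` hunk that follows and the `mend-sca-platform-api3-one-finding.json` hunk have the same problem. Re-export the three fixtures as strict JSON (double quotes, `true`/`false`, e.g. via `json.dumps` of the captured response) so the unit test exercises the parser's real decode path. The `supportToken` values look like identifiers issued by a live tenant; if that is what they are, a clearly synthetic placeholder is preferable in committed test data.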
@@ -0,0 +1,81 @@ +{ + 'additionalData': { + 'totalItems': 1, + 'paging': { } + }, + 'supportToken': '17da68189a2eb40ec9b5d99c8141495191731541262319', + 'response': [ + { + 'uuid': '7d60c0ad-1585-4aab-a74c-120e5819d84c', + 'name': 'CVE-2024-51744', + 'type': 'SECURITY_VULNERABILITY', + 'component': { + 'uuid': 'e8e7d995-e58a-4a02-b929-76a2963f088a', + 'name': 'github.com/golang-JWT/jwt-v3.2.2+incompatible', + 'description': '', + 'componentType': 'Library', + 'libraryType': 'GO_PACKAGE', + 'rootLibrary': True, + 'references': { + 'url': 'https://proxy.golang.org/github.com/golang-!j!w!t/jwt/@v/v3.2.2+incompatible.zip', + 'homePage': 'https://pkg.go.dev/github.com/golang-JWT/jwt@v3.2.2+incompatible', + 'genericPackageIndex': 'http://go-search.org/api?action=package&id=github.com%2Fgolang-JWT%2Fjwt' + }, + 'groupId': 'github.com/golang-JWT/jwt', + 'artifactId': 'github.com/golang-JWT/jwt', + 'version': 'v3.2.2+incompatible', + 'path': '/source/go.mod', + 'dependencyType': 'Direct / Transitive' + }, + 'findingInfo': { + 'status': 'ACTIVE', + 'comment': { }, + 'detectedAt': '2024-11-10T08:47:02Z', + 'modifiedAt': '2024-11-10T08:47:02Z' + }, + 'project': { + 'uuid': '32bff718-28a2-463b-9c4f-7f66b286b34c', + 'name': 'project-name', + 'path': 'application-name', + 'applicationUuid': '8663102a-5f11-4139-9281-c4c72a6ea402' + }, + 'application': { + 'uuid': '8663102a-5f11-4139-9281-c4c72a6ea402', + 'name': 'application-name' + }, + 'vulnerability': { + 'name': 'CVE-2024-51744', + 'type': 'CVSS_3', + 'description': 'golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. 
If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they willignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.', + 'score': 3.1, + 'severity': 'LOW', + 'publishDate': '2024-11-04T21:47:12Z', + 'modifiedDate': '2024-11-05T16:11:42Z', + 'vulnerabilityScoring': [ + { + 'score': 3.1, + 'severity': 'LOW', + 'type': 'CVSS_3' + } + ] + }, + 'topFix': { + 'id': 135282, + 'vulnerability': 'CVE-2024-51744', + 'type': 'UPGRADE_VERSION', + 'origin': 'WHITESOURCE_EXPERT', + 'url': 'https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r', + 'fixResolution': 'github.com/golang-jwt/jwt-v4.5.1', + 'date': '2024-11-04T21:47:12Z', + 'message': 'Upgrade to version' + }, + 'effective': 'NO_SHIELD', + 'threatAssessment': { + 'exploitCodeMaturity': 'NOT_DEFINED', + 'epssPercentage': 0.0 + }, + 'exploitable': False, + 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N' + } + ] +} \ No newline at end of file diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py new file mode 100644 index 0000000000..db211b0eb1 --- /dev/null 
+++ b/unittests/tools/test_mend_platform_api3_parser.py 
@@ -0,0 +1,46 @@ +from dojo.models import Test +from dojo.tools.mend_platform_api3.parser import Mend_platform_api3Parser +from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path + + +class TestMend_platform_api3Parser(DojoTestCase): + + def test_parse_file_with_no_vuln_has_no_findings(self): + with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile: + parser = Mend_platform_api3Parser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(0, len(findings)) + + def test_parse_file_with_one_vuln_has_one_findings(self): + with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json", encoding="utf-8") as testfile: + parser = Mend_platform_api3Parser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + finding = list(findings)[0] + self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) + self.assertEqual("CVE-2024-51744", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", finding.cvssv3) + self.assertEqual(3.1, finding.cvssv3_score) + + def test_parse_file_with_multiple_vuln_has_multiple_finding(self): + with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile: + parser = Mend_platform_api3Parser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(5, len(findings)) + +#The below context is TBD on if it is needed or not. 
+# def test_parse_file_with_multiple_vuln_cli_output(self): +# with open( +# get_unit_tests_path() + "/scans/mend_platform_api3/cli_generated_many_vulns.json", encoding="utf-8", +# ) as testfile: +# parser = mend_platform_api3Parser() +# findings = parser.get_findings(testfile, Test()) +# self.assertEqual(20, len(findings)) +# +# def test_parse_file_with_one_sca_vuln_finding(self): +# with open("unittests/scans/mend_platform_api3/mend_platform_api3_sca_vuln.json", encoding="utf-8") as testfile: +# parser = mend_platform_api3Parser() +# findings = parser.get_findings(testfile, Test()) +# self.assertEqual(1, len(findings)) +# finding = list(findings)[0] +# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) From b2fe0b852f21a8696e3d967bea1d602905cf169d Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:01:59 -0800 Subject: [PATCH 02/57] Update test_mend_platform_api3_parser.py --- unittests/tools/test_mend_platform_api3_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index db211b0eb1..4b04e09088 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py 
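Review bot: The import `from dojo.tools.mend_platform_api3.parser import Mend_platform_api3Parser` cannot resolve against this commit, which creates the module at `dojo/tools/mend-sca-platform-api3/parser.py`: a hyphenated directory is not an importable package, and the name differs anyway (PATCH 12 further down renames the directory to `mend_sca_platform_api3`, which is the fix). `get_unit_tests_path` is imported but only referenced from the commented-out block, which in turn names a non-existent lowercase `mend_platform_api3Parser`; either delete that block or keep it as a single `# TODO:` with the right class name. The one-finding test is the only one that checks field values; consider also asserting `finding.severity` and `finding.mitigation` there so the parser's mapping of `severity` and `topFix` is pinned rather than just the count.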
@@ -43,4 +43,4 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): # findings = parser.get_findings(testfile, Test()) # self.assertEqual(1, len(findings)) # finding = list(findings)[0] -# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) +# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) \ No newline at end of file From 7e8a2fdb38ace0e419652886bdc54127dfe74feb Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:03:00 -0800 Subject: [PATCH 03/57] Update test_mend_platform_api3_parser.py --- unittests/tools/test_mend_platform_api3_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index 4b04e09088..db211b0eb1 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py @@ -43,4 +43,4 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): # findings = parser.get_findings(testfile, Test()) # self.assertEqual(1, len(findings)) # finding = list(findings)[0] -# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) \ No newline at end of file +# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) From 82e46eed89227e6aa3c260157c46dbfca0fcdd1b Mon Sep 17 00:00:00 2001 
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:03:57 -0800 Subject: [PATCH 04/57] Update test_mend_platform_api3_parser.py --- unittests/tools/test_mend_platform_api3_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index db211b0eb1..409d48158c 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py @@ -28,7 +28,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): findings = parser.get_findings(testfile, Test()) self.assertEqual(5, len(findings)) -#The below context is TBD on if it is needed or not. +# The below context is TBD on if it is needed or not. # def test_parse_file_with_multiple_vuln_cli_output(self): # with open( # get_unit_tests_path() + "/scans/mend_platform_api3/cli_generated_many_vulns.json", encoding="utf-8", From 4f45fa67e2129ae839bc8e293e08cd3e0912abd8 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:06:27 -0800 Subject: [PATCH 05/57] Update test_mend_platform_api3_parser.py --- unittests/tools/test_mend_platform_api3_parser.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index 409d48158c..5f7755ed64 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py 
@@ -23,7 +23,9 @@ def test_parse_file_with_one_vuln_has_one_findings(self): self.assertEqual(3.1, finding.cvssv3_score) def test_parse_file_with_multiple_vuln_has_multiple_finding(self): - with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile: + with open( + get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8", + ) as testfile: parser = Mend_platform_api3Parser() findings = parser.get_findings(testfile, Test()) self.assertEqual(5, len(findings)) From 2eec598b83c7e3cf2b8a6178dc57b522dcb7e6d7 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:09:23 -0800 Subject: [PATCH 06/57] Update parser.py --- dojo/tools/mend-sca-platform-api3/parser.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py index 6719973256..f757cfd183 100644 --- a/dojo/tools/mend-sca-platform-api3/parser.py +++ b/dojo/tools/mend-sca-platform-api3/parser.py @@ -8,7 +8,6 @@ logger = logging.getLogger(__name__) - class Mend_platform_api3Parser: def get_scan_types(self): return ["Mend Platform APIv3 Scan"] @@ -37,10 +36,10 @@ def _build_common_output(node, lib_name=None): component_version = None impact = None if 'component' in node: - node.get('project') + # Fixed the issue here: changed 'vulnerability'.get() to 'vulnerability'.get() for proper access description = ( "**Vulnerability Description** : " - + node['vulnerability'.get('description', "") + + node['vulnerability'].get('description', "") + "\n\n" + "**Component Name** : " + node['component'].get('name', "") 
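Review bot: The new path `get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json"` has no separator between the helper's return value and the literal, and judging from the commented-out usage in the same file (`get_unit_tests_path() + "/scans/..."`) the helper already points at the `unittests` directory, so the `unittests/` segment is duplicated as well. Either keep the plain relative path the other two tests use, or write `get_unit_tests_path() + "/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json"`. The PATCH 15/16 hunks at the end of this view toggle the trailing comma on this same line without correcting it.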
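Review bot: The comment added in place of the dead `node.get('project')` call, `# Fixed the issue here: changed 'vulnerability'.get() to 'vulnerability'.get() for proper access`, describes a change rather than the code and its two halves are identical, so it tells a reader nothing; drop it, or replace it with what the branch actually assumes, e.g. `# component present: description is assembled from node['vulnerability'] and node['component']`. The corrected subscript `node['vulnerability'].get('description', "")` itself is right. `_build_common_output` starts and ends outside this hunk.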
@@ -73,8 +72,8 @@ def _build_common_output(node, lib_name=None): title = "CVE-None | " + lib_name else: title = cve + " | " + lib_name - # cvss2 by default in CLI, but cvss3 in UI. Adapting to have - # homogeneous behavior. + + # Fixed the second assignment for cvss_sev. if 'vulnerability' in node: cvss_sev = node['vulnerability'].get('severity') else: From 4cd5bb3f436a34be4ce9ed7eba82f9df50ca11d6 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:13:21 -0800 Subject: [PATCH 07/57] Update parser.py --- dojo/tools/mend-sca-platform-api3/parser.py | 90 +++++++++------------ 1 file changed, 36 insertions(+), 54 deletions(-) diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py index f757cfd183..51b5d7afc8 100644 --- a/dojo/tools/mend-sca-platform-api3/parser.py +++ b/dojo/tools/mend-sca-platform-api3/parser.py @@ -23,10 +23,14 @@ def get_findings(self, file, test): return [] data = file.read() + # Ensure we handle JSON formatting before attempting to parse try: - content = json.loads(str(data, "utf-8")) - except Exception: - content = json.loads(data) + # Try fixing the single quotes by replacing them with double quotes + fixed_data = data.replace("'", '"') + content = json.loads(fixed_data) + except Exception as e: + logger.exception("Failed to parse JSON data: %s", e) + return [] def _build_common_output(node, lib_name=None): # project only available in manual export @@ -35,8 +39,8 @@ def _build_common_output(node, lib_name=None): component_name = None component_version = None impact = None + if 'component' in node: - # Fixed the issue here: changed 'vulnerability'.get() to 'vulnerability'.get() for proper access description = ( "**Vulnerability Description** : " + node['vulnerability'].get('description', "") 
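Review bot: Returning `[]` from the `except Exception` branch turns any parse failure into a successful import with zero findings, which for a vulnerability import is the wrong failure mode: the operator sees a clean scan instead of an error. Let the exception propagate, or `raise ValueError("Mend Platform API 3 report is not valid JSON") from e`, so the upload is rejected. The blanket `data.replace("'", '"')` is also unsafe: it rewrites apostrophes inside vulnerability descriptions, does not turn the fixtures' `True`/`False` into JSON booleans, and if `file.read()` yields `bytes` it raises `TypeError` before parsing starts; the fixtures should become valid JSON instead. The enclosing `get_findings` continues outside the hunk.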
@@ -48,7 +52,7 @@ def _build_common_output(node, lib_name=None): + node['component'].get('componentType', "") + "\n\n" + "**Root Library** : " - + node['component'].get('rootLibrary', "") + + str(node['component'].get('rootLibrary', "")) + "\n\n" + "**Library Type** : " + node['component'].get('libraryType', "") @@ -65,7 +69,7 @@ def _build_common_output(node, lib_name=None): component_version = node['component'].get('version') impact = node['component'].get('dependencyType') else: - description = node['vulnerability'].get('description') + description = node['vulnerability'].get('description', "") cve = node.get('name') if cve is None: 
@@ -73,65 +77,56 @@ def _build_common_output(node, lib_name=None): else: title = cve + " | " + lib_name - # Fixed the second assignment for cvss_sev. - if 'vulnerability' in node: - cvss_sev = node['vulnerability'].get('severity') - else: - cvss_sev = node['vulnerability'].get('severity') - severity = cvss_sev.lower().capitalize() + cvss_sev = node.get('vulnerability', {}).get('severity', 'UNKNOWN').lower().capitalize() - cvss3_score = node['vulnerability'].get('score', None) + cvss3_score = node.get('vulnerability', {}).get('score', None) cvss3_vector = node.get('scoreMetadataVector', None) severity_justification = "CVSS v3 score: {} ({})".format( cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A", ) + cwe = 1035 # default OWASP a9 until the report actually has them + # Handling Mitigation (topFix) safely mitigation = "N/A" if 'topFix' in node: try: - topfix_node = node.get('topFix') + topfix_node = node.get('topFix', {}) mitigation = "**Resolution** ({}): {}\n".format( - topfix_node.get('date'), - topfix_node.get('fixResolution'), + topfix_node.get('date', 'N/A'), + topfix_node.get('fixResolution', 'N/A'), ) - except Exception: - logger.exception("Error handling topFix node.") + except Exception as ex: + logger.exception("Error handling topFix node: %s", ex) filepaths = [] if 'sourceFiles' in node: try: - sourceFiles_node = node.get('sourceFiles') + sourceFiles_node = node.get('sourceFiles', []) for sfile in sourceFiles_node: - filepaths.append(sfile.get('localPath')) - except Exception: - logger.exception( - "Error handling local paths for vulnerability.", - ) + filepaths.append(sfile.get('localPath', '')) + except Exception as ex: + logger.exception("Error handling sourceFiles for vulnerability: %s", ex) locations = [] if 'locations' in node: try: locations_node = node.get('locations', []) for location in locations_node: - path = location.get('path') - if path is not None: + path = location.get('path', '') + 
if path: locations.append(path) - except Exception: - logger.exception( - "Error handling local paths for vulnerability.", - ) + except Exception as ex: + logger.exception("Error handling locations for vulnerability: %s", ex) - if locations: - filepaths = locations - else: - filepaths = filepaths + # Use locations if available, otherwise fallback to filepaths + filepaths = locations if locations else filepaths new_finding = Finding( title=title, test=test, description=description, - severity=severity, + severity=cvss_sev, cwe=cwe, mitigation=mitigation, file_path=", ".join(filepaths), 
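Review bot: `node.get('vulnerability', {}).get('severity', 'UNKNOWN').lower().capitalize()` yields `"Unknown"` when the report carries no severity, which as far as I know is not in the fixed set DefectDojo findings use (Critical/High/Medium/Low/Info), so such findings would carry an invalid level; default to the lowest real level instead, `cvss_sev = node.get('vulnerability', {}).get('severity', 'INFO').lower().capitalize()`. The new `cwe = 1035` stamps every finding with a category CWE although the API 3 payload in the fixtures has no CWE field; leaving it at `0` with the reasoning kept in `severity_justification` is more honest, or at least the comment should say it is a placeholder. `logger.exception` already attaches the traceback and message, so the `"%s", ex` arguments added to the three handlers are largely redundant. `_build_common_output` starts outside this hunk.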
@@ -150,33 +145,20 @@ def _build_common_output(node, lib_name=None): findings = [] if 'libraries' in content: - # we are likely dealing with a report generated from CLI with -generateScanReport, - # which will output vulnerabilities as an array of a library - # In this scenario, build up an array - tree_libs = content.get('libraries') + tree_libs = content.get('libraries', []) for lib_node in tree_libs: - # get the overall lib info here, before going into vulns - if ( - 'response' in lib_node - and len(lib_node.get('response')) > 0 - ): - for vuln in lib_node.get('response'): - findings.append( - _build_common_output(vuln, lib_node.get('name')), - ) - + if 'response' in lib_node and len(lib_node.get('response', [])) > 0: + for vuln in lib_node.get('response', []): + findings.append(_build_common_output(vuln, lib_node.get('name'))) elif 'response' in content: - # likely a manual json export for vulnerabilities only for a project. - # Vulns are standalone, and library is a property. - tree_node = content['response'] + tree_node = content.get('response', []) for node in tree_node: findings.append(_build_common_output(node)) def create_finding_key(f: Finding) -> str: """Hashes the finding's description and title to retrieve a key for deduplication.""" return hashlib.md5( - f.description.encode("utf-8") - + f.title.encode("utf-8"), + f.description.encode("utf-8") + f.title.encode("utf-8"), ).hexdigest() dupes = {} From 6faf27fc0c8ebe170671c9139333c1b4f3df9281 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:18:53 -0800 Subject: [PATCH 08/57] add component path as file_path This is mainly for SCA anyways - SAST contains a different set of vulns and I can write that parser to differentiate SAST vs SCA. --- dojo/tools/mend-sca-platform-api3/parser.py | 2 ++ 1 file changed, 2 insertions(+) 
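Review bot: The two comments explaining why there are two report shapes (`libraries` from the CLI `-generateScanReport` output, `response` from a manual export) are removed while both branches are kept, and they were the only documentation of the formats this parser accepts; keep a one-line note per branch, e.g. `# CLI report: vulnerabilities nested under each library` and `# API/manual export: flat list, component is a property of each item`. `create_finding_key` uses `hashlib.md5` purely as a dedup key, but a plain `md5()` raises under FIPS-enforcing OpenSSL builds; on Python 3.9+ `hashlib.md5(..., usedforsecurity=False)` documents that intent and keeps it working there. `get_findings` continues outside the hunk.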
diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py
index 51b5d7afc8..6b0f606b54 100644
--- a/dojo/tools/mend-sca-platform-api3/parser.py
+++ b/dojo/tools/mend-sca-platform-api3/parser.py
@@ -39,6 +39,7 @@ def _build_common_output(node, lib_name=None):
 component_name = None
 component_version = None
 impact = None
+ file_path = None
 if 'component' in node:
 description = (
@@ -68,6 +69,7 @@ def _build_common_output(node, lib_name=None):
 component_name = node['component'].get('artifactId')
 component_version = node['component'].get('version')
 impact = node['component'].get('dependencyType')
+ file_path = node['component'].get('path')
 else:
 description = node['vulnerability'].get('description', "")
From 5d6de56799264a5b8304ec924453e5a97d609ef1 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 17:28:45 -0800
Subject: [PATCH 09/57] updated parser
---
 dojo/tools/mend-sca-platform-api3/parser.py | 73 +++++++++----------
 .../tools/test_mend_platform_api3_parser.py | 10 +--
 2 files changed, 41 insertions(+), 42 deletions(-)
diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py
index 6b0f606b54..2e6afcad47 100644
--- a/dojo/tools/mend-sca-platform-api3/parser.py
+++ b/dojo/tools/mend-sca-platform-api3/parser.py
@@ -8,7 +8,8 @@
 logger = logging.getLogger(__name__)
-class Mend_platform_api3Parser:
+class MendPlatformApi3Parser:
+
 def get_scan_types(self):
 return ["Mend Platform APIv3 Scan"]
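Review bot: The new `file_path` local is assigned from `node['component'].get('path')` but, as far as the visible hunks show, never read: the `Finding(...)` call in `_build_common_output` still receives `file_path=", ".join(filepaths)` (see the PATCH 07 hunk above), so the component path never reaches the finding. Either pass it through, e.g. `file_path=file_path or ", ".join(filepaths)`, or drop the variable; the next commit in the series removes it again without wiring it in. `_build_common_output` starts and ends outside these two hunks.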
@@ -39,50 +40,48 @@ def _build_common_output(node, lib_name=None): component_name = None component_version = None impact = None - file_path = None - if 'component' in node: + if "component" in node: description = ( "**Vulnerability Description** : " - + node['vulnerability'].get('description', "") + + node["vulnerability"].get("description", "") + "\n\n" + "**Component Name** : " - + node['component'].get('name', "") + + node["component"].get("name", "") + "\n\n" + "**Component Type** : " - + node['component'].get('componentType', "") + + node["component"].get("componentType", "") + "\n\n" + "**Root Library** : " - + str(node['component'].get('rootLibrary', "")) + + str(node["component"].get("rootLibrary", "")) + "\n\n" + "**Library Type** : " - + node['component'].get('libraryType', "") + + node["component"].get("libraryType", "") + "\n\n" + "**Location Found** : " - + node['component'].get('path', "") + + node["component"].get("path", "") + "\n\n" + "**Direct or Transitive Dependency** : " - + node['component'].get('dependencyType', "") + + node["component"].get("dependencyType", "") + "\n" ) - lib_name = node['component'].get('name') - component_name = node['component'].get('artifactId') - component_version = node['component'].get('version') - impact = node['component'].get('dependencyType') - file_path = node['component'].get('path') + lib_name = node["component"].get("name") + component_name = node["component"].get("artifactId") + component_version = node["component"].get("version") + impact = node["component"].get("dependencyType") else: - description = node['vulnerability'].get('description', "") + description = node["vulnerability"].get("description", "") - cve = node.get('name') + cve = node.get("name") if cve is None: title = "CVE-None | " + lib_name else: title = cve + " | " + lib_name - cvss_sev = node.get('vulnerability', {}).get('severity', 'UNKNOWN').lower().capitalize() + cvss_sev = node.get("vulnerability", {}).get("severity", 
"UNKNOWN").lower().capitalize() - cvss3_score = node.get('vulnerability', {}).get('score', None) - cvss3_vector = node.get('scoreMetadataVector', None) + cvss3_score = node.get("vulnerability", {}).get("score", None) + cvss3_vector = node.get("scoreMetadataVector", None) severity_justification = "CVSS v3 score: {} ({})".format( cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A", ) @@ -91,31 +90,31 @@ def _build_common_output(node, lib_name=None): # Handling Mitigation (topFix) safely mitigation = "N/A" - if 'topFix' in node: + if "topFix" in node: try: - topfix_node = node.get('topFix', {}) + topfix_node = node.get("topFix", {}) mitigation = "**Resolution** ({}): {}\n".format( - topfix_node.get('date', 'N/A'), - topfix_node.get('fixResolution', 'N/A'), + topfix_node.get("date", "N/A"), + topfix_node.get("fixResolution", "N/A"), ) except Exception as ex: logger.exception("Error handling topFix node: %s", ex) filepaths = [] - if 'sourceFiles' in node: + if "sourceFiles" in node: try: - sourceFiles_node = node.get('sourceFiles', []) + sourceFiles_node = node.get("sourceFiles", []) for sfile in sourceFiles_node: - filepaths.append(sfile.get('localPath', '')) + filepaths.append(sfile.get("localPath", "")) except Exception as ex: logger.exception("Error handling sourceFiles for vulnerability: %s", ex) locations = [] - if 'locations' in node: + if "locations" in node: try: - locations_node = node.get('locations', []) + locations_node = node.get("locations", []) for location in locations_node: - path = location.get('path', '') + path = location.get("path", "") if path: locations.append(path) except Exception as ex: 
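Review bot: In the retained `title` construction, `"CVE-None | " + lib_name` and `cve + " | " + lib_name` raise `TypeError` when `lib_name` is `None`, which is exactly the `else` branch (no `component` key and no `lib_name` passed by the caller); guard it with `lib_name = lib_name or ""` before the `if`, or fall back to `node.get("vulnerability", {}).get("name", "")`. This hunk otherwise only normalises quote style and drops the unused `file_path` local, so behaviour is unchanged. `_build_common_output` starts and ends outside the hunk.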
@@ -146,14 +145,14 @@ def _build_common_output(node, lib_name=None): return new_finding findings = [] - if 'libraries' in content: - tree_libs = content.get('libraries', []) + if "libraries" in content: + tree_libs = content.get("libraries", []) for lib_node in tree_libs: - if 'response' in lib_node and len(lib_node.get('response', [])) > 0: - for vuln in lib_node.get('response', []): - findings.append(_build_common_output(vuln, lib_node.get('name'))) - elif 'response' in content: - tree_node = content.get('response', []) + if "response" in lib_node and len(lib_node.get("response", [])) > 0: + for vuln in lib_node.get("response", []): + findings.append(_build_common_output(vuln, lib_node.get("name"))) + elif "response" in content: + tree_node = content.get("response", []) for node in tree_node: findings.append(_build_common_output(node)) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index 5f7755ed64..51d7a086f4 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py 
@@ -1,19 +1,19 @@ from dojo.models import Test -from dojo.tools.mend_platform_api3.parser import Mend_platform_api3Parser +from dojo.tools.mend_platform_api3.parser import MendPlatformApi3Parser from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path -class TestMend_platform_api3Parser(DojoTestCase): +class TestMendPlatformApi3Parser(DojoTestCase): def test_parse_file_with_no_vuln_has_no_findings(self): with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile: - parser = Mend_platform_api3Parser() + parser = MendPlatformApi3Parser() findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) def test_parse_file_with_one_vuln_has_one_findings(self): with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json", encoding="utf-8") as testfile: - parser = Mend_platform_api3Parser() + parser = MendPlatformApi3Parser() findings = parser.get_findings(testfile, Test()) self.assertEqual(1, len(findings)) finding = list(findings)[0] @@ -26,7 +26,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self): with open( get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8", ) as testfile: - parser = Mend_platform_api3Parser() + parser = MendPlatformApi3Parser() findings = parser.get_findings(testfile, Test()) self.assertEqual(5, len(findings)) From 0cbce00b2c82576eebd9410820c9132d6b0c20f5 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 17:34:24 -0800 Subject: [PATCH 10/57] Update parser.py --- dojo/tools/mend-sca-platform-api3/parser.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py index 2e6afcad47..ee950e982f 100644 --- a/dojo/tools/mend-sca-platform-api3/parser.py 
+++ b/dojo/tools/mend-sca-platform-api3/parser.py
@@ -9,7 +9,6 @@
 logger = logging.getLogger(__name__)
 class MendPlatformApi3Parser:
-
 def get_scan_types(self):
 return ["Mend Platform APIv3 Scan"]
@@ -120,8 +119,10 @@ def _build_common_output(node, lib_name=None):
 except Exception as ex:
 logger.exception("Error handling locations for vulnerability: %s", ex)
- # Use locations if available, otherwise fallback to filepaths
- filepaths = locations if locations else filepaths
+ if locations:
+ filepaths = locations
+ else:
+ filepaths = filepaths
 new_finding = Finding(
 title=title,
From 2127d81fb544ded726fee849dca205ba7221b5ca Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 17:35:59 -0800
Subject: [PATCH 11/57] Update parser.py
---
 dojo/tools/mend-sca-platform-api3/parser.py | 1 +
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend-sca-platform-api3/parser.py
index ee950e982f..3c01d39d32 100644
--- a/dojo/tools/mend-sca-platform-api3/parser.py
+++ b/dojo/tools/mend-sca-platform-api3/parser.py
@@ -8,6 +8,7 @@
 logger = logging.getLogger(__name__)
+
 class MendPlatformApi3Parser:
 def get_scan_types(self):
 return ["Mend Platform APIv3 Scan"]
From f1aa0ecd842963609436eb5c6da7508b62e52f9c Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 17:57:58 -0800
Subject: [PATCH 12/57] refactor
---
 .../__init__.py | 0
 .../parser.py | 0
 unittests/tools/test_mend_platform_api3_parser.py | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename dojo/tools/{mend-sca-platform-api3 => mend_sca_platform_api3}/__init__.py (100%)
 rename dojo/tools/{mend-sca-platform-api3 => mend_sca_platform_api3}/parser.py (100%)
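Review bot: The restored `else: filepaths = filepaths` branch is a self-assignment that does nothing except trip a linter; `if locations: filepaths = locations` on its own expresses the intent, and the one-line conditional expression this hunk removes did the same. The deleted comment `# Use locations if available, otherwise fallback to filepaths` was the useful part; keep it above the `if`. `_build_common_output` starts and ends outside the hunk.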
diff --git a/dojo/tools/mend-sca-platform-api3/__init__.py b/dojo/tools/mend_sca_platform_api3/__init__.py similarity index 100% rename from dojo/tools/mend-sca-platform-api3/__init__.py rename to dojo/tools/mend_sca_platform_api3/__init__.py diff --git a/dojo/tools/mend-sca-platform-api3/parser.py b/dojo/tools/mend_sca_platform_api3/parser.py similarity index 100% rename from dojo/tools/mend-sca-platform-api3/parser.py rename to dojo/tools/mend_sca_platform_api3/parser.py diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py index 51d7a086f4..16b0611387 100644 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ b/unittests/tools/test_mend_platform_api3_parser.py @@ -1,5 +1,5 @@ from dojo.models import Test -from dojo.tools.mend_platform_api3.parser import MendPlatformApi3Parser +from dojo.tools.mend_sca_platform_api3.parser import MendPlatformApi3Parser from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path From bdc721aef4398cc2b6ebfbd12e720ac7dd747514 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Wed, 13 Nov 2024 18:38:11 -0800 Subject: [PATCH 13/57] Update parser.py --- dojo/tools/mend_sca_platform_api3/parser.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/dojo/tools/mend_sca_platform_api3/parser.py b/dojo/tools/mend_sca_platform_api3/parser.py index 3c01d39d32..7dd3e6c86b 100644 --- a/dojo/tools/mend_sca_platform_api3/parser.py +++ b/dojo/tools/mend_sca_platform_api3/parser.py 
@@ -26,12 +26,9 @@ def get_findings(self, file, test):
 data = file.read()
 # Ensure we handle JSON formatting before attempting to parse
 try:
-# Try fixing the single quotes by replacing them with double quotes
-fixed_data = data.replace("'", '"')
-content = json.loads(fixed_data)
+content = json.loads(str(data, "utf-8"))
 except Exception as e:
-logger.exception("Failed to parse JSON data: %s", e)
-return []
+content = json.loads(data)
 
 def _build_common_output(node, lib_name=None):
 # project only available in manual export
From fd76af61cd97d065fc5c6425bd2296aefcdfffe1 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 18:39:02 -0800
Subject: [PATCH 14/57] Update parser.py

---
 dojo/tools/mend_sca_platform_api3/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/mend_sca_platform_api3/parser.py b/dojo/tools/mend_sca_platform_api3/parser.py
index 7dd3e6c86b..c1e72e9a19 100644
--- a/dojo/tools/mend_sca_platform_api3/parser.py
+++ b/dojo/tools/mend_sca_platform_api3/parser.py
@@ -27,7 +27,7 @@ def get_findings(self, file, test):
 # Ensure we handle JSON formatting before attempting to parse
 try:
 content = json.loads(str(data, "utf-8"))
-except Exception as e:
+except Exception:
 content = json.loads(data)
 
 def _build_common_output(node, lib_name=None):
From 9f3d41ed22a4d29637612fb77e62c7f5d28b3270 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 20:10:16 -0800
Subject: [PATCH 15/57] Update test_mend_platform_api3_parser.py

---
 unittests/tools/test_mend_platform_api3_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py
index 16b0611387..ed6155689f 100644
--- a/unittests/tools/test_mend_platform_api3_parser.py
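Review bot: The new parse path in the `@@ -26,12 +26,9 @@` hunk catches every exception from the first `json.loads` and silently retries with the raw data, so a genuinely malformed report is parsed twice and only the second, unrelated error propagates, with no log entry. `json.loads` already accepts both `str` and `bytes` (it detects UTF-8/16/32 itself), so the whole try/except collapses to `content = json.loads(data)`; if the intent is to support text-mode and binary file objects explicitly, `if isinstance(data, bytes): data = data.decode("utf-8")` is the check to write, not a broad `except Exception`. Dropping the former `return []` on parse failure is the right call, since an unparseable upload should fail the import rather than be stored as a scan with zero findings, but the surviving `# Ensure we handle JSON formatting before attempting to parse` comment now describes the removed `data.replace("'", '"')` rewrite and should go with it. The same try/except is touched again by the `@@ -27,7 +27,7 @@` hunk below and by PATCH 20 further down; `get_findings` begins and ends outside this hunk.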
+++ b/unittests/tools/test_mend_platform_api3_parser.py
@@ -24,7 +24,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
 
 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 with open(
-get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8",
+get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8"
 ) as testfile:
 parser = MendPlatformApi3Parser()
 findings = parser.get_findings(testfile, Test())
From 726f8c3b39b7531a3720f25fc42bbddb44d2b9f3 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 20:12:16 -0800
Subject: [PATCH 16/57] Update test_mend_platform_api3_parser.py

---
 unittests/tools/test_mend_platform_api3_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py
index ed6155689f..16b0611387 100644
--- a/unittests/tools/test_mend_platform_api3_parser.py
+++ b/unittests/tools/test_mend_platform_api3_parser.py
@@ -24,7 +24,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
 
 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 with open(
-get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8"
+get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8",
 ) as testfile:
 parser = MendPlatformApi3Parser()
 findings = parser.get_findings(testfile, Test())
From 3977cd9b60893311d06d9fc454c0da9ed7e8d596 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 20:50:47 -0800
Subject: [PATCH 17/57] Update test_mend_platform_api3_parser.py

---
 unittests/tools/test_mend_platform_api3_parser.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py
index 16b0611387..36136b1e55 100644
--- a/unittests/tools/test_mend_platform_api3_parser.py
+++ b/unittests/tools/test_mend_platform_api3_parser.py
@@ -23,9 +23,7 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
 self.assertEqual(3.1, finding.cvssv3_score)
 
 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
-with open(
-get_unit_tests_path() + "unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8",
-) as testfile:
+with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile:
 parser = MendPlatformApi3Parser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(5, len(findings))
From 66d00c5e68596b0c9adc461e6c02303b33648116 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 20:55:21 -0800
Subject: [PATCH 18/57] Update test_mend_platform_api3_parser.py

---
 unittests/tools/test_mend_platform_api3_parser.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py
index 36136b1e55..84de6c992b 100644
--- a/unittests/tools/test_mend_platform_api3_parser.py
+++ b/unittests/tools/test_mend_platform_api3_parser.py
@@ -1,6 +1,5 @@
 from dojo.models import Test
 from dojo.tools.mend_sca_platform_api3.parser import MendPlatformApi3Parser
-from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path
 
 
 class TestMendPlatformApi3Parser(DojoTestCase):
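Review bot: The `@@ -1,6 +1,5 @@` hunk of PATCH 18 removes `from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path` while the context line `class TestMendPlatformApi3Parser(DojoTestCase):` still references `DojoTestCase`, so the test module fails at import with a NameError until PATCH 19 below restores the line. PATCH 17 in the same stretch replaces the `get_unit_tests_path()`-based fixture path with a cwd-relative `"unittests/scans/..."`, which only resolves when the runner starts from the repository root; PATCH 19 reverts that as well. Three commits that cancel each other out would read more clearly squashed into the one that lands the final form.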
From 9605700423df47c309f79d8823b47361ab8346ba Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 20:57:01 -0800
Subject: [PATCH 19/57] Update test_mend_platform_api3_parser.py

---
 unittests/tools/test_mend_platform_api3_parser.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py
index 84de6c992b..50972dc4ae 100644
--- a/unittests/tools/test_mend_platform_api3_parser.py
+++ b/unittests/tools/test_mend_platform_api3_parser.py
@@ -1,5 +1,6 @@
 from dojo.models import Test
 from dojo.tools.mend_sca_platform_api3.parser import MendPlatformApi3Parser
+from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path
 
 
 class TestMendPlatformApi3Parser(DojoTestCase):
@@ -22,7 +23,9 @@ def test_parse_file_with_one_vuln_has_one_findings(self):
 self.assertEqual(3.1, finding.cvssv3_score)
 
 def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
-with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile:
+with open(
+get_unit_tests_path() + "/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8",
+) as testfile:
 parser = MendPlatformApi3Parser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(5, len(findings))
From 8003d1f3419f77c49654e11e7383761e341f9c3b Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 21:14:05 -0800
Subject: [PATCH 20/57] Update parser.py

---
 dojo/tools/mend_sca_platform_api3/parser.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dojo/tools/mend_sca_platform_api3/parser.py b/dojo/tools/mend_sca_platform_api3/parser.py
index c1e72e9a19..07f7f3bc68 100644
--- a/dojo/tools/mend_sca_platform_api3/parser.py
+++ b/dojo/tools/mend_sca_platform_api3/parser.py
@@ -24,7 +24,6 @@ def get_findings(self, file, test):
 return []
 
 data = file.read()
-# Ensure we handle JSON formatting before attempting to parse
 try:
 content = json.loads(str(data, "utf-8"))
 except Exception:
From e2911e2824db4b796254390d553890633d949fa2 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Wed, 13 Nov 2024 21:30:44 -0800
Subject: [PATCH 21/57] change single quotes to double quotes - reformat broken json

---
 .../mend-sca-platform-api3-five-findings.json | 1382 ++++++++---------
 .../mend-sca-platform-api3-no-findings.json | 2 +-
 .../mend-sca-platform-api3-one-finding.json | 128 +-
 3 files changed, 756 insertions(+), 756 deletions(-)

diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json
index 954afdef00..73441a7297 100644
--- a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json
+++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json
@@ -1,773 +1,773 @@ { - 'additionalData': { - 'totalItems': 11, - 'paging': { } + "additionalData": { + "totalItems": 11, + "paging": { } }, - 'supportToken': '3cdb1f55250864891a790b7f324be7ddc1731541902285', - 'response': [ + "supportToken": "3cdb1f55250864891a790b7f324be7ddc1731541902285", + "response": [ { - 'uuid': '23bcab53-d599-4c2e-acce-89880a1ba8ae', - 'name': 'CVE-2022-42004', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'aa25c040-953e-49c1-a824-278169adf8a4', - 'name': 'jackson-databind-2.13.3.jar', - 'description': 'Generaldata-binding functionality for Jackson: works on core streaming API', - 'componentType': 'Library', - 'libraryType': 'MAVEN_ARTIFACT', - 'rootLibrary': True, - 'references': { - 'url': 'http://fasterxml.com/', - 'pomUrl': 'https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom' + "uuid": "23bcab53-d599-4c2e-acce-89880a1ba8ae", + "name": "CVE-2022-42004", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "aa25c040-953e-49c1-a824-278169adf8a4", + "name": "jackson-databind-2.13.3.jar", + "description": "Generaldata-binding functionality for Jackson: works on core streaming API", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com/", + "pomUrl": "https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom" }, - 'groupId': 'com.fasterxml.jackson.core', - 'artifactId': 'jackson-databind', - 'version': '2.13.3', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-17T13:56:01Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 
'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2022-42004', - 'type': 'CVSS_3', - 'description': 'In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.', - 'score': 7.5, - 'severity': 'HIGH', - 'publishDate': '2022-10-02T00:00:00Z', - 'modifiedDate': '2024-08-03T12:56:39Z', - 'vulnerabilityScoring': [ + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind", + "version": "2.13.3", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-42004", + "type": "CVSS_3", + "description": "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2022-10-02T00:00:00Z", + "modifiedDate": "2024-08-03T12:56:39Z", + "vulnerabilityScoring": [ { - 'score': 7.5, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 109760, - 'vulnerability': 'CVE-2022-42004', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/FasterXML/jackson-databind/issues/3582', - 'fixResolution': 'com.fasterxml.jackson.core:jackson-databind:2.13.4', - 'date': '2022-10-02T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.3 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + "topFix": { + "id": 109760, + "vulnerability": "CVE-2022-42004", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/FasterXML/jackson-databind/issues/3582", + "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.13.4", + "date": "2022-10-02T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { - 'uuid': '21548f3e-2a6e-48bd-998d-be6b40fed54c', - 'name': 'CVE-2018-8269', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'a124f02a-e4e0-476d-8ef1-6bd3a4238245', - 'name': 'Microsoft.Data.OData-5.2.0.51212.dll', - 'description': 'Microsoft.Data.OData.dll', - 'componentType': 'Library', - 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', - 'rootLibrary': True, - 'references': { - 'url': 'https://api.nuget.org/packages/microsoft.data.odata.5.2.0.nupkg', - 'homePage': 
'http://go.microsoft.com/fwlink/?LinkId=220868', - 'genericPackageIndex': '' + "uuid": "21548f3e-2a6e-48bd-998d-be6b40fed54c", + "name": "CVE-2018-8269", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "a124f02a-e4e0-476d-8ef1-6bd3a4238245", + "name": "Microsoft.Data.OData-5.2.0.51212.dll", + "description": "Microsoft.Data.OData.dll", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/microsoft.data.odata.5.2.0.nupkg", + "homePage": "http://go.microsoft.com/fwlink/?LinkId=220868", + "genericPackageIndex": "" }, - 'groupId': 'Microsoft.Data.OData', - 'artifactId': 'Microsoft.Data.OData-5.2.0.51212.dll', - 'version': '5.2.0.51212', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-20T10:42:50Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2018-8269', - 'type': 'CVSS_3', - 'description': 'A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." 
This affects Microsoft.Data.OData.', - 'score': 7.5, - 'severity': 'HIGH', - 'publishDate': '2018-09-13T00:00:00Z', - 'modifiedDate': '2024-08-05T06:46:13Z', - 'vulnerabilityScoring': [ + "groupId": "Microsoft.Data.OData", + "artifactId": "Microsoft.Data.OData-5.2.0.51212.dll", + "version": "5.2.0.51212", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-20T10:42:50Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2018-8269", + "type": "CVSS_3", + "description": "A denial of service vulnerability exists when OData Library improperly handles web requests, aka 'OData Denial of Service Vulnerability.' 
This affects Microsoft.Data.OData.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2018-09-13T00:00:00Z", + "modifiedDate": "2024-08-05T06:46:13Z", + "vulnerabilityScoring": [ { - 'score': 7.5, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 60177, - 'vulnerability': 'CVE-2018-8269', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/aspnet/Announcements/issues/385', - 'fixResolution': 'Microsoft.Data.OData - 5.8.4', - 'date': '2018-09-13T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 2.8999999 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + "topFix": { + "id": 60177, + "vulnerability": "CVE-2018-8269", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/aspnet/Announcements/issues/385", + "fixResolution": "Microsoft.Data.OData - 5.8.4", + "date": "2018-09-13T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 2.8999999 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { - 'uuid': '07568c8b-3288-4f6e-8292-e350e8a80a84', - 'name': 'CVE-2018-8032', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', - 'name': 'axis-1.4.jar', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'JAVA_ARCHIVE', - 'rootLibrary': True, - 'references': { - 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', - 'genericPackageIndex': '' + "uuid": "07568c8b-3288-4f6e-8292-e350e8a80a84", + "name": "CVE-2018-8032", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": 
"1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" }, - 'groupId': 'axis-1', - 'artifactId': 'axis.jar', - 'version': '1.4', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-11T21:44:34Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2018-8032', - 'type': 'CVSS_3', - 'description': 'Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.', - 'score': 6.1, - 'severity': 'MEDIUM', - 'publishDate': '2018-08-02T13:00:00Z', - 'modifiedDate': '2024-09-16T16:29:01Z', - 'vulnerabilityScoring': [ + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2018-8032", + "type": "CVSS_3", + "description": "Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.", + "score": 6.1, + "severity": 
"MEDIUM", + "publishDate": "2018-08-02T13:00:00Z", + "modifiedDate": "2024-09-16T16:29:01Z", + "vulnerabilityScoring": [ { - 'score': 6.1, - 'severity': 'MEDIUM', - 'type': 'CVSS_3' + "score": 6.1, + "severity": "MEDIUM", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 100830, - 'vulnerability': 'CVE-2018-8032', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2018-8032', - 'fixResolution': 'no_fix', - 'date': '2018-07-08T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.4 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N' + "topFix": { + "id": 100830, + "vulnerability": "CVE-2018-8032", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8032", + "fixResolution": "no_fix", + "date": "2018-07-08T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.4 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { - 'uuid': 'a513b00e-05cd-4843-b315-01aca5eb05ad', - 'name': 'CVE-2022-40152', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'd7de9e3c-a8c8-4b15-ba92-201b514498cc', - 'name': 'woodstox-core-6.2.8.jar', - 'description': 'Woodstox is a high-performance XML processor that implements Stax (JSR-173),\nSAX2 and Stax2 APIs', - 'componentType': 'Library', - 'libraryType': 'MAVEN_ARTIFACT', - 'rootLibrary': True, - 'references': { - 'url': 'http://fasterxml.com', - 'pomUrl': 'https://nexus.opendaylight.org/content/groups/public/com/fasterxml/woodstox/woodstox-core/6.2.8/woodstox-core-6.2.8.pom' + "uuid": "a513b00e-05cd-4843-b315-01aca5eb05ad", + "name": "CVE-2022-40152", + "type": "SECURITY_VULNERABILITY", + 
"component": { + "uuid": "d7de9e3c-a8c8-4b15-ba92-201b514498cc", + "name": "woodstox-core-6.2.8.jar", + "description": "Woodstox is a high-performance XML processor that implements Stax (JSR-173),\nSAX2 and Stax2 APIs", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com", + "pomUrl": "https://nexus.opendaylight.org/content/groups/public/com/fasterxml/woodstox/woodstox-core/6.2.8/woodstox-core-6.2.8.pom" }, - 'groupId': 'com.fasterxml.woodstox', - 'artifactId': 'woodstox-core', - 'version': '6.2.8', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-17T13:56:01Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2022-40152', - 'type': 'CVSS_3', - 'description': 'Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.', - 'score': 6.5, - 'severity': 'MEDIUM', - 'publishDate': '2022-09-16T10:00:22Z', - 'modifiedDate': '2024-09-16T19:14:50Z', - 'vulnerabilityScoring': [ + "groupId": "com.fasterxml.woodstox", + "artifactId": "woodstox-core", + "version": "6.2.8", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-40152", + "type": "CVSS_3", + "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.", + "score": 6.5, + "severity": "MEDIUM", + "publishDate": "2022-09-16T10:00:22Z", + "modifiedDate": "2024-09-16T19:14:50Z", + "vulnerabilityScoring": [ { - 'score': 6.5, - 'severity': 'MEDIUM', - 'type': 'CVSS_3' + "score": 6.5, + "severity": "MEDIUM", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 110139, - 'vulnerability': 'CVE-2022-40152', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/FasterXML/woodstox/pull/159', - 'fixResolution': 'com.fasterxml.woodstox:woodstox-core:5.4.0,6.4.0', - 'date': '2022-09-16T10:00:22Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.8 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H' + "topFix": { + "id": 110139, + "vulnerability": "CVE-2022-40152", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/FasterXML/woodstox/pull/159", + "fixResolution": "com.fasterxml.woodstox:woodstox-core:5.4.0,6.4.0", + "date": "2022-09-16T10:00:22Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.8 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { - 'uuid': 'eabc72c0-370f-42fc-82fa-7a8584f71a2a', - 'name': 'CVE-2022-42003', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'aa25c040-953e-49c1-a824-278169adf8a4', - 'name': 'jackson-databind-2.13.3.jar', - 'description': 'General data-binding functionality for Jackson: works on core streaming API', - 'componentType': 'Library', - 'libraryType': 'MAVEN_ARTIFACT', - 'rootLibrary': True, - 'references': { - 'url': 'http://fasterxml.com/', - 'pomUrl': 
'https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom' + "uuid": "eabc72c0-370f-42fc-82fa-7a8584f71a2a", + "name": "CVE-2022-42003", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "aa25c040-953e-49c1-a824-278169adf8a4", + "name": "jackson-databind-2.13.3.jar", + "description": "General data-binding functionality for Jackson: works on core streaming API", + "componentType": "Library", + "libraryType": "MAVEN_ARTIFACT", + "rootLibrary": true, + "references": { + "url": "http://fasterxml.com/", + "pomUrl": "https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.pom" }, - 'groupId': 'com.fasterxml.jackson.core', - 'artifactId': 'jackson-databind', - 'version': '2.13.3', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-17T13:56:01Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2022-42003', - 'type': 'CVSS_3', - 'description': 'In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.\n Mend Note: For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users. 
', - 'score': 7.5, - 'severity': 'HIGH', - 'publishDate': '2022-10-02T00:00:00Z', - 'modifiedDate': '2024-08-03T12:56:39Z', - 'vulnerabilityScoring': [ + "groupId": "com.fasterxml.jackson.core", + "artifactId": "jackson-databind", + "version": "2.13.3", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-17T13:56:01Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2022-42003", + "type": "CVSS_3", + "description": "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.\n Mend Note: For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users. 
", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2022-10-02T00:00:00Z", + "modifiedDate": "2024-08-03T12:56:39Z", + "vulnerabilityScoring": [ { - 'score': 7.5, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 133291, - 'vulnerability': 'CVE-2022-42003', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/advisories/GHSA-jjjh-jjxp-wpff', - 'fixResolution': 'com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2', - 'date': '2022-10-02T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.3 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' + "topFix": { + "id": 133291, + "vulnerability": "CVE-2022-42003", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-jjjh-jjxp-wpff", + "fixResolution": "com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2", + "date": "2022-10-02T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { - 'uuid': '59815375-eb59-460c-ae55-27c69ae9ca7d', - 'name': 'CVE-2014-3596', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', - 'name': 'axis-1.4.jar', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'JAVA_ARCHIVE', - 'rootLibrary': True, - 'references': { - 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', - 'genericPackageIndex': '' + "uuid": "59815375-eb59-460c-ae55-27c69ae9ca7d", + "name": "CVE-2014-3596", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": 
"1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" }, - 'groupId': 'axis-1', - 'artifactId': 'axis.jar', - 'version': '1.4', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-11T21:44:34Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2014-3596', - 'type': 'CVSS_3', - 'description': "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSLservers via a certificate with a subject that specifies a common name in a field that is not the CN field. 
NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.", - 'score': 4.8, - 'severity': 'MEDIUM', - 'publishDate': '2014-08-27T00:00:00Z', - 'modifiedDate': '2024-08-06T10:50:17Z', - 'vulnerabilityScoring': [ + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2014-3596", + "type": "CVSS_3", + "description": "The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSLservers via a certificate with a subject that specifies a common name in a field that is not the CN field. 
NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.", + "score": 4.8, + "severity": "MEDIUM", + "publishDate": "2014-08-27T00:00:00Z", + "modifiedDate": "2024-08-06T10:50:17Z", + "vulnerabilityScoring": [ { - 'score': 4.8, - 'severity': 'MEDIUM', - 'type': 'CVSS_3' + "score": 4.8, + "severity": "MEDIUM", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 87936, - 'vulnerability': 'CVE-2014-3596', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2014-3596', - 'fixResolution': 'axis:axis - 1.3-atlassian-1', - 'date': '2014-08-27T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.2 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N' + "topFix": { + "id": 87936, + "vulnerability": "CVE-2014-3596", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3596", + "fixResolution": "axis:axis - 1.3-atlassian-1", + "date": "2014-08-27T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.2 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { - 'uuid': 'b22790d4-9186-45a6-aa11-37ec13fce85f', - 'name': 'CVE-2021-24112', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'e7f7552f-f9d4-4c62-9a05-ab0701d44a4e', - 'name': 'System.Drawing.Common-4.6.26515.06.dll', - 'description': 'System.Drawing.Common', - 'componentType': 'Library', - 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', - 'rootLibrary': True, - 'references': { - 'url': 'https://api.nuget.org/packages/system.drawing.common.4.5.0.nupkg', - 'homePage': 'https://dot.net/', - 'genericPackageIndex': '' + "uuid": "b22790d4-9186-45a6-aa11-37ec13fce85f", + 
"name": "CVE-2021-24112", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "e7f7552f-f9d4-4c62-9a05-ab0701d44a4e", + "name": "System.Drawing.Common-4.6.26515.06.dll", + "description": "System.Drawing.Common", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/system.drawing.common.4.5.0.nupkg", + "homePage": "https://dot.net/", + "genericPackageIndex": "" }, - 'groupId': 'System.Drawing.Common', - 'artifactId': 'System.Drawing.Common-4.6.26515.06.dll', - 'version': '4.6.26515.06', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-13T11:40:20Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2021-24112', - 'type': 'CVSS_3', - 'description': '.NET Core Remote Code Execution Vulnerability', - 'score': 8.1, - 'severity': 'HIGH', - 'publishDate': '2021-02-25T23:01:57Z', - 'modifiedDate': '2024-08-03T19:21:18Z', - 'vulnerabilityScoring': [ + "groupId": "System.Drawing.Common", + "artifactId": "System.Drawing.Common-4.6.26515.06.dll", + "version": "4.6.26515.06", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-13T11:40:20Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": 
"CVE-2021-24112", + "type": "CVSS_3", + "description": ".NET Core Remote Code Execution Vulnerability", + "score": 8.1, + "severity": "HIGH", + "publishDate": "2021-02-25T23:01:57Z", + "modifiedDate": "2024-08-03T19:21:18Z", + "vulnerabilityScoring": [ { - 'score': 8.1, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 8.1, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 110775, - 'vulnerability': 'CVE-2021-24112', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/advisories/GHSA-rxg9-xrhp-64gj', - 'fixResolution': 'System.Drawing.Common - 4.7.2,5.0.3', - 'date': '2021-02-25T23:15:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'POC_CODE', - 'epssPercentage': 2.0 - }, - 'exploitable': True, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C' + "topFix": { + "id": 110775, + "vulnerability": "CVE-2021-24112", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-rxg9-xrhp-64gj", + "fixResolution": "System.Drawing.Common - 4.7.2,5.0.3", + "date": "2021-02-25T23:15:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "POC_CODE", + "epssPercentage": 2.0 + }, + "exploitable": true, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" }, { - 'uuid': '1efbe99b-724e-4ff2-aa5a-81a5581aae30', - 'name': 'CVE-2021-22570', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'e642b361-9c26-4be5-9ae6-15f97124ed8b', - 'name': 'Google.Protobuf-3.10.0.0.dll', - 'description': 'Google Protocol Buffers', - 'componentType': 'Library', - 'libraryType': 'DOT_NET_AS_GENERIC_RESOURCE', - 'rootLibrary': True, - 'references': { - 'url': 'https://api.nuget.org/packages/google.protobuf.3.10.0.nupkg', - 'homePage': 'https://github.com/protocolbuffers/protobuf', 
- 'genericPackageIndex': '' + "uuid": "1efbe99b-724e-4ff2-aa5a-81a5581aae30", + "name": "CVE-2021-22570", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "e642b361-9c26-4be5-9ae6-15f97124ed8b", + "name": "Google.Protobuf-3.10.0.0.dll", + "description": "Google Protocol Buffers", + "componentType": "Library", + "libraryType": "DOT_NET_AS_GENERIC_RESOURCE", + "rootLibrary": true, + "references": { + "url": "https://api.nuget.org/packages/google.protobuf.3.10.0.nupkg", + "homePage": "https://github.com/protocolbuffers/protobuf", + "genericPackageIndex": "" }, - 'groupId': 'Google.Protobuf', - 'artifactId': 'Google.Protobuf-3.10.0.0.dll', - 'version': '3.10.0.0', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'LIBRARY_REMOVED', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-13T11:40:20Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2021-22570', - 'type': 'CVSS_3', - 'description': "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. 
We recommend upgrading to version 3.15.0 or greater.", - 'score': 6.5, - 'severity': 'MEDIUM', - 'publishDate': '2022-01-26T00:00:00Z', - 'modifiedDate': '2024-08-03T18:44:13Z', - 'vulnerabilityScoring': [ + "groupId": "Google.Protobuf", + "artifactId": "Google.Protobuf-3.10.0.0.dll", + "version": "3.10.0.0", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "LIBRARY_REMOVED", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-13T11:40:20Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2021-22570", + "type": "CVSS_3", + "description": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. 
We recommend upgrading to version 3.15.0 or greater.", + "score": 6.5, + "severity": "MEDIUM", + "publishDate": "2022-01-26T00:00:00Z", + "modifiedDate": "2024-08-03T18:44:13Z", + "vulnerabilityScoring": [ { - 'score': 6.5, - 'severity': 'MEDIUM', - 'type': 'CVSS_3' + "score": 6.5, + "severity": "MEDIUM", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 102974, - 'vulnerability': 'CVE-2021-22570', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/advisories/GHSA-77rm-9x9h-xj3g', - 'fixResolution': 'Google.Protobuf - 3.15.0', - 'date': '2022-01-26T00:00:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.0 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H' + "topFix": { + "id": 102974, + "vulnerability": "CVE-2021-22570", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/advisories/GHSA-77rm-9x9h-xj3g", + "fixResolution": "Google.Protobuf - 3.15.0", + "date": "2022-01-26T00:00:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.0 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { - 'uuid': 'acae8e26-d778-48dc-8b26-8073c06d0572', - 'name': 'CVE-2019-0227', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', - 'name': 'axis-1.4.jar', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'JAVA_ARCHIVE', - 'rootLibrary': True, - 'references': { - 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', - 'genericPackageIndex': '' + "uuid": "acae8e26-d778-48dc-8b26-8073c06d0572", + "name": "CVE-2019-0227", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": 
"1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" }, - 'groupId': 'axis-1', - 'artifactId': 'axis.jar', - 'version': '1.4', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': '2023-04-11T21:44:34Z', - 'modifiedAt': '2023-04-11T21:44:34Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2019-0227', - 'type': 'CVSS_3', - 'description': 'A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. 
The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.', - 'score': 7.5, - 'severity': 'HIGH', - 'publishDate': '2019-05-01T20:03:49Z', - 'modifiedDate': '2024-08-04T17:44:15Z', - 'vulnerabilityScoring': [ + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-04-11T21:44:34Z", + "modifiedAt": "2023-04-11T21:44:34Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2019-0227", + "type": "CVSS_3", + "description": "A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. 
The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.", + "score": 7.5, + "severity": "HIGH", + "publishDate": "2019-05-01T20:03:49Z", + "modifiedDate": "2024-08-04T17:44:15Z", + "vulnerabilityScoring": [ { - 'score': 7.5, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 7.5, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 71103, - 'vulnerability': 'CVE-2019-0227', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/', - 'fixResolution': 'org.apache.axis2:axis2:1.7.9', - 'date': '2019-05-01T21:29:00Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 86.2 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H' + "topFix": { + "id": 71103, + "vulnerability": "CVE-2019-0227", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/", + "fixResolution": "org.apache.axis2:axis2:1.7.9", + "date": "2019-05-01T21:29:00Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 86.2 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { - 'uuid': '7c1e2f26-2f2e-429d-9779-5ee2c1c34fff', - 'name': 'CVE-2023-40743', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', - 'name': 'axis-1.4.jar', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'JAVA_ARCHIVE', - 'rootLibrary': True, - 'references': { - 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', - 'genericPackageIndex': '' + "uuid": 
"7c1e2f26-2f2e-429d-9779-5ee2c1c34fff", + "name": "CVE-2023-40743", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" }, - 'groupId': 'axis-1', - 'artifactId': 'axis.jar', - 'version': '1.4', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': '2023-12-31T00:06:43Z', - 'modifiedAt': '2023-12-31T00:06:43Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2023-40743', - 'type': 'CVSS_3', - 'description': '** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . 
The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.\n\n', - 'score': 9.8, - 'severity': 'CRITICAL', - 'publishDate': '2023-09-05T14:42:13Z', - 'modifiedDate': '2024-08-02T19:15:56Z', - 'vulnerabilityScoring': [ + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2023-12-31T00:06:43Z", + "modifiedAt": "2023-12-31T00:06:43Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2023-40743", + "type": "CVSS_3", + "description": "** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through 'ServiceFactory.getService' allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to 'ServiceFactory.getService', or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . 
The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.\n\n", + "score": 9.8, + "severity": "CRITICAL", + "publishDate": "2023-09-05T14:42:13Z", + "modifiedDate": "2024-08-02T19:15:56Z", + "vulnerabilityScoring": [ { - 'score': 9.8, - 'severity': 'CRITICAL', - 'type': 'CVSS_3' + "score": 9.8, + "severity": "CRITICAL", + "type": "CVSS_3" } ] }, - 'topFix': { }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.3 + "topFix": { }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.3 }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { - 'uuid': 'ac04a94e-16df-4f69-a8ac-3d6a092c8091', - 'name': 'CVE-2023-51441', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': '1da34773-6acf-4da9-b4b3-4cfca44e3163', - 'name': 'axis-1.4.jar', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'JAVA_ARCHIVE', - 'rootLibrary': True, - 'references': { - 'url': 'http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip', - 'genericPackageIndex': '' + "uuid": "ac04a94e-16df-4f69-a8ac-3d6a092c8091", + "name": "CVE-2023-51441", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "1da34773-6acf-4da9-b4b3-4cfca44e3163", + "name": "axis-1.4.jar", + "description": "", + "componentType": "Library", + "libraryType": "JAVA_ARCHIVE", + "rootLibrary": true, + "references": { + "url": "http://archive.apache.org/dist/lenya/SOURCES/apache-lenya-2.0.4-dev-src.zip", + "genericPackageIndex": "" }, - 'groupId': 'axis-1', - 'artifactId': 'axis.jar', - 'version': '1.4', - 'dependencyType': 'Direct' - }, - 'findingInfo': { - 'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': 
'2024-01-08T22:47:45Z', - 'modifiedAt': '2024-01-08T22:47:45Z' - }, - 'project': { - 'uuid': 'e2fffbc5-4b96-4f49-bea6-d031650fe664', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7' - }, - 'application': { - 'uuid': 'a6d539cc-75d7-4889-9b1e-349b878bd3e7', - 'name': 'application-name' - }, - 'vulnerability': { - 'name': 'CVE-2023-51441', - 'type': 'CVSS_3', - 'description': '** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability inApache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\nthis are welcome.\n\n', - 'score': 7.2, - 'severity': 'HIGH', - 'publishDate': '2024-01-06T11:59:37Z', - 'modifiedDate': '2024-08-02T23:15:47Z', - 'vulnerabilityScoring': [ + "groupId": "axis-1", + "artifactId": "axis.jar", + "version": "1.4", + "dependencyType": "Direct" + }, + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2024-01-08T22:47:45Z", + "modifiedAt": "2024-01-08T22:47:45Z" + }, + "project": { + "uuid": "e2fffbc5-4b96-4f49-bea6-d031650fe664", + "name": "project-name", + "path": "application-name", + "applicationUuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7" + }, + "application": { + "uuid": "a6d539cc-75d7-4889-9b1e-349b878bd3e7", + "name": "application-name" + }, + "vulnerability": { + "name": "CVE-2023-51441", + "type": "CVSS_3", + "description": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability inApache Axis allowed users with access to the admin service to 
perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\nthis are welcome.\n\n", + "score": 7.2, + "severity": "HIGH", + "publishDate": "2024-01-06T11:59:37Z", + "modifiedDate": "2024-08-02T23:15:47Z", + "vulnerabilityScoring": [ { - 'score': 7.2, - 'severity': 'HIGH', - 'type': 'CVSS_3' + "score": 7.2, + "severity": "HIGH", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 129844, - 'vulnerability': 'CVE-2023-51441', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2023-51441', - 'fixResolution': 'no_fix', - 'date': '2024-01-06T12:15:43Z', - 'message': 'Upgrade to version' - }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.1 - }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H' + "topFix": { + "id": 129844, + "vulnerability": "CVE-2023-51441", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51441", + "fixResolution": "no_fix", + "date": "2024-01-06T12:15:43Z", + "message": "Upgrade to version" + }, + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.1 + }, + "exploitable": false, + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ] } \ No newline at end of file 
diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json
index 9e8f84e40a..9df1c1c1a2 100644
--- a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json
+++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json
@@ -1 +1 @@
-{'additionalData': {'totalItems': 0, 'paging': {}}, 'supportToken': '123442284e284dddb0652ff65c9f3ebd1731540952924', 'response': []}
\ No newline at end of file
+{"additionalData": {"totalItems": 0, "paging": {}}, "supportToken": "123442284e284dddb0652ff65c9f3ebd1731540952924", "response": []}
\ No newline at end of file
diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json
index 6e03619a8c..c8e65ae111 100644
--- a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json
+++ b/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json
@@ -1,81 +1,81 @@ { - 'additionalData': { - 'totalItems': 1, - 'paging': { } + "additionalData": { + "totalItems": 1, + "paging": { } }, - 'supportToken': '17da68189a2eb40ec9b5d99c8141495191731541262319', - 'response': [ + "supportToken": "17da68189a2eb40ec9b5d99c8141495191731541262319", + "response": [ { - 'uuid': '7d60c0ad-1585-4aab-a74c-120e5819d84c', - 'name': 'CVE-2024-51744', - 'type': 'SECURITY_VULNERABILITY', - 'component': { - 'uuid': 'e8e7d995-e58a-4a02-b929-76a2963f088a', - 'name': 'github.com/golang-JWT/jwt-v3.2.2+incompatible', - 'description': '', - 'componentType': 'Library', - 'libraryType': 'GO_PACKAGE', - 'rootLibrary': True, - 'references': { - 'url': 'https://proxy.golang.org/github.com/golang-!j!w!t/jwt/@v/v3.2.2+incompatible.zip', - 'homePage': 'https://pkg.go.dev/github.com/golang-JWT/jwt@v3.2.2+incompatible', - 'genericPackageIndex': 'http://go-search.org/api?action=package&id=github.com%2Fgolang-JWT%2Fjwt' + "uuid": "7d60c0ad-1585-4aab-a74c-120e5819d84c", + "name": "CVE-2024-51744", + "type": "SECURITY_VULNERABILITY", + "component": { + "uuid": "e8e7d995-e58a-4a02-b929-76a2963f088a", + "name": "github.com/golang-JWT/jwt-v3.2.2+incompatible", + "description": "", + "componentType": "Library", + "libraryType": "GO_PACKAGE", + "rootLibrary": "True", + "references": { + "url": "https://proxy.golang.org/github.com/golang-!j!w!t/jwt/@v/v3.2.2+incompatible.zip", + "homePage": "https://pkg.go.dev/github.com/golang-JWT/jwt@v3.2.2+incompatible", + "genericPackageIndex": "http://go-search.org/api?action=package&id=github.com%2Fgolang-JWT%2Fjwt" }, - 'groupId': 'github.com/golang-JWT/jwt', - 'artifactId': 'github.com/golang-JWT/jwt', - 'version': 'v3.2.2+incompatible', - 'path': '/source/go.mod', - 'dependencyType': 'Direct / Transitive' + "groupId": "github.com/golang-JWT/jwt", + "artifactId": "github.com/golang-JWT/jwt", + "version": "v3.2.2+incompatible", + "path": "/source/go.mod", + "dependencyType": "Direct / Transitive" }, - 'findingInfo': { - 
'status': 'ACTIVE', - 'comment': { }, - 'detectedAt': '2024-11-10T08:47:02Z', - 'modifiedAt': '2024-11-10T08:47:02Z' + "findingInfo": { + "status": "ACTIVE", + "comment": { }, + "detectedAt": "2024-11-10T08:47:02Z", + "modifiedAt": "2024-11-10T08:47:02Z" }, - 'project': { - 'uuid': '32bff718-28a2-463b-9c4f-7f66b286b34c', - 'name': 'project-name', - 'path': 'application-name', - 'applicationUuid': '8663102a-5f11-4139-9281-c4c72a6ea402' + "project": { + "uuid": "32bff718-28a2-463b-9c4f-7f66b286b34c", + "name": "project-name", + "path": "application-name", + "applicationUuid": "8663102a-5f11-4139-9281-c4c72a6ea402" }, - 'application': { - 'uuid': '8663102a-5f11-4139-9281-c4c72a6ea402', - 'name': 'application-name' + "application": { + "uuid": "8663102a-5f11-4139-9281-c4c72a6ea402", + "name": "application-name" }, - 'vulnerability': { - 'name': 'CVE-2024-51744', - 'type': 'CVSS_3', - 'description': 'golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they willignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. 
We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.', - 'score': 3.1, - 'severity': 'LOW', - 'publishDate': '2024-11-04T21:47:12Z', - 'modifiedDate': '2024-11-05T16:11:42Z', - 'vulnerabilityScoring': [ + "vulnerability": { + "name": "CVE-2024-51744", + "type": "CVSS_3", + "description": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they willignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in 'dangerous' situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. 
In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ('dangerous' ones first), so that you are not running in the case detailed above.", + "score": 3.1, + "severity": "LOW", + "publishDate": "2024-11-04T21:47:12Z", + "modifiedDate": "2024-11-05T16:11:42Z", + "vulnerabilityScoring": [ { - 'score': 3.1, - 'severity': 'LOW', - 'type': 'CVSS_3' + "score": 3.1, + "severity": "LOW", + "type": "CVSS_3" } ] }, - 'topFix': { - 'id': 135282, - 'vulnerability': 'CVE-2024-51744', - 'type': 'UPGRADE_VERSION', - 'origin': 'WHITESOURCE_EXPERT', - 'url': 'https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r', - 'fixResolution': 'github.com/golang-jwt/jwt-v4.5.1', - 'date': '2024-11-04T21:47:12Z', - 'message': 'Upgrade to version' + "topFix": { + "id": 135282, + "vulnerability": "CVE-2024-51744", + "type": "UPGRADE_VERSION", + "origin": "WHITESOURCE_EXPERT", + "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r", + "fixResolution": "github.com/golang-jwt/jwt-v4.5.1", + "date": "2024-11-04T21:47:12Z", + "message": "Upgrade to version" }, - 'effective': 'NO_SHIELD', - 'threatAssessment': { - 'exploitCodeMaturity': 'NOT_DEFINED', - 'epssPercentage': 0.0 + "effective": "NO_SHIELD", + "threatAssessment": { + "exploitCodeMaturity": "NOT_DEFINED", + "epssPercentage": 0.0 }, - 'exploitable': False, - 'scoreMetadataVector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N' + "exploitable": "False", + "scoreMetadataVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ] } \ No newline at end of file From 1e2cc67b45f00284cbbcfda568b37f2b976d3c73 Mon Sep 17 00:00:00 2001 
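Review bot: `"rootLibrary": "True"` and `"exploitable": "False"` are JSON strings in this fixture, while the five-findings fixture converted in the same commit encodes the same fields as the booleans `true`/`false`, and the Python-literal form being replaced had `True`/`False`; the two samples now disagree on the field type. Because the parser wraps `rootLibrary` in `str(...)`, a test driven by this file passes either way and would not notice a parser that expects a boolean. Change the two values to `true` and `false` so this fixture matches the other sample.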
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 08:53:45 -0800
Subject: [PATCH 22/57] Try to refactor to harden Mend parser instead of creating additional parser
---
 dojo/tools/mend/parser.py | 33 ++++
 dojo/tools/mend_sca_platform_api3/__init__.py | 0
 dojo/tools/mend_sca_platform_api3/parser.py | 169 ------------------
 .../mend-sca-platform-api3-five-findings.json | 0
 .../mend-sca-platform-api3-no-findings.json | 0
 .../mend-sca-platform-api3-one-finding.json | 0
 unittests/tools/test_mend_parser.py | 23 +++
 .../tools/test_mend_platform_api3_parser.py | 48 -----
 8 files changed, 56 insertions(+), 217 deletions(-)
 delete mode 100644 dojo/tools/mend_sca_platform_api3/__init__.py
 delete mode 100644 dojo/tools/mend_sca_platform_api3/parser.py
 rename unittests/scans/{mend_platform_api3 => mend}/mend-sca-platform-api3-five-findings.json (100%)
 rename unittests/scans/{mend_platform_api3 => mend}/mend-sca-platform-api3-no-findings.json (100%)
 rename unittests/scans/{mend_platform_api3 => mend}/mend-sca-platform-api3-one-finding.json (100%)
 delete mode 100644 unittests/tools/test_mend_platform_api3_parser.py
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 6bcc96f750..9a63e77023 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -35,6 +35,38 @@ def _build_common_output(node, lib_name=None): cve = None component_name = None component_version = None + if "component" in node: + node["project"].get("name", "") + description = ( + "**Vulnerability Description** : " + + node["vulnerability"].get("description", "") + + "\n\n" + + "**Component Name** : " + + node["component"].get("name", "") + + "\n\n" + + "**Component Type** : " + + node["component"].get("componentType", "") + + "\n\n" + + "**Root Library** : " + + str(node["component"].get("rootLibrary", "")) + + "\n\n" + + "**Library Type** : " + + node["component"].get("libraryType", "") + + "\n\n" + + "**Location Found** : " + + node["component"].get("path", "") + + "\n\n" + + "**Direct or Transitive Dependency** : " + + node["component"].get("dependencyType", "") + + "\n" + ) + lib_name = node["component"].get("name") + component_name = node["component"].get("artifactId") + component_version = node["component"].get("version") + impact = node["component"].get("dependencyType") + else: + description = node["vulnerability"].get("description", "") + if "library" in node: node.get("project") description = ( @@ -134,6 +166,7 @@ def _build_common_output(node, lib_name=None): dynamic_finding=True, cvssv3=cvss3_vector, cvssv3_score=float(cvss3_score) if cvss3_score is not None else None, + impact=impact, ) if cve: new_finding.unsaved_vulnerability_ids = [cve] diff --git a/dojo/tools/mend_sca_platform_api3/__init__.py b/dojo/tools/mend_sca_platform_api3/__init__.py deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/dojo/tools/mend_sca_platform_api3/parser.py b/dojo/tools/mend_sca_platform_api3/parser.py deleted file mode 100644 index 07f7f3bc68..0000000000 --- a/dojo/tools/mend_sca_platform_api3/parser.py +++ /dev/null 
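Review bot: `node["project"].get("name", "")` on the first added line of the `component` branch is an expression statement whose result is discarded, and the hard subscript raises KeyError for any Platform node that has no `project` key; either drop the line or, if the project name is actually needed, bind it via `project_name = node.get("project", {}).get("name")`. The same hunk binds `impact` only inside the `component` branch, yet the second hunk (`@@ -134,6 +166,7 @@`) passes `impact=impact` unconditionally, so a legacy node that takes the `library` path raises UnboundLocalError; initialise `impact = None` beside `component_name = None`. Both `node["vulnerability"]` subscripts here also assume every Platform node carries a `vulnerability` object, which the one-finding fixture does but the schema is not otherwise pinned. `_build_common_output` continues outside the hunk.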
@@ -1,169 +0,0 @@ -import hashlib -import json -import logging - -from dojo.models import Finding - -__author__ = "testaccount90009 aka SH" - -logger = logging.getLogger(__name__) - - -class MendPlatformApi3Parser: - def get_scan_types(self): - return ["Mend Platform APIv3 Scan"] - - def get_label_for_scan_types(self, scan_type): - return "Mend Platform APIv3 Scan" - - def get_description_for_scan_types(self, scan_type): - return "Import JSON report" - - def get_findings(self, file, test): - if file is None: - return [] - - data = file.read() - try: - content = json.loads(str(data, "utf-8")) - except Exception: - content = json.loads(data) - - def _build_common_output(node, lib_name=None): - # project only available in manual export - # name --> CVE in manual, library name in pipeline - cve = None - component_name = None - component_version = None - impact = None - - if "component" in node: - description = ( - "**Vulnerability Description** : " - + node["vulnerability"].get("description", "") - + "\n\n" - + "**Component Name** : " - + node["component"].get("name", "") - + "\n\n" - + "**Component Type** : " - + node["component"].get("componentType", "") - + "\n\n" - + "**Root Library** : " - + str(node["component"].get("rootLibrary", "")) - + "\n\n" - + "**Library Type** : " - + node["component"].get("libraryType", "") - + "\n\n" - + "**Location Found** : " - + node["component"].get("path", "") - + "\n\n" - + "**Direct or Transitive Dependency** : " - + node["component"].get("dependencyType", "") - + "\n" - ) - lib_name = node["component"].get("name") - component_name = node["component"].get("artifactId") - component_version = node["component"].get("version") - impact = node["component"].get("dependencyType") - else: - description = node["vulnerability"].get("description", "") - - cve = node.get("name") - if cve is None: - title = "CVE-None | " + lib_name - else: - title = cve + " | " + lib_name - - cvss_sev = node.get("vulnerability", {}).get("severity", 
"UNKNOWN").lower().capitalize() - - cvss3_score = node.get("vulnerability", {}).get("score", None) - cvss3_vector = node.get("scoreMetadataVector", None) - severity_justification = "CVSS v3 score: {} ({})".format( - cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A", - ) - - cwe = 1035 # default OWASP a9 until the report actually has them - - # Handling Mitigation (topFix) safely - mitigation = "N/A" - if "topFix" in node: - try: - topfix_node = node.get("topFix", {}) - mitigation = "**Resolution** ({}): {}\n".format( - topfix_node.get("date", "N/A"), - topfix_node.get("fixResolution", "N/A"), - ) - except Exception as ex: - logger.exception("Error handling topFix node: %s", ex) - - filepaths = [] - if "sourceFiles" in node: - try: - sourceFiles_node = node.get("sourceFiles", []) - for sfile in sourceFiles_node: - filepaths.append(sfile.get("localPath", "")) - except Exception as ex: - logger.exception("Error handling sourceFiles for vulnerability: %s", ex) - - locations = [] - if "locations" in node: - try: - locations_node = node.get("locations", []) - for location in locations_node: - path = location.get("path", "") - if path: - locations.append(path) - except Exception as ex: - logger.exception("Error handling locations for vulnerability: %s", ex) - - if locations: - filepaths = locations - else: - filepaths = filepaths - - new_finding = Finding( - title=title, - test=test, - description=description, - severity=cvss_sev, - cwe=cwe, - mitigation=mitigation, - file_path=", ".join(filepaths), - component_name=component_name, - component_version=component_version, - severity_justification=severity_justification, - dynamic_finding=True, - cvssv3=cvss3_vector, - cvssv3_score=float(cvss3_score) if cvss3_score is not None else None, - impact=impact, - ) - if cve: - new_finding.unsaved_vulnerability_ids = [cve] - - return new_finding - - findings = [] - if "libraries" in content: - tree_libs = content.get("libraries", 
[]) - for lib_node in tree_libs: - if "response" in lib_node and len(lib_node.get("response", [])) > 0: - for vuln in lib_node.get("response", []): - findings.append(_build_common_output(vuln, lib_node.get("name"))) - elif "response" in content: - tree_node = content.get("response", []) - for node in tree_node: - findings.append(_build_common_output(node)) - - def create_finding_key(f: Finding) -> str: - """Hashes the finding's description and title to retrieve a key for deduplication.""" - return hashlib.md5( - f.description.encode("utf-8") + f.title.encode("utf-8"), - ).hexdigest() - - dupes = {} - for finding in findings: - dupe_key = create_finding_key(finding) - if dupe_key not in dupes: - dupes[dupe_key] = finding - - return list(dupes.values()) diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json b/unittests/scans/mend/mend-sca-platform-api3-five-findings.json similarity index 100% rename from unittests/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json rename to unittests/scans/mend/mend-sca-platform-api3-five-findings.json diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json b/unittests/scans/mend/mend-sca-platform-api3-no-findings.json similarity index 100% rename from unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json rename to unittests/scans/mend/mend-sca-platform-api3-no-findings.json diff --git a/unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json b/unittests/scans/mend/mend-sca-platform-api3-one-finding.json similarity index 100% rename from unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json rename to unittests/scans/mend/mend-sca-platform-api3-one-finding.json diff --git a/unittests/tools/test_mend_parser.py b/unittests/tools/test_mend_parser.py index 1cd8cc11dd..7ac6eed6a5 100644 --- a/unittests/tools/test_mend_parser.py +++ b/unittests/tools/test_mend_parser.py 
@@ -43,3 +43,26 @@ def test_parse_file_with_one_sca_vuln_finding(self): self.assertEqual(1, len(findings)) finding = list(findings)[0] self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) + + def test_parse_file_with_no_vuln_has_no_findings_platform(self): + with open("unittests/scans/mend/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile: + parser = MendParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(0, len(findings)) + + def test_parse_file_with_one_vuln_has_one_findings_platform(self): + with open("unittests/scans/mend/mend-sca-platform-api3-one-finding.json", encoding="utf-8") as testfile: + parser = MendParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + finding = list(findings)[0] + self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) + self.assertEqual("CVE-2024-51744", finding.unsaved_vulnerability_ids[0]) + self.assertEqual("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", finding.cvssv3) + self.assertEqual(3.1, finding.cvssv3_score) + + def test_parse_file_with_multiple_vuln_has_multiple_finding_platform(self): + with open("unittests/scans/mend/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile: + parser = MendParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(5, len(findings)) diff --git a/unittests/tools/test_mend_platform_api3_parser.py b/unittests/tools/test_mend_platform_api3_parser.py deleted file mode 100644 index 50972dc4ae..0000000000 --- a/unittests/tools/test_mend_platform_api3_parser.py +++ /dev/null 
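Review bot: `test_parse_file_with_one_vuln_has_one_findings_platform` pins only the CVE and CVSS fields, so the new `component` branch of `_build_common_output` — `impact`, `component_name`, `component_version` and the Markdown description — is not covered by any assertion and a regression there would pass CI. Add assertions on `finding.impact`, `finding.component_name`, `finding.component_version` and `finding.title` against the values in the one-finding fixture. It would also be worth a short test with a Platform node that lacks `vulnerability` or `project`, since the parser subscripts both keys directly.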
@@ -1,48 +0,0 @@ -from dojo.models import Test -from dojo.tools.mend_sca_platform_api3.parser import MendPlatformApi3Parser -from unittests.dojo_test_case import DojoTestCase, get_unit_tests_path - - -class TestMendPlatformApi3Parser(DojoTestCase): - - def test_parse_file_with_no_vuln_has_no_findings(self): - with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile: - parser = MendPlatformApi3Parser() - findings = parser.get_findings(testfile, Test()) - self.assertEqual(0, len(findings)) - - def test_parse_file_with_one_vuln_has_one_findings(self): - with open("unittests/scans/mend_platform_api3/mend-sca-platform-api3-one-finding.json", encoding="utf-8") as testfile: - parser = MendPlatformApi3Parser() - findings = parser.get_findings(testfile, Test()) - self.assertEqual(1, len(findings)) - finding = list(findings)[0] - self.assertEqual(1, len(finding.unsaved_vulnerability_ids)) - self.assertEqual("CVE-2024-51744", finding.unsaved_vulnerability_ids[0]) - self.assertEqual("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", finding.cvssv3) - self.assertEqual(3.1, finding.cvssv3_score) - - def test_parse_file_with_multiple_vuln_has_multiple_finding(self): - with open( - get_unit_tests_path() + "/scans/mend_platform_api3/mend-sca-platform-api3-five-findings.json", encoding="utf-8", - ) as testfile: - parser = MendPlatformApi3Parser() - findings = parser.get_findings(testfile, Test()) - self.assertEqual(5, len(findings)) - -# The below context is TBD on if it is needed or not. 
-# def test_parse_file_with_multiple_vuln_cli_output(self): -# with open( -# get_unit_tests_path() + "/scans/mend_platform_api3/cli_generated_many_vulns.json", encoding="utf-8", -# ) as testfile: -# parser = mend_platform_api3Parser() -# findings = parser.get_findings(testfile, Test()) -# self.assertEqual(20, len(findings)) -# -# def test_parse_file_with_one_sca_vuln_finding(self): -# with open("unittests/scans/mend_platform_api3/mend_platform_api3_sca_vuln.json", encoding="utf-8") as testfile: -# parser = mend_platform_api3Parser() -# findings = parser.get_findings(testfile, Test()) -# self.assertEqual(1, len(findings)) -# finding = list(findings)[0] -# self.assertEqual("D:\\mend_platform_api3Repo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path) From bf8f9ced6c472fe3a7a9f9cfe1d19975fa0f233e Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 08:54:45 -0800 Subject: [PATCH 23/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 9a63e77023..4eb86c94d5 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -66,7 +66,7 @@ def _build_common_output(node, lib_name=None): impact = node["component"].get("dependencyType") else: description = node["vulnerability"].get("description", "") - + if "library" in node: node.get("project") description = ( From 64eaa500dd4ff6f8d54e68ba2360d38887da36ea Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 08:58:34 -0800 Subject: [PATCH 24/57] adding author update --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 4eb86c94d5..41ff40c637 100644 
--- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -4,7 +4,7 @@ from dojo.models import Finding -__author__ = "dr3dd589" +__author__ = "dr3dd589 + testaccount90009 aka SH" logger = logging.getLogger(__name__) From 5a9f27956b8a1a29fec249665fbd6b2763e00f09 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:17:00 -0800 Subject: [PATCH 25/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 41ff40c637..9fdca7e8b9 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -65,7 +65,7 @@ def _build_common_output(node, lib_name=None): component_version = node["component"].get("version") impact = node["component"].get("dependencyType") else: - description = node["vulnerability"].get("description", "") + description = node.get("description") if "library" in node: node.get("project") From 52776b1253957586331aee5a857f32e11801c6ed Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:29:33 -0800 Subject: [PATCH 26/57] Add elif for "component" in content for list of Findings "vulnerabilities" is replaced with "response" since it is an API 3.0 Platform call to retrieve a project SCA dependency vulns. Furthermore, "libraries" is replaced with "component" in the updated 3.0 Platform output --- dojo/tools/mend/parser.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 9fdca7e8b9..3c49e70988 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
@@ -196,6 +196,12 @@ def _build_common_output(node, lib_name=None): tree_node = content["vulnerabilities"] for node in tree_node: findings.append(_build_common_output(node)) + + elif "component" in content: + # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" + tree_node = content["response"] + for node in tree_node: + findings.append(_build_common_output(node)) def create_finding_key(f: Finding) -> str: """Hashes the finding's description and title to retrieve a key for deduplication.""" From b97c5da3cf54765d142e6eb62e33d7cda9068df9 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:30:06 -0800 Subject: [PATCH 27/57] Update parser.py --- dojo/tools/mend/parser.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 3c49e70988..73bab079f5 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -35,6 +35,7 @@ def _build_common_output(node, lib_name=None): cve = None component_name = None component_version = None + impact = None if "component" in node: node["project"].get("name", "") description = ( From 0acd9eeaefabae82f50b3c577c5ac5114b081b71 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:31:56 -0800 Subject: [PATCH 28/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 73bab079f5..8ef0a30892 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
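Review bot: The new branch tests `"component" in content` but then indexes `content["response"]`; on a Platform document the top-level key is `response` (see the one-finding fixture), so this branch is never entered for the data it is meant to handle, and a document that did carry a top-level `component` key would raise KeyError. The condition and the subscript should name the same key, e.g. `elif "response" in content:` with `tree_node = content.get("response", [])`. The added blank line before `elif` also carries trailing whitespace. `get_findings` continues outside the hunk.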
@@ -205,7 +205,7 @@ def _build_common_output(node, lib_name=None): findings.append(_build_common_output(node)) def create_finding_key(f: Finding) -> str: - """Hashes the finding's description and title to retrieve a key for deduplication.""" + # """Hashes the finding's description and title to retrieve a key for deduplication.""" return hashlib.md5( f.description.encode("utf-8") + f.title.encode("utf-8"), From 6451542dce5a7abfe486116f5497d9fe29455cf3 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:32:08 -0800 Subject: [PATCH 29/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 8ef0a30892..64f4ff1409 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -197,7 +197,7 @@ def _build_common_output(node, lib_name=None): tree_node = content["vulnerabilities"] for node in tree_node: findings.append(_build_common_output(node)) - + elif "component" in content: # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" tree_node = content["response"] From 132ec4d50e71d7309dd56542c1a6f6b092ae3922 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:55:34 -0800 Subject: [PATCH 30/57] Update parser.py --- dojo/tools/mend/parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 64f4ff1409..ffec45a1f8 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
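Review bot: Turning the docstring of `create_finding_key` into `# """Hashes the finding's description and title to retrieve a key for deduplication."""` leaves triple quotes inside a comment, which reads as an accidental edit, and it drops the function's `__doc__`. If the docstring was disabled to satisfy a lint rule on nested-function docstrings, replace it with a plain comment such as `# Hash description + title to build the deduplication key.`; otherwise restore the docstring as it was.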
@@ -200,8 +200,8 @@ def _build_common_output(node, lib_name=None): elif "component" in content: # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" - tree_node = content["response"] - for node in tree_node: + tree_node_platform = content["response"] + for node in tree_node_platform: findings.append(_build_common_output(node)) def create_finding_key(f: Finding) -> str: From 7b33df54d83b59c53d61e40073280aac35db5ae0 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 10:28:35 -0800 Subject: [PATCH 31/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index ffec45a1f8..478aa3b812 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -198,7 +198,7 @@ def _build_common_output(node, lib_name=None): for node in tree_node: findings.append(_build_common_output(node)) - elif "component" in content: + elif "response" in content: # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" tree_node_platform = content["response"] for node in tree_node_platform: From e52d08cbd792bbe9b76e3f0fc0cde53103735b44 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 10:45:52 -0800 Subject: [PATCH 32/57] Update parser.py --- dojo/tools/mend/parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 478aa3b812..781966e2d4 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
@@ -102,8 +102,8 @@ def _build_common_output(node, lib_name=None): # homogeneous behavior. if "cvss3_severity" in node: cvss_sev = node.get("cvss3_severity") - else: - cvss_sev = node.get("severity") + elif "vulnerability" in node: + cvss_sev = node["vulnerability"].get("severity") severity = cvss_sev.lower().capitalize() cvss3_score = node.get("cvss3_score", None) From 2272d46dfdbe7169eaca445589e9c2ff2350f315 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 10:46:49 -0800 Subject: [PATCH 33/57] preserve the original else statement for grabbing severity --- dojo/tools/mend/parser.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 781966e2d4..37d622cab2 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -104,6 +104,8 @@ def _build_common_output(node, lib_name=None): cvss_sev = node.get("cvss3_severity") elif "vulnerability" in node: cvss_sev = node["vulnerability"].get("severity") + else: + cvss_sev = node.get("severity") severity = cvss_sev.lower().capitalize() cvss3_score = node.get("cvss3_score", None) From 45e723ae41c4b1ed69bbc4bd1e7e77c3e081909b Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 11:09:42 -0800 Subject: [PATCH 34/57] update parser to capture component_node array --- dojo/tools/mend/parser.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 37d622cab2..5df122243b 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
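Review bot: `cvss_sev = node["vulnerability"].get("severity")` in the new `elif` branch has no default, and the unchanged `severity = cvss_sev.lower().capitalize()` two lines below raises AttributeError on None whenever a Platform node's `vulnerability` object omits `severity`. Give the lookup a fallback that the Finding model accepts, e.g. `cvss_sev = node["vulnerability"].get("severity") or FALLBACK_SEVERITY` (FALLBACK_SEVERITY is a placeholder for whichever default the project uses). The previous hunk (`@@ -102,8 +102,8 @@`) dropped the legacy `else`, which this hunk restores, so the three branches now cover every node but none of them guards against a None value.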
@@ -202,9 +202,17 @@ def _build_common_output(node, lib_name=None): elif "response" in content: # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" - tree_node_platform = content["response"] - for node in tree_node_platform: - findings.append(_build_common_output(node)) + tree_components = content.get("components") + for comp_node in tree_components: + # get component info here, before going into vulns + if ( + "response" in comp_node + and len(comp_node.get("response")) > 0 + ): + for vuln in comp_node.get("response"): + findings.append( + _build_common_output(vuln, comp_node.get("name")), + ) def create_finding_key(f: Finding) -> str: # """Hashes the finding's description and title to retrieve a key for deduplication.""" From 79d56b878c72f9ab270fba04130fc4701937255c Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 11:12:15 -0800 Subject: [PATCH 35/57] Update parser.py --- dojo/tools/mend/parser.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 5df122243b..022ffee864 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -200,7 +200,7 @@ def _build_common_output(node, lib_name=None): for node in tree_node: findings.append(_build_common_output(node)) - elif "response" in content: + elif "components" in content: # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component" tree_components = content.get("components") for comp_node in tree_components: 
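Review bot: The guard `"response" in comp_node and len(comp_node.get("response")) > 0` is redundant — iterating an empty list is already a no-op — and the parenthesised multi-line `if` makes the loop harder to read than `for vuln in comp_node.get("response") or []:`. `tree_components = content.get("components")` likewise has no default, so if the key is absent the `for` iterates None and raises TypeError; `content.get("components", [])` keeps the branch total. `comp_node.get("name")` may also be None, which the title concatenation in `_build_common_output` (outside this hunk) does not appear to tolerate.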
@@ -214,6 +214,11 @@ def _build_common_output(node, lib_name=None): _build_common_output(vuln, comp_node.get("name")), ) + elif "response" in content: + tree_node = content["response"] + for node in tree_node: + findings.append(_build_common_output(node)) + def create_finding_key(f: Finding) -> str: # """Hashes the finding's description and title to retrieve a key for deduplication.""" return hashlib.md5( From ee24c3626a9e67814d501a1db81fdd102aaba907 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 11:44:46 -0800 Subject: [PATCH 36/57] change how vulnerability description is retrieved --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 022ffee864..96c7d6f2b6 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -40,7 +40,7 @@ def _build_common_output(node, lib_name=None): node["project"].get("name", "") description = ( "**Vulnerability Description** : " - + node["vulnerability"].get("description", "") + + node.get("vulnerability", {}).get("description", "") + "\n\n" + "**Component Name** : " + node["component"].get("name", "") From 1b1b242ef2c72c5166ce84ab4c39d8486fa553ee Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 12:04:26 -0800 Subject: [PATCH 37/57] Update parser.py --- dojo/tools/mend/parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 96c7d6f2b6..55f692b12c 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py 
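Review bot: The restored `response` branch calls `_build_common_output(node)` without a `lib_name`, so for any node in that array that has no `component` object `lib_name` stays None and the title construction (`cve + " | " + lib_name`, outside this hunk, if unchanged from the earlier version of the file) raises TypeError. Either derive a name from the node before the call or make the title tolerant, e.g. `title = (cve or "CVE-None") + " | " + (lib_name or "unknown")`. The loop body also duplicates the `components` branch above it; a small helper taking the node list and an optional name would keep the two schemas in one place.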
@@ -37,10 +37,10 @@ def _build_common_output(node, lib_name=None): component_version = None impact = None if "component" in node: - node["project"].get("name", "") + node["project"].get("name") description = ( "**Vulnerability Description** : " - + node.get("vulnerability", {}).get("description", "") + + node["vulnerability"].get("description", "") + "\n\n" + "**Component Name** : " + node["component"].get("name", "") From b6617905c27cb93e4bfd8682befdca77ac36ac99 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 12:07:08 -0800 Subject: [PATCH 38/57] Update parser.py --- dojo/tools/mend/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index 55f692b12c..ca4f970ba1 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -66,7 +66,7 @@ def _build_common_output(node, lib_name=None): component_version = node["component"].get("version") impact = node["component"].get("dependencyType") else: - description = node.get("description") + description = node["vulnerability"].get("description") if "library" in node: node.get("project") From 2744a5f2946b10bad6965878ad1ae290c4479fa2 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 12:13:39 -0800 Subject: [PATCH 39/57] updating vuln count --- ...dings.json => mend-sca-platform-api3-eleven-findings.json} | 0 unittests/tools/test_mend_parser.py | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename unittests/scans/mend/{mend-sca-platform-api3-five-findings.json => mend-sca-platform-api3-eleven-findings.json} (100%) 
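Review bot: `description = node["vulnerability"].get("description")` in the `else` of `if "component" in node:` is the branch every legacy node takes, and unless legacy Unified Agent nodes also carry a `vulnerability` key this raises KeyError before the `if "library" in node:` logic below it ever runs. The `@@ -37,10 +37,10 @@` hunk of the previous patch likewise reverts the safe `node.get("vulnerability", {})` to a hard subscript. Use `node.get("vulnerability", {}).get("description")` in both places, and drop the bare `node["project"].get("name")` statement, whose value is still discarded.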
diff --git a/unittests/scans/mend/mend-sca-platform-api3-five-findings.json b/unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json similarity index 100% rename from unittests/scans/mend/mend-sca-platform-api3-five-findings.json rename to unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json diff --git a/unittests/tools/test_mend_parser.py b/unittests/tools/test_mend_parser.py index 7ac6eed6a5..cd544d503c 100644 --- a/unittests/tools/test_mend_parser.py +++ b/unittests/tools/test_mend_parser.py @@ -62,7 +62,7 @@ def test_parse_file_with_one_vuln_has_one_findings_platform(self): self.assertEqual(3.1, finding.cvssv3_score) def test_parse_file_with_multiple_vuln_has_multiple_finding_platform(self): - with open("unittests/scans/mend/mend-sca-platform-api3-five-findings.json", encoding="utf-8") as testfile: + with open("unittests/scans/mend/mend-sca-platform-api3-eleven-findings.json", encoding="utf-8") as testfile: parser = MendParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(5, len(findings)) + self.assertEqual(11, len(findings)) From b48a35623c0fcca9b1eb00de928afe7a6c32f235 Mon Sep 17 00:00:00 2001 From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:12:36 -0800 Subject: [PATCH 40/57] Update parser.py --- dojo/tools/mend/parser.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py index ca4f970ba1..edffefe700 100644 --- a/dojo/tools/mend/parser.py +++ b/dojo/tools/mend/parser.py @@ -36,6 +36,7 @@ def _build_common_output(node, lib_name=None): component_name = None component_version = None impact = None + description = "" if "component" in node: node["project"].get("name") description = ( 
@@ -215,6 +216,7 @@ def _build_common_output(node, lib_name=None):
)
elif "response" in content:
+ # New schema: handle response array
tree_node = content["response"]
for node in tree_node:
findings.append(_build_common_output(node))
From 9313c2f8e9628420cdc09d67678b3ca26fe81a2e Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 14:43:50 -0800
Subject: [PATCH 41/57] Update parser.py
---
dojo/tools/mend/parser.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index edffefe700..ffece04cac 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -36,7 +36,7 @@ def _build_common_output(node, lib_name=None):
component_name = None
component_version = None
impact = None
- description = ""
+ description = "No Description Available"
if "component" in node:
node["project"].get("name")
description = (
@@ -67,7 +67,7 @@ def _build_common_output(node, lib_name=None):
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
else:
- description = node["vulnerability"].get("description")
+ description = node["vulnerability"].get("description", "Unknown")
if "library" in node:
node.get("project")
@@ -92,7 +92,7 @@ def _build_common_output(node, lib_name=None):
component_name = node["library"].get("artifactId")
component_version = node["library"].get("version")
else:
- description = node.get("description")
+ description = node.get("description", "Unknown")
cve = node.get("name")
if cve is None:
From 9313a863bf4bbf8ada701bb7c294115f93534fa3 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 14:51:28 -0800
Subject: [PATCH 42/57] Update parser.py
---
dojo/tools/mend/parser.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
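Review bot: The `"Unknown"` default added to `.get("description", ...)` in the `else` branch cannot cover the case that branch is most likely to meet — a record with no `vulnerability` key — because `node["vulnerability"]` raises KeyError before `.get` ever runs; `description = node.get("vulnerability", {}).get("description", "Unknown")` is what makes the default reachable. The three hunks of this patch also introduce two different placeholders, `"No Description Available"` and `"Unknown"`, for the same missing field; a single module-level constant keeps the dedup key and any downstream search on the description predictable. The function body continues outside the hunk.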
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index ffece04cac..5db347ad0c 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -218,8 +218,9 @@ def _build_common_output(node, lib_name=None):
elif "response" in content:
# New schema: handle response array
tree_node = content["response"]
- for node in tree_node:
- findings.append(_build_common_output(node))
+ if tree_node:
+ for node in tree_node:
+ findings.append(_build_common_output(node))
def create_finding_key(f: Finding) -> str:
# """Hashes the finding's description and title to retrieve a key for deduplication."""
From f1370195a480532153a7cb6a902a88635e0eb214 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:14:32 -0800
Subject: [PATCH 43/57] Update parser.py
---
dojo/tools/mend/parser.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 5db347ad0c..d9d3fc7e72 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -41,7 +41,7 @@ def _build_common_output(node, lib_name=None):
node["project"].get("name")
description = (
"**Vulnerability Description** : "
- + node["vulnerability"].get("description", "")
+ + node["vulnerability"].get("description", "No Description Available")
+ "\n\n"
+ "**Component Name** : "
+ node["component"].get("name", "")
@@ -224,8 +224,9 @@ def _build_common_output(node, lib_name=None):
def create_finding_key(f: Finding) -> str:
# """Hashes the finding's description and title to retrieve a key for deduplication."""
+ description = f.description if f.description else ""
return hashlib.md5(
- f.description.encode("utf-8")
+ description.encode("utf-8")
+ f.title.encode("utf-8"),
).hexdigest()
From c9477f9a9de56f89c3ba8bd6f06f2cbce325b6f1 Mon Sep 17 00:00:00 2001
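Review bot: `if tree_node:` only guards against `response` being `null` or empty; should the API ever return `response` as an object rather than an array, `for node in tree_node` iterates its keys and each string reaches `_build_common_output`, where `"component" in node` silently becomes a substring test instead of a key lookup. A shape check fails loudly on report input that does not match the schema: `if not isinstance(tree_node, list): raise ValueError("Mend 'response' is not a list")`. Whether a non-list `response` can occur is not visible from the hunk, so treat this as defensive handling of an untrusted upload. The enclosing `get_findings` starts outside the hunk.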
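Review bot: `create_finding_key` keeps calling `hashlib.md5(...)` without `usedforsecurity=False`; the key is only a dedup handle, but on FIPS-mode hosts plain `md5()` raises and scanners (Bandit B324 / Ruff S324) flag it, so `hashlib.md5(..., usedforsecurity=False)` (Python 3.9+) or `hashlib.sha256` is the right call. Description and title are also concatenated with no separator, so `("ab", "c")` and `("a", "bc")` hash identically and the second finding is silently dropped as a duplicate; hashing `f"{description}\x00{f.title}".encode("utf-8")` removes that ambiguity. The commented-out docstring (`# """..."""`) should become a real one. `create_finding_key` is a nested helper whose enclosing `get_findings` lies outside the hunk.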
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:21:10 -0800
Subject: [PATCH 44/57] Update parser.py
---
dojo/tools/mend/parser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index d9d3fc7e72..383eadb46f 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -67,7 +67,7 @@ def _build_common_output(node, lib_name=None):
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
else:
- description = node["vulnerability"].get("description", "Unknown")
+ description = node.get("vulnerability", {}).get("description", "Unknown")
if "library" in node:
node.get("project")
From 503b7a112304dd0c1c6182ea9623db46cc06955e Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:21:50 -0800
Subject: [PATCH 45/57] Update parser.py
---
dojo/tools/mend/parser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 383eadb46f..9d1cfb4eaf 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -224,7 +224,7 @@ def _build_common_output(node, lib_name=None):
def create_finding_key(f: Finding) -> str:
# """Hashes the finding's description and title to retrieve a key for deduplication."""
- description = f.description if f.description else ""
+ description = f.description or f.description else ""
return hashlib.md5(
description.encode("utf-8")
+ f.title.encode("utf-8"),
From f489b0ebba0ff07b13713fcee6a8e3879b1e3951 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:27:51 -0800
Subject: [PATCH 46/57] Update parser.py
---
dojo/tools/mend/parser.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
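Review bot: The tolerant `node.get("vulnerability", {})` lookup is applied only to the `else` branch; the `component` branch above this hunk still indexes `node["vulnerability"]` directly (per the earlier patches in this series), so a component record without that object still aborts the whole import — apply the same `.get(..., {})` there, or validate the presence of `vulnerability` once at the top of the branch and skip the record with a logged warning. The `node.get("project")` context line below is a statement whose result is discarded and can simply go. The enclosing function continues outside the hunk.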
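Review bot: `description = f.description or f.description else ""` is not valid Python — there is no `or ... else` form — so this revision raises SyntaxError on import and the whole module, not just the parser, stops loading. The intent reads as `description = f.description or ""`, which covers both `None` and the empty string in one expression. Running `python -m py_compile dojo/tools/mend/parser.py` or the parser tests before pushing would catch this class of slip. `create_finding_key` is nested inside `get_findings`, which lies outside the hunk.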
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 9d1cfb4eaf..74c5a7a997 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -66,6 +66,7 @@ def _build_common_output(node, lib_name=None):
component_name = node["component"].get("artifactId")
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
+ cvss3_score = node["vulnerability"].get("score", None)
else:
description = node.get("vulnerability", {}).get("description", "Unknown")
@@ -91,6 +92,7 @@ def _build_common_output(node, lib_name=None):
lib_name = node["library"].get("filename")
component_name = node["library"].get("artifactId")
component_version = node["library"].get("version")
+ cvss3_score = node.get("cvss3_score", None)
else:
description = node.get("description", "Unknown")
@@ -109,7 +111,7 @@ def _build_common_output(node, lib_name=None):
cvss_sev = node.get("severity")
severity = cvss_sev.lower().capitalize()
- cvss3_score = node.get("cvss3_score", None)
+ cvss3_vector = node.get("scoreMetadataVector", None)
severity_justification = "CVSS v3 score: {} ({})".format(
cvss3_score if cvss3_score is not None else "N/A",
cvss3_vector if cvss3_vector is not None else "N/A",
@@ -224,7 +226,7 @@ def _build_common_output(node, lib_name=None):
def create_finding_key(f: Finding) -> str:
# """Hashes the finding's description and title to retrieve a key for deduplication."""
- description = f.description or f.description else ""
+ description = f.description if f.description else ""
return hashlib.md5(
description.encode("utf-8")
+ f.title.encode("utf-8"),
From 6538d8a45b076d5dd435916a2749066848a5595e Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:29:14 -0800
Subject: [PATCH 47/57] Update parser.py
---
dojo/tools/mend/parser.py | 1 -
1 file changed, 1 deletion(-)
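Review bot: Removing the unconditional `cvss3_score = node.get("cvss3_score", None)` here and assigning it only in the `component` and `library` branches above leaves the final `else` branch (records with neither key) with no assignment, so the `severity_justification` format two lines down raises UnboundLocalError for such records; initialise `cvss3_score = None` next to the other defaults at the top of `_build_common_output`. The added `cvss3_vector = node.get("scoreMetadataVector", None)` looks like it duplicates an assignment that already exists, since the context lines consume the name without this hunk introducing it — worth checking. Separately, `severity = cvss_sev.lower().capitalize()` fails with AttributeError when the record has no `severity`; `cvss_sev = node.get("severity") or "Info"` (or rejecting the record) is needed before this becomes user-upload input. The function continues outside the hunk.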
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 74c5a7a997..0dd7af5d41 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -111,7 +111,6 @@ def _build_common_output(node, lib_name=None):
cvss_sev = node.get("severity")
severity = cvss_sev.lower().capitalize()
- cvss3_vector = node.get("scoreMetadataVector", None)
severity_justification = "CVSS v3 score: {} ({})".format(
cvss3_score if cvss3_score is not None else "N/A",
cvss3_vector if cvss3_vector is not None else "N/A",
From d4f162f7d3a8bae683c926af32cd9c1c8b0bcbfa Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 15:29:58 -0800
Subject: [PATCH 48/57] Update parser.py
---
dojo/tools/mend/parser.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 0dd7af5d41..ec247f66c6 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -225,9 +225,8 @@ def _build_common_output(node, lib_name=None):
def create_finding_key(f: Finding) -> str:
# """Hashes the finding's description and title to retrieve a key for deduplication."""
- description = f.description if f.description else ""
return hashlib.md5(
- description.encode("utf-8")
+ f.description.encode("utf-8")
+ f.title.encode("utf-8"),
).hexdigest()
From 29e8dd7566b5caff14f30e5974a45033b89c2e4f Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Thu, 14 Nov 2024 16:04:41 -0800
Subject: [PATCH 49/57] Update parser.py
---
dojo/tools/mend/parser.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index ec247f66c6..03a776654f 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -37,6 +37,7 @@ def _build_common_output(node, lib_name=None):
component_version = None
impact = None
description = "No Description Available"
+ cvss3_score = None
if "component" in node:
node["project"].get("name")
description = (
From b7c9d3d4ea7382b2d49c9a903acb8cf08cc01032 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 08:19:20 -0800
Subject: [PATCH 50/57] Update parser.py
---
dojo/tools/mend/parser.py | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 03a776654f..fe8e44fe8c 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -39,7 +39,6 @@ def _build_common_output(node, lib_name=None):
description = "No Description Available"
cvss3_score = None
if "component" in node:
- node["project"].get("name")
description = (
"**Vulnerability Description** : "
+ node["vulnerability"].get("description", "No Description Available")
@@ -68,10 +67,8 @@ def _build_common_output(node, lib_name=None):
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
cvss3_score = node["vulnerability"].get("score", None)
- else:
- description = node.get("vulnerability", {}).get("description", "Unknown")
- if "library" in node:
+ elif "library" in node:
node.get("project")
description = (
"**Description** : "
From a705a5b1521032389f2592d7aa2ace6994b8b7e2 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 14:59:07 -0800
Subject: [PATCH 51/57] Fix spacing and formatting for easier readability
---
dojo/tools/mend/parser.py | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index fe8e44fe8c..d7674ffad7 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
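Review bot: With the `else` collapsed into `elif "library" in node:`, the `node.get("project")` line that opens the library branch is the same discarded-result no-op that the first hunk of this patch just deleted from the component branch; remove it too, or bind it if the project name is meant to reach the finding. The restructuring itself is sound: a record with neither `component` nor `library` still falls through to the later `else: description = node.get("description", "Unknown")` branch visible in the earlier patches. The function continues outside the hunk.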
@@ -40,25 +40,25 @@ def _build_common_output(node, lib_name=None):
cvss3_score = None
if "component" in node:
description = (
- "**Vulnerability Description** : "
+ "**Vulnerability Description**: "
+ node["vulnerability"].get("description", "No Description Available")
+ "\n\n"
- + "**Component Name** : "
+ + "**Component Name**: "
+ node["component"].get("name", "")
- + "\n\n"
- + "**Component Type** : "
+ + "\n"
+ + "**Component Type**: "
+ node["component"].get("componentType", "")
- + "\n\n"
+ + "\n"
+ "**Root Library** : "
+ str(node["component"].get("rootLibrary", ""))
- + "\n\n"
- + "**Library Type** : "
+ + "\n"
+ + "**Library Type**: "
+ node["component"].get("libraryType", "")
- + "\n\n"
- + "**Location Found** : "
+ + "\n"
+ + "**Location Found**: "
+ node["component"].get("path", "")
- + "\n\n"
- + "**Direct or Transitive Dependency** : "
+ + "\n"
+ + "**Direct or Transitive Dependency**: "
+ node["component"].get("dependencyType", "")
+ "\n"
)
From a6c2db368cf0216ecafd13e3a3cc663cb341352f Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:14:18 -0800
Subject: [PATCH 52/57] Rework Mitigation field - slight adjustment in formatting and edited for readability
---
dojo/tools/mend/parser.py | 46 ++++++++++++++++++++++++++++++---------
1 file changed, 36 insertions(+), 10 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index d7674ffad7..5923c0189e 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -38,6 +38,7 @@ def _build_common_output(node, lib_name=None):
impact = None
description = "No Description Available"
cvss3_score = None
+ migiation = "N/A"
if "component" in node:
description = (
"**Vulnerability Description**: "
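Review bot: Every `node["component"].get(key, "")` in this description builder is joined with `+`, and a `.get` default applies only when the key is absent — an explicit JSON `null` returns `None` and the concatenation raises TypeError, failing the whole import on one bad record; only `rootLibrary` is wrapped in `str()`. Normalising once, e.g. `comp = {k: "" if v is None else str(v) for k, v in node["component"].items()}` and reading every field from `comp`, or writing `(node["component"].get(key) or "")` per field, keeps a single odd record from sinking the report. The `**Root Library** : ` label also keeps the pre-colon space the rest of this hunk removes. The function continues outside the hunk.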
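Review bot: The new default is assigned to `migiation`, not `mitigation`; as this same patch comments out the later `mitigation = "N/A"` fallback, a record without `topFix` is never assigned `mitigation` and the first later read of it fails with UnboundLocalError. The line should read `mitigation = "N/A"`. A fixture record without a `topFix` block would have caught this, and is worth adding since most real reports contain at least one unfixed finding. The function continues outside the hunk.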
@@ -67,6 +68,21 @@ def _build_common_output(node, lib_name=None):
component_version = node["component"].get("version")
impact = node["component"].get("dependencyType")
cvss3_score = node["vulnerability"].get("score", None)
+ if "topFix" in node:
+ try:
+ topfix_node = node.get("topFix")
+ mitigation = (
+ "**Resolution**: "
+ + "\n"
+ + topfix_node.get("date"),
+ + "\n"
+ + topfix_node.get("message"),
+ + "\n"
+ + topfix_node.get("fixResolution"),
+ + "\n"
+ )
+ except Exception:
+ logger.exception("Error handling topFix node.")
elif "library" in node:
node.get("project")
@@ -91,6 +107,15 @@ def _build_common_output(node, lib_name=None):
component_name = node["library"].get("artifactId")
component_version = node["library"].get("version")
cvss3_score = node.get("cvss3_score", None)
+ if "topFix" in node:
+ try:
+ topfix_node = node.get("topFix")
+ mitigation = "**Resolution** ({}): {}\n".format(
+ topfix_node.get("date"),
+ topfix_node.get("fixResolution"),
+ )
+ except Exception:
+ logger.exception("Error handling topFix node.")
else:
description = node.get("description", "Unknown")
@@ -115,16 +140,17 @@ def _build_common_output(node, lib_name=None):
)
cwe = 1035 # default OWASP a9 until the report actually has them
- mitigation = "N/A"
- if "topFix" in node:
- try:
- topfix_node = node.get("topFix")
- mitigation = "**Resolution** ({}): {}\n".format(
- topfix_node.get("date"),
- topfix_node.get("fixResolution"),
- )
- except Exception:
- logger.exception("Error handling topFix node.")
+ # comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
+ # mitigation = "N/A"
+ # if "topFix" in node:
+ # try:
+ # topfix_node = node.get("topFix")
+ # mitigation = "**Resolution** ({}): {}\n".format(
+ # topfix_node.get("date"),
+ # topfix_node.get("fixResolution"),
+ # )
+ # except Exception:
+ # logger.exception("Error handling topFix node.")
filepaths = []
if "sourceFiles" in node:
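Review bot: The trailing commas after `topfix_node.get("date")`, `.get("message")` and `.get("fixResolution")` make the parenthesised expression a tuple, and each following `+ "\n"` is then parsed as unary plus on a `str`, which raises TypeError; the broad `except Exception` catches it, logs a traceback for every record and leaves `mitigation` at its default, so the new field silently never populates. Drop the commas, and prefer a form that also tolerates missing or `null` values: `mitigation = "**Resolution**: \n" + "\n".join(str(topfix_node.get(k) or "") for k in ("date", "message", "fixResolution")) + "\n"`. An `except Exception` around pure dict and string work hides exactly this kind of bug — narrow it to `(TypeError, AttributeError)` or let it surface. The function continues outside the hunk.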
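Review bot: Eleven lines of commented-out code are left behind with a note that they are being reworked; the replacement already lives in the two branches above in this same patch and git history keeps the old version, so the block should be deleted rather than parked — commented-out code tends to get carried along through later formatting passes. If the intent is to keep a fallback for records that have `topFix` but neither `component` nor `library`, write that as live code in the final `else` branch. The function continues outside the hunk.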
From 9e8f5402c4d576a642c261e438f9e3c47795139a Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:19:11 -0800
Subject: [PATCH 53/57] Fix comma and indents
---
dojo/tools/mend/parser.py | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 5923c0189e..e70c37f545 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -74,11 +74,11 @@ def _build_common_output(node, lib_name=None):
mitigation = (
"**Resolution**: "
+ "\n"
- + topfix_node.get("date"),
+ + topfix_node.get("date", ""),
+ "\n"
- + topfix_node.get("message"),
+ + topfix_node.get("message", ""),
+ "\n"
- + topfix_node.get("fixResolution"),
+ + topfix_node.get("fixResolution", ""),
+ "\n"
)
except Exception:
@@ -140,17 +140,17 @@ def _build_common_output(node, lib_name=None):
)
cwe = 1035 # default OWASP a9 until the report actually has them
- # comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
- # mitigation = "N/A"
- # if "topFix" in node:
- # try:
- # topfix_node = node.get("topFix")
- # mitigation = "**Resolution** ({}): {}\n".format(
- # topfix_node.get("date"),
- # topfix_node.get("fixResolution"),
- # )
- # except Exception:
- # logger.exception("Error handling topFix node.")
+ # comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
+ # mitigation = "N/A"
+ # if "topFix" in node:
+ # try:
+ # topfix_node = node.get("topFix")
+ # mitigation = "**Resolution** ({}): {}\n".format(
+ # topfix_node.get("date"),
+ # topfix_node.get("fixResolution"),
+ # )
+ # except Exception:
+ # logger.exception("Error handling topFix node.")
filepaths = []
if "sourceFiles" in node:
From aeabdd407c442f6aa07059d5555baca03b786ce8 Mon Sep 17 00:00:00 2001
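Review bot: Adding `""` defaults does not repair the expression: the trailing commas remain, so `(... + topfix_node.get("date", ""), + "\n" ...)` is still a tuple whose `+ "\n"` elements are unary plus on a string and raise TypeError inside the `try`; the `except Exception` logs it and leaves `mitigation` as `"N/A"`, so the tests keep passing while the field is never set. Remove the three commas, and add an assertion such as `self.assertIn("**Resolution**", finding.mitigation)` on a fixture record that carries `topFix`, so a silent failure in this block is caught by CI. The function continues outside the hunk.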
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:20:55 -0800
Subject: [PATCH 54/57] Fix typo
---
dojo/tools/mend/parser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index e70c37f545..e5ecb8c766 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -38,7 +38,7 @@ def _build_common_output(node, lib_name=None):
impact = None
description = "No Description Available"
cvss3_score = None
- migiation = "N/A"
+ mitigation = "N/A"
if "component" in node:
description = (
"**Vulnerability Description**: "
From 620216222e9d1240379223726b230c83640b882e Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:23:21 -0800
Subject: [PATCH 55/57] fix commas
---
dojo/tools/mend/parser.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index e5ecb8c766..41cfa5ae8a 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -74,11 +74,11 @@ def _build_common_output(node, lib_name=None):
mitigation = (
"**Resolution**: "
+ "\n"
- + topfix_node.get("date", ""),
+ + topfix_node.get("date", "")
+ "\n"
- + topfix_node.get("message", ""),
+ + topfix_node.get("message", "")
+ "\n"
- + topfix_node.get("fixResolution", ""),
+ + topfix_node.get("fixResolution", "")
+ "\n"
)
except Exception:
From d221e3c4e37f05f48e40f32e3ce1b3d9e2dd164e Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:37:01 -0800
Subject: [PATCH 56/57] fix spacing
---
dojo/tools/mend/parser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index 41cfa5ae8a..de00e60b87 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
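Review bot: With the commas gone the concatenation is valid, but `topfix_node.get("date", "")` still yields `None` when the API emits an explicit `null`, and `str + None` raises a TypeError that the surrounding `except Exception` swallows into `mitigation = "N/A"` with a traceback logged for every affected finding. Use `(topfix_node.get("date") or "")` — and likewise for `message` and `fixResolution` — or wrap each value in `str(...)`, so a partially filled `topFix` still produces a mitigation instead of noise in the log. The function continues outside the hunk.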
@@ -50,7 +50,7 @@ def _build_common_output(node, lib_name=None):
+ "**Component Type**: "
+ node["component"].get("componentType", "")
+ "\n"
- + "**Root Library** : "
+ + "**Root Library**: "
+ str(node["component"].get("rootLibrary", ""))
+ "\n"
+ "**Library Type**: "
From a4b14f3fcae0121bba7e38b36fe52769df546f24 Mon Sep 17 00:00:00 2001
From: testaccount90009 <122134756+testaccount90009@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:38:11 -0800
Subject: [PATCH 57/57] fix spacing for readability
---
dojo/tools/mend/parser.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/dojo/tools/mend/parser.py b/dojo/tools/mend/parser.py
index de00e60b87..bf9095e959 100644
--- a/dojo/tools/mend/parser.py
+++ b/dojo/tools/mend/parser.py
@@ -73,7 +73,6 @@ def _build_common_output(node, lib_name=None):
topfix_node = node.get("topFix")
mitigation = (
"**Resolution**: "
- + "\n"
+ topfix_node.get("date", "")
+ "\n"
+ topfix_node.get("message", "")