From 54cd074cc87ae9add9af8aed495c37dd763bce87 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Fri, 9 Aug 2024 09:34:48 +0200
Subject: [PATCH 1/5] fix aqua parser #10585

---
 dojo/tools/aqua/parser.py | 32 ++++++++++++++++++++++++++++-
 unittests/tools/test_aqua_parser.py | 2 +-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
index 3758b84cbdb..470a41a4d1e 100644
--- a/dojo/tools/aqua/parser.py
+++ b/dojo/tools/aqua/parser.py
@@ -38,13 +38,19 @@ def vulnerability_tree(self, vulnerabilitytree, test):
 for node in vulnerabilitytree:
 resource = node.get("resource")
 vulnerabilities = node.get("vulnerabilities", [])
+ sensitive_items = resource.get("sensitive_items", [])
 if vulnerabilities is None:
 vulnerabilities = []
 for vuln in vulnerabilities:
 item = get_item(resource, vuln, test)
 unique_key = resource.get("cpe") + vuln.get("name", "None") + resource.get("path", "None")
 self.items[unique_key] = item
-
+ if sensitive_items is None:
+ sensitive_items = []
+ for sensitive_item in sensitive_items:
+ item = get_item_sensitive_data(resource, sensitive_item, test)
+ unique_key = resource.get("cpe") + resource.get("path", "None") + str(sensitive_item)
+ self.items[unique_key] = item

 def get_item(resource, vuln, test):
 resource_name = resource.get("name", resource.get("path"))
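Review bot: The new `unique_key = resource.get("cpe") + resource.get("path", "None") + str(sensitive_item)` line raises TypeError whenever the resource carries no `cpe`, because `resource.get("cpe")` returns None and `None + str` is undefined, so a single such node aborts the whole import instead of skipping one finding. The existing vulnerability loop has the same pattern, but sensitive items appear to be file resources (a later patch pins a `server.key` title), so a missing `cpe` seems more plausible here — worth confirming against the sample report. Consider `unique_key = (resource.get("cpe") or "None") + resource.get("path", "None") + str(sensitive_item)`. The `str(sensitive_item)` here and the bare `"..." + sensitive_item` concatenation in get_item_sensitive_data disagree about the item's type; pick one. vulnerability_tree's signature is outside the hunk.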
@@ -160,6 +166,30 @@ def get_item_v2(item, test):

 return finding

+def get_item_sensitive_data(resource, sensitive_item, test):
+ resource_name = resource.get("name", "None")
+ resource_path = resource.get("path", "None")
+ vulnerability_id = resource_name
+ description = "**Senstive Item:** " +sensitive_item + "\n"
+ description+= "**Layer:** " + resource.get("layer", "None") + "\n"
+ description+= "**Layer_DIgest:** " + resource.get("layer_digest", "None") + "\n"
+
+ finding = Finding(
+ title=vulnerability_id
+ + " - "
+ + resource_name
+ + " ("
+ + resource_path
+ + ") ",
+ test=test,
+ severity="Info",
+ description=description.strip(),
+ component_name=resource.get("name"),
+ )
+ if vulnerability_id != "No CVE":
+ finding.unsaved_vulnerability_ids = [vulnerability_id]
+
+ return finding

 def aqua_severity_of(score):
 if score == "high":
diff --git a/unittests/tools/test_aqua_parser.py b/unittests/tools/test_aqua_parser.py
index 3c653667d2e..60108cd06cb 100644
--- a/unittests/tools/test_aqua_parser.py
+++ b/unittests/tools/test_aqua_parser.py
@@ -102,7 +102,7 @@ def test_aqua_parser_aqua_devops_issue_10611(self):
 with open("unittests/scans/aqua/aqua_devops_issue_10611.json") as testfile:
 parser = AquaParser()
 findings = parser.get_findings(testfile, Test())
- self.assertEqual(98, len(findings))
+ self.assertEqual(101, len(findings))

 def test_aqua_parser_aqua_devops_empty(self):
 with open("unittests/scans/aqua/empty_aquadevops.json") as testfile:
From 71be81e829bd501571181de1a7d55094cb092f24 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Fri, 9 Aug 2024 09:47:29 +0200
Subject: [PATCH 2/5] unittest and ruff

---
 dojo/tools/aqua/parser.py | 6 +++---
 unittests/tools/test_aqua_parser.py | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
index 470a41a4d1e..f018bd7a779 100644
--- a/dojo/tools/aqua/parser.py
+++ b/dojo/tools/aqua/parser.py
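Review bot: `vulnerability_id = resource_name` followed by `if vulnerability_id != "No CVE": finding.unsaved_vulnerability_ids = [vulnerability_id]` records the resource name (a file name such as `server.key`, per the title pinned in a later patch) as a vulnerability identifier on every sensitive-item finding; the guard can never be false for a resource name, so no case yields a real CVE or advisory id. Drop the `vulnerability_id` assignment and the `unsaved_vulnerability_ids` block and build the title from `resource_name` alone — as written the title repeats the same value twice (`server.key - server.key (...)`). `severity="Info"` is hard-coded; if the Aqua payload carries no severity for sensitive items, a comment such as `# Aqua reports no severity for sensitive items; Info until a mapping exists` would stop the next reader from assuming a leaked key file was triaged as informational on purpose — I cannot tell from the hunk whether such a field exists.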
@@ -170,9 +170,9 @@ def get_item_sensitive_data(resource, sensitive_item, test):
 resource_name = resource.get("name", "None")
 resource_path = resource.get("path", "None")
 vulnerability_id = resource_name
- description = "**Senstive Item:** " +sensitive_item + "\n"
- description+= "**Layer:** " + resource.get("layer", "None") + "\n"
- description+= "**Layer_DIgest:** " + resource.get("layer_digest", "None") + "\n"
+ description = "**Senstive Item:** " + sensitive_item + "\n"
+ description += "**Layer:** " + resource.get("layer", "None") + "\n"
+ description += "**Layer_Digest:** " + resource.get("layer_digest", "None") + "\n"

 finding = Finding(
 title=vulnerability_id
diff --git a/unittests/tools/test_aqua_parser.py b/unittests/tools/test_aqua_parser.py
index 60108cd06cb..9b2279cfa75 100644
--- a/unittests/tools/test_aqua_parser.py
+++ b/unittests/tools/test_aqua_parser.py
@@ -103,6 +103,7 @@ def test_aqua_parser_aqua_devops_issue_10611(self):
 parser = AquaParser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(101, len(findings))
+ self.assertEqual("server.key - server.key (/juice-shop/node_modules/node-gyp/test/fixtures/server.key) ", findings[83].title)

 def test_aqua_parser_aqua_devops_empty(self):
 with open("unittests/scans/aqua/empty_aquadevops.json") as testfile:
From 0e5506e59fc3450211be66f40422fb3f06e06103 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Fri, 9 Aug 2024 09:52:00 +0200
Subject: [PATCH 3/5] more ruff

---
 dojo/tools/aqua/parser.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
index f018bd7a779..357bf2b3f66 100644
--- a/dojo/tools/aqua/parser.py
+++ b/dojo/tools/aqua/parser.py
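Review bot: The rewritten `description = "**Senstive Item:** " + sensitive_item + "\n"` keeps the `Senstive` misspelling while the `Layer_DIgest` typo two lines down is corrected in the same hunk; this string lands in the finding description shown to users, so it should read `description = "**Sensitive Item:** " + sensitive_item + "\n"`. The same line appears as context in the PATCH 4/5 hunk below, so that patch needs regenerating if it is fixed here. get_item_sensitive_data's signature is outside the hunk.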
@@ -52,6 +52,7 @@ def vulnerability_tree(self, vulnerabilitytree, test):
 unique_key = resource.get("cpe") + resource.get("path", "None") + str(sensitive_item)
 self.items[unique_key] = item

+
 def get_item(resource, vuln, test):
 resource_name = resource.get("name", resource.get("path"))
 resource_version = resource.get("version", "No version")
@@ -166,6 +167,7 @@ def get_item_v2(item, test):

 return finding

+
 def get_item_sensitive_data(resource, sensitive_item, test):
 resource_name = resource.get("name", "None")
 resource_path = resource.get("path", "None")
@@ -191,6 +193,7 @@ def get_item_sensitive_data(resource, sensitive_item, test):

 return finding

+
 def aqua_severity_of(score):
 if score == "high":
 return "High"
From 98a33e4f5bf9c98d640605432a905046b5e0a61d Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Fri, 9 Aug 2024 18:24:50 +0200
Subject: [PATCH 4/5] fix according to review

---
 dojo/tools/aqua/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
index 357bf2b3f66..9659ee6dee2 100644
--- a/dojo/tools/aqua/parser.py
+++ b/dojo/tools/aqua/parser.py
@@ -175,7 +175,7 @@ def get_item_sensitive_data(resource, sensitive_item, test):
 description = "**Senstive Item:** " + sensitive_item + "\n"
 description += "**Layer:** " + resource.get("layer", "None") + "\n"
 description += "**Layer_Digest:** " + resource.get("layer_digest", "None") + "\n"
-
+ description += "**Path:** " + resource.get("path", "None") + "\n"
 finding = Finding(
 title=vulnerability_id
 + " - "
From 2d2c91f60d9316e98716cd98ce1150e5503fd23e Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Fri, 9 Aug 2024 20:29:44 +0200
Subject: [PATCH 5/5] fix according to review

---
 dojo/tools/aqua/parser.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
index 9659ee6dee2..979cdc3e86b 100644
--- a/dojo/tools/aqua/parser.py
+++ b/dojo/tools/aqua/parser.py
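Review bot: In the PATCH 4/5 hunk, the added `description += "**Path:** " + resource.get("path", "None") + "\n"` substitutes `"None"` only when the key is absent; a resource serialized with `"path": null` yields None and the concatenation raises TypeError, taking the whole import down with it. PATCH 5/5 guards the same field in get_item with `if resource.get("path"):`, so mirroring that here — `if resource.get("path"):` / `    description += "**Path:** " + resource.get("path") + "\n"` — keeps the two functions consistent and skips the line instead of emitting a literal `None`. The path is also already part of the title built a few lines below, so the new line duplicates information; acceptable, but it removes the blank line that the PATCH 3/5 ruff pass had just been spacing around. get_item_sensitive_data's signature is outside the hunk.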
@@ -58,7 +58,9 @@ def get_item(resource, vuln, test):
 resource_version = resource.get("version", "No version")
 vulnerability_id = vuln.get("name", "No CVE")
 fix_version = vuln.get("fix_version", "None")
- description = vuln.get("description", "No description.")
+ description = vuln.get("description", "No description.") + "\n"
+ if resource.get("path"):
+ description += "**Path:** " + resource.get("path") + "\n"
 cvssv3 = None
 url = ""