fix horusec null characters issue, DefectDojo#9939

manuel-sommer · Apr 17, 2024 · f7a022e · f7a022e
1 parent 3d585ba
commit f7a022e
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 1 deletion.
diff --git a/dojo/tools/horusec/parser.py b/dojo/tools/horusec/parser.py
@@ -62,7 +62,7 @@ def _get_finding(self, data, date):
                 data["vulnerabilities"]["details"].split("\n")[-1],
                 "**Code:**",
                 f"```{data['vulnerabilities']['language']}",
-                data["vulnerabilities"]["code"].replace("```", "``````"),
+                data["vulnerabilities"]["code"].replace("```", "``````").replace("\x00", ""),
                 "```",
             ]
         )

diff --git a/unittests/scans/horusec/issue_9939.json b/unittests/scans/horusec/issue_9939.json
@@ -0,0 +1,45 @@
+{
+    "version": "v2.8.0",
+    "id": "8505726a-6fae-45f7-b587-bbabe26fb661",
+    "repositoryID": "00000000-0000-0000-0000-000000000000",
+    "repositoryName": "",
+    "workspaceID": "00000000-0000-0000-0000-000000000000",
+    "workspaceName": "",
+    "status": "success",
+    "errors": "",
+    "createdAt": "2024-04-15T02:55:29.659237399Z",
+    "finishedAt": "2024-04-15T03:03:05.007770555Z",
+    "analysisVulnerabilities": [
+      {
+        "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
+        "analysisID": "8505726a-6fae-45f7-b587-bbabe26fb661",
+        "createdAt": "2024-04-15T03:03:05.031128804Z",
+        "vulnerabilities": {
+          "vulnerabilityID": "e7a07e44-85bc-46fa-a2b7-71e128b36656",
+          "line": "762",
+          "column": "200",
+          "confidence": "MEDIUM",
+          "file": "file_name",
+          "code": "AAAAtw\u003e\u0000\u0001\u0000\\\ufffdV\u0005\u001f\u0005\ufffd\u0000\u0015\u0000\ufffd@\u000c\u000f\u0014\u0011\u0012B\u000b\u0008\u0015\u0006\u0011\r\u0016\u0010\ufffdK\ufffd\tTK\ufffd",
+          "details": "(1/1) * Possible vulnerability detected: AWS Secret Key\nWhen use AWS Secret Key is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.",
+          "securityTool": "HorusecEngine",
+          "language": "Leaks",
+          "severity": "CRITICAL",
+          "type": "Vulnerability",
+          "commitAuthor": "-",
+          "commitEmail": "-",
+          "commitHash": "-",
+          "commitMessage": "-",
+          "commitDate": "-",
+          "rule_id": "HS-LEAKS-2",
+          "vulnHash": "e8f8b781ddd0cb64f2abba9979666804018dbe974c2f4e0c1f1a8a3e4b1a0424",
+          "deprecatedHashes": [
+            "69b370c997cab683666f5809db93afa5126d28d6ec6614b87565acc45b5f3e68",
+            "e501d297afe1c359b03ca401170de8cbe1866def1cf0d6bc80d932e5ba924707"
+          ],
+          "securityToolVersion": "",
+          "securityToolInfoUri": ""
+        }
+      }
+    ]
+  }
diff --git a/unittests/tools/test_horusec_parser.py b/unittests/tools/test_horusec_parser.py
@@ -133,3 +133,12 @@ def test_get_tests_pr_6563(self):
                 self.assertGreaterEqual(finding.scanner_confidence, 3)  # "Firm"
                 self.assertLessEqual(finding.scanner_confidence, 5)  # "Firm"
                 self.assertEqual(datetime.date(2022, 5, 6), finding.date.date())
+
+    def test_issue_9939(self):
+        """"""
+        with open(path.join(path.dirname(__file__), "../scans/horusec/issue_9939.json")) as testfile:
+            parser = HorusecParser()
+            tests = parser.get_tests("Horusec Scan", testfile)
+            self.assertEqual(1, len(tests))
+            test = tests[0]
+            self.assertEqual(1, len(test.findings))