コード例 #1
0
def parse_findings(data, scanner):
    """ Parse findings """
    try:
        findings = GitleaksScanParser(data, scanner).items
        # Make finding instances
        for item in findings:
            description = item["description"]
            if scanner.config.get("additional_text", None):
                description = scanner.config.get(
                    "additional_text") + "\n\n" + description
            finding = SastFinding(
                title=item["title"],
                description=[
                    "\n\n".join([
                        description,
                        f"**File to review:** {markdown.markdown_escape(item['file_path'])}"
                    ])
                ])
            finding.set_meta("tool", scanner.get_name())
            finding.set_meta("severity", item["severity"])
            finding.set_meta("legacy.file", item["file_path"])
            endpoints = list()
            if item["file_path"]:
                endpoints.append(Endpoint(raw=item["file_path"]))
            finding.set_meta("endpoints", endpoints)
            log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
            scanner.findings.append(finding)
    except:  # pylint: disable=W0702
        log.exception("Failed to parse findings")
コード例 #2
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(data, scanner):
    """ Parse findings """
    # Get deps
    deps = get_dependencies(
        scanner.config.get("code"), scanner.config.get("add_devdep", False)
    )
    # Parse JSON using legacy parser
    findings = NpmScanParser(data, deps).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    item['description'],
                    f"**URL:** {item['url']}",
                    f"**CWE:** {markdown.markdown_escape(item['cwe'])}",
                    f"**References:** {item['references']}",
                    f"**File to review:** {item['file_path']}"
                ])
            ]
        )
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", constants.NPM_SEVERITY_MAPPING[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        endpoints = list()
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #3
0
def parse_findings(output_file, scanner):  # pylint: disable=E,W,R,C
    """ Parse findings (code from dusty 1.0) """
    # Parse HTML report using legacy parser
    filtered_statuses = scanner.config.get(
        "filtered_statuses", constants.PTAI_DEFAULT_FILTERED_STATUSES)
    if isinstance(filtered_statuses, str):
        filtered_statuses = [
            item.strip() for item in filtered_statuses.split(",")
        ]
    findings = PTAIScanParser(output_file, filtered_statuses).items
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                html.escape(
                    markdown.markdown_escape(item["description"].replace(
                        "                        ", ""))) +
                f"\n\n**File to review:** {markdown.markdown_escape(item['file_path'])}"
            ] + [html.escape(data) for data in item["steps_to_reproduce"]])
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity",
                         constants.PTAI_SEVERITIES[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta(
            "endpoints",
            [namedtuple("Endpoint", ["raw"])(raw=item["file_path"])])
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #4
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(filename, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = DependencyCheckParser(filename).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    "Vulnerable dependency was found. Please upgrade component or check that vulnerable functionality is not used.",  # pylint: disable=C0301
                    markdown.markdown_escape(item["description"]),
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}"
                ])
            ] + item["steps_to_reproduce"])
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", item["severity"])
        finding.set_meta("legacy.file", item["file_path"])
        endpoints = list()
        if item["file_path"]:
            endpoints.append(
                namedtuple("Endpoint", ["raw"])(raw=item["file_path"]))
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #5
0
def parse_findings(filename, scanner):
    """ Parse findings """
    # Load JSON
    try:
        with open(filename, "r") as file:
            data = json.load(file)
    except:  # pylint: disable=W0702
        log.exception("Failed to load report JSON")
        return
    # Load CWE map
    cwe_map = json.loads(
        pkg_resources.resource_string(
            "dusty",
            f"{'/'.join(__name__.split('.')[1:-1])}/data/cwe_map_v4.2.json"))
    # Parse JSON
    if not isinstance(data, dict) or "vulnerabilities" not in data:
        log.info("No data in report")
        return
    # Make finding instances
    for item in data["vulnerabilities"]:
        vuln_severity = cvss_to_severity(item.get("cvss", 0.0))
        vuln_cwe = item.get("cwe", "Vulnerability")
        #
        vuln_cwe_title = cwe_map[vuln_cwe] if vuln_cwe in cwe_map else vuln_cwe
        vuln_file_title = f" in {item.get('classMessage')}" if "classMessage" in item else ""
        vuln_title = f"{vuln_cwe_title}{vuln_file_title}"
        #
        vuln_file = item.get("classMessage", "").rsplit(" (", 1)[0]
        #
        vuln_info_chunks = list()
        if "longMessage" in item:
            vuln_info_chunks.append(
                markdown.markdown_escape(item["longMessage"]))
        if "shortMessage" in item:
            vuln_info_chunks.append(
                markdown.markdown_escape(item["shortMessage"]))
        vuln_info_chunks.append(
            f"**Class:** {markdown.markdown_escape(item['classMessage'])}")
        vuln_info_chunks.append(
            f"**Method:** {markdown.markdown_escape(item['method'])}")
        if "affectedFiles" in item:
            vuln_info_chunks.append(
                f"**Files:** {markdown.markdown_escape(', '.join(item['affectedFiles']))}"
            )
        #
        finding = SastFinding(title=vuln_title,
                              description=["\n\n".join(vuln_info_chunks)])
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", vuln_severity)
        finding.set_meta("legacy.file", vuln_file)
        endpoints = list()
        if vuln_file:
            endpoints.append(namedtuple("Endpoint", ["raw"])(raw=vuln_file))
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #6
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(data, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = GosecOutputParser(data).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    item['description'],
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}"
                ])
            ] + item["steps_to_reproduce"]
        )
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", constants.GOSEC_SEVERITY_MAPPING[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta("endpoints", [namedtuple("Endpoint", ["raw"])(raw=item["file_path"])])
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #7
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(data, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = SafetyScanParser(data).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[markdown.markdown_escape(item["description"])])
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", "Medium")
        scanner.findings.append(finding)
コード例 #8
0
def parse_findings(filename, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = SpotbugsParser(filename).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    item["description"],
                    f"**Category:** {markdown.markdown_escape(item['category'])}",
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}" \
                        f":{item['line']}"
                ])
            ] + item["steps_to_reproduce"]
        )
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", constants.SPOTBUGS_SEVERITIES[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta("legacy.line", item["line"])
        endpoints = list()
        if item["file_path"]:
            endpoints.append(namedtuple("Endpoint", ["raw"])(raw=item["file_path"]))
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #9
0
def parse_findings(data, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = BanditParser(data).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    f"```\n{item['description']}\n```",
                    f"**Mitigation:** {markdown.markdown_escape(item['mitigation'])}",
                    f"**Impact:** {markdown.markdown_escape(item['impact'])}",
                    f"**References:** {markdown.markdown_escape(item['references'])}",
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}" \
                        f":{item['line']}"
                ])
            ]
        )
        # Better bandit finding titles/descriptions
        database = json.load(
            pkg_resources.resource_stream(
                "dusty",
                f"{'/'.join(__name__.split('.')[1:-1])}/data/findings.json"))
        if item["bandit_id"] in database:
            db_item = database[item["bandit_id"]]
            finding.set_meta("rewrite_title_to", db_item["title"])
            if db_item.get("description", None):
                finding.description[0] = "\n\n".join([
                    markdown.markdown_escape(db_item["description"]),
                    finding.description[0]
                ])
        # Other meta
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity",
                         constants.BANDIT_SEVERITIES[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta("legacy.line", item["line"])
        finding.set_meta(
            "endpoints",
            [namedtuple("Endpoint", ["raw"])(raw=item["file_path"])])
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #10
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(result, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    findings = NodeJsScanParser(result).items
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    markdown.markdown_escape(item['description']),
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}" \
                        f":{item['line']}"
                ])
            ] + item["steps_to_reproduce"]
        )
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", item["severity"])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta("legacy.line", item["line"])
        endpoints = list()
        if item["file_path"]:
            endpoints.append(
                namedtuple("Endpoint", ["raw"])(raw=item["file_path"]))
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #11
0
def parse_findings(filename, scanner):
    """ Parse findings """
    # Load JSON
    try:
        with open(filename, "r") as file:
            data = json.load(file)
    except:  # pylint: disable=W0702
        log.exception("Failed to load report JSON")
        return
    # Parse JSON
    if not isinstance(data, dict) or "results" not in data:
        log.info("No data in report")
        return
    # Make finding instances
    for item in data["results"]:
        vuln_data = item.get("extra", dict())
        vuln_meta = vuln_data.get("metadata", dict())
        #
        vuln_rule = item["check_id"]
        vuln_file = item["path"]
        vuln_info = vuln_data.get("message", "")
        vuln_severity = map_severity(vuln_data.get("severity", ""))
        #
        vuln_cwe_owasp_title = vuln_meta.get("cwe", "")
        if not vuln_cwe_owasp_title:
            vuln_cwe_owasp_title = vuln_meta.get("owasp", "")
        if not vuln_cwe_owasp_title:
            vuln_cwe_owasp_title = "Vulnerability"
        #
        vuln_title = f"{vuln_cwe_owasp_title} in {vuln_file}"
        #
        vuln_info_chunks = list()
        if vuln_info:
            vuln_info_chunks.append(markdown.markdown_escape(vuln_info))
        vuln_info_chunks.append(
            f"**Rule:** {markdown.markdown_escape(vuln_rule)}")
        if "source-rule-url" in vuln_meta:
            vuln_info_chunks.append(
                f"**Rule source:** {markdown.markdown_escape(vuln_meta['source-rule-url'])}"
            )
        if "cwe" in vuln_meta:
            vuln_info_chunks.append(
                f"**CWE:** {markdown.markdown_escape(vuln_meta['cwe'])}")
        if "owasp" in vuln_meta:
            vuln_info_chunks.append(
                f"**OWASP:** {markdown.markdown_escape(vuln_meta['owasp'])}")
        vuln_info_chunks.append(
            f"**File:** {markdown.markdown_escape(vuln_file)}")
        if "start" in item and "line" in item["start"]:
            vuln_info_chunks.append(
                f"**Start line:** {markdown.markdown_escape(str(item['start']['line']))}"
            )
        if "end" in item and "line" in item["end"]:
            vuln_info_chunks.append(
                f"**End line:** {markdown.markdown_escape(str(item['end']['line']))}"
            )
        if "lines" in vuln_data:
            vuln_info_chunks.append(
                f"**Lines:** {markdown.markdown_escape(vuln_data['lines'])}")
        #
        finding = SastFinding(title=vuln_title,
                              description=["\n\n".join(vuln_info_chunks)])
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity", vuln_severity)
        finding.set_meta("legacy.file", vuln_file)
        endpoints = list()
        if vuln_file:
            endpoints.append(namedtuple("Endpoint", ["raw"])(raw=vuln_file))
        finding.set_meta("endpoints", endpoints)
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #12
0
ファイル: parser.py プロジェクト: pyntesting/dusty
def parse_findings(data, scanner):
    """ Parse findings """
    # Parse JSON using legacy parser
    try:
        findings = BrakemanParser(data).items
    except:  # pylint: disable=W0702
        log.exception("Failed to parse brakeman report")
        log.warning(
            "Possibly ruby code path is invalid or not Ruby-on-Rails application"
        )
        findings = list()
    # Make finding instances
    for item in findings:
        finding = SastFinding(
            title=item["title"],
            description=[
                "\n\n".join([
                    markdown.markdown_escape(item['description']),
                    f"**References:** {markdown.markdown_escape(item['references'])}",
                    f"**File to review:** {markdown.markdown_escape(item['file_path'])}" \
                        f":{item['line']}"
                ])
            ]
        )
        finding.set_meta("tool", scanner.get_name())
        finding.set_meta("severity",
                         constants.BRAKEMAN_SEVERITY_MAPPING[item["severity"]])
        finding.set_meta("legacy.file", item["file_path"])
        finding.set_meta("legacy.line", item["line"])
        finding.set_meta(
            "endpoints",
            [namedtuple("Endpoint", ["raw"])(raw=item["file_path"])])
        log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
        scanner.findings.append(finding)
コード例 #13
0
def parse_findings(filename, scanner):
    """ Parse findings """
    # Load JSON
    try:
        with open(filename, "r") as file:
            data = json.load(file)
    except:  # pylint: disable=W0702
        log.exception("Failed to load report JSON")
        return
    # Severity mapping
    severity_mapping = {
        "UNKNOWN": "Info",
        "LOW": "Low",
        "MEDIUM": "Medium",
        "HIGH": "High",
        "CRITICAL": "Critical",
    }
    # Parse JSON
    if not isinstance(data, list) or not data:
        log.info("No data in report")
        return
    # Make finding instances
    for data_block in data:
        if not data_block.get("Vulnerabilities", list()):
            log.info("Skipping empty data block: %s",
                     data_block.get("Target", data_block))
            continue
        for item in data_block.get("Vulnerabilities", list()):
            #
            vuln_id = item.get("VulnerabilityID", "")
            vuln_pkgname = item.get("PkgName", "")
            vuln_installed_version = item.get("InstalledVersion", "")
            vuln_fixed_version = item.get("FixedVersion", "")
            vuln_layer = item.get("Layer", dict()).get("DiffID", "")
            #
            vuln_title = item.get("Title", "-")
            if vuln_id:
                vuln_title = f"{vuln_id}: {vuln_title}"
            if vuln_pkgname:
                vuln_title = f"{vuln_pkgname}: {vuln_title}"
            #
            if not scanner.config.get("show_with_temp_id", False) and \
                    vuln_id.startswith("TEMP-"):
                log.info("Skipping finding with TEMP ID: %s", vuln_title)
                continue
            if not scanner.config.get("show_without_description", True) and \
                    "Description" not in item:
                log.info("Skipping finding without description: %s",
                         vuln_title)
                continue
            #
            vuln_severity = severity_mapping[item.get("Severity", "UNKNOWN")]
            vuln_file = vuln_layer
            #
            vuln_info_chunks = list()
            #
            vuln_info_chunks.append(
                markdown.markdown_escape(item.get("Description", "-")))
            #
            if vuln_id:
                vuln_info_chunks.append(
                    f"**VulnerabilityID:** {markdown.markdown_escape(vuln_id)}"
                )
            if vuln_pkgname:
                vuln_info_chunks.append(
                    f"**PkgName:** {markdown.markdown_escape(vuln_pkgname)}")
            if vuln_installed_version:
                vuln_info_chunks.append(
                    f"**InstalledVersion:** {markdown.markdown_escape(vuln_installed_version)}"
                )
            if vuln_fixed_version:
                vuln_info_chunks.append(
                    f"**FixedVersion:** {markdown.markdown_escape(vuln_fixed_version)}"
                )
            if vuln_layer:
                vuln_info_chunks.append(
                    f"**Layer DiffID:** {markdown.markdown_escape(vuln_layer)}"
                )
            #
            vuln_refs = item.get("References", list())
            if vuln_refs:
                vuln_info_chunks.append("**References:**")
                for vuln_ref in vuln_refs:
                    vuln_info_chunks.append(markdown.markdown_escape(vuln_ref))
            #
            finding = SastFinding(title=vuln_title,
                                  description=["\n\n".join(vuln_info_chunks)])
            finding.set_meta("tool", scanner.get_name())
            finding.set_meta("severity", vuln_severity)
            finding.set_meta("legacy.file", vuln_file)
            endpoints = list()
            if vuln_file:
                endpoints.append(
                    namedtuple("Endpoint", ["raw"])(raw=vuln_file))
            finding.set_meta("endpoints", endpoints)
            log.debug(f"Endpoints: {finding.get_meta('endpoints')}")
            scanner.findings.append(finding)