def test_parse_file_with_single_dependency_with_related_no_vulnerability(self):
        """A dependency that only carries related dependencies, and no <vulnerability>
        element, must produce zero findings.

        The report is fed to the parser as an in-memory TestFile; the fixture text
        below is incomplete in this listing (its closing quotes are not shown).
        """
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                    <fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser()
        findings = parser.get_findings(testfile, Test())
        items = findings
        self.assertEqual(0, len(items))
    def test_parse_finding(self):
        """Build a Finding from one <vulnerability> element and check its fields.

        The element is parsed with the stdlib ElementTree and handed to
        get_finding_from_vulnerability together with a file name; title,
        severity, description and the rendered references are then asserted.
        The XML fixture and several assertion lines are truncated in this listing.

        NOTE(review): this test does not cover how the parser behaves on hostile
        report input (external entities, very deep nesting) — confirm that is
        exercised elsewhere.
        """
        finding_xml = """<vulnerability xmlns="">
<cwe>CWE-00 Bad Vulnerability</cwe>
<description>Description of a bad vulnerability.</description>
<name>Reference Name</name>
<name>Reference for a bad vulnerability</name>

        vulnerability = ElementTree.fromstring(finding_xml)

        # References are rendered as one "name/source/url" paragraph per <reference>.
        expected_references = 'name: Reference Name\nsource: Reference1\nurl: http://localhost/badvulnerability.htm\n\n'
        expected_references += 'name: Reference for a bad vulnerability\nsource: MISC\n'
        expected_references += 'url: http://localhost2/reference_for_badvulnerability.pdf\n\n'

        testfile = TestFile('dp_finding.xml', finding_xml)
        # NOTE(review): other tests on this page construct DependencyCheckParser()
        # with no arguments — these snippets may stem from different parser versions.
        parser = DependencyCheckParser(testfile, Test())
        finding = parser.get_finding_from_vulnerability(vulnerability,
                                                        'testfile.jar', Test())
        self.assertEqual('testfile.jar | CVE-0000-0001', finding.title)
        self.assertEqual('High', finding.severity)
                'Description of a bad vulnerability.',
        self.assertEqual(expected_references, finding.references)
    def test_parse_java_6_5_3(self):
        """Parse the version-6.5.3 fixture and check its single log4j-api finding.

        Asserts component name/version, severity, file path and the parsed
        timestamp (UTC, microsecond precision). Two assertion lines are
        truncated in this listing.
        """
        # NOTE(review): opened with the platform default encoding; pass
        # encoding="utf-8" if the fixture contains non-ASCII text.
        with open(path.join(path.dirname(__file__), "../scans/dependency_check/version-6.5.3.xml")) as test_file:
            parser = DependencyCheckParser()
            findings = parser.get_findings(test_file, Test())
            items = findings
            self.assertEqual(1, len(items))

            i = 0
            with self.subTest(i=i):
                self.assertEqual(items[i].component_name, "org.apache.logging.log4j:log4j-api")
                self.assertEqual(items[i].component_version, "2.12.4")
                    "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.",
                self.assertEqual(items[i].severity, "Low")
                self.assertEqual(items[i].file_path, "log4j-api-2.12.4.jar")
                # The report's nanosecond fraction is truncated to microseconds.
                    items[i].date, datetime(2022, 1, 15, 14, 31, 13, 42600, tzinfo=timezone.utc)
                )  # 2022-01-15T14:31:13.042600508Z
def import_parser_factory(file, test, active, verified, scan_type=None):
    """Return the parser instance that handles ``scan_type``.

    Dispatches on an exact string match of the scan type, so the chain acts
    as an allow-list: only a recognised name reaches a parser class, and the
    trailing ``raise ValueError('Unknown Test Type')`` is the fallback for
    anything else (its ``else:`` line is not visible in this listing).

    Args:
        file: the uploaded report; handed unchanged to the chosen parser.
        test: the Test the findings will be attached to.
        active, verified: only consumed by the 'Generic Findings Import' parser.
        scan_type: the scan type name; when None it is filled in from a value
            this listing does not show.

    Returns:
        A parser object constructed for the given scan type.

    Raises:
        ValueError: for an unrecognised scan type.
    """
    # NOTE(review): the right-hand sides of this assignment and of
    # 'filename =' below are missing from this listing.
    if scan_type is None:
        scan_type =
    if scan_type == "Burp Scan":
        parser = BurpXmlParser(file, test)
    elif scan_type == "Burp Enterprise Scan":
        parser = BurpEnterpriseHtmlParser(file, test)
    elif scan_type == "Nessus Scan":
        filename =
        # Nessus is the only type whose parser is picked by file extension.
        if filename.endswith("csv"):
            parser = NessusCSVParser(file, test)
        elif filename.endswith("xml") or filename.endswith("nessus"):
            parser = NessusXMLParser(file, test)
        # NOTE(review): no fallback when the name ends with none of these
        # suffixes — 'parser' stays unbound and 'return parser' raises
        # UnboundLocalError instead of the ValueError used for unknown types.
    elif scan_type == "Clair Scan":
        parser = ClairParser(file, test)
    elif scan_type == "Nmap Scan":
        parser = NmapXMLParser(file, test)
    elif scan_type == "Nikto Scan":
        parser = NiktoXMLParser(file, test)
    elif scan_type == "Nexpose Scan":
        parser = NexposeFullXmlParser(file, test)
    elif scan_type == "Veracode Scan":
        parser = VeracodeXMLParser(file, test)
    elif scan_type == "Checkmarx Scan":
        parser = CheckmarxXMLParser(file, test)
    elif scan_type == "Checkmarx Scan detailed":
        # Same parser class, 'detailed' mode selected by the extra argument.
        parser = CheckmarxXMLParser(file, test, 'detailed')
    elif scan_type == "Contrast Scan":
        parser = ContrastCSVParser(file, test)
    elif scan_type == "Crashtest Security JSON File":
        parser = CrashtestSecurityJsonParser(file, test)
    elif scan_type == "Crashtest Security XML File":
        parser = CrashtestSecurityXmlParser(file, test)
    elif scan_type == "Bandit Scan":
        parser = BanditParser(file, test)
    elif scan_type == "ESLint Scan":
        parser = ESLintParser(file, test)
    elif scan_type == "ZAP Scan":
        parser = ZapXmlParser(file, test)
    elif scan_type == "AppSpider Scan":
        parser = AppSpiderXMLParser(file, test)
    elif scan_type == "Arachni Scan":
        parser = ArachniJSONParser(file, test)
    elif scan_type == 'VCG Scan':
        parser = VCGParser(file, test)
    elif scan_type == 'Dependency Check Scan':
        parser = DependencyCheckParser(file, test)
    elif scan_type == 'Dependency Track Finding Packaging Format (FPF) Export':
        parser = DependencyTrackParser(file, test)
    elif scan_type == 'Retire.js Scan':
        parser = RetireJsParser(file, test)
    elif scan_type == 'Node Security Platform Scan':
        parser = NspParser(file, test)
    elif scan_type == 'NPM Audit Scan':
        parser = NpmAuditParser(file, test)
    elif scan_type == 'PHP Symfony Security Check':
        parser = PhpSymfonySecurityCheckParser(file, test)
    elif scan_type == 'Generic Findings Import':
        # The only parser that receives the active/verified flags.
        parser = GenericFindingUploadCsvParser(file, test, active, verified)
    elif scan_type == 'Qualys Scan':
        parser = QualysParser(file, test)
    elif scan_type == 'Qualys Infrastructure Scan (WebGUI XML)':
        parser = QualysInfraScanParser(file, test)
    elif scan_type == 'Qualys Webapp Scan':
        parser = QualysWebAppParser(file, test)
    elif scan_type == "OpenVAS CSV":
        parser = OpenVASUploadCsvParser(file, test)
    elif scan_type == 'Snyk Scan':
        parser = SnykParser(file, test)
    elif scan_type == 'SKF Scan':
        parser = SKFCsvParser(file, test)
    elif scan_type == 'SSL Labs Scan':
        parser = SSLlabsParser(file, test)
    elif scan_type == 'Trufflehog Scan':
        parser = TruffleHogJSONParser(file, test)
    elif scan_type == 'Clair Klar Scan':
        parser = ClairKlarParser(file, test)
    elif scan_type == 'Gosec Scanner':
        parser = GosecScannerParser(file, test)
    elif scan_type == 'Trustwave Scan (CSV)':
        parser = TrustwaveUploadCsvParser(file, test)
    elif scan_type == 'Netsparker Scan':
        parser = NetsparkerParser(file, test)
    elif scan_type == 'PHP Security Audit v2':
        parser = PhpSecurityAuditV2(file, test)
    elif scan_type == 'Acunetix Scan':
        parser = AcunetixScannerParser(file, test)
    elif scan_type == 'Fortify Scan':
        parser = FortifyXMLParser(file, test)
    elif scan_type == 'SonarQube Scan':
        parser = SonarQubeHtmlParser(file, test)
    elif scan_type == 'SonarQube Scan detailed':
        parser = SonarQubeHtmlParser(file, test, 'detailed')
    elif scan_type == SCAN_SONARQUBE_API:
        # API-backed importer: constructed without the uploaded file.
        parser = SonarQubeApiImporter(test)
    elif scan_type == 'MobSF Scan':
        parser = MobSFParser(file, test)
    elif scan_type == 'AWS Scout2 Scan':
        parser = AWSScout2Parser(file, test)
    elif scan_type == 'AWS Prowler Scan':
        parser = AWSProwlerParser(file, test)
    elif scan_type == 'Brakeman Scan':
        parser = BrakemanScanParser(file, test)
    elif scan_type == 'SpotBugs Scan':
        parser = SpotbugsXMLParser(file, test)
    elif scan_type == 'Safety Scan':
        parser = SafetyParser(file, test)
    elif scan_type == 'DawnScanner Scan':
        parser = DawnScannerParser(file, test)
    elif scan_type == 'Anchore Engine Scan':
        parser = AnchoreEngineScanParser(file, test)
    elif scan_type == 'Bundler-Audit Scan':
        parser = BundlerAuditParser(file, test)
    elif scan_type == 'Twistlock Image Scan':
        parser = TwistlockParser(file, test)
    elif scan_type == 'IBM AppScan DAST':
        parser = IbmAppScanDASTXMLParser(file, test)
    elif scan_type == 'Kiuwan Scan':
        parser = KiuwanCSVParser(file, test)
    elif scan_type == 'Blackduck Hub Scan':
        parser = BlackduckHubCSVParser(file, test)
    elif scan_type == 'Blackduck Component Risk':
        parser = BlackduckHubParser(file, test)
    elif scan_type == 'Sonatype Application Scan':
        parser = SonatypeJSONParser(file, test)
    elif scan_type == 'Openscap Vulnerability Scan':
        parser = OpenscapXMLParser(file, test)
    elif scan_type == 'Immuniweb Scan':
        parser = ImmuniwebXMLParser(file, test)
    elif scan_type == 'Wapiti Scan':
        parser = WapitiXMLParser(file, test)
    elif scan_type == ' Scan':
        # NOTE(review): the scan_type literal above looks truncated in this
        # listing — confirm it against the canonical scan-type list.
        parser = CobaltCSVParser(file, test)
    elif scan_type == 'Mozilla Observatory Scan':
        parser = MozillaObservatoryJSONParser(file, test)
    elif scan_type == 'Whitesource Scan':
        parser = WhitesourceJSONParser(file, test)
    elif scan_type == 'Microfocus Webinspect Scan':
        parser = MicrofocusWebinspectXMLParser(file, test)
    elif scan_type == 'Wpscan':
        parser = WpscanJSONParser(file, test)
    elif scan_type == 'Sslscan':
        parser = SslscanXMLParser(file, test)
    elif scan_type == 'JFrog Xray Scan':
        parser = XrayJSONParser(file, test)
    elif scan_type == 'Sslyze Scan':
        parser = SslyzeXmlParser(file, test)
    elif scan_type == 'Testssl Scan':
        parser = TestsslCSVParser(file, test)
    elif scan_type == 'Hadolint Dockerfile check':
        parser = HadolintParser(file, test)
    elif scan_type == 'Aqua Scan':
        parser = AquaJSONParser(file, test)
    elif scan_type == 'HackerOne Cases':
        parser = HackerOneJSONParser(file, test)
    elif scan_type == 'Xanitizer Scan':
        parser = XanitizerXMLParser(file, test)
    elif scan_type == 'Trivy Scan':
        parser = TrivyParser(file, test)
    elif scan_type == 'Outpost24 Scan':
        parser = Outpost24Parser(file, test)
    elif scan_type == 'DSOP Scan':
        parser = DsopParser(file, test)
    elif scan_type == 'Anchore Enterprise Policy Check':
        parser = AnchoreEnterprisePolicyCheckParser(file, test)
    elif scan_type == 'Gitleaks Scan':
        parser = GitleaksJSONParser(file, test)
    elif scan_type == 'Harbor Vulnerability Scan':
        parser = HarborVulnerabilityParser(file, test)
    elif scan_type == 'Github Vulnerability Scan':
        parser = GithubVulnerabilityParser(file, test)
    elif scan_type == 'Choctaw Hog Scan':
        parser = ChoctawhogParser(file, test)
    elif scan_type == 'GitLab SAST Report':
        parser = GitlabSastReportParser(file, test)
    elif scan_type == 'Yarn Audit Scan':
        parser = YarnAuditParser(file, test)
    elif scan_type == 'BugCrowd Scan':
        parser = BugCrowdCSVParser(file, test)
    elif scan_type == 'HuskyCI Report':
        parser = HuskyCIReportParser(file, test)
    elif scan_type == 'CCVS Report':
        parser = CCVSReportParser(file, test)
    # NOTE(review): the 'else:' that introduces this fallback is not visible
    # in this listing; it rejects any scan type not matched above.
        raise ValueError('Unknown Test Type')

    return parser
    def test_parse_file_with_single_vulnerability_has_single_finding(self):
        """One dependency with one <vulnerability> yields exactly one finding.

        Checks title, Medium severity, component name/version, mitigation text
        and the report timestamp (UTC-4 offset). The XML fixture and some
        assertion lines are truncated in this listing.
        """
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <identifier type="maven" confidence="HIGHEST">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser()
        findings = parser.get_findings(testfile, Test())
        items = findings
        self.assertEqual(1, len(items))
        i = 0
        with self.subTest(i=i):
            self.assertEqual(items[i].title, "org.owasp:library:6.7.8 | CVE-0000-0001")
            self.assertEqual(items[i].severity, "Medium")
            self.assertEqual(items[i].component_name, "org.owasp:library")
            self.assertEqual(items[i].component_version, "6.7.8")
                "Update org.owasp:library:6.7.8 to at least the version recommended in the description",
            # Report time is 2016-11-05T14:52:15.748-0400; the fixed -4h offset is kept.
            self.assertEqual(items[i].date, datetime(2016, 11, 5, 14, 52, 15, 748000, tzinfo=tzoffset(None, -14400)))
 def test_parse_empty_file(self):
     """An empty Dependency-Check report must yield no findings."""
     fixture = path.join(path.dirname(__file__), "../scans/dependency_check/dc_empty.xml")
     with open(fixture) as report:
         findings = DependencyCheckParser().get_findings(report, Test())
         self.assertEqual(0, len(findings))
    def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
        """A report with several dependencies produces one finding per vulnerability.

        Exercises the different ways a component name is derived (package URL,
        CPE, maven identifier, collected evidence), related dependencies,
        unscored NPM/OSSINDEX vulnerabilities, and two suppressed
        vulnerabilities (with and without a suppression note), expecting 11
        findings in total. The XML fixture and several assertion lines are
        truncated in this listing.
        """
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
            <fileName>adapter-ear1.ear: dom4j-2.1.1.jar</fileName>
                    <fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
                    <fileName>adapter-ear1.ear: dom4j-extensions-2.1.1.jar</fileName>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <package confidence="HIGH">
                        <id>pkg:maven/org.dom4j/[email protected]</id>
                        <url>[email protected]</url>
                    <vulnerabilityIds confidence="HIGHEST">
                <identifier type="cpe" confidence="HIGHEST">
                <identifier type="maven" confidence="HIGHEST">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
        <dependency isVirtual="true">
                <projectReference>package-lock.json: transitive</projectReference>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGHEST">
                <evidence type="version" confidence="HIGHEST">
                <package confidence="HIGHEST">
                    <id>pkg:npm/[email protected]</id>
                    <url>[email protected]</url>
                <vulnerability source="NPM">
                    <severity unscored="true">low</severity>
                    <description>Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument ` baz&apos;` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.</description>
                            <source>Advisory 1500: Prototype Pollution</source>
                            <name>- [Snyk Report](</name>
                <vulnerability source="OSSINDEX">
                    <description>yargs-parser could be tricked into adding or modifying properties of Object.prototype using a &quot;__proto__&quot; payload.</description>
                            <name>[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...</name>
                        <software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
                <vulnerability source="OSSINDEX">
                    <name>CWE-400: Uncontrolled Resource Consumption (&apos;Resource Exhaustion&apos;)</name>
                    <description>The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.</description>
                            <name>CWE-400: Uncontrolled Resource Consumption (&apos;Resource Exhaustion&apos;)</name>
                        <software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
            <fileName>adapter-ear2.ear: dom4j-2.1.1.jar</fileName>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <package confidence="HIGH">
                        <id>pkg:maven/org.dom4j/[email protected]</id>
                        <url>[email protected]</url>
                    <vulnerabilityIds confidence="HIGHEST">
                <identifier type="cpe" confidence="HIGHEST">
                <identifier type="maven" confidence="HIGHEST">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
            <fileName>adapter-ear3.ear: dom4j-2.1.1.jar</fileName>
                <evidence type="version" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
            <fileName>adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js</fileName>
                <evidence type="version" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
                <suppressedVulnerability source="NVD">
                    <description>Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.</description>
                        <software matched="true" versionEndExcluding="3.15.0">cpe:2.3:a:sonatype:nexus:*:*:*:*:*:*:*:*</software>
                <suppressedVulnerability source="NVD">
                    <description>Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.</description>
                    <notes>This is our reason for not to upgrade it.</notes>
                        <name>[debian-lts-announce] 20180109 [SECURITY] [DLA 1237-1] plexus-utils2 security update</name>
                        <software matched="true" versionEndExcluding="3.0.16">cpe:2.3:a:plexus-utils_project:plexus-utils:*:*:*:*:*:*:*:*</software>
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser()
        findings = parser.get_findings(testfile, Test())
        items = findings

        self.assertEqual(11, len(items))
        # test also different component_name formats

        with self.subTest(i=0):
            # identifier -> package url java + 2 relateddependencies
            self.assertEqual(items[0].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
            self.assertEqual(items[0].component_name, "org.dom4j:dom4j")
            self.assertEqual(items[0].component_version, "2.1.1.redhat-00001")
                "Description of a bad vulnerability.",
            self.assertEqual(items[0].severity, "High")
            self.assertEqual(items[0].file_path, "adapter-ear1.ear: dom4j-2.1.1.jar")
                "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
                items[0].date, datetime(2016, 11, 5, 14, 52, 15, 748000, tzinfo=tzoffset(None, -14400))
            )  # 2016-11-05T14:52:15.748-0400

        with self.subTest(i=1):
            # Related dependency: same vulnerability, different file_path, tagged "related".
            self.assertEqual(items[1].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
            self.assertEqual(items[1].component_name, "org.dom4j:dom4j")
            self.assertEqual(items[1].component_version, "2.1.1.redhat-00001")
                "Description of a bad vulnerability.",
            self.assertEqual(items[1].severity, "High")
            self.assertEqual(items[1].file_path, "adapter-ear8.ear: dom4j-2.1.1.jar")
                "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",
            # NOTE(review): tags is compared to a str here but to a list at i=9 —
            # confirm which type the field actually holds.
            self.assertEqual(items[1].tags, "related")

        with self.subTest(i=2):
            self.assertEqual(items[2].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
            self.assertEqual(items[2].component_name, "org.dom4j:dom4j")
            self.assertEqual(items[2].component_version, "2.1.1.redhat-00001")
                "Description of a bad vulnerability.",
            self.assertEqual(items[2].severity, "High")
            self.assertEqual(items[2].file_path, "adapter-ear1.ear: dom4j-extensions-2.1.1.jar")
                "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",

        with self.subTest(i=3):
            # identifier -> package url javascript, no vulnerabilitids, 3 vulnerabilities, relateddependencies without filename (pre v6.0.0)
                items[3].title, "yargs-parser:5.0.0 | 1500"
            self.assertEqual(items[3].component_name, "yargs-parser")
            self.assertEqual(items[3].component_version, "5.0.0")
            # assert fails due to special characters, not too important
            # self.assertEqual(items[1].description, "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument ` baz&apos;` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.")
            # The NPM entry carries <severity unscored="true">low</severity>.
            self.assertEqual(items[3].severity, "Low")
            self.assertEqual(items[3].file_path, "yargs-parser:5.0.0")
                items[3].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"
                "**Source:** NPM",

        with self.subTest(i=4):
                "yargs-parser:5.0.0 | CVE-2020-7608",
            self.assertEqual(items[4].component_name, "yargs-parser")
            self.assertEqual(items[4].component_version, "5.0.0")
                'yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.',
            self.assertEqual(items[4].severity, "High")
            self.assertEqual(items[4].file_path, "yargs-parser:5.0.0")
                items[4].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"

        with self.subTest(i=5):
                "yargs-parser:5.0.0 | CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
            self.assertEqual(items[5].component_name, "yargs-parser")
            self.assertEqual(items[5].component_version, "5.0.0")
                "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
            # check that the filepath is in the description
            self.assertEqual(items[5].severity, "High")
            self.assertEqual(items[5].file_path, "yargs-parser:5.0.0")
                items[5].mitigation, "Update yargs-parser:5.0.0 to at least the version recommended in the description"

        with self.subTest(i=6):
            # identifier -> cpe java
            self.assertEqual(items[6].title, "org.dom4j:dom4j:2.1.1.redhat-00001 | CVE-0000-0001")
            self.assertEqual(items[6].component_name, "org.dom4j:dom4j")
            self.assertEqual(items[6].component_version, "2.1.1.redhat-00001")
            self.assertEqual(items[6].severity, "High")
            self.assertEqual(items[6].file_path, "adapter-ear2.ear: dom4j-2.1.1.jar")
                "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description",

        with self.subTest(i=7):
            # identifier -> maven java
            self.assertEqual(items[7].title, "dom4j:2.1.1 | CVE-0000-0001")
            self.assertEqual(items[7].component_name, "dom4j")
            self.assertEqual(items[7].component_version, "2.1.1")
            self.assertEqual(items[7].severity, "High")
                items[7].mitigation, "Update dom4j:2.1.1 to at least the version recommended in the description"

        with self.subTest(i=8):
            # evidencecollected -> single product + single verison javascript
                "jquery:3.1.1 | CVE-0000-0001",
            self.assertEqual(items[8].component_name, "jquery")
            self.assertEqual(items[8].component_version, "3.1.1")
            self.assertEqual(items[8].severity, "High")
                items[8].mitigation, "Update jquery:3.1.1 to at least the version recommended in the description"

        with self.subTest(i=9):
            # Tests for two suppressed vulnerabilities,
            # One for Suppressed with notes, the other is without.
            # A suppressed vulnerability is imported inactive, with the missing
            # suppression note flagged in both the mitigation text and the tags.
            self.assertEqual(items[9].active, False)
                "**This vulnerability is mitigated and/or suppressed:** Document on why we are suppressing this vulnerability is missing!\nUpdate jquery:3.1.1 to at least the version recommended in the description",
            self.assertEqual(items[9].tags, ["suppressed", "no_suppression_document"])
            # NOTE(review): this checks items[10] inside the i=9 subtest and
            # duplicates the assertion at i=10 — items[9].severity is never
            # asserted; likely a copy-paste slip.
            self.assertEqual(items[10].severity, "Critical")

        with self.subTest(i=10):
            # Suppression with a <notes> element: the note is carried into the mitigation.
            self.assertEqual(items[10].active, False)
                "**This vulnerability is mitigated and/or suppressed:** This is our reason for not to upgrade it.\nUpdate jquery:3.1.1 to at least the version recommended in the description",
            self.assertEqual(items[10].tags, "suppressed")
            self.assertEqual(items[10].severity, "Critical")
    def test_parse_file_with_multiple_vulnerabilities_has_multiple_findings(self):
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
            <fileName>adapter-ear1.ear: dom4j-2.1.1.jar</fileName>
                    <fileName>adapter-ear8.ear: dom4j-2.1.1.jar</fileName>
                    <fileName>adapter-ear1.ear: dom4j-extensions-2.1.1.jar</fileName>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <package confidence="HIGH">
                        <id>pkg:maven/org.dom4j/[email protected]</id>
                        <url>[email protected]</url>
                    <vulnerabilityIds confidence="HIGHEST">
                <identifier type="cpe" confidence="HIGHEST">
                <identifier type="maven" confidence="HIGHEST">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
        <dependency isVirtual="true">
                <projectReference>package-lock.json: transitive</projectReference>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGHEST">
                <evidence type="version" confidence="HIGHEST">
                <package confidence="HIGHEST">
                    <id>pkg:npm/[email protected]</id>
                    <url>[email protected]</url>
                <vulnerability source="NPM">
                    <severity unscored="true">low</severity>
                    <description>Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument ` baz&apos;` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.</description>
                            <source>Advisory 1500: Prototype Pollution</source>
                            <name>- [Snyk Report](</name>
                <vulnerability source="OSSINDEX">
                    <description>yargs-parser could be tricked into adding or modifying properties of Object.prototype using a &quot;__proto__&quot; payload.</description>
                            <name>[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...</name>
                        <software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
                <vulnerability source="OSSINDEX">
                    <name>CWE-400: Uncontrolled Resource Consumption (&apos;Resource Exhaustion&apos;)</name>
                    <description>The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.</description>
                            <name>CWE-400: Uncontrolled Resource Consumption (&apos;Resource Exhaustion&apos;)</name>
                        <software vulnerabilityIdMatched="true">cpe:2.3:a:*:yargs-parser:5.0.0:*:*:*:*:*:*:*</software>
            <fileName>adapter-ear2.ear: dom4j-2.1.1.jar</fileName>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <package confidence="HIGH">
                        <id>pkg:maven/org.dom4j/[email protected]</id>
                        <url>[email protected]</url>
                    <vulnerabilityIds confidence="HIGHEST">
                <identifier type="cpe" confidence="HIGHEST">
                <identifier type="maven" confidence="HIGHEST">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
            <fileName>adapter-ear3.ear: dom4j-2.1.1.jar</fileName>
                <evidence type="version" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
            <fileName>adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js</fileName>
                <evidence type="version" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser()
        findings = parser.get_findings(testfile, Test())
        items = findings
        self.assertEqual(9, len(items))
        # test also different component_name formats

        # identifier -> package url java + 2 relateddependencies
            items[0].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear1.ear: dom4j-2.1.1.jar)"
        self.assertEqual(items[0].component_name, "org.dom4j:dom4j")
        self.assertEqual(items[0].component_version, "2.1.1.redhat-00001")
        self.assertEqual(items[0].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear1.ear/dom4j-2.1.1.jar")
        self.assertEqual(items[0].severity, "High")
        self.assertEqual(items[0].file_path, "adapter-ear1.ear: dom4j-2.1.1.jar")
            "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"

            items[1].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear8.ear: dom4j-2.1.1.jar)"
        self.assertEqual(items[1].component_name, "org.dom4j:dom4j")
        self.assertEqual(items[1].component_version, "2.1.1.redhat-00001")
        self.assertEqual(items[1].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear8.ear/dom4j-2.1.1.jar")
        self.assertEqual(items[1].severity, "High")
        self.assertEqual(items[1].file_path, "adapter-ear8.ear: dom4j-2.1.1.jar")
            "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"

            "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear1.ear: dom4j-extensions-2.1.1.jar)",
        self.assertEqual(items[2].component_name, "org.dom4j:dom4j")
        self.assertEqual(items[2].component_version, "2.1.1.redhat-00001")
        self.assertEqual(items[2].description, "Description of a bad vulnerability.\nFilepath: /var/lib/adapter-ear1.ear/dom4j-extensions-2.1.1.jar")
        self.assertEqual(items[2].severity, "High")
            items[2].file_path, "adapter-ear1.ear: dom4j-extensions-2.1.1.jar"
            "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"

        # identifier -> package url javascript, no vulnerabilityIds, 3 vulnerabilities, relateddependencies without filename (pre v6.0.0)
        self.assertEqual(items[3].title, "yargs-parser:5.0.0 | 1500 Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument ` baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.(in yargs-parser:5.0.0)")
        self.assertEqual(items[3].component_name, "yargs-parser")
        self.assertEqual(items[3].component_version, "5.0.0")
        # assert fails due to special characters, not too important
        # self.assertEqual(items[1].description, "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.Parsing the argument ` baz&apos;` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.")
        self.assertEqual(items[3].severity, "Low")
        self.assertEqual(items[3].file_path, "yargs-parser:5.0.0")
            "Update yargs-parser:5.0.0 to at least the version recommended in the description"

        self.assertEqual(items[4].title, 'yargs-parser:5.0.0 | yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.(in yargs-parser:5.0.0)')
        self.assertEqual(items[4].component_name, "yargs-parser")
        self.assertEqual(items[4].component_version, "5.0.0")
            'yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.\nFilepath: /var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser',
        self.assertEqual(items[4].severity, "High")
        self.assertEqual(items[4].file_path, "yargs-parser:5.0.0")
            "Update yargs-parser:5.0.0 to at least the version recommended in the description"

            "yargs-parser:5.0.0 | Uncontrolled Resource Consumption ('Resource Exhaustion') (in yargs-parser:5.0.0)",
        self.assertEqual(items[5].component_name, "yargs-parser")
        self.assertEqual(items[5].component_version, "5.0.0")
            "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.\nFilepath: /var/lib/jenkins/workspace/nl-selfservice_-_metrics_develop/package-lock.json?yargs-parser",
        self.assertEqual(items[5].severity, "High")
        self.assertEqual(items[5].file_path, "yargs-parser:5.0.0")
            "Update yargs-parser:5.0.0 to at least the version recommended in the description"

        # identifier -> cpe java
            items[6].title, "dom4j:2.1.1.redhat-00001 | Description of a bad vulnerability.(in adapter-ear2.ear: dom4j-2.1.1.jar)"
        self.assertEqual(items[6].component_name, "org.dom4j:dom4j")
        self.assertEqual(items[6].component_version, "2.1.1.redhat-00001")
        self.assertEqual(items[6].severity, "High")
        self.assertEqual(items[6].file_path, "adapter-ear2.ear: dom4j-2.1.1.jar")
            "Update org.dom4j:dom4j:2.1.1.redhat-00001 to at least the version recommended in the description"

        # identifier -> maven java
            items[7].title, "dom4j:2.1.1 | Description of a bad vulnerability.(in adapter-ear3.ear: dom4j-2.1.1.jar)"
        self.assertEqual(items[7].component_name, "dom4j")
        self.assertEqual(items[7].component_version, "2.1.1")
        self.assertEqual(items[7].severity, "High")
            "Update dom4j:2.1.1 to at least the version recommended in the description"

        # evidencecollected -> single product + single version javascript
            "jquery:3.1.1 | Description of a bad vulnerability.(in adapter-ear4.ear: liquibase-core-3.5.3.jar: jquery.js)",
        self.assertEqual(items[8].component_name, "jquery")
        self.assertEqual(items[8].component_version, "3.1.1")
        self.assertEqual(items[8].severity, "High")
            "Update jquery:3.1.1 to at least the version recommended in the description"
    def test_parse_file_with_no_vulnerabilities_has_no_findings(self):
        """A report with dependency evidence but no vulnerabilities yields no findings."""
        # NOTE(review): the XML fixture is truncated as printed (no closing triple
        # quote is visible); of the dependencies only <evidence> elements remain.
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser()
        findings = parser.get_findings(testfile, Test())
        self.assertEqual(0, len(findings))
 def test_parse_without_file_has_no_findings(self):
     """Constructing the parser without a report file yields no items.

     Uses the two-argument constructor (report file, Test) and the ``items``
     attribute; the ``get_findings``-based tests elsewhere on this page target
     a different parser interface.
     """
     no_report = None
     empty_parser = DependencyCheckParser(no_report, Test())
     self.assertEqual(len(empty_parser.items), 0)
    def test_parse_file_with_single_vulnerability_has_single_finding(self):
        """One dependency with one vulnerability must yield exactly one item.

        Uses the two-argument constructor and ``parser.items``, unlike the
        ``get_findings``-based tests elsewhere on this page.
        """
        # NOTE(review): the XML fixture is truncated as printed (no closing triple
        # quote is visible); as shown it carries one <cwe>/<description> block
        # alongside a LOW-confidence cpe identifier.
        content = """<?xml version="1.0"?>
<analysis xmlns="">
        <name>Test Project</name>
        <credits>This report contains data retrieved from the National Vulnerability Database:</credits>
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="version" confidence="MEDIUM">
                <evidence type="vendor" confidence="HIGH">
                <evidence type="product" confidence="HIGH">
                <identifier type="cpe" confidence="LOW">
                    <cwe>CWE-00 Bad Vulnerability</cwe>
                    <description>Description of a bad vulnerability.</description>
                            <name>Reference Name</name>
                            <name>Reference for a bad vulnerability</name>
        testfile = TestFile("dependency-check-report.xml", content)
        parser = DependencyCheckParser(testfile, Test())
        self.assertEqual(1, len(parser.items))
def import_parser_factory(file, test, active, verified, scan_type=None):
    """Select and construct the report parser for a scan type.

    Args:
        file: the uploaded report; handed to every parser, and its name decides
            between the Nessus CSV and XML parsers.
        test: the Test the findings belong to; handed to every parser.
        active, verified: forwarded only to GenericFindingUploadCsvParser.
        scan_type: label to dispatch on; when None it is derived from ``test``
            (the right-hand side is not visible in this listing).

    Returns:
        A parser instance built for ``scan_type``.

    Raises:
        ValueError: for a scan type with no matching parser (see the note at
            the ``raise`` below about where it sits as printed).

    Dispatch is by exact, case-sensitive string comparison, so a label that
    differs in spelling or whitespace does not select a parser.
    """
    if scan_type is None:
        # NOTE(review): right-hand side lost in extraction; presumably the scan
        # type is read from ``test`` — confirm against upstream.
        scan_type =
    if scan_type == "Burp Scan":
        parser = BurpXmlParser(file, test)
    elif scan_type == "Nessus Scan":
        # NOTE(review): right-hand side lost in extraction; the endswith() checks
        # below expect the uploaded report's file name. A name with any other
        # extension matches neither branch and leaves ``parser`` unbound when
        # the final ``return`` is reached.
        filename =
        if filename.endswith("csv"):
            parser = NessusCSVParser(file, test)
        elif filename.endswith("xml") or filename.endswith("nessus"):
            parser = NessusXMLParser(file, test)
    elif scan_type == "Clair Scan":
        parser = ClairParser(file, test)
    elif scan_type == "Nmap Scan":
        parser = NmapXMLParser(file, test)
    elif scan_type == "Nikto Scan":
        parser = NiktoXMLParser(file, test)
    elif scan_type == "Nexpose Scan":
        parser = NexposeFullXmlParser(file, test)
    elif scan_type == "Veracode Scan":
        parser = VeracodeXMLParser(file, test)
    elif scan_type == "Checkmarx Scan":
        parser = CheckmarxXMLParser(file, test)
    elif scan_type == "Contrast Scan":
        parser = ContrastCSVParser(file, test)
    elif scan_type == "Crashtest Security Scan":
        parser = CrashtestSecurityXmlParser(file, test)
    elif scan_type == "Bandit Scan":
        parser = BanditParser(file, test)
    elif scan_type == "ZAP Scan":
        parser = ZapXmlParser(file, test)
    elif scan_type == "AppSpider Scan":
        parser = AppSpiderXMLParser(file, test)
    elif scan_type == "Arachni Scan":
        parser = ArachniJSONParser(file, test)
    elif scan_type == 'VCG Scan':
        parser = VCGParser(file, test)
    elif scan_type == 'Dependency Check Scan':
        parser = DependencyCheckParser(file, test)
    elif scan_type == 'Retire.js Scan':
        parser = RetireJsParser(file, test)
    elif scan_type == 'Node Security Platform Scan':
        parser = NspParser(file, test)
    elif scan_type == 'NPM Audit Scan':
        parser = NpmAuditParser(file, test)
    elif scan_type == 'Symfony Security Check':
        parser = PhpSymfonySecurityCheckParser(file, test)
    elif scan_type == 'Generic Findings Import':
        # The only parser that also receives the caller's active/verified flags.
        parser = GenericFindingUploadCsvParser(file, test, active, verified)
    elif scan_type == 'Qualys Scan':
        parser = QualysParser(file, test)
    elif scan_type == 'Qualys Webapp Scan':
        parser = QualysWebAppParser(file, test)
    elif scan_type == "OpenVAS CSV":
        parser = OpenVASUploadCsvParser(file, test)
    elif scan_type == 'Snyk Scan':
        parser = SnykParser(file, test)
    elif scan_type == 'SKF Scan':
        parser = SKFCsvParser(file, test)
    elif scan_type == 'SSL Labs Scan':
        parser = SSLlabsParser(file, test)
    elif scan_type == 'Trufflehog Scan':
        parser = TruffleHogJSONParser(file, test)
    elif scan_type == 'Clair Klar Scan':
        parser = ClairKlarParser(file, test)
    elif scan_type == 'Gosec Scanner':
        parser = GosecScannerParser(file, test)
    elif scan_type == 'Trustwave Scan (CSV)':
        parser = TrustwaveUploadCsvParser(file, test)
    elif scan_type == 'Netsparker Scan':
        parser = NetsparkerParser(file, test)
    elif scan_type == 'PHP Security Audit v2':
        parser = PhpSecurityAuditV2(file, test)
    elif scan_type == 'Acunetix Scan':
        parser = AcunetixScannerParser(file, test)
    elif scan_type == 'Fortify Scan':
        parser = FortifyXMLParser(file, test)
    elif scan_type == 'SonarQube Scan':
        parser = SonarQubeHtmlParser(file, test)
    elif scan_type == 'MobSF Scan':
        parser = MobSFParser(file, test)
    elif scan_type == 'AWS Scout2 Scan':
        parser = AWSScout2Parser(file, test)
    elif scan_type == 'AWS Prowler Scan':
        parser = AWSProwlerParser(file, test)
    elif scan_type == 'Brakeman Scan':
        parser = BrakemanScanParser(file, test)
    elif scan_type == 'SpotBugs Scan':
        parser = SpotbugsXMLParser(file, test)
    elif scan_type == 'Safety Scan':
        parser = SafetyParser(file, test)
    elif scan_type == 'DawnScanner Scan':
        parser = DawnScannerParser(file, test)
    elif scan_type == 'Anchore Engine Scan':
        parser = AnchoreEngineScanParser(file, test)
    elif scan_type == 'Bundler-Audit Scan':
        parser = BundlerAuditParser(file, test)
    elif scan_type == 'Twistlock Image Scan':
        parser = TwistlockParser(file, test)
    elif scan_type == 'IBM AppScan DAST':
        parser = IbmAppScanDASTXMLParser(file, test)
    elif scan_type == 'Kiuwan Scan':
        parser = KiuwanCSVParser(file, test)
    elif scan_type == 'Blackduck Hub Scan':
        parser = BlackduckHubCSVParser(file, test)
    elif scan_type == 'Sonatype Application Scan':
        parser = SonatypeJSONParser(file, test)
    elif scan_type == 'Openscap Vulnerability Scan':
        parser = OpenscapXMLParser(file, test)
    elif scan_type == 'Immuniweb Scan':
        parser = ImmuniwebXMLParser(file, test)
    elif scan_type == 'Wapiti Scan':
        parser = WapitiXMLParser(file, test)
    elif scan_type == ' Scan':
        # NOTE(review): this label looks truncated as printed (leading space, no
        # vendor name); compare with the label registered for CobaltCSVParser.
        parser = CobaltCSVParser(file, test)
    elif scan_type == 'Mozilla Observatory Scan':
        parser = MozillaObservatoryJSONParser(file, test)
    elif scan_type == 'Whitesource Scan':
        parser = WhitesourceJSONParser(file, test)
    elif scan_type == 'Microfocus Webinspect Scan':
        parser = MicrofocusWebinspectXMLParser(file, test)
    elif scan_type == 'Wpscan':
        parser = WpscanJSONParser(file, test)
    elif scan_type == 'Sslscan':
        parser = SslscanXMLParser(file, test)
    elif scan_type == 'JFrog Xray Scan':
        parser = XrayJSONParser(file, test)
    elif scan_type == 'Sslyze Scan':
        parser = SslyzeXmlParser(file, test)
    elif scan_type == 'Testssl Scan':
        parser = TestsslCSVParser(file, test)
    elif scan_type == 'Hadolint Dockerfile check':
        parser = HadolintParser(file, test)
        # NOTE(review): as printed this raise sits inside the Hadolint branch and
        # would fire right after a successful construction; the ``else:`` it
        # belongs under is not visible in this listing. Without that ``else``
        # an unknown scan type reaches ``return parser`` with ``parser`` unbound.
        raise ValueError('Unknown Test Type')

    return parser