Adhere to new vulnerability scheme (#30)

* Secrets adheres to new vulnerability scheme

* Tests for secrets scanning

* SAST adheres to new vulnerability scheme

* Generate empty testsuite on empty input report

* Tests for SAST scanning

* Fix last incorrect import

Author: angrymeir

secscanner2junit/__init__.py

@@ -6,8 +6,8 @@
 
 from secscanner2junit.config import get_config, Config
 from secscanner2junit.container_scanning import ContainerScanningParser
-from .sast import SastParser
-from .secrets import SecretsParser
+from secscanner2junit.sast import SastParser
+from secscanner2junit.secrets import SecretsParser
 
 
 class ScanType(enum.Enum):

secscanner2junit/sast.py

@@ -1,11 +1,8 @@
-from collections import defaultdict
-from random import randrange
-
 from junit_xml import TestSuite, TestCase
 
-# is it correct import changed from .parser ? I've get error ImportError: attempted relative import with no known parent package
 from secscanner2junit.config import Config
 from secscanner2junit.parser import Parser
+from secscanner2junit.vulnerability import SastVulnerability
 
 
 # See following links to learn more about sast scanners and theirs output
@@ -16,90 +13,34 @@ def __init__(self, report, ts_name, config: Config):
         super().__init__(report, ts_name, config)
         self.p_type = "SAST"
 
-    def parse_findings(self, finding, time):
-        output = ""
-        properties = defaultdict(str)
-        simple_props = ["id", "name", "message", "description", "severity", "confidence"]
-        for prop in simple_props:
-            try:
-                prop_res = finding[prop]
-                properties[prop] = prop_res
-                output += "{prop}: {prop_res}\n".format(prop=prop, prop_res=prop_res)
-            except KeyError:
-                pass
-
-        try:
-            url = finding['links'][0]['url']
-            properties['url'] = url
-            output += "url: {url}\n".format(url=url)
-        except (KeyError, IndexError):
-            pass
-
-        try:
-            file = finding['location']['file']
-            properties['file'] = file
-            output += "file: {file}\n".format(file=file)
-        except KeyError:
-            pass
-
-        try:
-            vclass = finding['location']['class']
-            properties['class'] = vclass
-            output += "class: {vclass}\n".format(vclass=vclass)
-        except KeyError:
-            pass
-
-        try:
-            method = finding['location']['method']
-            properties['method'] = method
-            output += "method: {method}\n".format(method=method)
-        except KeyError:
-            pass
+    def parse_vulnerability(self, raw_vulnerability):
+        vulnerability = SastVulnerability(raw_vulnerability)
 
-        try:
-            start_line = finding['location']['start_line']
-            properties['start line'] = start_line
-            output += "start line: {start_line}\n".format(start_line=start_line)
-        except KeyError:
-            pass
+        tc = TestCase(name=vulnerability.get_testcase_name(),
+                      classname=self.p_type,
+                      file=vulnerability.get_location(),
+                      elapsed_sec=1)
 
-        try:
-            end_line = finding['location']['end_line']
-            properties['end line'] = end_line
-            output += "end line: {end_line}\n".format(end_line=end_line)
-        except KeyError:
-            pass
-        
-        try:
-            output += "identifiers.name: {identifiers_name}\n".format(identifiers_name=finding['identifiers'][0]['name'])
-            output += "identifiers.type: {identifiers_type}\n".format(identifiers_type=finding['identifiers'][0]['type'])
-            output += "identifiers.value: {identifiers_value}\n".format(identifiers_value=finding['identifiers'][0]['value'])
-        except KeyError:
-            pass
-
-        f_type = finding['identifiers'][0]['name']
-        
-        try:
-            finding_id = finding['id']
-        except KeyError:
-            finding_id = str(randrange(1, 10000000))
-        
-        if properties['name']:
-            tc = TestCase(name=properties['name'] + " (ID: " + finding_id + ")", classname=self.p_type, file=properties['file'], elapsed_sec=time, line=properties['start_line'])
-        else:
-            tc = TestCase(name=f_type + " (ID: " + finding_id + ")", classname=self.p_type, file=properties['file'], elapsed_sec=time, line=properties['start_line'])
-        tc.add_failure_info(message=properties['message'], output=output, failure_type=f_type)
+        tc.add_failure_info(message=vulnerability.get_description(),
+                            output=vulnerability.get_output(),
+                            failure_type=vulnerability.get_failure_type())
         return tc
 
     def parse(self):
-        timing = 0
-        findings = self.report['vulnerabilities']
-        findings = self.config.suppress(findings)
-        scanners = list(set(f['scanner']['name'] for f in findings))
+        vulnerabilities = self.report['vulnerabilities']
+        vulnerabilities = self.config.suppress(vulnerabilities)
+        scanners = list(set(vuln['scanner']['name'] for vuln in vulnerabilities))
         testsuites = []
+
         for scanner in scanners:
-            rel_find = filter(lambda x: x['scanner']['name'] == scanner, findings)
-            testcases = [self.parse_findings(finding, timing) for finding in rel_find]
+            testcases = []
+            relevant_vulns = filter(lambda x: x['scanner']['name'] == scanner, vulnerabilities)
+            for vuln in relevant_vulns:
+                testcases.append(self.parse_vulnerability(vuln))
+
             testsuites.append(TestSuite(name=self.ts_name + scanner.replace(' ', '-'), test_cases=testcases))
-        return testsuites
 
+        # If the report was empty, we generate an empty testsuite to return a valid Junit XML file
+        if len(testsuites) == 0:
+            testsuites.append(TestSuite(name=self.ts_name, test_cases=[]))
+        return testsuites

secscanner2junit/secrets.py

@@ -1,30 +1,36 @@
-from datetime import datetime as dt
-
 from junit_xml import TestSuite, TestCase
-
-from .parser import Parser
+from secscanner2junit.config import Config
+from secscanner2junit.parser import Parser
+from secscanner2junit.vulnerability import SecretsVulnerability
 
 
 class SecretsParser(Parser):
-    def __init__(self, report, ts_name, config):
+    def __init__(self, report, ts_name, config:Config):
         super().__init__(report, ts_name, config)
         self.p_type = "Secrets"
 
-    def parse_findings(self, finding, time):
-        name = finding['name']
-        message = finding['message']
-        location_file = finding['location']['file']
-        location_line = finding['location']['start_line']
-        tc = TestCase(name=name, classname=self.p_type, file=location_file, elapsed_sec=time, line=location_line)
-        tc.add_failure_info(message=message, output=message)
+    def parse_vulnerability(self, raw_vulnerability):
+        vulnerability = SecretsVulnerability(raw_vulnerability)
+
+        tc = TestCase(name=vulnerability.get_testcase_name(),
+                      classname=self.p_type,
+                      file=vulnerability.get_location(),
+                      elapsed_sec=1)
+
+        tc.add_failure_info(message=vulnerability.get_description(),
+                            output=vulnerability.get_output(),
+                            failure_type=vulnerability.get_failure_type())
         return tc
 
     def parse(self):
-        version = self.report['scan']['scanner']['version']
-        findings = self.report['vulnerabilities']
-        start_time = self.report['scan']['start_time']
-        end_time = self.report['scan']['end_time']
-        timing = dt.strptime(end_time, '%Y-%m-%dT%H:%M:%S') - dt.strptime(start_time, '%Y-%m-%dT%H:%M:%S')
-        testcases = [self.parse_findings(finding, timing.seconds) for finding in findings]
-        ts = TestSuite(name=self.ts_name + '-' + version, test_cases=testcases, timestamp=start_time)
-        return [ts]
+        vulnerabilities = self.report['vulnerabilities']
+        vulnerabilities = self.config.suppress(vulnerabilities)
+
+        testsuites = []
+        testcases = []
+
+        for raw_vulnerability in vulnerabilities:
+            testcases.append(self.parse_vulnerability(raw_vulnerability))
+
+        testsuites.append(TestSuite(name=self.ts_name, test_cases=testcases))
+        return testsuites

secscanner2junit/vulnerability.py

@@ -120,6 +120,11 @@ def get_location(self):
         return self.__location.get_location()
 
 
+class SecretsVulnerability(SastVulnerability):
+    def __init__(self, raw_vulnerability: dict):
+        super().__init__(raw_vulnerability)
+
+
 class Identifier(_Base):
     def __init__(self, raw_identifier: dict):
         super().__init__(raw_identifier)

tests/resources/test_sast/test_basic/gl-sast-report.json

@@ -0,0 +1,174 @@
+{
+  "version": "14.0.4",
+  "vulnerabilities": [
+    {
+      "id": "cccabffcfcf176e47f9138d7fbd763a83b310b071529b687cde3537a935cf251",
+      "category": "sast",
+      "name": "Spring CSRF unrestricted RequestMapping",
+      "message": "Spring CSRF unrestricted RequestMapping",
+      "description": "Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks",
+      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "severity": "Medium",
+      "confidence": "High",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "start_line": 23,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "method": "ping"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING",
+          "value": "SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-352",
+          "value": "352",
+          "url": "https://cwe.mitre.org/data/definitions/352.html"
+        }
+      ]
+    },
+    {
+      "id": "db914ce5737b49650ae650fc3b0fe38a531eadd8ea780f48a013419c4adec7f0",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.softnet.example.springbootsoftnetexample.PingController is a Spring endpoint (Controller)",
+      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "start_line": 23,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "method": "ping"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    },
+    {
+      "id": "f4e1ee2a65c5d8837cfe6e3b16fc368f23462596f41ca15b182625a259a58baf",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:16",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "start_line": 16,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "method": "getDomainError"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    },
+    {
+      "id": "e5104af1e9b781ffa19a0f9299e9c44bb62b3dd62c4483e9f2e087dc03e8cd95",
+      "category": "sast",
+      "name": "HTTP headers untrusted",
+      "message": "HTTP headers untrusted",
+      "description": "Request header can easily be altered by the client",
+      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:50",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "start_line": 50,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController$IpAddressUtils",
+        "method": "getIpAddressFromRequest"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SERVLET_HEADER",
+          "value": "SERVLET_HEADER",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SERVLET_HEADER"
+        }
+      ]
+    },
+    {
+      "id": "dd623e3dafc27991b80b00c2b38b8ec69ef4b2635a5838622b3efb921e2cbfac",
+      "category": "sast",
+      "name": "Found Spring endpoint",
+      "message": "Found Spring endpoint",
+      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "8e968b3dea7c8b68b43c07ab9b37c120:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:11",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "find_sec_bugs",
+        "name": "Find Security Bugs"
+      },
+      "location": {
+        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "start_line": 11,
+        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "method": "getSomeFakeError"
+      },
+      "identifiers": [
+        {
+          "type": "find_sec_bugs_type",
+          "name": "Find Security Bugs-SPRING_ENDPOINT",
+          "value": "SPRING_ENDPOINT",
+          "url": "https://find-sec-bugs.github.io/bugs.htm#SPRING_ENDPOINT"
+        }
+      ]
+    }
+  ],
+  "scan": {
+    "analyzer": {
+      "id": "spotbugs",
+      "name": "Spotbugs",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "3.2.1"
+    },
+    "scanner": {
+      "id": "find_sec_bugs",
+      "name": "Find Security Bugs",
+      "url": "https://spotbugs.github.io",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "4.7.0"
+    },
+    "type": "sast",
+    "start_time": "2022-08-04T05:31:38",
+    "end_time": "2022-08-04T05:32:16",
+    "status": "success"
+  }
+}