Adding parser for Veracode SCA (SourceClear) JSON/CSV files

coheigea · coheigea · commit 992b92b18637 · 2022-08-18T13:15:00.000+01:00
diff --git a/docs/content/en/integrations/parsers.md b/docs/content/en/integrations/parsers.md
@@ -1183,6 +1183,10 @@ VCG output can be imported in CSV or Xml formats.
 
 Detailed XML Report
 
+### Veracode SourceClear
+
+Import Project CSV or JSON report
+
 ### Wapiti Scan
 
 Import XML report.
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -1143,6 +1143,7 @@ def saml2_attrib_map_format(dict):
     'Whispers': ['vuln_id_from_tool', 'file_path', 'line'],
     'Blackduck Hub Scan': ['title', 'vulnerability_ids', 'component_name', 'component_version'],
     'docker-bench-security Scan': ['unique_id_from_tool'],
+    'Veracode SourceClear Scan': ['title', 'vulnerability_ids', 'component_name', 'component_version'],
 }
 
 # This tells if we should accept cwe=0 when computing hash_code with a configurable list of fields from HASHCODE_FIELDS_PER_SCANNER (this setting doesn't apply to legacy algorithm)
@@ -1177,6 +1178,7 @@ def saml2_attrib_map_format(dict):
     'Semgrep JSON Report': True,
     'Generic Findings Import': True,
     'Edgescan Scan': True,
+    'Veracode SourceClear Scan': True,
 }
 
 # List of fields that are known to be usable in hash_code computation)
@@ -1249,6 +1251,7 @@ def saml2_attrib_map_format(dict):
     'Clair Klar Scan': DEDUPE_ALGO_HASH_CODE,
     # 'Qualys Webapp Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,  # Must also uncomment qualys webapp line in hashcode fields per scanner
     'Veracode Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
+    'Veracode SourceClear Scan': DEDUPE_ALGO_HASH_CODE,
     # for backwards compatibility because someone decided to rename this scanner:
     'Symfony Security Check': DEDUPE_ALGO_HASH_CODE,
     'DSOP Scan': DEDUPE_ALGO_HASH_CODE,
diff --git a/dojo/tools/veracode_sca/__init__.py b/dojo/tools/veracode_sca/__init__.py
diff --git a/dojo/tools/veracode_sca/parser.py b/dojo/tools/veracode_sca/parser.py
@@ -0,0 +1,211 @@
+import csv
+import json
+import io
+
+from cvss import parser as cvss_parser
+from dateutil import parser
+from datetime import datetime
+from dojo.models import Finding
+
+
+class VeracodeScaParser(object):
+
+    vc_severity_mapping = {
+        1: 'Info',
+        2: 'Low',
+        3: 'Medium',
+        4: 'High',
+        5: 'Critical'
+    }
+
+    def get_scan_types(self):
+        return ["Veracode SourceClear Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return "Veracode SourceClear Scan"
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Veracode SourceClear CSV or JSON report format"
+
+    def get_findings(self, file, test):
+        if file is None:
+            return ()
+
+        if file.name.strip().lower().endswith(".json"):
+            return self._get_findings_json(file, test)
+
+        return self.get_findings_csv(file, test)
+
+    def _get_findings_json(self, file, test):
+        """Load a Veracode SCA file in JSON format"""
+        data = json.load(file)
+
+        embedded = data.get("_embedded")
+        findings = []
+        if not embedded:
+            return findings
+
+        for issue in embedded.get("issues", []):
+            if issue.get('issue_type') != 'vulnerability':
+                continue
+
+            date = parser.parse(issue.get("created_date"))
+            library = issue.get("library")
+            component_name = library.get("name")
+            if library.get("id") and library.get("id").startswith("maven:"):
+                component_name = library.get("id").split(":")[2]
+            component_version = library.get("version")
+
+            vulnerability = issue.get("vulnerability")
+            vuln_id = vulnerability.get("cve")
+            if vuln_id and not (vuln_id.startswith("cve") or vuln_id.startswith("CVE")):
+                vuln_id = "CVE-" + vuln_id
+            cvss_score = issue.get("severity")
+            if vulnerability.get("cvss3_score"):
+                cvss_score = vulnerability.get("cvss3_score")
+            severity = self.__cvss_to_severity(cvss_score)
+
+            description = 'This library has known vulnerabilities.\n'
+            description += \
+                "**CVE:** {0} ({1})\n" \
+                "CVS Score: {2} ({3})\n" \
+                "Project name: {4}\n" \
+                "Title: \n>{5}" \
+                "\n\n-----\n\n".format(
+                    vuln_id,
+                    date,
+                    cvss_score,
+                    severity,
+                    issue.get("project_name"),
+                    vulnerability.get('title'))
+
+            finding = Finding(test=test,
+                              title=f"{component_name}:{component_version} | {vuln_id}",
+                              description=description,
+                              severity=severity,
+                              component_name=component_name,
+                              component_version=component_version,
+                              static_finding=True,
+                              dynamic_finding=False,
+                              unique_id_from_tool=issue.get("id"),
+                              date=date,
+                              nb_occurences=1)
+
+            if vuln_id:
+                finding.unsaved_vulnerability_ids = [vuln_id]
+
+            if vulnerability.get("cvss3_vector"):
+                cvssv3_vector = vulnerability.get("cvss3_vector")
+                if not cvssv3_vector.startswith("CVSS:3.1/"):
+                    cvssv3_vector = "CVSS:3.1/" + cvssv3_vector
+                vectors = cvss_parser.parse_cvss_from_text(cvssv3_vector)
+                if len(vectors) > 0:
+                    finding.cvssv3 = vectors[0].clean_vector()
+
+            if vulnerability.get("cwe_id"):
+                cwe = vulnerability.get("cwe_id")
+                if cwe:
+                    if cwe.startswith("CWE-") or cwe.startswith("cwe-"):
+                        cwe = cwe[4:]
+                    if cwe.isdigit():
+                        finding.cwe = int(cwe)
+
+            finding.references = "\n\n" + issue.get("_links").get("html").get("href")
+            if (issue.get('Ignored') and issue.get('Ignored').capitalize() == 'True' or
+                    issue.get('issue_status') and issue.get('issue_status').capitalize() == 'Resolved'):
+                finding.is_mitigated = True
+                finding.active = False
+
+            findings.append(finding)
+
+        return findings
+
+    def get_findings_csv(self, file, test):
+        content = file.read()
+        if type(content) is bytes:
+            content = content.decode('utf-8')
+        reader = csv.DictReader(io.StringIO(content), delimiter=',', quotechar='"')
+        csvarray = []
+
+        for row in reader:
+            csvarray.append(row)
+
+        findings = []
+        for row in csvarray:
+            if row.get('Issue type') != 'Vulnerability':
+                continue
+
+            issueId = row.get('Issue ID', None)
+            if not issueId:
+                # Workaround for possible encoding issue
+                issueId = list(row.values())[0]
+            library = row.get('Library', None)
+            if row.get('Package manager') == 'MAVEN' and row.get('Coordinate 2'):
+                library = row.get('Coordinate 2')
+            version = row.get('Version in use', None)
+            vuln_id = row.get('CVE', None)
+            if vuln_id and not (vuln_id.startswith("cve") or vuln_id.startswith("CVE")):
+                vuln_id = "CVE-" + vuln_id
+
+            severity = self.fix_severity(row.get('Severity', None))
+            cvss_score = float(row.get('CVSS score', 0))
+            date = datetime.strptime(row.get('Issue opened: Scan date'), '%d %b %Y %H:%M%p %Z')
+            description = 'This library has known vulnerabilities.\n'
+            description += \
+                "**CVE:** {0} ({1})\n" \
+                "CVS Score: {2} ({3})\n" \
+                "Project name: {4}\n" \
+                "Title: \n>{5}" \
+                "\n\n-----\n\n".format(
+                    vuln_id,
+                    date,
+                    cvss_score,
+                    severity,
+                    row.get('Project'),
+                    row.get('Title'))
+
+            finding = Finding(test=test,
+                              title=f"{library}:{version} | {vuln_id}",
+                              description=description,
+                              severity=severity,
+                              component_name=library,
+                              component_version=version,
+                              static_finding=True,
+                              dynamic_finding=False,
+                              unique_id_from_tool=issueId,
+                              date=date,
+                              nb_occurences=1)
+
+            finding.unsaved_vulnerability_ids = [vuln_id]
+            if cvss_score:
+                finding.cvssv3_score = cvss_score
+
+            if (row.get('Ignored') and row.get('Ignored').capitalize() == 'True' or
+                    row.get('Status') and row.get('Status').capitalize() == 'Resolved'):
+                finding.is_mitigated = True
+                finding.active = False
+
+            findings.append(finding)
+
+        return findings
+
+    def fix_severity(self, severity):
+        severity = severity.capitalize()
+        if severity is None:
+            severity = "Medium"
+        elif "Unknown" == severity or "None" == severity:
+            severity = "Info"
+        return severity
+
+    @classmethod
+    def __cvss_to_severity(cls, cvss):
+        if cvss >= 9:
+            return cls.vc_severity_mapping.get(5)
+        elif cvss >= 7:
+            return cls.vc_severity_mapping.get(4)
+        elif cvss >= 4:
+            return cls.vc_severity_mapping.get(3)
+        elif cvss > 0:
+            return cls.vc_severity_mapping.get(2)
+        else:
+            return cls.vc_severity_mapping.get(1)
diff --git a/unittests/scans/veracode_sca/veracode_sca.csv b/unittests/scans/veracode_sca/veracode_sca.csv
@@ -0,0 +1,4 @@
+﻿"Issue ID","Issue type","Ignored","Status","Project ID","Library","Version in use","Library release date","Package manager","Coordinate 1","Coordinate 2","Latest version","Latest release date","Project","Branch","Tag","Issue opened: Scan ID","Issue opened: Scan date","Issue fixed: Scan ID","Issue fixed: Scan date","Dependency (Transitive or Direct)","Scan","Scan date","Vulnerability ID","Title","CVSS score","Severity","CVE","Public or Veracode Customer Access","Disclosure date","Has vulnerable methods","Number of vulnerable methods","Updated release date","Release date","Updated Version","License","License Risk"
+127637430,"Vulnerability",false,"Open",369423,"AWS Java SDK for Amazon S3","1.11.951","8 Feb 2021 00:00AM GMT","MAVEN","com.amazonaws","aws-java-sdk-s3","1.12.277","8 Aug 2022 01:00AM GMT","some-project","master",,38648137,"7 Jul 2022 09:15AM GMT","","","Transitive",39777838,"8 Aug 2022 10:01AM GMT",36376,"Path Traversal",6.4,"Medium","2022-31159","Public Disclosure","15 Jul 2022 00:00AM GMT",false,0,"","",,,""
+122648496,"Vulnerability",false,"Open",369423,"spring-cloud-function-context","3.2.5","26 May 2022 01:00AM GMT","MAVEN","org.springframework.cloud","spring-cloud-function-context","4.0.0-M4","29 Jul 2022 01:00AM GMT","some-project","master",,37831009,"14 Jun 2022 11:34AM GMT","","","Transitive",39777838,"8 Aug 2022 10:01AM GMT",36006,"Denial Of Service (DoS)",5,"Medium","2022-22979","Public Disclosure","15 Jun 2022 00:00AM GMT",false,0,"","",,,""
+126041205,"Vulnerability",false,"Resolved",203830,"Apache Commons Configuration","2.1.1","5 Feb 2017 00:00AM GMT","MAVEN","org.apache.commons","commons-configuration2","2.8.0","30 Jun 2022 01:00AM GMT","some-project","master",,38492656,"2 Jul 2022 23:19PM GMT",39357916,"2022-07-27T08:27:30.217+00:00","Direct",38980296,"16 Jul 2022 23:05PM GMT",36282,"Arbitrary Code Execution",7.5,"High","2022-33980","Public Disclosure","14 Jun 2022 00:00AM GMT",false,0,"","",,,""
diff --git a/unittests/scans/veracode_sca/veracode_sca.json b/unittests/scans/veracode_sca/veracode_sca.json
@@ -0,0 +1 @@
+{"_embedded":{"issues":[{"id":"ddcc6e1b-3ed9-45c8-b77a-ead759fb5e2c","site_id":129556889,"created_date":"2022-07-29T05:13:00.924+0000","issue_status":"open","issue_type":"vulnerability","ignored":false,"severity":8.8,"workspace_id":"12345","project_id":"12345","project_name":"some-project","project_branch":"master","library":{"id":"maven:org.apache.calcite.avatica:avatica-core:1.11.0:","name":"Apache Calcite Avatica","version":"1.11.0","release_date":"2018-03-06","latest_version":"1.22.0","latest_version_release_date":"2022-07-26","direct":true,"transitive":false,"_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/libraries/maven:org.apache.calcite.avatica:avatica-core:1.11.0:"}}},"vulnerability":{"id":"36527","title":"Arbitrary Code Execution","cve":"2022-36364","cvss2_vector":"(AV:L/AC:L/Au:S/C:P/I:P/A:P)","cvss3_vector":"AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss2_score":4.3,"cvss3_score":8.8,"cwe_id":"CWE-665","_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/vulnerabilities/36527"}}},"vulnerable_method":false,"_links":{"vulnerability":{"href":"https://api.veracode.com/srcclr/v3/vulnerabilities/36527"},"workspace":{"href":"https://api.veracode.com/srcclr/v3/workspaces/123456"},"html":{"href":"https://sca.analysiscenter.veracode.com/teams/X33hjMQ/issues/vulnerabilities/12345"},"self":{"href":"https://api.veracode.com/srcclr/v3/issues/12355"}}}]},"_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/workspaces/12345/issues?type=vulnerability&project_id=1234&page=0&size=200&sort=id,desc"}},"page":{"size":200,"total_elements":1,"total_pages":1,"number":0}}
diff --git a/unittests/tools/test_veracode_sca_parser.py b/unittests/tools/test_veracode_sca_parser.py
@@ -0,0 +1,71 @@
+import datetime
+
+from ..dojo_test_case import DojoTestCase
+from dojo.tools.veracode_sca.parser import VeracodeScaParser
+from dojo.models import Test
+
+from dateutil.tz import UTC
+
+
+class TestVeracodeScaScannerParser(DojoTestCase):
+
+    def test_parse_csv(self):
+        testfile = open("unittests/scans/veracode_sca/veracode_sca.csv")
+        parser = VeracodeScaParser()
+        findings = parser.get_findings(testfile, Test())
+        self.assertEqual(3, len(findings))
+
+        finding = findings[0]
+        self.assertEqual("Medium", finding.severity)
+        self.assertTrue(finding.active)
+        self.assertFalse(finding.is_mitigated)
+        self.assertEqual("aws-java-sdk-s3", finding.component_name)
+        self.assertEqual("1.11.951", finding.component_version)
+        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+        self.assertEqual("CVE-2022-31159", finding.unsaved_vulnerability_ids[0])
+        self.assertEqual(6.4, finding.cvssv3_score)
+        self.assertEqual("127637430", finding.unique_id_from_tool)
+        self.assertEqual(datetime.datetime(2022, 7, 7, 9, 15, 0), finding.date)
+
+        finding = findings[1]
+        self.assertEqual("Medium", finding.severity)
+        self.assertTrue(finding.active)
+        self.assertFalse(finding.is_mitigated)
+        self.assertEqual("spring-cloud-function-context", finding.component_name)
+        self.assertEqual("3.2.5", finding.component_version)
+        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+        self.assertEqual("CVE-2022-22979", finding.unsaved_vulnerability_ids[0])
+        self.assertEqual(5, finding.cvssv3_score)
+        self.assertEqual("122648496", finding.unique_id_from_tool)
+        self.assertEqual(datetime.datetime(2022, 6, 14, 11, 34, 0), finding.date)
+
+        finding = findings[2]
+        self.assertEqual("High", finding.severity)
+        self.assertFalse(finding.active)
+        self.assertTrue(finding.is_mitigated)
+        self.assertEqual("commons-configuration2", finding.component_name)
+        self.assertEqual("2.1.1", finding.component_version)
+        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+        self.assertEqual("CVE-2022-33980", finding.unsaved_vulnerability_ids[0])
+        self.assertEqual(7.5, finding.cvssv3_score)
+        self.assertEqual("126041205", finding.unique_id_from_tool)
+        self.assertEqual(datetime.datetime(2022, 7, 2, 23, 19, 0), finding.date)
+
+    def test_parse_json(self):
+        testfile = open("unittests/scans/veracode_sca/veracode_sca.json")
+        parser = VeracodeScaParser()
+        findings = parser.get_findings(testfile, Test())
+        self.assertEqual(1, len(findings))
+
+        finding = findings[0]
+        self.assertEqual("High", finding.severity)
+        self.assertTrue(finding.active)
+        self.assertFalse(finding.is_mitigated)
+        self.assertEqual("avatica-core", finding.component_name)
+        self.assertEqual("1.11.0", finding.component_version)
+        self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+        self.assertEqual("CVE-2022-36364", finding.unsaved_vulnerability_ids[0])
+        self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3)
+        self.assertEqual(665, finding.cwe)
+        self.assertEqual("ddcc6e1b-3ed9-45c8-b77a-ead759fb5e2c", finding.unique_id_from_tool)
+        self.assertEqual(datetime.datetime(2022, 7, 29, 5, 13, 0, 924000).astimezone(UTC), finding.date)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"_embedded":{"issues":[{"id":"ddcc6e1b-3ed9-45c8-b77a-ead759fb5e2c","site_id":129556889,"created_date":"2022-07-29T05:13:00.924+0000","issue_status":"open","issue_type":"vulnerability","ignored":false,"severity":8.8,"workspace_id":"12345","project_id":"12345","project_name":"some-project","project_branch":"master","library":{"id":"maven:org.apache.calcite.avatica:avatica-core:1.11.0:","name":"Apache Calcite Avatica","version":"1.11.0","release_date":"2018-03-06","latest_version":"1.22.0","latest_version_release_date":"2022-07-26","direct":true,"transitive":false,"_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/libraries/maven:org.apache.calcite.avatica:avatica-core:1.11.0:"}}},"vulnerability":{"id":"36527","title":"Arbitrary Code Execution","cve":"2022-36364","cvss2_vector":"(AV:L/AC:L/Au:S/C:P/I:P/A:P)","cvss3_vector":"AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss2_score":4.3,"cvss3_score":8.8,"cwe_id":"CWE-665","_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/vulnerabilities/36527"}}},"vulnerable_method":false,"_links":{"vulnerability":{"href":"https://api.veracode.com/srcclr/v3/vulnerabilities/36527"},"workspace":{"href":"https://api.veracode.com/srcclr/v3/workspaces/123456"},"html":{"href":"https://sca.analysiscenter.veracode.com/teams/X33hjMQ/issues/vulnerabilities/12345"},"self":{"href":"https://api.veracode.com/srcclr/v3/issues/12355"}}}]},"_links":{"self":{"href":"https://api.veracode.com/srcclr/v3/workspaces/12345/issues?type=vulnerability&project_id=1234&page=0&size=200&sort=id,desc"}},"page":{"size":200,"total_elements":1,"total_pages":1,"number":0}}