Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New HCL AppScan on Cloud SAST parser #11375

Open
wants to merge 10 commits into
base: dev
Choose a base branch
from

Conversation

xpert98
Copy link

@xpert98 xpert98 commented Dec 4, 2024

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

This is a new parser for HCL AppScan on Cloud SAST results.

Test results

Tests are included and pass.

Documentation

Documentation included.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels Dec 4, 2024
Copy link

dryrunsecurity bot commented Dec 4, 2024

DryRun Security Summary

The pull request adds support for the HCL AppScan on Cloud SAST scanner in DefectDojo by implementing a new parser, updating configurations, adding documentation, and creating comprehensive unit tests to enhance the application's security scanning capabilities.

Expand for full summary

Summary:

The code changes in this pull request focus on adding support for the HCL AppScan on Cloud SAST (Static Application Security Testing) scanner in the DefectDojo application. The changes include:

  1. Parser Implementation: The implementation of a parser in the dojo/tools/hcl_asoc_sast/parser.py file to extract and process findings from the HCL AppScan on Cloud SAST XML output. The parser handles the XML parsing securely and extracts detailed information about the identified security vulnerabilities.

  2. Configuration Updates: Updates to the dojo/settings/settings.dist.py file to add the necessary configurations for the new HCL AppScan on Cloud SAST parser, including support for deduplication and hashcode calculations.

  3. Documentation Updates: Addition of a new document titled "HCL AppScan on Cloud SAST" in the docs/content/en/connecting_your_tools/parsers/file/ directory, providing information about the capabilities and limitations of the new parser.

  4. Unit Tests: Implementation of a comprehensive unit test suite in the unittests/tools/test_hcl_asoc_sast_parser.py file to ensure the reliability and accuracy of the HCL AppScan on Cloud SAST parser.

From an application security perspective, these changes are generally positive, as they expand the capabilities of the DefectDojo application to support a wider range of security scanners and tools. The parser implementation appears to be well-designed and secure, and the unit tests cover various scenarios to ensure the parser's functionality.

However, it's important to ensure that the new parser configurations are thoroughly tested and validated to prevent any potential security issues or vulnerabilities. Additionally, the changes to the deduplication algorithm configuration should be carefully reviewed to ensure that they do not introduce any unintended consequences.

Files Changed:

  1. dojo/tools/hcl_asoc_sast/__init__.py: A simple addition of an author attribute to the Python module.
  2. docs/content/en/connecting_your_tools/parsers/file/hcl_asoc_sast.md: A documentation update for the "HCL AppScan on Cloud SAST" parser.
  3. dojo/tools/hcl_asoc_sast/parser.py: Implementation of the parser for the HCL AppScan on Cloud SAST XML output.
  4. dojo/settings/settings.dist.py: Updates to the application configuration to add support for the new HCL AppScan on Cloud SAST parser.
  5. unittests/scans/hcl_asoc_sast/no_issues.xml: A sample XML report with no security issues.
  6. unittests/scans/hcl_asoc_sast/one_issue.xml: A sample XML report with a single security issue.
  7. unittests/tools/test_hcl_asoc_sast_parser.py: Unit tests for the HCL AppScan on Cloud SAST parser.

Code Analysis

We ran 9 analyzers against 8 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

@mtesauro
Copy link
Contributor

mtesauro commented Dec 4, 2024

@xpert98 Love the contribution but have to ask: Why are those conditionals so deeply nested?

I was reviewing this PR and wondering how much "fun" it would be to handle a future change with that deep nesting. I'm almost afraid to run a cyclical complexity tool on this parser code TBH.

Can you help me understand your thinking on that?

@xpert98
Copy link
Author

xpert98 commented Dec 4, 2024

@mtesauro I went that route because of the way the data is structured. Specifically for the mitigations and references, those are separate blocks outside of each result and that seemed like a convenient way to include the relevant "why it's a problem" and "how to fix it" into each issue to be rendered along with the typical issue details like file name and line number.

msg = "This doesn't seem to be a valid HCL ASoC SAST xml file."
raise NamespaceErr(msg)
report = root.find("issue-group")
if report is not None:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of putting the whole function after this point inside an if block when report is not None, just bail if report is None.

Suggested change
if report is not None:
if report is None:
return findings

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was keeping the overall style of the parser similar to the existing hcl_appscan (for DAST) parser for consistency. I can refactor if this is a dealbreaker.

dojo/tools/hcl_asoc_sast/parser.py Outdated Show resolved Hide resolved
dojo/tools/hcl_asoc_sast/parser.py Outdated Show resolved Hide resolved
Copy link
Contributor

github-actions bot commented Dec 9, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@xpert98 xpert98 force-pushed the hcl-asoc-sast-parser branch from 8c9bdf7 to 6791149 Compare December 10, 2024 13:22
@mtesauro
Copy link
Contributor

@xpert98 Closing and re-opening to see if I can get ruff-linting unstuck

@mtesauro mtesauro closed this Dec 10, 2024
@mtesauro mtesauro reopened this Dec 10, 2024
@mtesauro
Copy link
Contributor

@mtesauro I went that route because of the way the data is structured. Specifically for the mitigations and references, those are separate blocks outside of each result and that seemed like a convenient way to include the relevant "why it's a problem" and "how to fix it" into each issue to be rendered along with the typical issue details like file name and line number.

HCL AppScan sure chose a "creative" structure for this output 🤮

@mtesauro
Copy link
Contributor

I'm approving assuming the sha256sum gets fixed before it's merged.

@xpert98 You'll be happy to see PR #11299 😉

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

dojo/tools/hcl_asoc_sast/parser.py Outdated Show resolved Hide resolved
dojo/tools/hcl_asoc_sast/parser.py Outdated Show resolved Hide resolved
dojo/tools/hcl_asoc_sast/parser.py Outdated Show resolved Hide resolved
description = description + "**Location:** " + location + "\n"
case "line":
line = int(self.xmltreehelper(item).strip())
description = description + "***Line:" + str(line) + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Line:" + str(line) + "\n"
description = description + "**Line:** " + str(line) + "\n"

description = description + "***Line:" + str(line) + "\n"
case "threat-class":
threatclass = self.xmltreehelper(item)
description = description + "***Threat-Class:" + threatclass + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Threat-Class:" + threatclass + "\n"
description = description + "**Threat-Class:** " + threatclass + "\n"

case "entity":
entity = self.xmltreehelper(item)
title += "_" + entity.strip()
description = description + "***Entity:" + entity + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Entity:" + entity + "\n"
description = description + "**Entity:** " + entity + "\n"

description = description + "***Entity:" + entity + "\n"
case "security-risks":
security_risks = self.xmltreehelper(item)
description = description + "***Security-Risks:" + security_risks + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Security-Risks:" + security_risks + "\n"
description = description + "**Security-Risks:** " + security_risks + "\n"

case "cause-id":
causeid = self.xmltreehelper(item)
title += "_" + causeid.strip()
description = description + "***Cause-Id:" + causeid + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Cause-Id:" + causeid + "\n"
description = description + "**Cause-Id:** " + causeid + "\n"

description = description + "***Cause-Id:" + causeid + "\n"
case "element":
element = self.xmltreehelper(item)
description = description + "***Element:" + element + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Element:" + element + "\n"
description = description + "**Element:** " + element + "\n"

description = description + "***Element:" + element + "\n"
case "element-type":
elementtype = self.xmltreehelper(item)
description = description + "***ElementType:" + elementtype + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***ElementType:" + elementtype + "\n"
description = description + "**ElementType:** " + elementtype + "\n"

description = description + "***ElementType:" + elementtype + "\n"
case "variant-group":
variantgroup = item.iter()
description = description + "***Call Trace:" + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Call Trace:" + "\n"
description = description + "**Call Trace:** " + "\n"

articledetails = articles.iter()
for aitem in articledetails:
if aitem.tag == "cause":
description = description + "***Cause:" + "\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
description = description + "***Cause:" + "\n"
description = description + "**Cause:**" + "\n"

Copy link
Author

@xpert98 xpert98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incorporating changes from @cneill

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants