New HCL AppScan on Cloud SAST parser #11375
+8,389
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| --- | ||
| title: "HCL AppScan on Cloud SAST" | ||
| toc_hide: true | ||
| --- | ||
| HCL Appscan on Cloud can export the results in PDF, XML and CSV formats but this parser only supports the import of XML generated from HCL Appscan on Cloud for SAST scans. | ||
|
|
||
| ### Sample Scan Data | ||
| Sample HCL AppScan on Cloud SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/hcl_asoc_sast). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 6fd36fcdf01e6881e5d97fbf37fe8e10b2aad8ac7878691f9e362cecc4eb7cca |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| __author__ = "xpert98" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,156 @@ | ||
| from xml.dom import NamespaceErr | ||
|
|
||
| from defusedxml import ElementTree as ET | ||
|
|
||
| from dojo.models import Finding | ||
|
|
||
|
|
||
| class HCLASoCSASTParser: | ||
| def get_scan_types(self): | ||
| return ["HCL AppScan on Cloud SAST XML"] | ||
|
|
||
| def get_label_for_scan_types(self, scan_type): | ||
| return scan_type | ||
|
|
||
| def get_description_for_scan_types(self, scan_type): | ||
| return "Import XML output of HCL AppScan on Cloud SAST" | ||
|
|
||
| def xmltreehelper(self, input): | ||
| if input.text is None: | ||
| output = None | ||
| elif "\n" in input.text: | ||
| output = "" | ||
| for i in input: | ||
| output = output + " " + i.text | ||
| else: | ||
| output = " " + input.text | ||
| return output | ||
|
|
||
| def get_findings(self, file, test): | ||
| findings = [] | ||
| tree = ET.parse(file) | ||
| root = tree.getroot() | ||
| if "xml-report" not in root.tag: | ||
| msg = "This doesn't seem to be a valid HCL ASoC SAST xml file." | ||
| raise NamespaceErr(msg) | ||
| report = root.find("issue-group") | ||
| if report is not None: | ||
| for finding in report: | ||
| title = "" | ||
| description = "" | ||
| for item in finding: | ||
| match item.tag: | ||
| case "severity": | ||
| output = self.xmltreehelper(item) | ||
| if output is None: | ||
| severity = "Info" | ||
| else: | ||
| severity = output.strip(" ").capitalize() | ||
|
Check failure on line 48 in dojo/tools/hcl_asoc_sast/parser.py
|
||
| case "cwe": | ||
| cwe = int(self.xmltreehelper(item)) | ||
| case "issue-type": | ||
| title = self.xmltreehelper(item).strip() | ||
| description = description + "***Issue-Type:" + title + "\n" | ||
xpert98 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "issue-type-name": | ||
| title = self.xmltreehelper(item).strip() | ||
| description = description + "***Issue-Type-Name:" + title + "\n" | ||
xpert98 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "source-file": | ||
| location = self.xmltreehelper(item).strip() | ||
| description = description + "***Location:" + location + "\n" | ||
xpert98 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "line": | ||
| line = int(self.xmltreehelper(item).strip()) | ||
| description = description + "***Line:" + str(line) + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "threat-class": | ||
| threatclass = self.xmltreehelper(item) | ||
| description = description + "***Threat-Class:" + threatclass + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "entity": | ||
| entity = self.xmltreehelper(item) | ||
| title += "_" + entity.strip() | ||
| description = description + "***Entity:" + entity + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "security-risks": | ||
| security_risks = self.xmltreehelper(item) | ||
| description = description + "***Security-Risks:" + security_risks + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "cause-id": | ||
| causeid = self.xmltreehelper(item) | ||
| title += "_" + causeid.strip() | ||
| description = description + "***Cause-Id:" + causeid + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "element": | ||
| element = self.xmltreehelper(item) | ||
| description = description + "***Element:" + element + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "element-type": | ||
| elementtype = self.xmltreehelper(item) | ||
| description = description + "***ElementType:" + elementtype + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| case "variant-group": | ||
| variantgroup = item.iter() | ||
| description = description + "***Call Trace:" + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| for vitem in variantgroup: | ||
| if vitem.tag == "issue-information": | ||
| issueinformation = vitem.iter() | ||
| for iitem in issueinformation: | ||
| if iitem.tag == "context": | ||
| description = description + self.xmltreehelper(iitem) + "\n" | ||
|
|
||
| case "fix": | ||
| recommendations = "" | ||
| externalreferences = "" | ||
| issuetypename = "" | ||
| remediation = "" | ||
| fix = item.iter() | ||
| for fitem in fix: | ||
| if fitem.tag == "types": | ||
| type = fitem.iter() | ||
| for titem in type: | ||
| if titem.tag == "name": | ||
| issuetypename = self.xmltreehelper(titem) | ||
| if fitem.tag == "remediation": | ||
| remediation = self.xmltreehelper(fitem) | ||
|
|
||
| articlegroup = root.find("article-group") | ||
| if articlegroup is not None: | ||
| for articles in articlegroup: | ||
| if articles.attrib["id"] == issuetypename.strip() and articles.attrib["api"] == remediation.strip(): | ||
| articledetails = articles.iter() | ||
| for aitem in articledetails: | ||
| if aitem.tag == "cause": | ||
| description = description + "***Cause:" + "\n" | ||
cneill marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| for causeitem in aitem: | ||
| if causeitem.attrib["type"] == "string": | ||
| if causeitem.text is not None: | ||
xpert98 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| description = description + causeitem.text + "\n" | ||
| if aitem.tag == "recommendations": | ||
| for recitem in aitem: | ||
| if recitem.attrib["type"] == "string": | ||
| if recitem.text is not None: | ||
xpert98 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| recommendations = recommendations + recitem.text + "\n" | ||
| elif recitem.attrib["type"] == "object": | ||
| codeblock = recitem.iter() | ||
| for codeitem in codeblock: | ||
| if codeitem.tag == "item" and codeitem.attrib["type"] == "string": | ||
| if codeitem.text is None: | ||
| recommendations = recommendations + "\n" | ||
| else: | ||
| recommendations = recommendations + self.xmltreehelper(codeitem) + "\n" | ||
|
|
||
| if aitem.tag == "externalReferences": | ||
| ref = aitem.iter() | ||
| for ritem in ref: | ||
| if ritem.tag == "title": | ||
| externalreferences = externalreferences + self.xmltreehelper(ritem).strip() + "\n" | ||
| if ritem.tag == "url": | ||
| externalreferences = externalreferences + self.xmltreehelper(ritem).strip() + "\n" | ||
|
|
||
| prepared_finding = Finding( | ||
| title=title, | ||
| description=description, | ||
| file_path=location, | ||
| line=line, | ||
| severity=severity, | ||
| cwe=cwe, | ||
| mitigation=recommendations, | ||
| references=externalreferences, | ||
| dynamic_finding=False, | ||
| static_finding=True, | ||
| ) | ||
| findings.append(prepared_finding) | ||
| return findings | ||
| return findings | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of putting the whole function after this point inside an
ifblock whenreportis notNone, just bail ifreportisNone.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was keeping the overall style of the parser similar to the existing hcl_appscan (for DAST) parser for consistency. I can refactor if this is a dealbreaker.