New HCL AppScan on Cloud SAST parser #11375
Conversation
DryRun Security Summary
DefectDojo has added a new parser for HCL AppScan on Cloud SAST, updated application settings, and created a comprehensive test suite to enhance its security assessment capabilities.
Summary: The provided code changes cover a range of updates to the DefectDojo application, including the addition of a new parser for the HCL AppScan on Cloud SAST (Static Application Security Testing) tool, updates to the application settings, and the introduction of a comprehensive test suite for the new parser. From an application security perspective, the changes are generally positive and demonstrate a thoughtful approach to integrating new security tooling and ensuring the reliability of the security assessment process. Key highlights include:
Overall, these changes demonstrate a strong focus on security and a commitment to providing a robust and reliable security assessment platform for the DefectDojo application.
Files Changed:
@xpert98 Love the contribution but have to ask: Why are those conditionals so deeply nested? I was reviewing this PR and wondering how much "fun" it would be to handle a future change with that deep nesting. I'm almost afraid to run a cyclical complexity tool on this parser code TBH. Can you help me understand your thinking on that?
@mtesauro I went that route because of the way the data is structured. Specifically for the mitigations and references, those are separate blocks outside of each result and that seemed like a convenient way to include the relevant "why it's a problem" and "how to fix it" into each issue to be rendered along with the typical issue details like file name and line number.
msg = "This doesn't seem to be a valid HCL ASoC SAST xml file." | ||
raise NamespaceErr(msg) | ||
report = root.find("issue-group") | ||
if report is not None: |
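Review bot: `root.find("issue-group")` only matches an un-namespaced direct child, so an export that declares a default XML namespace makes `find` return `None`, and the `if report is not None:` guard then turns that into a silent empty result instead of an error. Consider matching on the local tag name (or passing the namespace to `find`) and raising `NamespaceErr` with the same message when the element is absent, so a document that parses but carries no `issue-group` is surfaced rather than swallowed.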
Instead of putting the whole function after this point inside an if block when report is not None, just bail if report is None.
if report is not None: | |
if report is None: | |
return findings |
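Review bot: the suggested `if report is None: return findings` requires `findings` to be bound before this line, otherwise the early return raises `UnboundLocalError` on an empty report; the body that previously sat under `if report is not None:` also needs to be dedented one level, which the suggestion as shown does not include.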
I was keeping the overall style of the parser similar to the existing hcl_appscan (for DAST) parser for consistency. I can refactor if this is a dealbreaker.
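The two points in this thread, joining the separate mitigation and reference blocks onto each issue, and bailing out early instead of nesting the whole function under `if report is not None:`, are shown together below. This is an added example, not DefectDojo's parser or HCL's schema: the element and attribute names in `SAMPLE_REPORT` are assumed for illustration only, and the report is constructed. The structure it demonstrates is that the out-of-line blocks are flattened once into lookup tables, so each issue is filled in with a dict lookup instead of an inner loop, and that tag matching strips any XML namespace so a namespaced export does not silently yield no findings.

```python
import xml.etree.ElementTree as ET  # swap for defusedxml.ElementTree in production

# Constructed sample report. Element and attribute names are assumed for
# illustration only; they are not the real HCL AppScan on Cloud schema.
SAMPLE_REPORT = """<?xml version="1.0"?>
<xml-report>
  <issue-group>
    <item id="1">
      <issue-type ref="sqli"/>
      <severity>High</severity>
      <location file="app/db.py" line="42"/>
    </item>
    <item id="2">
      <issue-type ref="xss"/>
      <severity>Medium</severity>
      <location file="app/views.py" line="7"/>
    </item>
  </issue-group>
  <issue-type-group>
    <item id="sqli"><name>SQL Injection</name></item>
    <item id="xss"><name>Cross-Site Scripting</name></item>
  </issue-type-group>
  <fix-recommendation-group>
    <item id="sqli"><text>Use parameterized queries.</text></item>
  </fix-recommendation-group>
  <reference-group>
    <item id="sqli"><url>https://example.invalid/sqli</url></item>
    <item id="xss"><url>https://example.invalid/xss</url></item>
  </reference-group>
</xml-report>
"""


class NamespaceErr(ValueError):
    """Raised when the document does not look like an ASoC SAST report."""


def _local(tag):
    """Local part of a tag: '{urn:x}item' -> 'item', 'item' -> 'item'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child whose local tag name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem):
    """Stripped text of an element, or '' when the element is missing/empty."""
    return (elem.text or "").strip() if elem is not None else ""


def _index_group(root, group_name, field):
    """Flatten a top-level <group_name> block into {item id: field text}.

    Building these tables once up front is what removes the nested loops:
    each issue then needs a dict lookup, not a second pass over sibling blocks.
    """
    group = _child(root, group_name)
    if group is None:
        return {}
    return {item.get("id"): _text(_child(item, field)) for item in group}


def get_findings(xml_text):
    """Return a list of finding dicts; [] when the report has no issue-group."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "xml-report":
        msg = "This doesn't seem to be a valid HCL ASoC SAST xml file."
        raise NamespaceErr(msg)

    findings = []
    issue_group = _child(root, "issue-group")
    if issue_group is None:  # guard clause instead of wrapping the rest in an if
        return findings

    names = _index_group(root, "issue-type-group", "name")
    fixes = _index_group(root, "fix-recommendation-group", "text")
    refs = _index_group(root, "reference-group", "url")

    for item in issue_group:
        issue_type = _child(item, "issue-type")
        type_ref = issue_type.get("ref") if issue_type is not None else None
        loc = _child(item, "location")
        findings.append({
            "title": names.get(type_ref, type_ref or "Unknown issue type"),
            "severity": _text(_child(item, "severity")),
            "file_path": loc.get("file") if loc is not None else None,
            "line": int(loc.get("line")) if loc is not None and loc.get("line") else None,
            "mitigation": fixes.get(type_ref, ""),   # "" when the block has no entry
            "references": refs.get(type_ref, ""),
        })
    return findings


if __name__ == "__main__":
    for finding in get_findings(SAMPLE_REPORT):
        print(finding)
```

The stdlib parser is used only so the example runs offline; a parser fed untrusted scanner exports should go through `defusedxml` so entity expansion and external entities are refused.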
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Co-authored-by: Charles Neill <[email protected]>
@xpert98 Closing and re-opening to see if I can get ruff-linting unstuck
HCL AppScan sure chose a "creative" structure for this output 🤮
Approved
Conflicts have been resolved. A maintainer will review the pull request shortly.
Incorporating changes from @cneill
We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
Description
This is a new parser for HCL AppScan on Cloud SAST results.
Test results
Tests are included and pass.
Documentation
Documentation included.
Checklist
This checklist is for your information.
Extra information