diff --git a/lib/sarif/osv/base_sarif.rb b/lib/sarif/osv/base_sarif.rb
index 6ce2c625..07e637e5 100644
--- a/lib/sarif/osv/base_sarif.rb
+++ b/lib/sarif/osv/base_sarif.rb
@@ -25,6 +25,19 @@ def parse_scan_report!
 end
 
 def parse_issue(issue)
+ # Example issue
+ # {"Package"=>"github.com/syncthing/syncthing",
+ # "Vulnerable Version"=>"0",
+ # "Version Detected"=>"1.14.0",
+ # "Patched Version"=>"1.15.0",
+ # "ID"=>"CVE-2021-21404",
+ # "Database"=>"Github Advisory Database",
+ # "Summary"=>"Crash due to malformed relay protocol message",
+ # "References"=>
+ # "https://github.com/advisories/GHSA-x462-89pf-6r5h, https://nvd.nist.gov...",
+ # "Source"=>"https://osv.dev/list",
+ # "Severity"=>"LOW"}
+
 parsed_issue = {
 id: issue['ID'],
 name: SCANNER_NAME,
@@ -33,6 +46,7 @@ def parse_issue(issue)
 messageStrings: {
 "package": { "text": issue['Package'].to_s },
 "title": { "text": issue['Summary'].to_s },
 "severity": { "text": issue['Severity'].to_s },
+ "cwe": { "text": [issue['ID']].to_s },
 "patched_versions": { "text": issue['Patched Version'].to_s },
 "vulnerable_versions": { "text": issue['Vulnerable Version'].to_s
diff --git a/spec/lib/sarif/osv/go_osv_sarif_spec.rb b/spec/lib/sarif/osv/go_osv_sarif_spec.rb
index bd307a21..13a097b9 100644
--- a/spec/lib/sarif/osv/go_osv_sarif_spec.rb
+++ b/spec/lib/sarif/osv/go_osv_sarif_spec.rb
@@ -46,6 +46,9 @@ def stub_req_with_valid_response
 "helpUri" => "https://osv.dev/list",
 "id" => "CVE-2021-21404",
 "messageStrings" => {
+ "cwe" => {
+ "text" => "[\"CVE-2021-21404\"]"
+ },
 "package" => {
 "text" => "github.com/syncthing/syncthing"
 },
diff --git a/spec/lib/sarif/osv/gradle_osv_sarif_spec.rb b/spec/lib/sarif/osv/gradle_osv_sarif_spec.rb
index 9f3f068b..c00d4da8 100644
--- a/spec/lib/sarif/osv/gradle_osv_sarif_spec.rb
+++ b/spec/lib/sarif/osv/gradle_osv_sarif_spec.rb
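Review bot: The new `"cwe"` messageString in the second base_sarif.rb hunk carries the advisory ID, not a CWE: `[issue['ID']].to_s` renders via Array#inspect as `["CVE-2021-21404"]`, which the updated go/gradle/maven/python specs then pin as `"[\"CVE-2021-21404\"]"` and similar. The example issue hash added in the first hunk has no CWE key at all, so any SARIF consumer reading `messageStrings.cwe` will receive a CVE/GHSA identifier mislabelled as a weakness class. If this is deliberate parity with the `cwe` field other adapters emit, say so on the line — `# OSV issues carry no CWE; the advisory ID is emitted here for parity with other scanners' "cwe" messageString` — otherwise the key is better left out. If a JSON-array string really is the intended format, `JSON.generate([issue['ID']])` states that explicitly instead of relying on inspect output, assuming json is already loaded in this file. parse_issue's body starts before and continues after this hunk.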
@@ -48,6 +48,9 @@ def stub_req_with_valid_response
 "helpUri" => "https://osv.dev/list",
 "id" => "CVE-2020-8908",
 "messageStrings" => {
+ "cwe" => {
+ "text" => "[\"CVE-2020-8908\"]"
+ },
 "package" => {
 "text" => "com.google.guava:guava"
 },
diff --git a/spec/lib/sarif/osv/maven_osv_sarif_spec.rb b/spec/lib/sarif/osv/maven_osv_sarif_spec.rb
index 96729309..9a28b8f4 100644
--- a/spec/lib/sarif/osv/maven_osv_sarif_spec.rb
+++ b/spec/lib/sarif/osv/maven_osv_sarif_spec.rb
@@ -48,6 +48,9 @@ def stub_req_with_valid_response
 "helpUri" => "https://osv.dev/list",
 "id" => "CVE-2018-15756",
 "messageStrings" => {
+ "cwe" => {
+ "text" => "[\"CVE-2018-15756\"]"
+ },
 "package" => {
 "text" => "org.springframework:spring-core"
 },
diff --git a/spec/lib/sarif/osv/python_osv_sarif_spec.rb b/spec/lib/sarif/osv/python_osv_sarif_spec.rb
index 71f892d1..c07a8418 100644
--- a/spec/lib/sarif/osv/python_osv_sarif_spec.rb
+++ b/spec/lib/sarif/osv/python_osv_sarif_spec.rb
@@ -46,6 +46,9 @@ def stub_req_with_valid_response
 "helpUri" => "https://osv.dev/list",
 "id" => "CVE-2020-29651",
 "messageStrings" => {
+ "cwe" => {
+ "text" => "[\"CVE-2020-29651\"]"
+ },
 "package" => {
 "text" => "py"
 },