Merge branch 'dev' into add_kiuwan_support

Author: dr3dd589

dojo/forms.py

@@ -291,7 +291,8 @@ class ImportScanForm(forms.Form):
                          ("Anchore Engine Scan", "Anchore Engine Scan"),
                          ("Bundler-Audit Scan", "Bundler-Audit Scan"),
                          ("Twistlock Image Scan", "Twistlock Image Scan"),
-                         ("Kiuwan Scan", "Kiuwan Scan"))
+                         ("Kiuwan Scan", "Kiuwan Scan"),
+                         ("Blackduck Hub Scan", "Blackduck Hub Scan"))
 
     SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
 

dojo/templates/dojo/import_scan_results.html

@@ -32,6 +32,7 @@ <h3> Add Tests</h3>
 	<li><b>Arachni Scanner</b> - Arachni JSON report format.</li>
 	<li><b>AppSpider (Rapid7)</b> - Use the VulnerabilitiesSummary.xml file found in the zipped report download.</li>
 	<li><b>Bandit</b> - JSON report format</li>
+	<li><b>Blackduck Hub</b> - CSV report format (security.csv)</li>
 	<li><b>Bundler-Audit Scan</b> - 'bundler-audit check' output (in plain text)</li>
 	<li><b>Burp XML</b> - When the Burp report is generated, the recommended option is Base64 encoding both the request and
 	    response fields. These fields will be processed and made available in the 'Finding View' page.</li>

dojo/tools/blackduck/__init__.py

@@ -0,0 +1,107 @@
+import pandas as pd
+import hashlib
+from dojo.models import Finding
+
+
+class BlackduckHubCSVParser(object):
+    """
+    security.csv fields
+    1 project id -- ignore
+    2 version id -- ignore
+    3 chan version id -- ignore
+    4 Project name
+    5 Version NO -- part of channel id
+    6 channel version origin (i.e maven)
+    7 Channel version origin id YES
+    8 channel version origin name NO, part of ID already
+    9 Vulnerability id (either a CVE or some random number from VULNDB?)
+    10 Description
+    11 Published on
+    12 Updated on
+    13 Base score
+    14 Exploitability
+    15 Impact
+    16 Vulnerability source
+    17 Remediation status (NEW, DUPLICATE...)
+    18 Remediation target date
+    19 Remediation actual date
+    20 Remediation comment
+    21 URL (can be empty)
+    22 Security Risk
+    """
+    def __init__(self, filename, test):
+        dupes = dict()
+        self.items = ()
+
+        if filename is None:
+            self.items = ()
+            return
+
+        df = pd.read_csv(filename, header=0)
+        df = df.fillna("N/A")
+
+        for i, row in df.iterrows():
+            cve = df.ix[i, 'Vulnerability id']
+            cwe = 0  # need a way to automaticall retrieve that see #1119
+            title = self.format_title(df, i)
+            description = self.format_description(df, i)
+            severity = str(df.ix[i, 'Security Risk']).title()
+            mitigation = self.format_mitigation(df, i)
+            impact = df.ix[i, 'Impact']
+            references = self.format_reference(df, i)
+
+            dupe_key = hashlib.md5(title + '|' + df.ix[i, 'Vulnerability source']).hexdigest()
+
+            if dupe_key in dupes:
+                finding = dupes[dupe_key]
+                if finding.description:
+                    finding.description += "Vulnerability ID: {}\n {}\n".format(
+                        df.ix[i, 'Vulnerability id'], df.ix[i, 'Vulnerability source'])
+                dupes[dupe_key] = finding
+            else:
+                dupes[dupe_key] = True
+
+                finding = Finding(title=title,
+                                  cwe=int(cwe),
+                                  test=test,
+                                  active=False,
+                                  verified=False,
+                                  description=description,
+                                  severity=severity,
+                                  numerical_severity=Finding.get_numerical_severity(
+                                      severity),
+                                  mitigation=mitigation,
+                                  impact=impact,
+                                  references=references,
+                                  url=df.ix[i, 'URL'],
+                                  dynamic_finding=True)
+
+                dupes[dupe_key] = finding
+
+        self.items = dupes.values()
+
+    def format_title(self, df, i):
+        return "{} - {}".format(df.ix[i, 'Vulnerability id'], df.ix[i, 'Channel version origin id'])
+
+    def format_description(self, df, i):
+        description = "Published on: {}\n\n".format(str(df.ix[i, 'Published on']))
+        description += "Updated on: {}\n\n".format(str(df.ix[i, 'Updated on']))
+        description += "Base score: {}\n\n".format(str(df.ix[i, 'Base score']))
+        description += "Exploitability: {}\n\n".format(str(df.ix[i, 'Exploitability']))
+        description += "Description: {}\n".format(df.ix[i, 'Description'])
+
+        return description
+
+    def format_mitigation(self, df, i):
+        mitigation = "Remediation status: {}\n".format(df.ix[i, 'Remediation status'])
+        mitigation += "Remediation target date: {}\n".format(df.ix[i, 'Remediation target date'])
+        mitigation += "Remdediation actual date: {}\n".format(df.ix[i, 'Remediation actual date'])
+        mitigation += "Remdediation comment: {}\n".format(df.ix[i, 'Remediation comment'])
+
+        return mitigation
+
+    def format_reference(self, df, i):
+        reference = "Source: {}\n".format(df.ix[i, 'Vulnerability source'])
+        reference += "URL: {}\n".format(df.ix[i, 'URL'])
+
+        return reference

dojo/tools/blackduck/parser.py

@@ -44,6 +44,7 @@
 from dojo.tools.bundler_audit.parser import BundlerAuditParser
 from dojo.tools.twistlock.parser import TwistlockParser
 from dojo.tools.kiuwan.parser import KiuwanCSVParser
+from dojo.tools.blackduck.parser import BlackduckHubCSVParser
 
 __author__ = 'Jay Paz'
 
@@ -147,6 +148,8 @@ def import_parser_factory(file, test, scan_type=None):
         parser = TwistlockParser(file, test)
     elif scan_type == 'Kiuwan Scan':
         parser = KiuwanCSVParser(file, test)
+    elif scan_type == 'Blackduck Hub Scan':
+        parser = BlackduckHubCSVParser(file, test)
     else:
         raise ValueError('Unknown Test Type')
 

dojo/tools/factory.py

@@ -54,10 +54,12 @@ def get_item(vulnerability, test):
     vector = vulnerability['vector'] if 'vector' in vulnerability else "CVSS vector not provided. "
     status = vulnerability['status'] if 'status' in vulnerability else "There seems to be no fix yet. Please check description field."
     cvss = vulnerability['cvss'] if 'cvss' in vulnerability else "No CVSS score yet."
+    riskFactors = vulnerability['riskFactors'] if 'riskFactors' in vulnerability else "No risk factors."
 
     # create the finding object
     finding = Finding(
         title=vulnerability['id'] + ": " + vulnerability['packageName'] + " - " + vulnerability['packageVersion'],
+        cve=vulnerability['id'],
         test=test,
         severity=severity,
         description=vulnerability['description'] + "<p> Vulnerable Package: " +
@@ -71,7 +73,7 @@ def get_item(vulnerability, test):
         duplicate=False,
         out_of_scope=False,
         mitigated=None,
-        severity_justification="{}({})\n\n{}".format(vector, cvss, vulnerability['riskFactors']),
+        severity_justification="{}({})\n\n{}".format(vector, cvss, riskFactors),
         impact=severity)
 
     finding.description = finding.description.strip()