Add support for GitLab Dependency Scanning reports (#3534)

macedogm · web-flow · commit 72a1b8d022d3 · 2020-12-29T16:05:09.000+01:00
diff --git a/dojo/fixtures/test_type.json b/dojo/fixtures/test_type.json
@@ -684,5 +684,13 @@
         },
         "model": "dojo.test_type",
         "pk": 189
+    },
+    {
+        "fields": {
+            "name": "GitLab Dependency Scanning Report"
+        },
+        "model": "dojo.test_type",
+        "pk": 190
     }
+
 ]
diff --git a/dojo/forms.py b/dojo/forms.py
@@ -402,7 +402,7 @@ class ImportScanForm(forms.Form):
                          ("BugCrowd Scan", "BugCrowd Scan"),
                          ("GitLab SAST Report", "GitLab SAST Report"),
                          ("AWS Security Hub Scan", "AWS Security Hub Scan"),
-                         ("GitLab SAST Report", "GitLab SAST Report"),
+                         ("GitLab Dependency Scanning Report", "GitLab Dependency Scanning Report"),
                          ("HuskyCI Report", "HuskyCI Report"),
                          ("Semgrep JSON Report", "Semgrep JSON Report"),
                          ("Risk Recon API Importer", "Risk Recon API Importer"),
diff --git a/dojo/templates/dojo/import_scan_results.html b/dojo/templates/dojo/import_scan_results.html
@@ -82,6 +82,7 @@ <h4> JIRA </h4>
 	<li><b>Fortify</b> - Import Findings from XML file format.</li>
 	<li><b>Generic Findings Import</b> - Import Generic findings in CSV format.</li>
 	<li><b>GitLab SAST Report</b> - Import GitLab SAST Report vulnerabilities in JSON format.</li>
+	<li><b>GitLab Dependency Scanning Report</b> - Import GitLab Dependency Scanning Report vulnerabilities in JSON format.</li>
 	<li><b>Gitleaks Scan </b> - Import Gitleaks Scan findings in JSON format.</li>
 	<li><b>Gosec Scanner </b> - Import Gosec Scanner findings in JSON format.</li>
 	<li><b>HackerOne Cases</b> - Import HackerOne cases findings in JSON format.</li>
diff --git a/dojo/tools/factory.py b/dojo/tools/factory.py
@@ -82,6 +82,7 @@
 from dojo.tools.github_vulnerability.parser import GithubVulnerabilityParser
 from dojo.tools.choctaw_hog.parser import ChoctawhogParser
 from dojo.tools.gitlab_sast.parser import GitlabSastReportParser
+from dojo.tools.gitlab_dep_scan.parser import GitlabDepScanReportParser
 from dojo.tools.yarn_audit.parser import YarnAuditParser
 from dojo.tools.bugcrowd.parser import BugCrowdCSVParser
 from dojo.tools.huskyci.parser import HuskyCIReportParser
@@ -277,6 +278,8 @@ def import_parser_factory(file, test, active, verified, scan_type=None):
         parser = ChoctawhogParser(file, test)
     elif scan_type == 'GitLab SAST Report':
         parser = GitlabSastReportParser(file, test)
+    elif scan_type == 'GitLab Dependency Scanning Report':
+        parser = GitlabDepScanReportParser(file, test)
     elif scan_type == 'Yarn Audit Scan':
         parser = YarnAuditParser(file, test)
     elif scan_type == 'BugCrowd Scan':
diff --git a/dojo/tools/gitlab_dep_scan/__init__.py b/dojo/tools/gitlab_dep_scan/__init__.py
diff --git a/dojo/tools/gitlab_dep_scan/parser.py b/dojo/tools/gitlab_dep_scan/parser.py
@@ -0,0 +1,141 @@
+import json
+from dojo.models import Finding
+
+
+class GitlabDepScanReportParser(object):
+    def __init__(self, json_output, test):
+        self.items = []
+
+        if json_output is None:
+            return
+
+        tree = self.parse_json(json_output)
+        if tree:
+            self.items = [data for data in self.get_items(tree, test)]
+
+    def parse_json(self, json_output):
+        try:
+            data = json_output.read()
+            try:
+                tree = json.loads(str(data, 'utf-8'))
+            except:
+                tree = json.loads(data)
+        except:
+            raise Exception("Invalid format")
+
+        return tree
+
+    def get_items(self, tree, test):
+        items = {}
+
+        for node in tree['vulnerabilities']:
+            item = get_item(node, test)
+            if item:
+                items[item.unique_id_from_tool] = item
+
+        return list(items.values())
+
+
+def get_item(vuln, test):
+    if vuln['category'] != 'dependency_scanning':
+        # For Dependency Scanning reports, value must always be "dependency_scanning"
+        return None
+
+    unique_id_from_tool = None
+    if 'id' in vuln:
+        unique_id_from_tool = vuln['id']
+    else:
+        # If the new unique id is not provided, fall back to deprecated "cve" fingerprint (old version)
+        unique_id_from_tool = vuln['cve']
+
+    title = ''
+    if 'name' in vuln:
+        title = vuln['name']
+    elif 'message' in vuln:
+        title = vuln['message']
+    elif 'description' in vuln:
+        title = vuln['description']
+    else:
+        # All other fields are optional, if none of them has a value, fall back on the unique id
+        title = unique_id_from_tool
+
+    description = 'Scanner: {}\n'.format(vuln['scanner']['name'])
+    if 'message' in vuln:
+        description += '{}\n'.format(vuln['message'])
+    if 'description' in vuln:
+        description += '{}\n'.format(vuln['description'])
+
+    location = vuln['location']
+    file_path = location['file'] if 'file' in location else None
+    sourcefile = location['file'] if 'file' in location else None
+
+    line = location['start_line'] if 'start_line' in location else None
+    if 'end_line' in location:
+        line = location['end_line']
+
+    sast_source_line = location['start_line'] if 'start_line' in location else None
+
+    sast_object = None
+    if 'class' in location and 'method' in location:
+        sast_object = '{}#{}'.format(location['class'], location['method'])
+    elif 'class' in location:
+        sast_object = location['class']
+    elif 'method' in location:
+        sast_object = location['method']
+
+    severity = vuln['severity']
+    if severity == 'Undefined' or severity == 'Unknown':
+        # Severity can be "Undefined" or "Unknown" in report
+        # In that case we set it as Info and specify the initial severity in the title
+        title = '[{} severity] {}'.format(severity, title)
+        severity = 'Info'
+    numerical_severity = Finding.get_numerical_severity(severity)
+    # Dependency Scanning analyzers doesn't provide confidence property
+    # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/analyzers.html#analyzers-data
+    scanner_confidence = False
+
+    mitigation = ''
+    if 'solution' in vuln:
+        mitigation = vuln['solution']
+
+    cwe = None
+    cve = None
+    references = ''
+    if 'identifiers' in vuln:
+        for identifier in vuln['identifiers']:
+            if identifier['type'].lower() == 'cwe':
+                cwe = identifier['value']
+            elif identifier['type'].lower() == 'cve':
+                cve = identifier['value']
+            else:
+                references += 'Identifier type: {}\n'.format(identifier['type'])
+                references += 'Name: {}\n'.format(identifier['name'])
+                references += 'Value: {}\n'.format(identifier['value'])
+                if 'url' in identifier:
+                    references += 'URL: {}\n'.format(identifier['url'])
+                references += '\n'
+
+    finding = Finding(title=cve + ": " + title if cve else title,
+                      test=test,
+                      active=False,
+                      verified=False,
+                      description=description,
+                      severity=severity,
+                      numerical_severity=numerical_severity,
+                      scanner_confidence=scanner_confidence,
+                      mitigation=mitigation,
+                      unique_id_from_tool=unique_id_from_tool,
+                      references=references,
+                      file_path=file_path,
+                      sourcefile=sourcefile,
+                      line=line,
+                      sast_source_object=sast_object,
+                      sast_sink_object=sast_object,
+                      sast_source_file_path=file_path,
+                      sast_source_line=sast_source_line,
+                      cwe=cwe,
+                      cve=cve,
+                      static_finding=True,
+                      dynamic_finding=False)
+
+    return finding
diff --git a/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-0-vuln.json b/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-0-vuln.json
@@ -0,0 +1,27 @@
+{
+  "version": "3.0.0",
+  "vulnerabilities": [],
+  "remediations": [],
+  "dependency_files": [
+    {
+      "path": "service/go.sum",
+      "package_manager": "go",
+      "dependencies": []
+    }
+  ],
+  "scan": {
+    "scanner": {
+      "id": "gemnasium",
+      "name": "Gemnasium",
+      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "2.24.1"
+    },
+    "type": "dependency_scanning",
+    "start_time": "2020-12-23T13:44:07",
+    "end_time": "2020-12-23T13:44:08",
+    "status": "success"
+  }
+}
diff --git a/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-1-vuln.json b/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-1-vuln.json
@@ -0,0 +1,77 @@
+{
+  "version": "3.0.0",
+  "vulnerabilities": [
+    {
+      "id": "2d8b607cb56d9866c73cdcf33a016f64b4fa37d909c1dd300037b1ac026a3ca5",
+      "category": "dependency_scanning",
+      "name": "XML Entity Expansion",
+      "message": "XML Entity Expansion in gopkg.in/yaml.v2",
+      "description": "go-yaml is vulnerable to a Billion Laughs Attack.",
+      "cve": "service/go.sum:gopkg.in/yaml.v2:gemnasium:7368f513-0aa9-4e34-a08d-40ea81f48e0e",
+      "severity": "Unknown",
+      "solution": "Upgrade to version 2.2.3 or above.",
+      "scanner": {
+        "id": "gemnasium",
+        "name": "Gemnasium"
+      },
+      "location": {
+        "file": "service/go.sum",
+        "dependency": {
+          "package": {
+            "name": "gopkg.in/yaml.v2"
+          },
+          "version": "v2.2.2"
+        }
+      },
+      "identifiers": [
+        {
+          "type": "gemnasium",
+          "name": "Gemnasium-7368f513-0aa9-4e34-a08d-40ea81f48e0e",
+          "value": "7368f513-0aa9-4e34-a08d-40ea81f48e0e",
+          "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/go/gopkg.in/yaml.v2/GMS-2019-2.yml"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://github.com/docker/cli/pull/2117"
+        }
+      ]
+    }
+  ],
+  "remediations": [],
+  "dependency_files": [
+    {
+      "path": "service/go.sum",
+      "package_manager": "go",
+      "dependencies": [
+        {
+          "package": {
+            "name": "gopkg.in/yaml.v2"
+          },
+          "version": "v2.2.2"
+        },
+        {
+          "package": {
+            "name": "gopkg.in/yaml.v2"
+          },
+          "version": "v2.2.4"
+        }
+      ]
+    }
+  ],
+  "scan": {
+    "scanner": {
+      "id": "gemnasium",
+      "name": "Gemnasium",
+      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "2.24.1"
+    },
+    "type": "dependency_scanning",
+    "start_time": "2020-12-23T13:43:48",
+    "end_time": "2020-12-23T13:43:49",
+    "status": "success"
+  }
+}
diff --git a/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-many-vuln.json b/dojo/unittests/scans/gitlab_dep_scan/gl-dependency-scanning-report-many-vuln.json
diff --git a/dojo/unittests/test_gitlab_dep_scan_parser.py b/dojo/unittests/test_gitlab_dep_scan_parser.py

Original file line number	Diff line number	Diff line change
`@@ -684,5 +684,13 @@`
`684`	`684`	`},`
`685`	`685`	`"model": "dojo.test_type",`
`686`	`686`	`"pk": 189`
	`687`	`+ },`
	`688`	`+ {`
	`689`	`+ "fields": {`
	`690`	`+ "name": "GitLab Dependency Scanning Report"`
	`691`	`+ },`
	`692`	`+ "model": "dojo.test_type",`
	`693`	`+ "pk": 190`
`687`	`694`	`}`
	`695`	`+`
`688`	`696`	`]`