Merge pull request #45 from logchange/maven_dependency_check

Added Maven Dependency Check GitLab format conversion to JUNIT

Author: marwin1991

.gitpod.Dockerfile

@@ -2,6 +2,6 @@ FROM gitpod/workspace-python-3.10
 
 USER gitpod
 
-RUN curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python -
+RUN curl -sSL https://install.python-poetry.org/ | python -
 
 RUN poetry --version

README.md

@@ -42,6 +42,13 @@ Procedure:
 2. Convert report
 3. Upload converted report as junit report
 
+### Report input types:
+You can use following report types as inputs with `ss2ju` command. (f.e `ss2ju sast ....`) 
+- [**sast**](https://docs.gitlab.com/ee/user/application_security/sast/)
+- [**secrets**](https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/)
+- [**container_scanning**](https://docs.gitlab.com/ee/user/application_security/container_scanning/)
+- [**maven_dependency_check**](https://github.com/jeremylong/DependencyCheck)
+
 ### Example for Secret Scanning
 This example can be used as is.
 ```yaml

pyproject.toml

@@ -8,7 +8,7 @@ readme = "README.md"
 homepage = "https://github.com/logchange/SecScanner2JUnit"
 repository = "https://github.com/logchange/SecScanner2JUnit"
 packages = [
-  { include = 'secscanner2junit' },
+    { include = 'secscanner2junit' },
 ]
 
 [tool.poetry.dependencies]

secscanner2junit/__init__.py

@@ -8,6 +8,7 @@
 
 from secscanner2junit.config import get_config, Config
 from secscanner2junit.container_scanning import ContainerScanningParser
+from secscanner2junit.maven_dependency_check import MavenDependencyCheckParser
 from secscanner2junit.sast import SastParser
 from secscanner2junit.secrets import SecretsParser
 
@@ -16,6 +17,8 @@ class ScanType(enum.Enum):
     SECRETS = 'secrets'
     SAST = 'sast'
     CS = 'container_scanning'
+    MAVEN_DEPENDENCY_CHECK = 'maven_dependency_check'
+
 
     @staticmethod
     def list():
@@ -64,6 +67,8 @@ def main(args=None):
         parser = SastParser(report, args.input_file, ss2ju_config)
     elif args.activity == ScanType.CS.value:
         parser = ContainerScanningParser(report, args.input_file, ss2ju_config)
+    elif args.activity == ScanType.MAVEN_DEPENDENCY_CHECK.value:
+        parser = MavenDependencyCheckParser(report, args.input_file, ss2ju_config)
     else:
         raise NotImplementedError
     testsuite = parser.parse()

secscanner2junit/maven_dependency_check.py

@@ -0,0 +1,38 @@
+from junit_xml import TestSuite, TestCase
+
+from secscanner2junit.config import Config
+from secscanner2junit.parser import Parser
+from secscanner2junit.vulnerability import MavenDependencyCheckVulnerability
+
+
+# https://github.com/jeremylong/DependencyCheck
+class MavenDependencyCheckParser(Parser):
+    def __init__(self, report, ts_name, config: Config):
+        super().__init__(report, ts_name, config)
+        self.p_type = "MavenDependencyCheck"
+
+    def parse_vulnerability(self, raw_vulnerability):
+        vulnerability = MavenDependencyCheckVulnerability(raw_vulnerability)
+
+        tc = TestCase(name=vulnerability.get_testcase_name(),
+                      classname=self.p_type,
+                      file=vulnerability.get_location(),
+                      elapsed_sec=1)
+
+        tc.add_failure_info(message=vulnerability.get_description(),
+                            output=vulnerability.get_output(),
+                            failure_type=vulnerability.get_failure_type())
+        return tc
+
+    def parse(self):
+        vulnerabilities = self.report['vulnerabilities']
+        vulnerabilities = self.config.suppress(vulnerabilities)
+
+        testsuites = []
+        testcases = []
+
+        for raw_vulnerability in vulnerabilities:
+            testcases.append(self.parse_vulnerability(raw_vulnerability))
+
+        testsuites.append(TestSuite(name=self.ts_name, test_cases=testcases))
+        return testsuites

secscanner2junit/vulnerability.py

@@ -120,6 +120,15 @@ def get_location(self):
         return self.__location.get_location()
 
 
+class MavenDependencyCheckVulnerability(_Vulnerability):
+    def __init__(self, raw_vulnerability: dict):
+        super().__init__(raw_vulnerability)
+        self.__location = MavenDependencyCheckLocation(super()._parse_required_property('location'))
+
+    def get_location(self):
+        return self.__location.get_location()
+
+
 class SecretsVulnerability(SastVulnerability):
     def __init__(self, raw_vulnerability: dict):
         super().__init__(raw_vulnerability)
@@ -180,6 +189,16 @@ def get_location(self):
         return self.__image
 
 
+class MavenDependencyCheckLocation(Location):
+    def __init__(self, raw_location: dict):
+        super().__init__(raw_location)
+        self.__dependency = Dependency(super()._parse_required_property('dependency'))
+        self.__file = super()._parse_required_property('file')
+
+    def get_location(self):
+        return str(self.__dependency)
+
+
 # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/security-report-format.json
 class Dependency(_Base):
     def __init__(self, raw_dependency: dict):
@@ -190,9 +209,15 @@ def __init__(self, raw_dependency: dict):
         self.__direct = super()._parse_simple_property('direct')
         # dependency_path - TODO in future ?
 
+    def __repr__(self):
+        return str(self.__package) + " version: " + self.__version
+
 
 # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/security-report-format.json
 class Package(_Base):
     def __init__(self, raw_package: dict):
         super().__init__(raw_package)
         self.__name = super()._parse_required_property('name')
+
+    def __repr__(self):
+        return "Package: " + self.__name