Add new Mend Platform API 3.0 file types to existing Mend parser

dojo/tools/mend/parser.py

@@ -4,7 +4,7 @@
 
 from dojo.models import Finding
 
-__author__ = "dr3dd589"
+__author__ = "dr3dd589 + testaccount90009 aka SH"
 
 logger = logging.getLogger(__name__)
 
@@ -35,7 +35,55 @@ def _build_common_output(node, lib_name=None):
             cve = None
             component_name = None
             component_version = None
-            if "library" in node:
+            impact = None
+            description = "No Description Available"
+            cvss3_score = None
+            mitigation = "N/A"
+            if "component" in node:
+                description = (
+                    "**Vulnerability Description**: "
+                    + node["vulnerability"].get("description", "No Description Available")
+                    + "\n\n"
+                    + "**Component Name**: "
+                    + node["component"].get("name", "")
+                    + "\n"
+                    + "**Component Type**: "
+                    + node["component"].get("componentType", "")
+                    + "\n"
+                    + "**Root Library**: "
+                    + str(node["component"].get("rootLibrary", ""))
+                    + "\n"
+                    + "**Library Type**: "
+                    + node["component"].get("libraryType", "")
+                    + "\n"
+                    + "**Location Found**: "
+                    + node["component"].get("path", "")
+                    + "\n"
+                    + "**Direct or Transitive Dependency**: "
+                    + node["component"].get("dependencyType", "")
+                    + "\n"
+                )
+                lib_name = node["component"].get("name")
+                component_name = node["component"].get("artifactId")
+                component_version = node["component"].get("version")
+                impact = node["component"].get("dependencyType")
+                cvss3_score = node["vulnerability"].get("score", None)
+                if "topFix" in node:
+                    try:
+                        topfix_node = node.get("topFix")
+                        mitigation = (
+                            "**Resolution**: "
+                            + topfix_node.get("date", "")
+                            + "\n"
+                            + topfix_node.get("message", "")
+                            + "\n"
+                            + topfix_node.get("fixResolution", "")
+                            + "\n"
+                        )
+                    except Exception:
+                        logger.exception("Error handling topFix node.")
+
+            elif "library" in node:
                 node.get("project")
                 description = (
                     "**Description** : "
@@ -57,8 +105,18 @@ def _build_common_output(node, lib_name=None):
                 lib_name = node["library"].get("filename")
                 component_name = node["library"].get("artifactId")
                 component_version = node["library"].get("version")
+                cvss3_score = node.get("cvss3_score", None)
+                if "topFix" in node:
+                    try:
+                        topfix_node = node.get("topFix")
+                        mitigation = "**Resolution** ({}): {}\n".format(
+                            topfix_node.get("date"),
+                            topfix_node.get("fixResolution"),
+                        )
+                    except Exception:
+                        logger.exception("Error handling topFix node.")
             else:
-                description = node.get("description")
+                description = node.get("description", "Unknown")
 
             cve = node.get("name")
             if cve is None:
@@ -69,27 +127,29 @@ def _build_common_output(node, lib_name=None):
             # homogeneous behavior.
             if "cvss3_severity" in node:
                 cvss_sev = node.get("cvss3_severity")
+            elif "vulnerability" in node:
+                cvss_sev = node["vulnerability"].get("severity")
             else:
                 cvss_sev = node.get("severity")
             severity = cvss_sev.lower().capitalize()
 
-            cvss3_score = node.get("cvss3_score", None)
             cvss3_vector = node.get("scoreMetadataVector", None)
             severity_justification = "CVSS v3 score: {} ({})".format(
                 cvss3_score if cvss3_score is not None else "N/A", cvss3_vector if cvss3_vector is not None else "N/A",
             )
             cwe = 1035  # default OWASP a9 until the report actually has them
 
-            mitigation = "N/A"
-            if "topFix" in node:
-                try:
-                    topfix_node = node.get("topFix")
-                    mitigation = "**Resolution** ({}): {}\n".format(
-                        topfix_node.get("date"),
-                        topfix_node.get("fixResolution"),
-                    )
-                except Exception:
-                    logger.exception("Error handling topFix node.")
+            # comment out the below for now - working on adding this into the above conditional statements since format can be slightly different
+            # mitigation = "N/A"
+            # if "topFix" in node:
+            #     try:
+            #         topfix_node = node.get("topFix")
+            #         mitigation = "**Resolution** ({}): {}\n".format(
+            #             topfix_node.get("date"),
+            #             topfix_node.get("fixResolution"),
+            #         )
+            #     except Exception:
+            #         logger.exception("Error handling topFix node.")
 
             filepaths = []
             if "sourceFiles" in node:
@@ -134,6 +194,7 @@ def _build_common_output(node, lib_name=None):
                 dynamic_finding=True,
                 cvssv3=cvss3_vector,
                 cvssv3_score=float(cvss3_score) if cvss3_score is not None else None,
+                impact=impact,
             )
             if cve:
                 new_finding.unsaved_vulnerability_ids = [cve]
@@ -164,8 +225,29 @@ def _build_common_output(node, lib_name=None):
             for node in tree_node:
                 findings.append(_build_common_output(node))
 
+        elif "components" in content:
+            # likely a Mend Platform or 3.0 API SCA output - "library" is replaced as "component"
+            tree_components = content.get("components")
+            for comp_node in tree_components:
+                # get component info here, before going into vulns
+                if (
+                    "response" in comp_node
+                    and len(comp_node.get("response")) > 0
+                ):
+                    for vuln in comp_node.get("response"):
+                        findings.append(
+                            _build_common_output(vuln, comp_node.get("name")),
+                        )
+
+        elif "response" in content:
+            # New schema: handle response array
+            tree_node = content["response"]
+            if tree_node:
+                for node in tree_node:
+                    findings.append(_build_common_output(node))
+
         def create_finding_key(f: Finding) -> str:
-            """Hashes the finding's description and title to retrieve a key for deduplication."""
+            # """Hashes the finding's description and title to retrieve a key for deduplication."""
             return hashlib.md5(
                 f.description.encode("utf-8")
                 + f.title.encode("utf-8"),