
Update CheckMarx One parser for imports where description is None #11308

Merged (3 commits), Nov 22, 2024

Conversation

@hblankenship (Collaborator) commented Nov 21, 2024

Modified the parser to accept the case where results may have a missing description. The description and title are then taken from the severity + queryName.
[sc-8947]

dryrunsecurity bot commented Nov 21, 2024

DryRun Security Summary


Summary:

The provided code changes focus on improving the robustness and reliability of the Checkmarx One parser by addressing various security-related concerns. The changes include adding a new test case to handle missing vulnerability descriptions, enhancing the handling of missing vulnerability descriptions in the parser, and improving the formatting of vulnerability category information in the parser output.

These changes are positive from an application security perspective, as they help to ensure that the parser can gracefully handle a variety of input formats and edge cases, improving the overall security and reliability of the application. By providing meaningful descriptions for findings even when the original description is missing and formatting the vulnerability category information in a more readable way, the parser can help the security team more effectively identify and address security issues in the codebase.

Additionally, the code changes include the addition of a new unit test case, which increases the overall test coverage of the Checkmarx One parser. This is a good security practice, as it helps to ensure the reliability and maintainability of the application.

Files Changed:

  1. unittests/tools/test_checkmarx_one_parser.py: This file has been updated to include a new test case called test_checkmarx_one_no_description, which checks the behavior of the CheckmarxOneParser when the input JSON file does not contain a description for the findings. This helps to ensure that the parser can handle various input formats and edge cases.

  2. dojo/tools/checkmarx_one/parser.py: The changes in this file focus on improving the handling of missing vulnerability descriptions in the Checkmarx One parser. The code now checks if the description field is None and constructs a new description using the vulnerability's severity and queryName fields. Additionally, a new get_markdown_categories function has been introduced to format the vulnerability categories and subcategories in Markdown format.

  3. unittests/scans/checkmarx_one/checkmarx_one_format_two.json: This file appears to be a sample Checkmarx One scan report, which includes information about a security vulnerability classified as "Insufficiently Protected Credentials" with a severity level of "LOW". The code change highlights the importance of addressing security vulnerabilities identified by SAST tools and incorporating security testing into the software development lifecycle.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

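Both the PR description above and the DryRun summary's note on dojo/tools/checkmarx_one/parser.py describe the same fallback: when a result's description is None, the title and description are built from severity + queryName, and categories/subcategories are rendered as Markdown. The block below is an added example of that behaviour, not DefectDojo's parser and not the code in this PR. The field locations (results[].severity, results[].description, results[].data.queryName), the categories/subcategories shape, the severity label mapping and the function names are assumptions made for the example, and the report it runs on is constructed.

```python
"""Added example (not DefectDojo code): build findings from a Checkmarx One
results list, falling back to severity + queryName when ``description`` is
missing or None, and rendering categories as a Markdown list."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Severity strings as they appear in the report, mapped to DefectDojo-style
# labels. The INFO/INFORMATIONAL entries are an assumption for this example.
SEVERITY_MAP = {
    "CRITICAL": "Critical",
    "HIGH": "High",
    "MEDIUM": "Medium",
    "LOW": "Low",
    "INFO": "Info",
    "INFORMATIONAL": "Info",
}


@dataclass
class Finding:
    title: str
    severity: str
    description: str


def normalize_severity(raw: Optional[str]) -> str:
    """Map an upper-case report severity to a label; unknown/None -> Info."""
    return SEVERITY_MAP.get(str(raw or "").strip().upper(), "Info")


def get_markdown_categories(categories: Optional[List[Any]]) -> str:
    """Render categories as a nested Markdown bullet list.

    Assumed shape: a list of strings or of {"name": ..., "subcategories": [...]}
    dicts. Entries with an empty name are skipped; None yields an empty string.
    """
    lines: List[str] = []
    for cat in categories or []:
        if isinstance(cat, dict):
            name = cat.get("name")
            subs = cat.get("subcategories") or []
        else:
            name, subs = cat, []
        if not name:
            continue
        lines.append(f"- {name}")
        for sub in subs:
            sub_name = sub.get("name") if isinstance(sub, dict) else sub
            if sub_name:
                lines.append(f"  - {sub_name}")
    return "\n".join(lines)


def build_finding(result: Dict[str, Any]) -> Finding:
    """Turn one result dict into a Finding, handling a missing description."""
    severity = normalize_severity(result.get("severity"))
    data = result.get("data") or {}
    query_name = data.get("queryName") or result.get("queryName") or "Unknown query"
    description = result.get("description")
    if description is None or not str(description).strip():
        # The fallback the PR describes: both title and description are
        # derived from severity + queryName when the report has no text.
        title = description = f"{severity}: {query_name}"
    else:
        title = query_name
        description = str(description)
    categories_md = get_markdown_categories(result.get("categories"))
    if categories_md:
        description = f"{description}\n\n**Categories**\n{categories_md}"
    return Finding(title=title, severity=severity, description=description)


def parse_results(report: Dict[str, Any]) -> List[Finding]:
    """Parse the top-level ``results`` array of a (assumed) Checkmarx One report."""
    return [build_finding(r) for r in report.get("results") or []]


# Constructed sample report: one result with description None, one with a
# description and categories, one with the description key absent entirely.
SAMPLE_REPORT = {
    "results": [
        {"type": "sast", "severity": "LOW", "description": None,
         "data": {"queryName": "Insufficiently_Protected_Credentials"}},
        {"type": "sast", "severity": "HIGH",
         "description": "User input reaches a SQL query without sanitization.",
         "data": {"queryName": "SQL_Injection"},
         "categories": [{"name": "OWASP Top 10 2021",
                         "subcategories": ["A03: Injection"]}]},
        {"type": "sast", "severity": "MEDIUM",
         "data": {"queryName": "Reflected_XSS"}},
    ]
}

if __name__ == "__main__":
    for finding in parse_results(SAMPLE_REPORT):
        print(f"[{finding.severity}] {finding.title}\n{finding.description}\n")
```

The third sample result matters as much as the first: a report can omit the key entirely rather than set it to null, so the fallback keys off `result.get("description")` being None or blank rather than off `"description" in result`.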

@mtesauro (Contributor) left a comment

Approved

@Maffooch merged commit b26751e into bugfix on Nov 22, 2024 (75 checks passed) and deleted the hb-update-cmo-parser branch on November 22, 2024 05:28.