✨ implement yarn2 parser (DefectDojo#9985)

* ✨ implement yarn2 parser * fix bug * Update dojo/tools/yarn_audit/parser.py Co-authored-by: Charles Neill <[email protected]> * thank you for the review @cneill * fix ruff --------- Co-authored-by: Charles Neill <[email protected]>
dogboat · May 2, 2024 · f08166d · f08166d
1 parent 2f33bee
commit f08166d
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 11 deletions.
diff --git a/dojo/tools/yarn_audit/parser.py b/dojo/tools/yarn_audit/parser.py
@@ -25,6 +25,10 @@ def get_findings(self, json_output, test):
             lines = lines.split('\n')
             tree = (json.loads(line) for line in lines if "{" in line)
             return self.get_items_yarn(tree, test)
+        elif '"value"' in lines:
+            lines = lines.split('\n')
+            tree = (json.loads(line) for line in lines if "{" in line)
+            return self.get_items_yarn2(tree, test)
         else:
             tree = json.loads(lines)
             return self.get_items_auditci(tree, test)
@@ -43,6 +47,39 @@ def get_items_yarn(self, tree, test):
                 raise ValueError(msg, error)
         return list(items.values())
 
+    def get_items_yarn2(self, tree, test):
+        items = []
+        for element in tree:
+            value = element.get("value", None)
+            child = element.get("children")
+            description = ""
+            childid = child.get("ID")
+            childissue = child.get("Issue")
+            childseverity = child.get("Severity")
+            child_vuln_version = child.get("Vulnerable Versions")
+            child_tree_versions = ', '.join(set(child.get("Tree Versions")))
+            child_dependents = ', '.join(set(child.get("Dependents")))
+            description += childissue + "\n"
+            description += "**Vulnerable Versions:** " + child_vuln_version + "\n"
+            description += "**Dependents:** " + child_dependents + "\n"
+            dojo_finding = Finding(
+                title=str(childid),
+                test=test,
+                severity=self.severitytranslator(severity=childseverity),
+                description=description,
+                component_version=str(child_tree_versions),
+                false_p=False,
+                duplicate=False,
+                out_of_scope=False,
+                mitigated=None,
+                static_finding=True,
+                dynamic_finding=False,
+            )
+            items.append(dojo_finding)
+            if value is not None:
+                dojo_finding.component_name = value
+        return items
+
     def get_items_auditci(self, tree, test):  # https://github.com/DefectDojo/django-DefectDojo/issues/6495
         items = []
         for element in tree.get("advisories"):

diff --git a/unittests/scans/yarn_audit/yarn2_audit_issue9911.json b/unittests/scans/yarn_audit/yarn2_audit_issue9911.json
@@ -0,0 +1,4 @@
+{"value":"@babel/plugin-proposal-class-properties","children":{"ID":"@babel/plugin-proposal-class-properties (deprecation)","Issue":"This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.","Severity":"moderate","Vulnerable Versions":"7.18.6","Tree Versions":["7.18.6"],"Dependents":["jscodeshift@virtual:95986a29f66ea5c154da709639e46d9f25ab769cdc542a6076b371e193f79e407bbee37bc9d3845bfa503bd700408966c85b5a74356facf4da9a113fd4ce89d9#npm:0.14.0"]}}
+{"value":"@babel/plugin-proposal-nullish-coalescing-operator","children":{"ID":"@babel/plugin-proposal-nullish-coalescing-operator (deprecation)","Issue":"This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.","Severity":"moderate","Vulnerable Versions":"7.18.6","Tree Versions":["7.18.6"],"Dependents":["jscodeshift@virtual:95986a29f66ea5c154da709639e46d9f25ab769cdc542a6076b371e193f79e407bbee37bc9d3845bfa503bd700408966c85b5a74356facf4da9a113fd4ce89d9#npm:0.14.0"]}}
+{"value":"@babel/plugin-proposal-optional-chaining","children":{"ID":"@babel/plugin-proposal-optional-chaining (deprecation)","Issue":"This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.","Severity":"moderate","Vulnerable Versions":"7.21.0","Tree Versions":["7.21.0"],"Dependents":["jscodeshift@virtual:95986a29f66ea5c154da709639e46d9f25ab769cdc542a6076b371e193f79e407bbee37bc9d3845bfa503bd700408966c85b5a74356facf4da9a113fd4ce89d9#npm:0.14.0"]}}
+{"value":"transformers","children":{"ID":1096536,"Issue":"Transformers Deserialization of Untrusted Data vulnerability","URL":"https://github.com/advisories/GHSA-37q5-v5qm-c9v8","Severity":"low","Vulnerable Versions":"< 4.38.0","Tree Versions":["4.38"],"Dependents":["test@npm:1.13.0"]}}