-
Notifications
You must be signed in to change notification settings - Fork 183
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/master' into arthur/add-CCES-parser
- Loading branch information
Showing
8 changed files
with
687 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
60 changes: 60 additions & 0 deletions
60
src/main/java/edu/hm/hafner/analysis/parser/GrypeParser.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| package edu.hm.hafner.analysis.parser; | ||
|
|
||
| import static j2html.TagCreator.a; | ||
| import static j2html.TagCreator.p; | ||
|
|
||
| import org.json.JSONArray; | ||
| import org.json.JSONObject; | ||
|
|
||
| import edu.hm.hafner.analysis.Issue; | ||
| import edu.hm.hafner.analysis.IssueBuilder; | ||
| import edu.hm.hafner.analysis.Report; | ||
| import edu.hm.hafner.analysis.Severity; | ||
|
|
||
| /** | ||
| * JSON report parser for grype (https://plugins.jenkins.io/grypescanner/ / | ||
| * https://github.com/anchore/grype). | ||
| */ | ||
| public class GrypeParser extends JsonIssueParser { | ||
| private static final long serialVersionUID = -1369431674771459756L; | ||
|
|
||
| private static final String MATCHES_TAG = "matches"; | ||
| private static final String VULNERABILIY_TAG = "vulnerability"; | ||
| private static final String ARTIFACT_TAG = "artifact"; | ||
| private static final String LOCATIONS_TAG = "locations"; | ||
| private static final String PATH_TAG = "path"; | ||
| private static final String DATA_SOURCE_TAG = "dataSource"; | ||
| private static final String SEVERITY_TAG = "severity"; | ||
| private static final String ID_TAG = "id"; | ||
| private static final String DESCRIPTION_TAG = "description"; | ||
|
|
||
| @Override | ||
| protected void parseJsonObject(final Report report, final JSONObject jsonReport, final IssueBuilder issueBuilder) { | ||
| final JSONArray matches = jsonReport.getJSONArray(MATCHES_TAG); | ||
| for (int i = 0; i < matches.length(); i++) { | ||
| final JSONObject match = matches.getJSONObject(i); | ||
| if (match.has(VULNERABILIY_TAG)) { | ||
| Issue issue = getIssue(issueBuilder, match); | ||
| report.add(issue); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| private Issue getIssue(final IssueBuilder issueBuilder, final JSONObject match) { | ||
| JSONObject vuln = match.getJSONObject(VULNERABILIY_TAG); | ||
| String fileName = match.getJSONObject(ARTIFACT_TAG).getJSONArray(LOCATIONS_TAG).getJSONObject(0) | ||
| .getString(PATH_TAG); | ||
|
|
||
| return issueBuilder.setFileName(fileName) | ||
| .setCategory(vuln.getString(SEVERITY_TAG)) | ||
| .setSeverity(Severity.guessFromString(vuln.getString(SEVERITY_TAG))) | ||
| .setType(vuln.getString(ID_TAG)) | ||
| .setMessage(vuln.getString(DESCRIPTION_TAG)) | ||
| .setOriginName("Grype") | ||
| .setPathName(fileName) | ||
| .setDescription(p().with(a() | ||
| .withHref(vuln.getString(DATA_SOURCE_TAG)) | ||
| .withText(vuln.getString(DATA_SOURCE_TAG))).render()) | ||
| .build(); | ||
| } | ||
| } |
37 changes: 37 additions & 0 deletions
37
src/main/java/edu/hm/hafner/analysis/registry/GrypeDescriptor.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| package edu.hm.hafner.analysis.registry; | ||
|
|
||
| import edu.hm.hafner.analysis.IssueParser; | ||
| import edu.hm.hafner.analysis.parser.GrypeParser; | ||
|
|
||
| /** | ||
| * Descriptor for Grype report parser. | ||
| */ | ||
| public class GrypeDescriptor extends ParserDescriptor { | ||
| private static final String ID = "grype"; | ||
| private static final String NAME = "Grype"; | ||
|
|
||
| GrypeDescriptor() { | ||
| super(ID, NAME); | ||
| } | ||
|
|
||
| @Override | ||
| public IssueParser createParser(final Option... options) { | ||
| return new GrypeParser(); | ||
| } | ||
|
|
||
| @Override | ||
| public String getPattern() { | ||
| return "**/grype-report.json"; | ||
| } | ||
|
|
||
| @Override | ||
| public String getUrl() { | ||
| return "https://github.com/anchore/grype"; | ||
| } | ||
|
|
||
| @Override | ||
| public String getIconUrl() { | ||
| return "https://user-images.githubusercontent.com/5199289/136855393-d0a9eef9-ccf1-4e2b-9d7c-7aad16a567e5.png"; | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
47 changes: 47 additions & 0 deletions
47
src/test/java/edu/hm/hafner/analysis/parser/GrypeParserTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| package edu.hm.hafner.analysis.parser; | ||
|
|
||
| import edu.hm.hafner.analysis.AbstractParserTest; | ||
| import edu.hm.hafner.analysis.IssueParser; | ||
| import edu.hm.hafner.analysis.Report; | ||
| import edu.hm.hafner.analysis.Severity; | ||
| import edu.hm.hafner.analysis.assertions.SoftAssertions; | ||
| import static j2html.TagCreator.a; | ||
| import static j2html.TagCreator.p; | ||
|
|
||
| class GrypeParserTest extends AbstractParserTest { | ||
| protected GrypeParserTest() { | ||
| super("grype-report.json"); | ||
| } | ||
|
|
||
| @Override | ||
| protected void assertThatIssuesArePresent(final Report report, final SoftAssertions softly) { | ||
| softly.assertThat(report).hasSize(3).hasDuplicatesSize(0); | ||
| softly.assertThat(report.get(0)) | ||
| .hasFileName("tomcat-jdbc/8.0.28/tomcat-jdbc-8.0.28.jar") | ||
| .hasSeverity(Severity.WARNING_NORMAL) | ||
| .hasCategory("Medium") | ||
| .hasType("CVE-2015-5345") | ||
| .hasMessage( | ||
| "The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.") | ||
| .hasDescription(p().with(a() | ||
| .withHref("https://nvd.nist.gov/vuln/detail/CVE-2015-5345") | ||
| .withText("https://nvd.nist.gov/vuln/detail/CVE-2015-5345")).render()); | ||
|
|
||
| softly.assertThat(report.get(2)) | ||
| .hasFileName("tomcat-jdbc/8.0.28/tomcat-jdbc-8.0.28.jar") | ||
| .hasSeverity(Severity.WARNING_HIGH) | ||
| .hasCategory("High") | ||
| .hasType("CVE-2016-8745") | ||
| .hasMessage( | ||
| "A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.") | ||
|
|
||
| .hasDescription(p().with(a() | ||
| .withHref("https://nvd.nist.gov/vuln/detail/CVE-2016-8745") | ||
| .withText("https://nvd.nist.gov/vuln/detail/CVE-2016-8745")).render()); | ||
| } | ||
|
|
||
| @Override | ||
| protected IssueParser createParser() { | ||
| return new GrypeParser(); | ||
| } | ||
| } |
Oops, something went wrong.