DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Solar appScreener SARIF reports cannot be imported #8487

Closed savely-krasovsky closed 1 year ago

savely-krasovsky commented 1 year ago

Bug description
Solar appScreener has an option to export a SARIF report; we tried to import it, but get this stack trace.

Steps to reproduce
Steps to reproduce the behavior:

  1. Upload SARIF from Solar appScreener

Expected behavior
Importing works.

Deployment method (select with an X)

Environment information

Logs

ERROR [dojo.api_v2.exception_handler:32] cannot access local variable 'description' where it is not associated with a value
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py", line 19, in create
    self.perform_create(serializer)
  File "/app/dojo/api_v2/views.py", line 2302, in perform_create
    serializer.save(push_to_jira=push_to_jira)
  File "/app/dojo/api_v2/serializers.py", line 1674, in save
    test, finding_count, closed_finding_count, test_import = importer.import_scan(scan, scan_type, engagement, lead, environment,
                                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/importer/importer.py", line 260, in import_scan
    tests = parser.get_tests(scan_type, scan)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/sarif/parser.py", line 47, in get_tests
    test.findings = self.__get_items_from_run(run)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/sarif/parser.py", line 59, in __get_items_from_run
    item = get_item(result, rules, artifacts, run_date)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/sarif/parser.py", line 333, in get_item
    description=get_description(result, rule),
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/sarif/parser.py", line 239, in get_description
    description += get_codeFlowsDescription(result['codeFlows'])
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/tools/sarif/parser.py", line 214, in get_codeFlowsDescription
    return description
           ^^^^^^^^^^^

Probable problem:

cat file.sarif | jq | grep codeFlow
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
          "codeFlows": [],
savely-krasovsky commented 1 year ago

Bug was fixed in the newer version.