DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Snyk import fails #991

Closed madchap closed 5 years ago

madchap commented 5 years ago

Issue Template

Issue Type

Description

Generating a snyk test output in json from a pom.xml file is failing to import.

It looks like the cvssScore is not handled.

If the issue is a bug, please also include the following:

Operating System

Using the master branch docker-compose.

Install

DefectDojo Version

1.5.4

Steps to Reproduce

* Checkout the jenkins project

Sample Scan File (if applicable)

Screenshots (optional)

Console Logs (optional)

Environment:

Request Method: POST
Request URL: http://100.24.193.38:8080/product/2/import_scan_results

Django Version: 1.11.20
Python Version: 2.7.16
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'polymorphic',
 'overextends',
 'django.contrib.admin',
 'django.contrib.humanize',
 'gunicorn',
 'tastypie',
 'auditlog',
 'dojo',
 'tastypie_swagger',
 'watson',
 'tagging',
 'custom_field',
 'imagekit',
 'multiselectfield',
 'rest_framework',
 'rest_framework.authtoken',
 'rest_framework_swagger',
 'dbbackup',
 'taggit_serializer',
 'django_celery_results')
Installed Middleware:
['django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'dojo.middleware.LoginRequiredMiddleware',
 'dojo.middleware.TimezoneMiddleware']

Traceback:

File "/usr/local/lib/python2.7/site-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/usr/local/lib/python2.7/site-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/usr/local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/usr/local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  23.                 return view_func(request, *args, **kwargs)

File "./dojo/product/views.py" in import_scan_results_prod
  382.     return import_scan_results(request, pid=pid)

File "/usr/local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  23.                 return view_func(request, *args, **kwargs)

File "./dojo/engagement/views.py" in import_scan_results
  515.             parser = import_parser_factory(file, t)

File "./dojo/tools/factory.py" in import_parser_factory
  100.         parser = SnykParser(file, test)

File "./dojo/tools/snyk/parser.py" in __init__
  12.             self.items = [data for data in self.get_items(tree, test)]

File "./dojo/tools/snyk/parser.py" in get_items
  31.                 item = get_item(node, test)

File "./dojo/tools/snyk/parser.py" in get_item
  48.     if vulnerability['cvssScore'] <= 3.9:

Exception Type: KeyError at /product/2/import_scan_results
Exception Value: 'cvssScore'

madchap commented 5 years ago

This is due to the licenses output, which do not have a cvssScore key.

I am going to submit an untested PR, very simple. You should see right away if that's good for you or not. Cheers.

madchap commented 5 years ago

Example output for a license:

    {
      "license": "(EPL-1.0 OR GPL-2.0 OR GPL-3.0)",
      "semver": {
        "vulnerable": [
          "[3.0.45,)"
        ]
      },
      "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_GPL-3.0)",
      "type": "license",
      "packageManager": "maven",
      "language": "java",
      "packageName": "com.github.jnr:jnr-posix",
      "title": "Multiple licenses: EPL-1.0, GPL-2.0, GPL-3.0",
      "description": "Multiple licenses: EPL-1.0, GPL-2.0, GPL-3.0",
      "publicationTime": "2019-03-30T13:49:57.268Z",
      "creationTime": "2019-03-30T13:49:57.268Z",
      "licenseTemplateUrl": [
        "https://raw.githubusercontent.com/spdx/license-list/master/EPL-1.0.txt",
        "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt",
        "https://raw.githubusercontent.com/spdx/license-list/master/GPL-3.0.txt"
      ],
      "severity": "medium",
      "from": [
        "org.jenkins-ci.main:jenkins-parent@2.170-SNAPSHOT",
        "org.jenkins-ci.main:jenkins-war@2.170-SNAPSHOT",
        "org.jenkins-ci.main:jenkins-core@2.170-SNAPSHOT",
        "com.github.jnr:jnr-posix@3.0.45"
      ],
      "upgradePath": [],
      "isUpgradable": false,
      "isPatchable": false,
      "name": "com.github.jnr:jnr-posix",
      "version": "3.0.45"
    },
madchap commented 5 years ago

Attempt to fix at https://github.com/DefectDojo/django-DefectDojo/pull/992
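Added example (not the project's parser or the linked PR): a minimal Snyk severity mapper that reproduces the failure mode in the traceback, a `license`-type entry without `cvssScore`, and falls back to Snyk's own `severity` string instead of raising `KeyError`. The `<= 3.9` cut-off comes from the traceback; the remaining cut-offs follow the CVSS v3 qualitative scale and are an assumption, as is the second, constructed `vuln` entry.

```python
import json

# Constructed sample: a trimmed copy of the license entry quoted above plus a
# hypothetical vulnerability-type entry that does carry a cvssScore.
SNYK_OUTPUT = json.loads("""
{
  "vulnerabilities": [
    {
      "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_GPL-3.0)",
      "type": "license",
      "packageName": "com.github.jnr:jnr-posix",
      "title": "Multiple licenses: EPL-1.0, GPL-2.0, GPL-3.0",
      "severity": "medium",
      "version": "3.0.45"
    },
    {
      "id": "SNYK-EXAMPLE-0000",
      "type": "vuln",
      "packageName": "example:library",
      "title": "Constructed vulnerability entry",
      "severity": "high",
      "cvssScore": 7.5,
      "version": "1.0.0"
    }
  ]
}
""")


def severity_from_cvss(score):
    """Bucket a CVSS base score. Only the 3.9 boundary is taken from the
    traceback; the others are assumed (CVSS v3 qualitative ratings)."""
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def severity_for(entry):
    """Prefer the numeric cvssScore; license entries have none, so use Snyk's
    string 'severity' field rather than indexing the missing key."""
    score = entry.get("cvssScore")
    if isinstance(score, (int, float)):
        return severity_from_cvss(float(score))
    return entry.get("severity", "info").capitalize()


def parse(report):
    """Return (id, type, severity) for every entry, license or vuln alike."""
    return [(e["id"], e["type"], severity_for(e)) for e in report["vulnerabilities"]]
```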