sysdig: fix severity mapping (#12873)

Author: valentijnscholten

dojo/tools/sysdig_cli/parser.py

@@ -64,7 +64,7 @@ def parse_json(self, data, test):
             for item in vulns:
                 # print("item: %s" % item)
                 vulnName = item.get("name", "")
-                vulnSeverity = item.get("severity", {}).get("value", "")
+                vulnSeverity = SysdigData._map_severity(item.get("severity", {}).get("value", ""))
                 vulnCvssScore = item.get("cvssScore", {}).get("value", {}).get("score", "")
                 vulnCvssVersion = item.get("cvssScore", {}).get("value", {}).get("version", "")
                 vulnCvssVector = item.get("cvssScore", {}).get("value", {}).get("vector", "")
@@ -130,7 +130,7 @@ def parse_csv(self, arr_data, test):
             finding.vuln_id_from_tool = row.vulnerability_id
             finding.unsaved_vulnerability_ids = []
             finding.unsaved_vulnerability_ids.append(row.vulnerability_id)
-            finding.severity = row.severity
+            finding.severity = SysdigData._map_severity(row.severity)
             # Set Component Version
             finding.component_name = row.package_name
             finding.component_version = row.package_version
@@ -221,7 +221,7 @@ def load_csv(self, filename) -> SysdigData:
             msg = ""
             # Sydig CLI format
             csv_data_record.vulnerability_id = row.get("cve id", "")
-            csv_data_record.severity = csv_data_record._map_severity(row.get("cve severity").upper())
+            csv_data_record.severity = SysdigData._map_severity(row.get("cve severity").upper())
             csv_data_record.cvss_score = row.get("cvss score", "")
             csv_data_record.cvss_version = row.get("cvss score version", "")
             csv_data_record.package_name = row.get("package name", "")

dojo/tools/sysdig_common/sysdig_data.py

@@ -6,7 +6,8 @@
 
 class SysdigData:
 
-    def _map_severity(self, severity):
+    @classmethod
+    def _map_severity(cls, severity):
         severity_mapping = {
             "CRITICAL": "Critical",
             "HIGH": "High",
@@ -15,7 +16,7 @@ def _map_severity(self, severity):
             "NEGLIGIBLE": "Informational",
         }
 
-        return severity_mapping.get(severity, "Informational")
+        return severity_mapping.get(severity.upper() if severity else "", "Informational")
 
     """
     Data class to represent the Sysdig data extracted from sources like CSV or JSON.

dojo/tools/sysdig_reports/parser.py

@@ -73,7 +73,7 @@ def parse_json(self, data, test):
             k8sWorkloadName = item.get("k8sWorkloadName", "") or item.get("kubernetes_workload_name", "")
             k8sPodContainerName = item.get("k8sPodContainerName", "") or item.get("kubernetes_pod_container_name", "")
             vulnName = item.get("vulnName", "") or item.get("vuln_id", "")
-            vulnSeverity = item.get("vulnSeverity", "") or item.get("vuln_severity", "")
+            vulnSeverity = SysdigData._map_severity(item.get("vulnSeverity", "") or item.get("vuln_severity", ""))
             vulnLink = item.get("vulnLink", "") or ""  # Not present in new format
             vulnCvssVersion = item.get("vulnCvssVersion", "") or item.get("vuln_cvss_version", "")
             vulnCvssScore = item.get("vulnCvssScore", "") or item.get("vuln_cvss_score", "")
@@ -294,7 +294,7 @@ def load_csv(self, filename) -> SysdigData:
             if "vulnerability id" in reader.fieldnames:
                 # Old format: Vulnerability Engine Format
                 csv_data_record.vulnerability_id = row.get("vulnerability id", "")
-                csv_data_record.severity = csv_data_record._map_severity(row.get("severity", "").upper())
+                csv_data_record.severity = SysdigData._map_severity(row.get("severity", "").upper())
                 csv_data_record.package_name = row.get("package name", "")
                 csv_data_record.package_version = row.get("package version", "")
                 csv_data_record.package_type = row.get("package type", "")
@@ -329,7 +329,7 @@ def load_csv(self, filename) -> SysdigData:
             elif "vulnerability name" in reader.fieldnames:
                 # New 2025 format
                 csv_data_record.vulnerability_id = row.get("vulnerability name", "")
-                csv_data_record.severity = csv_data_record._map_severity(row.get("vulnerability severity", "").upper())
+                csv_data_record.severity = SysdigData._map_severity(row.get("vulnerability severity", "").upper())
                 csv_data_record.package_name = row.get("package name", "")
                 csv_data_record.package_version = row.get("package version", "")
                 csv_data_record.package_type = row.get("package type", "")

unittests/scans/sysdig_cli/sysdig_reports_many_vul.csv

@@ -28,5 +28,5 @@ CVE-2024-22195,Medium,6.1,3.1,Jinja2,2.11.2,/usr/local/lib/python2.7/dist-packag
 CVE-2024-34064,Medium,6.1,3.0,Jinja2,2.11.2,/usr/local/lib/python2.7/dist-packages/Jinja2-2.11.2.dist-info/METADATA,python,v3.1.5,,2024-01-11T00:00:00Z,2024-05-06T00:00:00Z,false,0.00044
 CVE-2014-1624,Low,3.3,2.0,pyxdg,0.25,/usr/share/pyshared/pyxdg-0.25.egg-info,python,v0.26.0,https://nvd.nist.gov/vuln/detail/CVE-2014-1624,2013-01-21T06:00:00Z,,false,0.00042
 CVE-2023-23934,Low,3.5,3.1,Werkzeug,1.0.1,/usr/local/lib/python2.7/dist-packages/Werkzeug-1.0.1.dist-info/METADATA,python,v2.1.1,https://nvd.nist.gov/vuln/detail/CVE-2023-23934,2023-02-14T00:00:00Z,2023-02-14T00:00:00Z,false,0.00064
-CVE-2023-5752,Low,3.3,3.1,pip,9.0.1,/usr/lib/python2.7/dist-packages/pip-9.0.1.egg-info/PKG-INFO,python,v19.2.0,https://nvd.nist.gov/vuln/detail/CVE-2023-5752,2023-10-01T00:00:00Z,2023-10-15T00:00:00Z,false,0.00048
-CVE-2024-49766,Low,3.7,3.0,Werkzeug,1.0.1,/usr/local/lib/python2.7/dist-packages/Werkzeug-1.0.1.dist-info/METADATA,python,v2.1.1,,2024-10-25T00:00:00Z,2024-10-25T00:00:00Z,false,0.00045
+CVE-2023-5752,Negligible,3.3,3.1,pip,9.0.1,/usr/lib/python2.7/dist-packages/pip-9.0.1.egg-info/PKG-INFO,python,v19.2.0,https://nvd.nist.gov/vuln/detail/CVE-2023-5752,2023-10-01T00:00:00Z,2023-10-15T00:00:00Z,false,0.00048
+CVE-2024-49766,Other,3.7,3.0,Werkzeug,1.0.1,/usr/local/lib/python2.7/dist-packages/Werkzeug-1.0.1.dist-info/METADATA,python,v2.1.1,,2024-10-25T00:00:00Z,2024-10-25T00:00:00Z,false,0.00045

unittests/scans/sysdig_cli/sysdig_reports_many_vul.json

@@ -2687,7 +2687,7 @@
           {
             "name": "CVE-2024-49766",
             "severity": {
-              "value": "Low",
+              "value": "Negligible",
               "sourceName": "vulndb"
             },
             "cvssScore": {
@@ -2710,7 +2710,7 @@
           {
             "name": "CVE-2024-49767",
             "severity": {
-              "value": "High",
+              "value": "Other",
               "sourceName": "nvd"
             },
             "cvssScore": {

unittests/scans/sysdig_reports/sysdig-2025.csv

@@ -3,5 +3,5 @@ CVE-2005-2541,Negligible,package name 1,0.0.0.1,OS,/path/path/file.abc,defectdoj
 CVE-2005-2541,Negligible,package name 2,0.0.0.2,OS,/path/path/file.abc,defectdojo/defectdojo-django:latest,debian 12.9,2,10,AV:N/AC:L/Au:N/C:C/I:C/A:C,2005-08-10T04:00:00Z,1970-01-01T00:00:00Z,,false,k8s name 2,defectdojo,Deployment,defectdojo-django,uwsgi,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,false
 CVE-2005-2541,Negligible,package name 3,0.0.0.3,OS,/path/path/file.abc,docker.io/bitnami/redis:7.2.5-debian-12-r4,debian 12.6,2,10,AV:N/AC:L/Au:N/C:C/I:C/A:C,2005-08-10T04:00:00Z,1970-01-01T00:00:00Z,,false,k8s name 3,defectdojo,Deployment,defectdojo-redis-master,redis,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,false
 CVE-2025-48379,Critical,package name 4,0.0.0.4,Python,/path/path/path/file.abc,defectdojo/defectdojo-django:latest,debian 12.9,3,9.8,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,2025-07-01T17:29:37Z,2025-07-01T09:15:58Z,11.3.0,false,k8s name 4,defectdojo,Deployment,defectdojo-celery-beat,celery,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,true,false,,,,true
-CVE-2025-6021,Critical,package name 5,0.0.0.5,OS,/path/path/file.abc,defectdojo/defectdojo-django:latest,debian 12.9,3,9.8,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,2025-06-12T13:15:25Z,1970-01-01T00:00:00Z,,false,k8s name 5,defectdojo,Deployment,defectdojo-django,uwsgi,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,false
-CVE-2011-10007,Critical,package name 6,0.0.0.6,OS,/path/path/file.abc,docker.io/bitnami/redis:7.2.5-debian-12-r4,debian 12.6,3,9.8,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,2025-06-05T12:15:22Z,1970-01-01T00:00:00Z,0.34-4~deb12u1,false,k8s name 6,defectdojo,Deployment,defectdojo-redis-master,redis,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,true
+CVE-2025-6021,Negligible,package name 5,0.0.0.5,OS,/path/path/file.abc,defectdojo/defectdojo-django:latest,debian 12.9,3,9.8,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,2025-06-12T13:15:25Z,1970-01-01T00:00:00Z,,false,k8s name 5,defectdojo,Deployment,defectdojo-django,uwsgi,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,false
+CVE-2011-10007,Other,package name 6,0.0.0.6,OS,/path/path/file.abc,docker.io/bitnami/redis:7.2.5-debian-12-r4,debian 12.6,3,9.8,CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,2025-06-05T12:15:22Z,1970-01-01T00:00:00Z,0.34-4~deb12u1,false,k8s name 6,defectdojo,Deployment,defectdojo-redis-master,redis,sha256:a520752f350909c191db45a598a88fcca2fa5db17a340dee6b3d0e36f4122e11,false,false,,,,true

unittests/scans/sysdig_reports/sysdig-2025.json

@@ -183,7 +183,7 @@
           "vuln_has_exploit": false,
           "vuln_id": "CVE-2025-48379",
           "vuln_risk_accepted": false,
-          "vuln_severity": "Critical"
+          "vuln_severity": "Other"
         },
         {
           "container_image": "defectdojo/defectdojo-django:latest",

unittests/tools/test_sysdig_cli_parser.py

@@ -9,9 +9,19 @@ def test_sysdig_parser_with_many_vuln_has_many_findings_cli(self):
         with (get_unit_tests_scans_path("sysdig_cli") / "sysdig_reports_many_vul.csv").open(encoding="utf-8") as testfile:
             parser = SysdigCLIParser()
             findings = parser.get_findings(testfile, Test())
+            # Verify each CVE appears exactly once
+            all_vuln_ids = [vid for f in findings for vid in f.unsaved_vulnerability_ids]
+            self.assertEqual(1, all_vuln_ids.count("CVE-2023-5752"), "CVE-2023-5752 should appear exactly once")
+            self.assertEqual(1, all_vuln_ids.count("CVE-2024-49766"), "CVE-2024-49766 should appear exactly once")
+
             for finding in findings:
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
+                if "CVE-2023-5752" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Negligible maps to Informational
+                if "CVE-2024-49766" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Other maps to Informational
+
             self.assertEqual(31, len(findings))
             finding = findings[0]
             self.assertEqual("CVE-2013-7459 - pycrypto", finding.title)
@@ -27,9 +37,19 @@ def test_sysdig_parser_json_with_many_findings_cli(self):
         with (get_unit_tests_scans_path("sysdig_cli") / "sysdig_reports_many_vul.json").open(encoding="utf-8") as testfile:
             parser = SysdigCLIParser()
             findings = parser.get_findings(testfile, Test())
+            # Verify each CVE appears exactly once
+            all_vuln_ids = [vid for f in findings for vid in f.unsaved_vulnerability_ids]
+            self.assertEqual(1, all_vuln_ids.count("CVE-2024-49766"), "CVE-2024-49766 should appear exactly once")
+            self.assertEqual(1, all_vuln_ids.count("CVE-2024-49767"), "CVE-2024-49767 should appear exactly once")
+
             for finding in findings:
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
+                if "CVE-2024-49766" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Negligible maps to Informational
+                if "CVE-2024-49767" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Other maps to Informational
+
             self.assertEqual(31, len(findings))
             finding = findings[0]
             self.assertEqual("CVE-2023-50782 - cryptography - v42.0.0", finding.title)

unittests/tools/test_sysdig_reports_parser.py

@@ -82,9 +82,19 @@ def test_sysdig_parser_2025_csv_format(self):
         with (get_unit_tests_scans_path("sysdig_reports") / "sysdig-2025.csv").open(encoding="utf-8") as testfile:
             parser = SysdigReportsParser()
             findings = parser.get_findings(testfile, Test())
+            # Verify each CVE appears exactly once
+            all_vuln_ids = [vid for f in findings for vid in f.unsaved_vulnerability_ids]
+            self.assertEqual(1, all_vuln_ids.count("CVE-2025-6021"), "CVE-2025-6021 should appear exactly once")
+            self.assertEqual(1, all_vuln_ids.count("CVE-2011-10007"), "CVE-2011-10007 should appear exactly once")
             for finding in findings:
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
+
+                if "CVE-2025-6021" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Other maps to Informational
+                if "CVE-2011-10007" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Negligible maps to Informational
+
             self.assertEqual(6, len(findings))
 
             # Test specific finding details from the 2025 format
@@ -105,9 +115,18 @@ def test_sysdig_parser_2025_json_format(self):
         with (get_unit_tests_scans_path("sysdig_reports") / "sysdig-2025.json").open(encoding="utf-8") as testfile:
             parser = SysdigReportsParser()
             findings = parser.get_findings(testfile, Test())
+            # Verify each CVE appears exactly once
+            all_vuln_ids = [vid for f in findings for vid in f.unsaved_vulnerability_ids]
+            self.assertEqual(1, all_vuln_ids.count("CVE-2023-45322"), "CVE-2023-45322 should appear exactly once")
+            self.assertEqual(1, all_vuln_ids.count("CVE-2025-48379"), "CVE-2025-48379 should appear exactly once")
+
             for finding in findings:
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
+                if "CVE-2023-45322" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Negligible maps to Informational
+                if "CVE-2025-48379" in finding.unsaved_vulnerability_ids:
+                    self.assertEqual(finding.severity, "Informational")  # Other maps to Informational
 
             # Should parse successfully even with metadata before data section
             self.assertGreater(len(findings), 0)