🐛 fix npm audit v7+, issue #10801 (#10813)

Author: manuel-sommer

dojo/tools/npm_audit_7_plus/parser.py

@@ -121,7 +121,10 @@ def get_item(item_node, tree, test):
     elif item_node["via"] and isinstance(item_node["via"][0], dict):
         title = item_node["via"][0]["title"]
         component_name = item_node["nodes"][0]
-        cwe = item_node["via"][0]["cwe"][0]
+        if len(item_node["via"][0]["cwe"]) > 0:
+            cwe = item_node["via"][0]["cwe"][0]
+        else:
+            cwe = None
         references.append(item_node["via"][0]["url"])
         unique_id_from_tool = str(item_node["via"][0]["source"])
         cvssv3 = item_node["via"][0]["cvss"]["vectorString"]
@@ -144,15 +147,11 @@ def get_item(item_node, tree, test):
             if isinstance(vuln, dict):
                 references.append(vuln["url"])
 
-    if len(cwe):
-        cwe = int(cwe.split("-")[1])
-
     dojo_finding = Finding(
         title=title,
         test=test,
         severity=severity,
         description=description,
-        cwe=cwe,
         mitigation=mitigation,
         references=", ".join(references),
         component_name=component_name,
@@ -166,6 +165,10 @@ def get_item(item_node, tree, test):
         vuln_id_from_tool=unique_id_from_tool,
     )
 
+    if cwe is not None:
+        cwe = int(cwe.split("-")[1])
+        dojo_finding.cwe = cwe
+
     if (cvssv3 is not None) and (len(cvssv3) > 0):
         dojo_finding.cvssv3 = cvssv3
 

unittests/scans/npm_audit_7_plus/issue_10801.json

@@ -0,0 +1,56 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {
+    "got": {
+      "name": "got",
+      "severity": "moderate",
+      "isDirect": false,
+      "via": [
+        {
+          "source": 1088948,
+          "name": "got",
+          "dependency": "got",
+          "title": "Got allows a redirect to a UNIX socket",
+          "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97",
+          "severity": "moderate",
+          "cwe": [],
+          "cvss": {
+            "score": 5.3,
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+          },
+          "range": "<11.8.5"
+        }
+      ],
+      "effects": [
+      ],
+      "range": "<11.8.5",
+      "nodes": [
+        "node_modules/got"
+      ],
+      "fixAvailable": {
+        "name": "nodemon",
+        "version": "3.1.4",
+        "isSemVerMajor": true
+      }
+    }
+  },
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 1,
+      "critical": 0,
+      "total": 1
+    },
+    "dependencies": {
+      "prod": 98,
+      "dev": 0,
+      "optional": 0,
+      "peer": 0,
+      "peerOptional": 0,
+      "total": 97
+    }
+  }
+}
+

unittests/tools/test_npm_audit_7_plus_parser.py

@@ -40,3 +40,14 @@ def test_npm_audit_7_plus_parser_with_many_vuln_has_many_findings(self):
             self.assertIsNotNone(finding.description)
             self.assertGreater(len(finding.description), 0)
             self.assertEqual("@vercel/fun", finding.title)
+
+    def test_npm_audit_7_plus_parser_issue_10801(self):
+        testfile = open(path.join(path.dirname(__file__), "../scans/npm_audit_7_plus/issue_10801.json"))
+        parser = NpmAudit7PlusParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        with self.subTest(i=0):
+            finding = findings[0]
+            self.assertEqual("Medium", finding.severity)
+            self.assertEqual(0, finding.cwe)