Skip to content

Commit 88144dc

Browse files
valentijnscholtenMaffooch
valentijnscholten
and
Maffooch
authored
deptrack parser + test fixes and improvements (#14748)
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
1 parent 354e6bd commit 88144dc

5 files changed

Lines changed: 1794 additions & 119 deletions

File tree

dojo/tools/dependency_track/parser.py

Lines changed: 8 additions & 117 deletions
Original file line numberDiff line numberDiff line change
@@ -13,106 +13,6 @@
1313

1414
class DependencyTrackParser:
1515

16-
r"""
17-
A class that can be used to parse the JSON Finding Packaging Format (FPF) export from OWASP Dependency Track.
18-
19-
See here for more info on this JSON format: https://docs.dependencytrack.org/integrations/file-formats/
20-
21-
A typical Finding Packaging Format (FPF) export looks like the following:
22-
23-
{
24-
"version": "1.3",
25-
"meta" : {
26-
"application": "Dependency-Track",
27-
"version": "4.5.0",
28-
"timestamp": "2022-02-18T23:31:42Z",
29-
"baseUrl": "http://dtrack.example.org"
30-
},
31-
"project" : {
32-
"uuid": "ca4f2da9-0fad-4a13-92d7-f627f3168a56",
33-
"name": "Acme Example",
34-
"version": "1.0",
35-
"description": "A sample application"
36-
},
37-
"findings" : [
38-
{
39-
"component": {
40-
"uuid": "b815b581-fec1-4374-a871-68862a8f8d52",
41-
"name": "timespan",
42-
"version": "2.3.0",
43-
"purl": "pkg:npm/timespan@2.3.0",
44-
"latestVersion": "3.2.0"
45-
},
46-
"vulnerability": {
47-
"uuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46",
48-
"source": "NPM",
49-
"vulnId": "533",
50-
"title": "Regular Expression Denial of Service",
51-
"subtitle": "timespan",
52-
"severity": "LOW",
53-
"severityRank": 3,
54-
"cvssV2Vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
55-
"cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
56-
"cvssV4Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
57-
"references": "* [https://example.com](https://example.com)\n* [https://example.org](https://example.org)",
58-
"published": "2025-07-11 03:16:03.563",
59-
"cweId": 400,
60-
"cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')",
61-
"cwes": [
62-
{
63-
"cweId": 400,
64-
"name": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
65-
}
66-
],
67-
"description": "Affected versions of `timespan`...",
68-
"recommendation": "No direct patch is available..."
69-
},
70-
"analysis": {
71-
"state": "NOT_SET",
72-
"isSuppressed": false
73-
},
74-
"matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46"
75-
},
76-
{
77-
"component": {
78-
"uuid": "979f87f5-eaf5-4095-9d38-cde17bf9228e",
79-
"name": "uglify-js",
80-
"version": "2.4.24",
81-
"purl": "pkg:npm/uglify-js@2.4.24"
82-
},
83-
"vulnerability": {
84-
"uuid": "701a3953-666b-4b7a-96ca-e1e6a3e1def3",
85-
"source": "NPM",
86-
"vulnId": "48",
87-
"aliases": [
88-
{
89-
"cveId": "CVE-2022-2053",
90-
"ghsaId": "GHSA-95rf-557x-44g5"
91-
}
92-
],
93-
"title": "Regular Expression Denial of Service",
94-
"subtitle": "uglify-js",
95-
"severity": "LOW",
96-
"severityRank": 3,
97-
"cweId": 400,
98-
"cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')",
99-
"cwes": [
100-
{
101-
"cweId": 400,
102-
"name": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
103-
}
104-
],
105-
"description": "Versions of `uglify-js` prior to...",
106-
"recommendation": "Update to version 2.6.0 or later."
107-
},
108-
"analysis": {
109-
"isSuppressed": false
110-
},
111-
"matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3"
112-
}]
113-
}
114-
"""
115-
11616
def _convert_dependency_track_severity_to_dojo_severity(self, dependency_track_severity):
11717
"""
11818
Converts a Dependency Track severity to a DefectDojo severity.
@@ -171,23 +71,14 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
17171

17272
title = f"{component_name}:{version_description} affected by: {vuln_id} ({source})"
17373

174-
# We should collect all the vulnerability ids, the FPF format can add additional IDs as aliases
175-
# we add these aliases in the vulnerability_id list making sure duplicate findings get correctly deduplicated
176-
# older version of Dependency-track might not include these field therefore lets check first
177-
if dependency_track_finding["vulnerability"].get("aliases"):
178-
# There can be multiple alias entries
179-
set_of_ids = set()
180-
set_of_sources = {"cveId", "sonatypeId", "ghsaId", "osvId", "snykId", "gsdId", "vulnDbId"}
181-
for alias in dependency_track_finding["vulnerability"]["aliases"]:
182-
for source in set_of_sources:
183-
if source in alias:
184-
set_of_ids.add(alias[source])
185-
vulnerability_id = list(set_of_ids)
186-
else:
187-
# The vulnId is not always a CVE (e.g. if the vulnerability is not from the NVD source)
188-
# So here we set the cve for the DefectDojo finding to null unless the source of the
189-
# Dependency Track vulnerability is NVD
190-
vulnerability_id = [vuln_id] if source is not None and source.upper() == "NVD" else None
74+
# Collect all vulnerability IDs: vulnId itself plus any aliases
75+
set_of_ids = {vuln_id}
76+
set_of_alias_sources = {"cveId", "sonatypeId", "ghsaId", "osvId", "snykId", "gsdId", "vulnDbId"}
77+
for alias in dependency_track_finding["vulnerability"].get("aliases") or []:
78+
for alias_source in set_of_alias_sources:
79+
if alias_source in alias:
80+
set_of_ids.add(alias[alias_source])
81+
vulnerability_id = list(set_of_ids)
19182

19283
# Default CWE to CWE-1035 Using Components with Known Vulnerabilities if there is no CWE
19384
if "cweId" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["cweId"] is not None:

0 commit comments

Comments
 (0)