🎉 Add 'fix_available' field to zora parser (#13760)

manuel-sommer · web-flow · commit 8917680323a6 · 2025-11-26T09:37:09.000-07:00
* 🎉 Add 'fix_available' field to zora parser

* ruff

* review
diff --git a/dojo/tools/zora/parser.py b/dojo/tools/zora/parser.py
@@ -43,8 +43,6 @@ def get_findings(self, content, test: Test) -> list[Finding]:
             description += f"**Image**: {row.get('image')}\n"
             description += f"**ID**: {row.get('id')}\n"
             description += f"**Details**: {row.get('description')}\n"
-            if row.get("fixVersion"):
-                description += f"**Fix Version**: {row.get('fixVersion')}\n"
             mitigation = row.get("description", "")
             unique_id = f"{row.get('source')}-{row.get('image')}-{row.get('id')}"
             status = row.get("status", "").upper()
@@ -60,6 +58,11 @@ def get_findings(self, content, test: Test) -> list[Finding]:
                 test=test,
                 is_mitigated=is_mitigated,
             )
+            if row.get("fixVersion"):
+                finding.fix_available = True
+                finding.fix_version = row.get("fixVersion")
+            else:
+                finding.fix_available = False
             vuln_id = row.get("id")
             if vuln_id:
                 finding.unsaved_vulnerability_ids = [vuln_id]
diff --git a/unittests/scans/zora/scan_many.csv b/unittests/scans/zora/scan_many.csv
@@ -21,7 +21,7 @@ public key verification failed by calling SSL_get_verify_result(), and those
 that do, and take appropriate action, are not affected.  This issue was
 introduced in the initial implementation of RPK support in OpenSSL 3.2.
 
-The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","3.3.3-r0"
+The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",""
 "Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-13176","openssl: Timing side-channel in ECDSA signature computation","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow recovering
 the private key exists in the ECDSA signature computation.
 
@@ -38,7 +38,7 @@ process must either be located in the same physical computer or must
 have a very fast network connection with low latency. For that reason
 the severity of this vulnerability is Low.
 
-The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","3.3.2-r2"
+The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.",
 "Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-9230","openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap","MEDIUM","fixed","Issue summary: An application trying to decrypt CMS messages encrypted using
 password based encryption can trigger an out-of-bounds read and write.
 
diff --git a/unittests/tools/test_zora_parser.py b/unittests/tools/test_zora_parser.py
@@ -19,8 +19,20 @@ def test_parse_file_with_many_vuln_has_many_findings(self):
             findings = parser.get_findings(content, Test())
             self.assertEqual(198, len(findings))  # Adjust based on your test file
             # Check a specific finding for correctness
+            finding = findings[0]
+            self.assertEqual(True, finding.fix_available)
+            self.assertEqual("1.2.5-r1", finding.fix_version)
+            finding = findings[1]
+            self.assertEqual(False, finding.fix_available)
+            self.assertEqual(None, finding.fix_version)
+            finding = findings[2]
+            self.assertEqual(False, finding.fix_available)
+            self.assertEqual(None, finding.fix_version)
+            finding = findings[3]
+            self.assertEqual(True, finding.fix_available)
+            self.assertEqual("3.3.5-r0", finding.fix_version)
             finding = findings[10]
             self.assertEqual("net/url: Insufficient validation of bracketed IPv6 hostnames in net/url", finding.title)
             self.assertEqual("Medium", finding.severity)
             self.assertTrue(finding.unique_id_from_tool.startswith(f"{finding.description.splitlines()[0].split(': ')[1]}"))
-            self.assertIn("Fix Version", finding.description)
+            self.assertEqual('**Source**: Trivy\n**Image**: ghcr.io/undistro/popeye:0.21\n**ID**: CVE-2025-47912\n**Details**: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.\n', finding.description)
