bugfix: twistlock: fix no cvss case (#12809)

valentijnscholten · web-flow · commit ae90b6b79f06 · 2025-07-21T09:09:06.000-06:00
* twistlock: fix no cvss case

* twistlock: use markdown instead html
diff --git a/dojo/tools/twistlock/parser.py b/dojo/tools/twistlock/parser.py
@@ -109,11 +109,10 @@ def parse_issue(self, row, test):
             date=finding_date,
             severity=convert_severity(data_severity),
             description=data_description
-            + "<p> Vulnerable Package: "
+            + "\n\nVulnerable Package: "
             + data_package_name
-            + "</p><p> Current Version: "
-            + str(data_package_version)
-            + "</p>",
+            + "\n\nCurrent Version: "
+            + str(data_package_version),
             mitigation=data_fix_status,
             component_name=textwrap.shorten(
                 data_package_name, width=200, placeholder="...",
@@ -231,18 +230,10 @@ def get_item(vulnerability, test, image_metadata=""):
         if "severity" in vulnerability
         else "Info"
     )
-    vector = (
-        vulnerability.get("vector", "CVSS vector not provided. ")
-    )
-    status = (
-        vulnerability.get("status", "There seems to be no fix yet. Please check description field.")
-    )
-    cvss = (
-        vulnerability.get("cvss", "No CVSS score yet.")
-    )
-    riskFactors = (
-        vulnerability.get("riskFactors", "No risk factors.")
-    )
+    cvssv3 = vulnerability.get("vector")
+    status = vulnerability.get("status", "There seems to be no fix yet. Please check description field.")
+    cvssv3_score = vulnerability.get("cvss")
+    riskFactors = vulnerability.get("riskFactors", "No risk factors.")
 
     # Build impact field combining severity and image metadata which can change between scans, so we add it to the impact field as the description field is sometimes used for hash code calculation
     impact_parts = [severity]
@@ -260,17 +251,17 @@ def get_item(vulnerability, test, image_metadata=""):
         test=test,
         severity=severity,
         description=vulnerability.get("description", "")
-        + "<p> Vulnerable Package: "
+        + "\n\nVulnerable Package: "
         + vulnerability.get("packageName", "")
-        + "</p><p> Current Version: "
-        + str(vulnerability.get("packageVersion", ""))
-        + "</p>",
+        + "\n\nCurrent Version: "
+        + str(vulnerability.get("packageVersion", "")),
         mitigation=status.title() if isinstance(status, str) else "",
         references=vulnerability.get("link"),
         component_name=vulnerability.get("packageName", ""),
         component_version=vulnerability.get("packageVersion", ""),
-        severity_justification=f"{vector} (CVSS v3 base score: {cvss})\n\n{riskFactors}",
-        cvssv3_score=cvss,
+        severity_justification=f"Vector: {cvssv3} (CVSS v3 base score: {cvssv3_score})\n\n{riskFactors}",
+        cvssv3=cvssv3,
+        cvssv3_score=cvssv3_score,
         impact=impact_text,
     )
     finding.unsaved_vulnerability_ids = [vulnerability["id"]] if "id" in vulnerability else None
@@ -294,15 +285,15 @@ def get_compliance_item(compliance, test, image_metadata=""):
     layer_time = compliance.get("layerTime", "")
 
     # Build comprehensive description
-    desc_parts = [f"<p><strong>Compliance Issue:</strong> {title}</p>"]
+    desc_parts = [f"**Compliance Issue:** {title}\n\n"]
 
     if compliance_id:
-        desc_parts.append(f"<p><strong>Compliance ID:</strong> {compliance_id}</p>")
+        desc_parts.append(f"**Compliance ID:** {compliance_id}\n\n")
 
     if category:
-        desc_parts.append(f"<p><strong>Category:</strong> {category}</p>")
+        desc_parts.append(f"**Category:** {category}\n\n")
 
-    desc_parts.append(f"<p><strong>Description:</strong> {description}</p>")
+    desc_parts.append(f"**Description:** {description}\n\n")
 
     # Build impact field combining severity and image metadata
     impact_parts = [severity]
diff --git a/unittests/scans/twistlock/no_cvss.json b/unittests/scans/twistlock/no_cvss.json
@@ -0,0 +1,102 @@
+{
+	"results": [
+		{
+			"id": "sha256:02f8d1e213aaef1e4534bd5183b17b4dc60c1be32025113b7ea20de4cb14a36e",
+			"name": "somename:v8.11",
+			"distro": "Debian GNU/Linux 12 (bookworm)",
+			"distroRelease": "bookworm",
+			"collections": [
+				"All collections",
+				"Group (RBAC)"
+			],
+			"packages": [
+				{
+					"type": "os",
+					"name": "bash",
+					"version": "5.2.15-2",
+					"licenses": [
+						"GPL-3+"
+					]
+				},
+				{
+					"type": "python",
+					"name": "inflect",
+					"version": "7.3.1",
+					"path": "/usr/local/lib/python3.13/site-packages/setuptools/_vendor/inflect-7.3.1.dist-info"
+				}
+			],
+			"compliances": [
+				{
+					"id": 404,
+					"title": "(CIS_Docker_v1.5.0 - 4.6) Add HEALTHCHECK instruction to the container image",
+					"severity": "medium",
+					"description": "One of the important security triads is availability. Adding HEALTHCHECK instruction to your\ncontainer image ensures that the docker engine periodically checks the running container\ninstances against that instruction to ensure that the instances are still working",
+					"layerTime": "1970-01-01T00:00:00Z",
+					"category": "Docker"
+				}
+			],
+			"complianceDistribution": {
+				"critical": 0,
+				"high": 0,
+				"medium": 1,
+				"low": 0,
+				"total": 1
+			},
+			"complianceScanPassed": true,
+			"vulnerabilities": [
+				{
+					"id": "CVE-2025-6297",
+					"status": "open",
+					"severity": "low",
+					"packageName": "dpkg",
+					"packageVersion": "1.21.22",
+					"link": "https://security-tracker.debian.org/tracker/CVE-2025-6297",
+					"impactedVersions": [
+						"\u003c=1.21.22"
+					],
+					"discoveredDate": "2025-07-08T09:50:42Z",
+					"layerTime": "2025-02-26T09:50:35Z",
+					"layerInstruction": "COPY extra/instantclient-basic-linux.x64-19.16.0.0.0dbru.zip /tmp/instantclient-basic-linux.x64-19.16.0.0.0dbru.zip # buildkit"
+				},
+				{
+					"id": "CVE-2025-1390",
+					"status": "fixed in 1:2.66-4+deb12u1",
+					"description": "The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.",
+					"severity": "low",
+					"packageName": "libcap2",
+					"packageVersion": "1:2.66-4",
+					"link": "https://security-tracker.debian.org/tracker/CVE-2025-1390",
+					"riskFactors": [
+						"Has fix",
+						"Recent vulnerability"
+					],
+					"impactedVersions": [
+						"\u003c1:2.66-4+deb12u1"
+					],
+					"publishedDate": "2025-02-18T03:15:10Z",
+					"discoveredDate": "2025-07-08T09:50:42Z",
+					"fixDate": "2025-05-17T14:08:50Z",
+					"layerTime": "2025-02-26T09:50:35Z",
+					"layerInstruction": "COPY extra/instantclient-basic-linux.x64-19.16.0.0.0dbru.zip /tmp/instantclient-basic-linux.x64-19.16.0.0.0dbru.zip # buildkit"
+				}
+			],
+			"vulnerabilityDistribution": {
+				"critical": 0,
+				"high": 1,
+				"medium": 0,
+				"low": 2,
+				"total": 3
+			},
+			"vulnerabilityScanPassed": true,
+			"history": [
+				{
+					"created": "2025-01-01T21:11:11Z",
+					"instruction": "bashstring -i -F"
+				}
+			],
+			"scanTime": "2025-01-01T02:12:23.309542313Z",
+			"scanID": "686cea70f70e81f2b73eb5c3"
+		}
+	],
+	"consoleURL": "https://canadaconsoleforthearts.gov.ca"
+}
diff --git a/unittests/tools/test_twistlock_parser.py b/unittests/tools/test_twistlock_parser.py
@@ -1,4 +1,5 @@
 
+
 from dojo.models import Test
 from dojo.tools.twistlock.parser import TwistlockParser
 from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path
@@ -114,6 +115,33 @@ def test_parse_file_with_no_link_no_description(self):
                 self.assertEqual("PRISMA-2021-0013", finding.unsaved_vulnerability_ids[0])
                 break
 
+    def test_parse_file_with_no_cvss(self):
+        testfile = (get_unit_tests_scans_path("twistlock") / "no_cvss.json").open(encoding="utf-8")
+        parser = TwistlockParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        # Should have 4 findings: 3 vulnerabilities + 1 compliance
+        self.assertEqual(3, len(findings))
+
+        for finding in findings:
+            if finding.title.startswith("Compliance:"):
+                # Verify compliance finding exists
+                self.assertIn("CIS_Docker_v1.5.0 - 4.6", finding.title)
+                self.assertEqual("Medium", finding.severity)
+                self.assertIn("404", finding.vuln_id_from_tool)
+            else:
+                # This should be a vulnerability finding
+                self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
+                finding.unsaved_vulnerability_ids[0]
+                # Findings without CVSS should have None or empty CVSS fields
+                self.assertIsNone(finding.cvssv3)
+                self.assertIsNone(finding.cvssv3_score)
+
+                # All vulnerability findings should have impact metadata
+                self.assertIn("Image ID:", finding.impact)
+                self.assertIn("Distribution:", finding.impact)
+                self.assertIn("Debian GNU/Linux 12", finding.impact)
+
     def test_parse_file_with_many_vulns(self):
         testfile = (get_unit_tests_scans_path("twistlock") / "many_vulns.json").open(encoding="utf-8")
         parser = TwistlockParser()
