fix aqua parser #10585 (#10725)

manuel-sommer · web-flow · commit df1514491ce0 · 2024-08-12T09:14:48.000-05:00
* fix aqua parser #10585 * unittest and ruff * more ruff * fix according to review * fix according to review
diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
@@ -38,20 +38,29 @@ def vulnerability_tree(self, vulnerabilitytree, test):
         for node in vulnerabilitytree:
             resource = node.get("resource")
             vulnerabilities = node.get("vulnerabilities", [])
+            sensitive_items = resource.get("sensitive_items", [])
             if vulnerabilities is None:
                 vulnerabilities = []
             for vuln in vulnerabilities:
                 item = get_item(resource, vuln, test)
                 unique_key = resource.get("cpe") + vuln.get("name", "None") + resource.get("path", "None")
                 self.items[unique_key] = item
+            if sensitive_items is None:
+                sensitive_items = []
+            for sensitive_item in sensitive_items:
+                item = get_item_sensitive_data(resource, sensitive_item, test)
+                unique_key = resource.get("cpe") + resource.get("path", "None") + str(sensitive_item)
+                self.items[unique_key] = item
 
 
 def get_item(resource, vuln, test):
     resource_name = resource.get("name", resource.get("path"))
     resource_version = resource.get("version", "No version")
     vulnerability_id = vuln.get("name", "No CVE")
     fix_version = vuln.get("fix_version", "None")
-    description = vuln.get("description", "No description.")
+    description = vuln.get("description", "No description.") + "\n"
+    if resource.get("path"):
+        description += "**Path:** " + resource.get("path") + "\n"
     cvssv3 = None
 
     url = ""
@@ -161,6 +170,32 @@ def get_item_v2(item, test):
     return finding
 
 
+def get_item_sensitive_data(resource, sensitive_item, test):
+    resource_name = resource.get("name", "None")
+    resource_path = resource.get("path", "None")
+    vulnerability_id = resource_name
+    description = "**Senstive Item:** " + sensitive_item + "\n"
+    description += "**Layer:** " + resource.get("layer", "None") + "\n"
+    description += "**Layer_Digest:** " + resource.get("layer_digest", "None") + "\n"
+    description += "**Path:** " + resource.get("path", "None") + "\n"
+    finding = Finding(
+        title=vulnerability_id
+        + " - "
+        + resource_name
+        + " ("
+        + resource_path
+        + ") ",
+        test=test,
+        severity="Info",
+        description=description.strip(),
+        component_name=resource.get("name"),
+    )
+    if vulnerability_id != "No CVE":
+        finding.unsaved_vulnerability_ids = [vulnerability_id]
+
+    return finding
+
+
 def aqua_severity_of(score):
     if score == "high":
         return "High"
diff --git a/unittests/tools/test_aqua_parser.py b/unittests/tools/test_aqua_parser.py
@@ -102,7 +102,8 @@ def test_aqua_parser_aqua_devops_issue_10611(self):
         with open("unittests/scans/aqua/aqua_devops_issue_10611.json") as testfile:
             parser = AquaParser()
             findings = parser.get_findings(testfile, Test())
-            self.assertEqual(98, len(findings))
+            self.assertEqual(101, len(findings))
+            self.assertEqual("server.key - server.key (/juice-shop/node_modules/node-gyp/test/fixtures/server.key) ", findings[83].title)
 
     def test_aqua_parser_aqua_devops_empty(self):
         with open("unittests/scans/aqua/empty_aquadevops.json") as testfile:
