dradis-veracode 4.13.0 → 4.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7a6bf17b3d57590b7d4714a464e144bb6663a8298b0716810df645b0ec6948e
-  data.tar.gz: 90f4a540c99ef2c63f469f8ca91cd6c0417a0438049bf30783f629f521201b72
+  metadata.gz: 377e92adc3f11ee6e82f78c510986e3b39321d26810ae37f88630aa86f799684
+  data.tar.gz: 73d9d5ecac85b5b97b75525f6fc7f4e182e0f7742f917bd56444daecd0087284
 SHA512:
-  metadata.gz: 59fc19179ea7543d2ee191edf88f72dbf83eaf3e0367bc9c64be26ba9f45b62706624dd68c7ac84aa1d7d4a73d412fb995726205464e28cfe6e42b48a799c65e
-  data.tar.gz: 5ac98a895646eca1c074b1c0976963c4d5397ce5e67b802d1c71601b630044afdff0d3bc3066ad1d403b50fb823f489e2fcd2ee8f69bbf98f223bd89a4861dec
+  metadata.gz: 8a4e88b7881297ffddecfb2c9e349e1e88cdfa5a84b4fd755bab1ccdc9a03c2569e513aaae874fd27324f33afb711255ab483cea456d94f3117e9a333ac0848b
+  data.tar.gz: 4007fbf71e3e6d5586947f51e54088712c1776af832b3ab4ab49d8612733355bbc0400767f3917fde38e2d8f363237e870eb5637a6b1c343b0d1a68396aa9574

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+v4.14.0 (October 2024)
+  - Import data from the software composition analysis section
+
 v4.13.0 (July 2024)
   - Add `issueid`, `line`, `module`, `sourcefile`, & `sourcefilepath` as available issue fields
 

data/lib/dradis/plugins/veracode/field_processor.rb

@@ -4,14 +4,15 @@ module Dradis
       class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
         def post_initialize(args = {})
           @record =
-            if (data.is_a?(::Veracode::Flaw) || data.is_a?(::Veracode::Evidence))
+            if data.is_a?(::Veracode::Flaw) || data.is_a?(::Veracode::Evidence) || data.is_a?(::Veracode::Vulnerability)
               data
-
             # Note: The evidence and flaw samples are the same but they need to
             # be differentiated in the plugins manager preview. In that case,
             # we're adding a "dradis_type" attribute in the evidence.sample file
-            elsif (data['dradis_type'] == 'evidence')
+            elsif data['dradis_type'] == 'evidence'
               ::Veracode::Evidence.new(data.at_xpath('./staticflaws/flaw'))
+            elsif data.name == 'component'
+              ::Veracode::Vulnerability.new(data.at_xpath('./vulnerabilities/vulnerability'))
             else
               ::Veracode::Flaw.new(data.at_xpath('./staticflaws/flaw'))
             end

data/lib/dradis/plugins/veracode/formats/flaw.rb

@@ -0,0 +1,19 @@
+module Dradis::Plugins::Veracode::Formats
+  module Flaw
+
+    private
+
+    def parse_flaw(xml_flaw)
+      cwe_id = xml_flaw[:cweid]
+      logger.info { "\t\t => Creating issue and evidence (flaw cweid: #{ cwe_id })" }
+
+      flaw = ::Veracode::Flaw.new(xml_flaw)
+      issue_text = mapping_service.apply_mapping(source: 'issue', data: flaw)
+      issue = content_service.create_issue(text: issue_text, id: cwe_id)
+
+      evidence = ::Veracode::Evidence.new(xml_flaw)
+      evidence_text = mapping_service.apply_mapping(source: 'evidence', data: evidence)
+      content_service.create_evidence(content: evidence_text, issue: issue, node: node)
+    end
+  end
+end

data/lib/dradis/plugins/veracode/formats/vulnerability.rb

@@ -0,0 +1,17 @@
+module Dradis::Plugins::Veracode::Formats
+  module Vulnerability
+
+    private
+
+    def parse_vulnerability(xml_vuln)
+      cve_id = xml_vuln[:cve_id]
+      vuln = ::Veracode::Vulnerability.new(xml_vuln)
+      issue_text = mapping_service.apply_mapping(source: 'sca_issue', data: vuln)
+      issue = content_service.create_issue(text: issue_text, id: cve_id)
+
+      evidence = ::Veracode::Vulnerability.new(xml_vuln)
+      evidence_text = mapping_service.apply_mapping(source: 'sca_evidence', data: evidence)
+      content_service.create_evidence(content: evidence_text, issue: issue, node: node)
+    end
+  end
+end

data/lib/dradis/plugins/veracode/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 13
+        MINOR = 14
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/veracode/importer.rb

@@ -1,7 +1,12 @@
 module Dradis::Plugins::Veracode
   class Importer < Dradis::Plugins::Upload::Importer
+    attr_accessor :node
+
+    include Dradis::Plugins::Veracode::Formats::Flaw
+    include Dradis::Plugins::Veracode::Formats::Vulnerability
+
     def self.templates
-      { evidence: 'evidence', issue: 'issue' }
+      { evidence: ['evidence', 'sca_evidence'], issue: ['issue', 'sca_issue'] }
     end
 
     # The framework will call this function if the user selects this plugin from
@@ -25,15 +30,22 @@ module Dradis::Plugins::Veracode
       end
 
       # create app_name, and parse attributes
-      node = parse_report_details(xml.root)
+      @node = parse_report_details(xml.root)
 
-      # parse each severity > category > cwe > flaws
-      xml.root.xpath('./xmlns:severity').each do |xml_severity|
+      # parse each severity > category > cwe > staticflaws > flaw
+      xml.root.xpath('xmlns:severity').each do |xml_severity|
         logger.info { "\t => Severity (level: #{ xml_severity[:level] })" }
-        xml_severity.xpath('.//xmlns:flaw').each do |xml_flaw|
-          parse_flaw(xml_flaw, node)
+        xml_severity.xpath('./xmlns:category/xmlns:cwe/xmlns:staticflaws/xmlns:flaw').each do |xml_flaw|
+          parse_flaw(xml_flaw)
         end
       end
+
+      # parse each software_composition_analysis > ... > vulnerability
+      xml.root.xpath(
+        'xmlns:software_composition_analysis/xmlns:vulnerable_components//xmlns:vulnerability'
+      ).each do |xml_vuln|
+        parse_vulnerability(xml_vuln)
+      end
     end
 
     private
@@ -54,18 +66,5 @@ module Dradis::Plugins::Veracode
       app_node.save
       app_node
     end
-
-    def parse_flaw(xml_flaw, node)
-      cwe_id = xml_flaw[:cweid]
-      logger.info { "\t\t => Creating issue and evidence (flaw cweid: #{ cwe_id })" }
-
-      flaw = ::Veracode::Flaw.new(xml_flaw)
-      issue_text = mapping_service.apply_mapping(source: 'issue', data: flaw)
-      issue = content_service.create_issue(text: issue_text, id: cwe_id)
-
-      veracode_evidence = ::Veracode::Evidence.new(xml_flaw)
-      evidence_text = mapping_service.apply_mapping(source: 'evidence', data: veracode_evidence)
-      evidence = content_service.create_evidence(content: evidence_text, issue: issue, node: node)
-    end
   end
 end

data/lib/dradis/plugins/veracode/mapping.rb

@@ -18,6 +18,18 @@ module Dradis::Plugins::Veracode
         'Category' => '{{ veracode[issue.categoryname] }}',
         'CWE' => '{{ veracode[issue.cweid] }}',
         'RemediationStatus' => '{{ veracode[issue.remediation_status] }}'
+      },
+      sca_evidence: {
+        'File' => "{{ veracode[sca_evidence.file_name] }}\n{{ veracode[sca_evidence.file_path_value] }}",
+        'Library' => "{{ veracode[sca_evidence.library] }}\n{{ veracode[sca_evidence.library_id] }}",
+        'Mitigation' => "{{ veracode[sca_evidence.mitigation] }}"
+      },
+      sca_issue: {
+        'Title' => '{{ veracode[sca_issue.cve_id] }}',
+        'Description' => '{{ veracode[sca_issue.cve_summary] }}',
+        'Severity' => '{{ veracode[sca_issue.severity_desc] }}',
+        'Notes' => "CWE: {{ veracode[sca_issue.cwe_id] }}\nCVSS: {{ veracode[sca_issue.cvss_score] }}\nAffects policy compliance: {{ veracode[sca_issue.vulnerability_affects_policy_compliance] }}",
+        'Mitigation' => "{{ veracode[sca_issue.mitigation] }}"
       }
     }.freeze
 
@@ -53,6 +65,23 @@ module Dradis::Plugins::Veracode
         'issue.severity',
         'issue.sourcefile',
         'issue.sourcefilepath'
+      ],
+      sca_evidence: [
+        'sca_evidence.file_name',
+        'sca_evidence.file_path_value',
+        'sca_evidence.library',
+        'sca_evidence.library_id',
+        'sca_evidence.mitigation',
+      ],
+      sca_issue: [
+        'sca_issue.cve_id',
+        'sca_issue.cve_summary',
+        'sca_issue.cvss_score',
+        'sca_issue.cwe_id',
+        'sca_issue.mitigation',
+        'sca_issue.severity',
+        'sca_issue.severity_desc',
+        'sca_issue.vulnerability_affects_policy_compliance'
       ]
     }.freeze
   end

data/lib/dradis/plugins/veracode.rb

@@ -7,6 +7,8 @@ end
 
 require 'dradis/plugins/veracode/engine'
 require 'dradis/plugins/veracode/field_processor'
+require 'dradis/plugins/veracode/formats/vulnerability'
+require 'dradis/plugins/veracode/formats/flaw'
 require 'dradis/plugins/veracode/mapping'
 require 'dradis/plugins/veracode/importer'
 require 'dradis/plugins/veracode/version'

data/lib/dradis-veracode.rb

@@ -7,3 +7,4 @@ require 'dradis/plugins/veracode'
 # Load supporting Veracode classes
 require 'veracode/evidence'
 require 'veracode/flaw'
+require 'veracode/vulnerability'

data/lib/veracode/vulnerability.rb

@@ -0,0 +1,58 @@
+module Veracode
+  class Vulnerability
+    attr_reader :xml_vulnerability
+
+    def initialize(xml_vulnerability)
+      @xml = xml_vulnerability
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        :cve_id, :cve_summary, :cvss_score, :cwe_id, :file_name, :file_path,
+        :library, :library_id, :mitigation, :severity, :severity_desc,
+        :vulnerability_affects_policy_compliance
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private = false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      method_name = method.to_s
+
+      if method_name == 'mitigation'
+        return @xml.xpath('.//*:mitigation').map do |mitigation|
+          "#{mitigation.attr('action')}\n#{mitigation.attr('description')}\n#{mitigation.attr('date')}"
+        end.join("\n\n")
+      end
+
+      # First we try the attributes
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Next we try the parent <component> attributes
+      component = @xml.parent.parent
+      return component.attributes[method_name].value if component.attributes.key?(method_name)
+    end
+  end
+end

data/spec/dradis/plugins/veracode/importer_spec.rb

@@ -2,12 +2,13 @@ require 'spec_helper'
 require 'ostruct'
 
 describe Dradis::Plugins::Veracode::Importer do
-
   before(:each) do
     # Stub template service
     templates_dir = File.expand_path('../../../../../templates', __FILE__)
-    expect_any_instance_of(Dradis::Plugins::TemplateService)
-    .to receive(:default_templates_dir).and_return(templates_dir)
+
+    mapping_service = double('Dradis::Plugins::MappingService')
+    allow(mapping_service).to receive(:apply_mapping).and_return('')
+    allow(Dradis::Plugins::MappingService).to receive(:new).and_return(mapping_service)
 
     # Init services
     plugin = Dradis::Plugins::Veracode
@@ -36,13 +37,11 @@ describe Dradis::Plugins::Veracode::Importer do
   it 'creates nodes, issues, and, evidence' do
     expect(@content_service).to receive(:create_node).with(hash_including label: 'Cybersecurity-Pilot').once
 
-    %w{ 117 382 }.each do |cweid|
+    %w{ 117 382 CVE-2022-41404 CVE-2022-36033 SRCCLR-SID-22742 CVE-2022-42889 }.each do |cweid|
       expect(@content_service).to receive(:create_issue).with(hash_including id: cweid).at_least(:once)
     end
 
-    %w{ 107 129 333 }.each do |line|
-      expect(@content_service).to receive(:create_evidence).with(hash_including(content: a_string_matching(/#{line}/))).once
-    end
+    expect(@content_service).to receive(:create_evidence).with(hash_including(content: '')).at_least(7).times
 
     # Run the import
     @importer.import(file: 'spec/fixtures/files/veracode.xml')

data/templates/sca_evidence.sample

@@ -0,0 +1,19 @@
+<component component_id="hash" file_name="filename.jar" sha1="" vulnerabilities="1" max_cvss_score="5.0" version="0.1.1" library="library" library_id="library_id" vendor="library.org" description="Sample description" added_date="2022-12-12 08&#x3a;19&#x3a;55 UTC" component_affects_policy_compliance="false">
+  <file_paths>
+     <file_path value="file_path"/>
+  </file_paths>
+  <licenses>
+     <license name="License" spdx_id="Apache-2.0" license_url="example.com" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+        <mitigations/>
+     </license>
+  </licenses>
+  <vulnerabilities>
+     <vulnerability cve_id="CVE-2022-11111" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08&#x3a;19&#x3a;55 UTC" cve_summary="CVE Summary" severity_desc="Medium" mitigation="true" mitigation_type="Mitigate by Design" mitigated_date="2022-12-12 16&#x3a;00&#x3a;29 UTC" vulnerability_affects_policy_compliance="false">
+        <mitigations>
+           <mitigation action="Approve Mitigation" description="asda" user="sample_user" date="2022-12-12 16&#x3a;00&#x3a;55 UTC"/>
+           <mitigation action="Mitigate by Design" description="fdsa" user="sample_user" date="2022-12-12 15&#x3a;59&#x3a;55 UTC"/>
+        </mitigations>
+     </vulnerability>
+  </vulnerabilities>
+  <violated_policy_rules/>
+</component>

data/templates/sca_issue.sample

@@ -0,0 +1,19 @@
+<component component_id="hash" file_name="filename.jar" sha1="" vulnerabilities="1" max_cvss_score="5.0" version="0.1.1" library="library" library_id="library_id" vendor="library.org" description="Sample description" added_date="2022-12-12 08&#x3a;19&#x3a;55 UTC" component_affects_policy_compliance="false">
+  <file_paths>
+     <file_path value="file_path"/>
+  </file_paths>
+  <licenses>
+     <license name="License" spdx_id="Apache-2.0" license_url="example.com" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
+        <mitigations/>
+     </license>
+  </licenses>
+  <vulnerabilities>
+     <vulnerability cve_id="CVE-2022-11111" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08&#x3a;19&#x3a;55 UTC" cve_summary="CVE Summary" severity_desc="Medium" mitigation="true" mitigation_type="Mitigate by Design" mitigated_date="2022-12-12 16&#x3a;00&#x3a;29 UTC" vulnerability_affects_policy_compliance="false">
+        <mitigations>
+           <mitigation action="Approve Mitigation" description="asda" user="sample_user" date="2022-12-12 16&#x3a;00&#x3a;55 UTC"/>
+           <mitigation action="Mitigate by Design" description="fdsa" user="sample_user" date="2022-12-12 15&#x3a;59&#x3a;55 UTC"/>
+        </mitigations>
+     </vulnerability>
+  </vulnerabilities>
+  <violated_policy_rules/>
+</component>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-veracode
 version: !ruby/object:Gem::Version
-  version: 4.13.0
+  version: 4.14.0
 platform: ruby
 authors:
 - Dradis Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-07 00:00:00.000000000 Z
+date: 2024-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -102,6 +102,8 @@ files:
 - lib/dradis/plugins/veracode.rb
 - lib/dradis/plugins/veracode/engine.rb
 - lib/dradis/plugins/veracode/field_processor.rb
+- lib/dradis/plugins/veracode/formats/flaw.rb
+- lib/dradis/plugins/veracode/formats/vulnerability.rb
 - lib/dradis/plugins/veracode/gem_version.rb
 - lib/dradis/plugins/veracode/importer.rb
 - lib/dradis/plugins/veracode/mapping.rb
@@ -109,11 +111,14 @@ files:
 - lib/tasks/thorfile.rb
 - lib/veracode/evidence.rb
 - lib/veracode/flaw.rb
+- lib/veracode/vulnerability.rb
 - spec/dradis/plugins/veracode/importer_spec.rb
 - spec/fixtures/files/veracode.xml
 - spec/spec_helper.rb
 - templates/evidence.sample
 - templates/issue.sample
+- templates/sca_evidence.sample
+- templates/sca_issue.sample
 homepage: https://dradis.com/integrations/veracode.html
 licenses:
 - GPL-2