dradis-veracode 4.14.0 → 4.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 377e92adc3f11ee6e82f78c510986e3b39321d26810ae37f88630aa86f799684
-  data.tar.gz: 73d9d5ecac85b5b97b75525f6fc7f4e182e0f7742f917bd56444daecd0087284
+  metadata.gz: 835a4403ff6c5e49d1ff7b1cff0904f453581577cd529c61d1de670aff178acf
+  data.tar.gz: 462d3ddfd62c4ef27d8fae2a2a4d72d7ba3ae261353c372c8c87deae2a2bdbca
 SHA512:
-  metadata.gz: 8a4e88b7881297ffddecfb2c9e349e1e88cdfa5a84b4fd755bab1ccdc9a03c2569e513aaae874fd27324f33afb711255ab483cea456d94f3117e9a333ac0848b
-  data.tar.gz: 4007fbf71e3e6d5586947f51e54088712c1776af832b3ab4ab49d8612733355bbc0400767f3917fde38e2d8f363237e870eb5637a6b1c343b0d1a68396aa9574
+  metadata.gz: 3a5e0f025803d77e27208c81252490155ff20e2a911a17a14cad65d8ef6192428261c56ceeb2110792e8bf171dfac59bafa5fe218fa48405d02309311521d5ad
+  data.tar.gz: e444763d764f6404a9abf5952ba134de7a9e43d7b791e522c272bc8f5e2dbb0150723652cfb541266cdb54dd33971c3975b8d9fb6c02342446706153a1cef24e

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+v4.15.0 (December 2024)
+  - No changes
+
 v4.14.0 (October 2024)
   - Import data from the software composition analysis section
 

data/lib/dradis/plugins/veracode/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 14
+        MINOR = 15
         TINY = 0
         PRE = nil
 

data/spec/dradis/plugins/veracode/importer_spec.rb

@@ -35,7 +35,7 @@ describe Dradis::Plugins::Veracode::Importer do
   end
 
   it 'creates nodes, issues, and, evidence' do
-    expect(@content_service).to receive(:create_node).with(hash_including label: 'Cybersecurity-Pilot').once
+    expect(@content_service).to receive(:create_node).with(hash_including label: 'Example-App').once
 
     %w{ 117 382 CVE-2022-41404 CVE-2022-36033 SRCCLR-SID-22742 CVE-2022-42889 }.each do |cweid|
       expect(@content_service).to receive(:create_issue).with(hash_including id: cweid).at_least(:once)
@@ -44,6 +44,6 @@ describe Dradis::Plugins::Veracode::Importer do
     expect(@content_service).to receive(:create_evidence).with(hash_including(content: '')).at_least(7).times
 
     # Run the import
-    @importer.import(file: 'spec/fixtures/files/veracode.xml')
+    @importer.import(file: 'spec/fixtures/files/veracode-scrubbed.xml')
   end
 end

data/spec/fixtures/files/{veracode.xml → veracode-scrubbed.xml}

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<detailedreport xmlns:xsi="http&#x3a;&#x2f;&#x2f;www.w3.org&#x2f;2001&#x2f;XMLSchema-instance" xmlns="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0" xsi:schemaLocation="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0 https&#x3a;&#x2f;&#x2f;analysiscenter.veracode.com&#x2f;resource&#x2f;detailedreport.xsd" report_format_version="1.5" account_id="10470" app_name="Cybersecurity-Pilot" app_id="1280614" analysis_id="22666593" static_analysis_unit_id="22682243" sandbox_id="4031820" first_build_submitted_date="2022-12-12 06&#x3a;18&#x3a;41 UTC" version="12 Dec 2022 Static Promoted" build_id="22695302" submitter="Sai Manjunath Reddy Katha" platform="Not Specified" assurance_level="2" business_criticality="2" generation_date="2023-03-07 14&#x3a;45&#x3a;59 UTC" veracode_level="VL3 &#x2b; SCA" total_flaws="3" flaws_not_mitigated="3" teams="SecurityReviewServices" life_cycle_stage="Not Specified" planned_deployment_date="2022-12-12 07&#x3a;40&#x3a;09 UTC" last_update_time="2022-12-12 08&#x3a;20&#x3a;14 UTC" is_latest_build="true" policy_name="HP Internet App" policy_version="13" policy_compliance_status="Pass" policy_rules_status="Pass" grace_period_expired="false" scan_overdue="false" business_owner="Hoelzer, Ralf" business_unit="Cybersecurity" tags="sammuel.washington&#x40;hp.com" legacy_scan_engine="false"><static-analysis rating="A" score="99" submitted_date="2022-12-12 08&#x3a;19&#x3a;44 UTC" published_date="2022-12-12 08&#x3a;20&#x3a;13 UTC" version="12 Dec 2022 Static Promoted" analysis_size_bytes="105400" engine_version="20221110172554">
+<detailedreport xmlns:xsi="http&#x3a;&#x2f;&#x2f;www.w3.org&#x2f;2001&#x2f;XMLSchema-instance" xmlns="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0" xsi:schemaLocation="https&#x3a;&#x2f;&#x2f;www.veracode.com&#x2f;schema&#x2f;reports&#x2f;export&#x2f;1.0 https&#x3a;&#x2f;&#x2f;analysiscenter.veracode.com&#x2f;resource&#x2f;detailedreport.xsd" report_format_version="1.5" account_id="10470" app_name="Example-App" app_id="12345" analysis_id="22666593" static_analysis_unit_id="22682243" sandbox_id="4031820" first_build_submitted_date="2022-12-12 06&#x3a;18&#x3a;41 UTC" version="12 Dec 2022 Static Promoted" build_id="22695302" submitter="Submitter" platform="Not Specified" assurance_level="2" business_criticality="2" generation_date="2023-03-07 14&#x3a;45&#x3a;59 UTC" veracode_level="VL3 &#x2b; SCA" total_flaws="3" flaws_not_mitigated="3" teams="SecurityReviewServices" life_cycle_stage="Not Specified" planned_deployment_date="2022-12-12 07&#x3a;40&#x3a;09 UTC" last_update_time="2022-12-12 08&#x3a;20&#x3a;14 UTC" is_latest_build="true" policy_name="Example Internet App" policy_version="13" policy_compliance_status="Pass" policy_rules_status="Pass" grace_period_expired="false" scan_overdue="false" business_owner="Business Owner" business_unit="Cybersecurity" tags="example&#x40;test.com" legacy_scan_engine="false"><static-analysis rating="A" score="99" submitted_date="2022-12-12 08&#x3a;19&#x3a;44 UTC" published_date="2022-12-12 08&#x3a;20&#x3a;13 UTC" version="12 Dec 2022 Static Promoted" analysis_size_bytes="105400" engine_version="20221110172554">
       <modules>
          <module name="pipeline-scan.jar" compiler="JAVAC_8" os="Java J2SE 8" architecture="JVM" loc="6130" score="99" numflawssev0="0" numflawssev1="0" numflawssev2="1" numflawssev3="2" numflawssev4="0" numflawssev5="0"/>
       </modules>
@@ -110,9 +110,9 @@
             <vulnerabilities>
                <vulnerability cve_id="CVE-2022-41404" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08&#x3a;19&#x3a;48 UTC" cve_summary="org.ini4j&#x3a;ini4j is vulnerable to denial of service &#x28;DoS&#x29; attacks. The vulnerable &#x60;fetch&#x60; method in the &#x60;BasicProfile.java&#x60; allows remote attackers to cause denial of service conditions in the target system." severity_desc="Medium" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2023-01-05 16&#x3a;15&#x3a;07 UTC" vulnerability_affects_policy_compliance="false">
                   <mitigations>
-                     <mitigation action="Potential False Positive" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2023-01-05 16&#x3a;15&#x3a;07 UTC"/>
-                     <mitigation action="Approve Mitigation" description="asda" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 16&#x3a;00&#x3a;29 UTC"/>
-                     <mitigation action="Mitigate by Design" description="&#xd;Technique&#x3a; M1 &#x3a;  Establish and maintain control over all of your inputs&#xd;&#xa;Specifics&#x3a; sds&#xd;&#xa;Remaining Risk&#x3a; sd&#xd;&#xa;Verification&#x3a; asd" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 15&#x3a;59&#x3a;53 UTC"/>
+                     <mitigation action="Potential False Positive" description="testing" user="example&#x40;test.com" date="2023-01-05 16&#x3a;15&#x3a;07 UTC"/>
+                     <mitigation action="Approve Mitigation" description="asda" user="example&#x40;test.com" date="2022-12-12 16&#x3a;00&#x3a;29 UTC"/>
+                     <mitigation action="Mitigate by Design" description="&#xd;Technique&#x3a; M1 &#x3a;  Establish and maintain control over all of your inputs&#xd;&#xa;Specifics&#x3a; sds&#xd;&#xa;Remaining Risk&#x3a; sd&#xd;&#xa;Verification&#x3a; asd" user="example&#x40;test.com" date="2022-12-12 15&#x3a;59&#x3a;53 UTC"/>
                   </mitigations>
                </vulnerability>
             </vulnerabilities>
@@ -130,8 +130,8 @@
             <vulnerabilities>
                <vulnerability cve_id="CVE-2022-36033" cvss_score="6.4" severity="4" cwe_id="CWE-79" first_found_date="2022-12-12 08&#x3a;19&#x3a;48 UTC" cve_summary="jsoup is vulnerable to cross-site scripting. The vulnerability exists in &#x60;resolve&#x60; function in &#x60;StringUtil.java&#x60; because the jsoup cleaner is not properly sanitized when SafeList.preserveRelativeLinks is enabled which allows an attacker to inject and execute arbitrary javascript." severity_desc="High" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2022-12-12 08&#x3a;57&#x3a;30 UTC" vulnerability_affects_policy_compliance="false">
                   <mitigations>
-                     <mitigation action="Approve Mitigation" description="testg" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 08&#x3a;57&#x3a;30 UTC"/>
-                     <mitigation action="Potential False Positive" description="testr" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 08&#x3a;57&#x3a;21 UTC"/>
+                     <mitigation action="Approve Mitigation" description="testg" user="example&#x40;test.com" date="2022-12-12 08&#x3a;57&#x3a;30 UTC"/>
+                     <mitigation action="Potential False Positive" description="testr" user="example&#x40;test.com" date="2022-12-12 08&#x3a;57&#x3a;21 UTC"/>
                   </mitigations>
                </vulnerability>
             </vulnerabilities>
@@ -173,9 +173,9 @@
             <vulnerabilities>
                <vulnerability cve_id="SRCCLR-SID-22742" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08&#x3a;19&#x3a;48 UTC" cve_summary="commons-codec does not properly perform input validation on encoded values. The &#x60;decode&#x28;&#x29;&#x60; function in the Base32, Base64 and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and decodes into arbitrary values. A remote attacker can leverage this vulnerability to tunnel additional information via Base32 or Base64 encoded strings that appears to be legitimate." severity_desc="Medium" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2023-01-04 17&#x3a;38&#x3a;44 UTC" vulnerability_affects_policy_compliance="false">
                   <mitigations>
-                     <mitigation action="Comment" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2023-01-04 17&#x3a;38&#x3a;44 UTC"/>
-                     <mitigation action="Approve Mitigation" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 08&#x3a;22&#x3a;48 UTC"/>
-                     <mitigation action="Potential False Positive" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 08&#x3a;22&#x3a;36 UTC"/>
+                     <mitigation action="Comment" description="testing" user="example&#x40;test.com" date="2023-01-04 17&#x3a;38&#x3a;44 UTC"/>
+                     <mitigation action="Approve Mitigation" description="testing" user="example&#x40;test.com" date="2022-12-12 08&#x3a;22&#x3a;48 UTC"/>
+                     <mitigation action="Potential False Positive" description="testing" user="example&#x40;test.com" date="2022-12-12 08&#x3a;22&#x3a;36 UTC"/>
                   </mitigations>
                </vulnerability>
             </vulnerabilities>
@@ -193,8 +193,8 @@
             <vulnerabilities>
                <vulnerability cve_id="CVE-2022-42889" cvss_score="7.5" severity="4" cwe_id="CWE-94" first_found_date="2022-12-12 08&#x3a;19&#x3a;48 UTC" cve_summary="Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the &#x60;lookup&#x60; module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system." severity_desc="High" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2022-12-12 15&#x3a;58&#x3a;13 UTC" vulnerability_affects_policy_compliance="false">
                   <mitigations>
-                     <mitigation action="Approve Mitigation" description="tets" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 15&#x3a;58&#x3a;13 UTC"/>
-                     <mitigation action="Potential False Positive" description="test" user="login.external.hp.comkatha.sai.manjunath.reddy&#x40;hp.com" date="2022-12-12 15&#x3a;58&#x3a;06 UTC"/>
+                     <mitigation action="Approve Mitigation" description="tets" user="example&#x40;test.com" date="2022-12-12 15&#x3a;58&#x3a;13 UTC"/>
+                     <mitigation action="Potential False Positive" description="test" user="example&#x40;test.com" date="2022-12-12 15&#x3a;58&#x3a;06 UTC"/>
                   </mitigations>
                </vulnerability>
             </vulnerabilities>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-veracode
 version: !ruby/object:Gem::Version
-  version: 4.14.0
+  version: 4.15.0
 platform: ruby
 authors:
 - Dradis Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-21 00:00:00.000000000 Z
+date: 2024-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -113,7 +113,7 @@ files:
 - lib/veracode/flaw.rb
 - lib/veracode/vulnerability.rb
 - spec/dradis/plugins/veracode/importer_spec.rb
-- spec/fixtures/files/veracode.xml
+- spec/fixtures/files/veracode-scrubbed.xml
 - spec/spec_helper.rb
 - templates/evidence.sample
 - templates/issue.sample
@@ -144,5 +144,5 @@ specification_version: 4
 summary: Veracode add-on for the Dradis Framework.
 test_files:
 - spec/dradis/plugins/veracode/importer_spec.rb
-- spec/fixtures/files/veracode.xml
+- spec/fixtures/files/veracode-scrubbed.xml
 - spec/spec_helper.rb