conviso-ast 3.0.1rc4__tar.gz → 3.0.2rc0__tar.gz

{conviso_ast-3.0.1rc4 → conviso_ast-3.0.2rc0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: conviso-ast
-Version: 3.0.1rc4
+Version: 3.0.2rc0
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com
 Project-URL: Source, https://github.com/convisoappsec/convisocli/

{conviso_ast-3.0.1rc4 → conviso_ast-3.0.2rc0}/conviso_ast.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: conviso-ast
-Version: 3.0.1rc4
+Version: 3.0.2rc0
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com
 Project-URL: Source, https://github.com/convisoappsec/convisocli/

{conviso_ast-3.0.1rc4 → conviso_ast-3.0.2rc0}/convisoappsec/flow/graphql_api/v1/schemas/resolvers/__init__.py

@@ -150,6 +150,14 @@ query GetIssuesFingerprint(
         collection {
             id
             type
+            ... on ScaFinding {
+			      	detail {
+			      		cve
+			      		affectedVersion
+			      		fileName
+			      		package
+			      	}
+			      }
             ... on FindingInterface {
                 originalIssueIdFromTool
                 scanSource

{conviso_ast-3.0.1rc4 → conviso_ast-3.0.2rc0}/convisoappsec/flowcli/vulnerability/run.py

@@ -233,28 +233,56 @@ def run(context, flow_context, asset_id, company_id, end_commit, start_commit, r
     # Starting executing the ast again
     sast_hash_issues = perform_sastbox_scan(sastbox_registry, sastbox_repository_name, sastbox_tag, repository_dir)
 
-    sca_hash_issues = perform_sca_scan(repository_dir=repository_dir)
+    vulnerabilities = perform_sca_scan(repository_dir=repository_dir)
     iac_hash_issues = perform_iac_scan(repository_dir=repository_dir)
 
     # we need to append the two lists because at the moment this was made, iac and sast has sast as type on cp.
     sast_hash_issues = sast_hash_issues + iac_hash_issues
     # end ast execution
 
+    current_sca_hashes = set()
+    current_sca_tuples = set()
+
+    for vulnerability in vulnerabilities:
+        if vulnerability.get('hash_issue'):
+            current_sca_hashes.add(vulnerability['hash_issue'])
+
+        cve_list = vulnerability.get('cve')
+
+        if isinstance(cve_list, list) and len(cve_list) > 0:
+            cve_str = str(cve_list[0])
+        else:
+            cve_str = str(cve_list) if cve_list is not None else ""
+
+        if vulnerability.get('package') and vulnerability.get('version'):
+            current_sca_tuples.add((vulnerability['package'], vulnerability['version'], cve_str))
+
     set_of_sast_hash_issues = set(sast_hash_issues)
-    set_of_sca_hash_issues = set(sca_hash_issues)
 
     close_sast_issues(conviso_api, sast_issues_without_fix_accepted, set_of_sast_hash_issues, control_sync_status_id)
-    close_sca_issues(conviso_api, sca_issues_without_fix_accepted, set_of_sca_hash_issues, control_sync_status_id)
+    close_sca_issues(conviso_api, sca_issues_without_fix_accepted, current_sca_hashes, current_sca_tuples, control_sync_status_id)
 
     sast_issues_to_reopen = [
         {'id': item['id'], 'originalIssueIdFromTool': item['originalIssueIdFromTool']}
         for item in sast_issues_with_fix_accepted if item['originalIssueIdFromTool'] in sast_hash_issues
     ]
 
-    sca_issues_to_reopen = [
-        {'id': item['id'], 'originalIssueIdFromTool': item['originalIssueIdFromTool']}
-        for item in sca_issues_with_fix_accepted if item['originalIssueIdFromTool'] in sca_hash_issues
-    ]
+    sca_issues_to_reopen = []
+    for item in sca_issues_with_fix_accepted:
+        tool_id = item.get('originalIssueIdFromTool')
+        should_reopen = False
+
+        if tool_id:
+            if tool_id in current_sca_hashes:
+                should_reopen = True
+        else:
+            detail = item.get('detail', {})
+            item_tuple = (detail.get('package'), detail.get('affectedVersion'), detail.get('cve'))
+            if item_tuple in current_sca_tuples:
+                should_reopen = True
+
+        if should_reopen:
+            sca_issues_to_reopen.append({'id': item['id'], 'originalIssueIdFromTool': tool_id})
 
     if sast_issues_to_reopen:
         log_func("SAST: reopening {issues} vulnerability/vulnerabilities on conviso platform ...".format(
@@ -303,14 +331,25 @@ def close_sast_issues(conviso_api, issues_from_cp, issues_from_current_scan, con
         )
 
 
-def close_sca_issues(conviso_api, issues_from_cp, issues_from_current_scan, control_sync_status_id):
+def close_sca_issues(conviso_api, issues_from_cp, current_hashes, current_tuples, control_sync_status_id):
     """ method to close sca issues on conviso platform """
 
     log_func("SCA: Verifying if any vulnerability was solved...")
-    differences = [
-        {'id': item['id'], 'originalIssueIdFromTool': item['originalIssueIdFromTool']}
-        for item in issues_from_cp if item['originalIssueIdFromTool'] not in issues_from_current_scan
-    ]
+
+    differences = []
+
+    for item in issues_from_cp:
+        tool_id = item.get('originalIssueIdFromTool')
+
+        if tool_id:
+            if tool_id not in current_hashes:
+                differences.append({'id': item['id'], 'originalIssueIdFromTool': tool_id})
+        else:
+            detail = item.get('detail', {})
+            item_tuple = (detail.get('package'), detail.get('affectedVersion'), detail.get('cve'))
+
+            if item_tuple not in current_tuples:
+                differences.append({'id': item['id'], 'originalIssueIdFromTool': None})
 
     if len(differences) == 0:
         log_func("No vulnerabilities have been fixed yet...")
@@ -407,19 +446,28 @@ def perform_sca_scan(flow_context, repository_dir):
             if file_path:
                 results_filepaths.append(file_path)
 
-        hash_issues = []
+        detected_vulnerabilities = []
 
         for report_path in results_filepaths:
             try:
                 with open(report_path, 'r') as report_file:
                     report_content = json.load(report_file)
                     issues = report_content.get("issues", [])
-                    hash_issues.extend(issue.get("hash_issue") for issue in issues)
+
+                    for issue in issues:
+                        vuln_data = {
+                            "hash_issue": issue.get("hash_issue"),
+                            "package": issue.get("component"),
+                            "version": issue.get("version"),
+                            "cve": issue.get("cve")
+                        }
+
+                        detected_vulnerabilities.append(vuln_data)
 
             except (FileNotFoundError, json.JSONDecodeError) as e:
                 print(f"Error processing {report_path}: {e}")
 
-        return hash_issues
+        return detected_vulnerabilities
 
     except Exception as e:
         on_http_error(e)

conviso_ast-3.0.2rc0/convisoappsec/version.py

@@ -0,0 +1 @@
+__version__ = '3.0.2-rc.0'

conviso_ast-3.0.1rc4/convisoappsec/version.py

@@ -1 +0,0 @@
-__version__ = '3.0.1-rc.4'