-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New HCL AppScan on Cloud SAST parser #11375
base: dev
Are you sure you want to change the base?
Conversation
DryRun Security SummaryThe pull request adds support for the HCL AppScan on Cloud SAST scanner in DefectDojo by implementing a new parser, updating configurations, adding documentation, and creating comprehensive unit tests to enhance the application's security scanning capabilities. Expand for full summarySummary: The code changes in this pull request focus on adding support for the HCL AppScan on Cloud SAST (Static Application Security Testing) scanner in the DefectDojo application. The changes include:
From an application security perspective, these changes are generally positive, as they expand the capabilities of the DefectDojo application to support a wider range of security scanners and tools. The parser implementation appears to be well-designed and secure, and the unit tests cover various scenarios to ensure the parser's functionality. However, it's important to ensure that the new parser configurations are thoroughly tested and validated to prevent any potential security issues or vulnerabilities. Additionally, the changes to the deduplication algorithm configuration should be carefully reviewed to ensure that they do not introduce any unintended consequences. Files Changed:
Code AnalysisWe ran |
@xpert98 Love the contribution but have to ask: Why are those conditionals so deeply nested? I was reviewing this PR and wondering how much "fun" it would be to handle a future change with that deep nesting. I'm almost afraid to run a cyclical complexity tool on this parser code TBH. Can you help me understand your thinking on that? |
@mtesauro I went that route because of the way the data is structured. Specifically for the mitigations and references, those are separate blocks outside of each result and that seemed like a convenient way to include the relevant "why it's a problem" and "how to fix it" into each issue to be rendered along with the typical issue details like file name and line number. |
msg = "This doesn't seem to be a valid HCL ASoC SAST xml file." | ||
raise NamespaceErr(msg) | ||
report = root.find("issue-group") | ||
if report is not None: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of putting the whole function after this point inside an if
block when report
is not None
, just bail if report
is None
.
if report is not None: | |
if report is None: | |
return findings |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was keeping the overall style of the parser similar to the existing hcl_appscan (for DAST) parser for consistency. I can refactor if this is a dealbreaker.
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
8c9bdf7
to
6791149
Compare
@xpert98 Closing and re-opening to see if I can get ruff-linting unstuck |
HCL AppScan sure chose a "creative" structure for this output 🤮 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved
Conflicts have been resolved. A maintainer will review the pull request shortly. |
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
Description
This is a new parser for HCL AppScan on Cloud SAST results.
Test results
Tests are included and pass.
Documentation
Documentation included.
Checklist
This checklist is for your information.
dev
.dev
.bugfix
branch.Extra information