Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions

dojo/tools/osv_scanner/parser.py

@@ -37,6 +37,7 @@
                     vulnerabilitydetails = vulnerability.get("details", "")
                     vulnerabilitypackagepurl = ""
                     cwe = None
+                    mitigation = None
                     # Make sure we have an affected section to work with
                     if (affected := vulnerability.get("affected")) is not None:
                         if len(affected) > 0:
@@ -46,16 +47,23 @@
                             # Extract the CWE
                             if (cwe := affected[0].get("database_specific", {}).get("cwes", None)) is not None:
                                 cwe = cwe[0]["cweId"]
+                            # Extract fixed version
+                            ranges = affected[0].get("ranges", [])
+                            for range_item in ranges:
+                                for event in range_item.get("events", []):
+                                    if "fixed" in event:
+                                        mitigation = f"Upgrade to version: {event['fixed']}"
                     # Create some references
                     reference = ""
-                    for ref in vulnerability.get("references"):
+                    for ref in vulnerability.get("references", []):
                         reference += ref.get("url") + "\n"
                     # Define the description
                     description = vulnerabilitysummary + "\n"
                     description += "**source_type**: " + source_type + "\n"
                     description += "**package_ecosystem**: " + package_ecosystem + "\n"
                     description += "**vulnerabilitydetails**: " + vulnerabilitydetails + "\n"
                     description += "**vulnerabilitypackagepurl**: " + vulnerabilitypackagepurl + "\n"
+
                     sev = vulnerability.get("database_specific", {}).get("severity", "")
                     finding = Finding(
                         title=vulnerabilityid + "_" + package_name,
@@ -70,8 +78,11 @@
                         file_path=source_path,
                         references=reference,
                     )
+                    if mitigation:
+                        finding.mitigation = mitigation
                     if vulnerabilityid != "":
                         finding.unsaved_vulnerability_ids = []
                         finding.unsaved_vulnerability_ids.append(vulnerabilityid)
                     findings.append(finding)
         return findings
+

unittests/tools/test_osv_scanner_parser.py

@@ -43,3 +43,4 @@ def test_many_findings(self):
             finding = findings[17]
             self.assertEqual(finding.references, "https://nvd.nist.gov/vuln/detail/CVE-2021-45115\nhttps://docs.djangoproject.com/en/4.0/releases/security\nhttps://github.com/django/django\nhttps://groups.google.com/forum/#!forum/django-announce\nhttps://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV\nhttps://security.netapp.com/advisory/ntap-20220121-0005\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases\n")
             self.assertEqual(finding.title, "GHSA-53qw-q765-4fww_django")
+            self.assertEqual(finding.mitigation, "Upgrade to version: 2.2.26")