New HCL AppScan on Cloud SAST parser #11375
Conversation
github-actions
bot
added
settings_changes
DryRun Security SummaryThe pull request adds support for the HCL AppScan on Cloud SAST XML parser in DefectDojo, enhancing the application's ability to parse and analyze security vulnerabilities from this specific tool through the implementation of a new parser class, configuration updates, and comprehensive unit testing. Expand for full summarySummary: The code changes in this pull request focus on adding support for the "HCL AppScan on Cloud SAST XML" parser in the DefectDojo application security platform. The key changes include:
From an application security perspective, these changes are positive as they expand the capabilities of DefectDojo to support a wider range of vulnerability scanning tools, allowing security teams to consolidate and analyze security data from multiple sources. The attention to input validation, structured data representation, and the extraction of detailed vulnerability information in the parser implementation is also commendable. The unit tests ensure the reliability and accuracy of the security findings reported by the HCL AppScan on Cloud SAST tool, which is crucial for effectively addressing identified vulnerabilities. The coverage of different scenarios and the validation of severity, CWE mapping, and file/line number tracking demonstrate a comprehensive approach to testing the security-critical functionality of the parser. Overall, these changes appear to be a well-designed and secure addition to the DefectDojo application, enhancing its capabilities to support a wider range of security tools and providing a robust framework for managing and addressing security vulnerabilities. Files Changed:
Code AnalysisWe ran |
|
@xpert98 Love the contribution but have to ask: Why are those conditionals so deeply nested? I was reviewing this PR and wondering how much "fun" it would be to handle a future change with that deep nesting. I'm almost afraid to run a cyclical complexity tool on this parser code TBH. Can you help me understand your thinking on that? |
|
@mtesauro I went that route because of the way the data is structured. Specifically for the mitigations and references, those are separate blocks outside of each result and that seemed like a convenient way to include the relevant "why it's a problem" and "how to fix it" into each issue to be rendered along with the typical issue details like file name and line number. |
| msg = "This doesn't seem to be a valid HCL ASoC SAST xml file." | ||
| raise NamespaceErr(msg) | ||
| report = root.find("issue-group") | ||
| if report is not None: |
There was a problem hiding this comment.
Instead of putting the whole function after this point inside an if block when report is not None, just bail if report is None.
| if report is not None: | |
| if report is None: | |
| return findings |
There was a problem hiding this comment.
I was keeping the overall style of the parser similar to the existing hcl_appscan (for DAST) parser for consistency. I can refactor if this is a dealbreaker.
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
Co-authored-by: Charles Neill <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
xpert98
force-pushed
the
hcl-asoc-sast-parser
branch
from
8c9bdf7 to
6791149
Compare
|
@xpert98 Closing and re-opening to see if I can get ruff-linting unstuck |
HCL AppScan sure chose a "creative" structure for this output 🤮 |
We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md
Description
This is a new parser for HCL AppScan on Cloud SAST results.
Test results
Tests are included and pass.
Documentation
Documentation included.
Checklist
This checklist is for your information.
dev.dev.bugfixbranch.Extra information