Added handling for abnormal wazuh severity values (#13522)

Jino-T · web-flow · commit 26fe7a9db33b · 2025-10-30T13:28:00.000-05:00
* Added handling for abnormal wazuh severity values

* Added unit tests for wazuh abnormal severities

* Fixing ruff issue
diff --git a/dojo/tools/wazuh/v4_7.py b/dojo/tools/wazuh/v4_7.py
@@ -25,6 +25,19 @@ def parse_findings(self, test, data):
                 agent_ip = item.get("agent_ip")
                 detection_time = item.get("detection_time").split("T")[0]
 
+                # Map Wazuh severity to its equivalent in DefectDojo
+                SEVERITY_MAP = {
+                    "Critical": "Critical",
+                    "High": "High",
+                    "Medium": "Medium",
+                    "Low": "Low",
+                    "Info": "Info",
+                    "Informational": "Info",
+                    "Untriaged": "Info",
+                }
+                # Get DefectDojo severity and default to "Info" if severity is not in the mapping
+                severity = SEVERITY_MAP.get(severity, "Info")
+
                 references = "\n".join(links) if links else None
 
                 title = (
diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py
@@ -25,6 +25,19 @@ def parse_findings(self, test, data):
             detection_time = vuln.get("detected_at").split("T")[0]
             references = vuln.get("reference")
 
+            # Map Wazuh severity to its equivalent in DefectDojo
+            SEVERITY_MAP = {
+                "Critical": "Critical",
+                "High": "High",
+                "Medium": "Medium",
+                "Low": "Low",
+                "Info": "Info",
+                "Informational": "Info",
+                "Untriaged": "Info",
+            }
+            # Get DefectDojo severity and default to "Info" if severity is not in the mapping
+            severity = SEVERITY_MAP.get(severity, "Info")
+
             title = (
                 cve + " affects (version: " + item.get("package").get("version") + ")"
             )
diff --git a/unittests/scans/wazuh/wazuh_abnormal_severity.json b/unittests/scans/wazuh/wazuh_abnormal_severity.json
@@ -0,0 +1,80 @@
+{
+    "took": 8,
+    "timed_out": false,
+    "_shards": {
+      "total": 1,
+      "successful": 1,
+      "skipped": 0,
+      "failed": 0
+    },
+    "hits": {
+      "total": {
+        "value": 125,
+        "relation": "eq"
+      },
+      "max_score": 5.596354,
+      "hits": [
+        {
+          "_index": "wazuh-states-vulnerabilities-wazuh-server",
+          "_id": "001_c2f8c1a3b6e902b4c6d8e0g7a4b6c5d0e2b4a6n5_CVE-2025-27558",
+          "_score": 5.596323,
+          "_source": {
+            "agent": {
+              "id": "001",
+              "name": "myhost0",
+              "type": "Wazuh",
+              "version": "v4.11.1"
+            },
+            "host": {
+              "os": {
+                "full": "Ubuntu 24.04.2 LTS",
+                "kernel": "6.8.0-62-generic",
+                "name": "Ubuntu",
+                "platform": "ubuntu",
+                "type": "ubuntu",
+                "version": "24.04.2"
+              }
+            },
+            "package": {
+              "architecture": "amd64",
+              "description": "Signed kernel image generic",
+              "name": "linux-image-6.8.0-60-generic",
+              "size": 15025152,
+              "type": "deb",
+              "version": "6.8.0-60.63"
+            },
+            "vulnerability": {
+              "category": "Packages",
+              "classification": "-",
+              "description": "IEEE P603.12-REVme D1.2 through D7.1 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.",
+              "detected_at": "2025-05-25T17:07:15.204Z",
+              "enumeration": "CVE",
+              "id": "CVE-2025-27558",
+              "published_at": "2025-04-22T19:16:08Z",
+              "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558",
+              "scanner": {
+                "condition": "Package default status",
+                "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558",
+                "source": "Canonical Security Tracker",
+                "vendor": "Wazuh"
+              },
+              "score": {
+                "base": 9.1,
+                "version": "3.1"
+              },
+              "severity": "-",
+              "under_evaluation": false
+            },
+            "wazuh": {
+              "cluster": {
+                "name": "wazuh-server"
+              },
+              "schema": {
+                "version": "1.0.0"
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py
@@ -60,3 +60,10 @@ def test_parse_v4_8_many_findings(self):
             self.assertEqual("CVE-2025-27558 affects (version: 6.8.0-60.63)", findings[0].title)
             self.assertEqual("Critical", findings[0].severity)
             self.assertEqual(9.1, findings[0].cvssv3_score)
+
+    def test_parse_wazuh_abnormal_severity(self):
+        with (get_unit_tests_scans_path("wazuh") / "wazuh_abnormal_severity.json").open(encoding="utf-8") as testfile:
+            parser = WazuhParser()
+            findings = parser.get_findings(testfile, Test())
+            for finding in findings:
+                self.assertEqual("Info", finding.severity)
