
Commit bd81e6e

🐛 fix severity order of trivy (#13736)
* 🐛 fix severity order of trivy #13647 * update, fix unittests * update * update
1 parent 4505bdb commit bd81e6e

3 files changed

Lines changed: 175 additions & 7 deletions


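--- a/dojo/tools/trivy/parser.py
+++ b/dojo/tools/trivy/parser.py
@@ -255,6 +255,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
 cvssclass = None
 cvssv3 = None
 cvssv3_score = None
+severity = TRIVY_SEVERITIES[vuln["Severity"]] if vuln.get("Severity") else None
 # Iterate over the possible severity sources tom find the first match
 for severity_source in [detected_severity_source, *CVSS_SEVERITY_SOURCES]:
 cvssclass = cvss.get(severity_source, None)
@@ -265,16 +266,17 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
 if cvss_data := parse_cvss_data(cvssclass.get("V3Vector", "")):
 cvssv3 = cvss_data.get("cvssv3")
 cvssv3_score = cvss_data.get("cvssv3_score")
-severity = cvss_data.get("severity")
+if severity is None:
+severity = cvss_data.get("severity")
 elif (cvss_v3_score := cvssclass.get("V3Score")) is not None:
 cvssv3_score = cvss_v3_score
-severity = self.convert_cvss_score(cvss_v3_score)
+if severity is None:
+severity = self.convert_cvss_score(cvss_v3_score)
 elif (cvss_v2_score := cvssclass.get("V2Score")) is not None:
-severity = self.convert_cvss_score(cvss_v2_score)
-else:
-severity = self.convert_cvss_score(None)
-else:
-severity = TRIVY_SEVERITIES[vuln["Severity"]]
+if severity is None:
+severity = self.convert_cvss_score(cvss_v2_score)
+if severity is None:
+severity = self.convert_cvss_score(None)
 if target_class in {"os-pkgs", "lang-pkgs"}:
 file_path = vuln.get("PkgPath")
 if file_path is None: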
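Review bot: The new line 258, `severity = TRIVY_SEVERITIES[vuln["Severity"]] if vuln.get("Severity") else None`, now performs a hard dict lookup for every vulnerability that carries a Severity, so a report whose value is outside TRIVY_SEVERITIES (an unexpected casing, or a level added by a newer Trivy) raises KeyError on what is uploaded scanner output; before this change that same lookup only ran in the fallback branch. Assuming TRIVY_SEVERITIES is a plain dict, a tolerant lookup such as `severity = TRIVY_SEVERITIES.get(vuln.get("Severity"))` would let an unknown value fall through to the CVSS-derived path the second hunk already keeps. Since the change reverses the previous precedence, a comment above the line would help the next reader, e.g. `# Prefer the severity reported by Trivy; the CVSS-derived severity below is only a fallback`. The indentation of the final `if severity is None: severity = self.convert_cvss_score(None)` pair is not recoverable from this rendering, so whether it sits inside the V2Score branch or at the level of the outer `if` should be checked in the file. get_result_items continues on both sides of these hunks.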
Lines changed: 148 additions & 0 deletions
@@ -0,0 +1,148 @@
1+
{
2+
"SchemaVersion": 2,
3+
"ArtifactName": "sbom.json",
4+
"ArtifactType": "cyclonedx",
5+
"Metadata": {
6+
"ImageConfig": {
7+
"architecture": "",
8+
"created": "0001-01-01T00:00:00Z",
9+
"os": "",
10+
"rootfs": {
11+
"type": "",
12+
"diff_ids": null
13+
},
14+
"config": {}
15+
}
16+
},
17+
"Results": [
18+
{
19+
"Target": "requirements.txt",
20+
"Class": "lang-pkgs",
21+
"Type": "pip",
22+
"Vulnerabilities": [
23+
{
24+
"VulnerabilityID": "CVE-2023-46218",
25+
"PkgID": "curl@7.81.0-1ubuntu1.14",
26+
"PkgName": "curl",
27+
"PkgIdentifier": {
28+
"PURL": "pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.14?arch=amd64\u0026distro=ubuntu-22.04",
29+
"UID": "43a41104920d137"
30+
},
31+
"InstalledVersion": "7.81.0-1ubuntu1.14",
32+
"FixedVersion": "7.81.0-1ubuntu1.15",
33+
"Status": "fixed",
34+
"Layer": {
35+
"DiffID": "sha256:3a9073a4d18e5ed2ae6f9fd9fee81ea43774907ce603ba955bba8fc0819aa250"
36+
},
37+
"SeveritySource": "ubuntu",
38+
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-46218",
39+
"DataSource": {
40+
"ID": "ubuntu",
41+
"Name": "Ubuntu CVE Tracker",
42+
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
43+
},
44+
"Title": "curl: information disclosure by exploiting a mixed case flaw",
45+
"Description": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.",
46+
"Severity": "LOW",
47+
"VendorSeverity": {
48+
"alma": 2,
49+
"amazon": 2,
50+
"azure": 2,
51+
"cbl-mariner": 2,
52+
"nvd": 2,
53+
"oracle-oval": 2,
54+
"photon": 2,
55+
"redhat": 2,
56+
"rocky": 2,
57+
"ubuntu": 2
58+
},
59+
"CVSS": {
60+
"nvd": {
61+
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
62+
"V3Score": 6.5
63+
},
64+
"redhat": {
65+
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
66+
"V3Score": 5.3
67+
}
68+
},
69+
"References": [
70+
"https://access.redhat.com/errata/RHSA-2024:1129",
71+
"https://access.redhat.com/security/cve/CVE-2023-46218",
72+
"https://bugzilla.redhat.com/2252030",
73+
"https://bugzilla.redhat.com/show_bug.cgi?id=2196793",
74+
"https://bugzilla.redhat.com/show_bug.cgi?id=2240033",
75+
"https://bugzilla.redhat.com/show_bug.cgi?id=2241938",
76+
"https://bugzilla.redhat.com/show_bug.cgi?id=2252030",
77+
"https://curl.se/docs/CVE-2023-46218.html",
78+
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322",
79+
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546",
80+
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46218",
81+
"https://errata.almalinux.org/9/ALSA-2024-1129.html",
82+
"https://errata.rockylinux.org/RLSA-2024:1601",
83+
"https://hackerone.com/reports/2212193",
84+
"https://linux.oracle.com/cve/CVE-2023-46218.html",
85+
"https://linux.oracle.com/errata/ELSA-2024-1601.html",
86+
"https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html",
87+
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/",
88+
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/",
89+
"https://nvd.nist.gov/vuln/detail/CVE-2023-46218",
90+
"https://security.netapp.com/advisory/ntap-20240125-0007/",
91+
"https://ubuntu.com/security/notices/USN-6535-1",
92+
"https://ubuntu.com/security/notices/USN-6641-1",
93+
"https://www.cve.org/CVERecord?id=CVE-2023-46218",
94+
"https://www.debian.org/security/2023/dsa-5587"
95+
],
96+
"PublishedDate": "2023-12-07T01:15:07.16Z",
97+
"LastModifiedDate": "2025-02-13T18:15:33.843Z"
98+
},
99+
{
100+
"VulnerabilityID": "CVE-2023-37920",
101+
"PkgName": "certifi",
102+
"InstalledVersion": "2022.5.18.1",
103+
"FixedVersion": "2023.7.22",
104+
"Layer": {},
105+
"SeveritySource": "ghsa",
106+
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37920",
107+
"Ref": "pkg:pypi/certifi@2022.5.18.1",
108+
"DataSource": {
109+
"ID": "ghsa",
110+
"Name": "GitHub Security Advisory pip",
111+
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
112+
},
113+
"Title": "python-certifi: Removal of e-Tugra root certificate",
114+
"Description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
115+
"Severity": "CRITICAL",
116+
"CweIDs": ["CWE-345"],
117+
"CVSS": {
118+
"ghsa": {
119+
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
120+
"V3Score": 7.5
121+
},
122+
"nvd": {
123+
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
124+
"V3Score": 9.8
125+
},
126+
"redhat": {
127+
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
128+
"V3Score": 7.5
129+
}
130+
},
131+
"References": [
132+
"https://access.redhat.com/security/cve/CVE-2023-37920",
133+
"https://github.com/certifi/python-certifi",
134+
"https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909",
135+
"https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7",
136+
"https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml",
137+
"https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A",
138+
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/",
139+
"https://nvd.nist.gov/vuln/detail/CVE-2023-37920",
140+
"https://www.cve.org/CVERecord?id=CVE-2023-37920"
141+
],
142+
"PublishedDate": "2023-07-25T21:15:00Z",
143+
"LastModifiedDate": "2023-08-12T06:16:00Z"
144+
}
145+
]
146+
}
147+
]
148+
}

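--- a/unittests/tools/test_trivy_parser.py
+++ b/unittests/tools/test_trivy_parser.py
@@ -319,3 +319,21 @@ def test_cvss_severity_sources(self):
 self.assertEqual("High", finding.severity)
 self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", finding.cvssv3)
 self.assertEqual(7.5, finding.cvssv3_score)
+
+def test_severity_prio(self):
+# this tests issue #13647. The unittest file is just a copy of cvss_severity_source.json with edited severities
+with sample_path("severity_prio.json").open(encoding="utf-8") as test_file:
+parser = TrivyParser()
+findings = parser.get_findings(test_file, Test())
+self.assertEqual(len(findings), 2)
+with self.subTest("SeveritySource matches the CVSS entry"):
+finding = findings[0]
+self.assertEqual("Low", finding.severity)
+self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", finding.cvssv3)
+self.assertEqual(6.5, finding.cvssv3_score)
+
+with self.subTest("SeveritySource does not match the CVSS entry"):
+finding = findings[1]
+self.assertEqual("Critical", finding.severity)
+self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", finding.cvssv3)
+self.assertEqual(7.5, finding.cvssv3_score)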