From f9de48f3bad5f92429cd2e4a34af1865e37da362 Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Wed, 7 May 2025 14:25:18 +0100
Subject: [PATCH 01/11] Introduced needed dependencies

---
 dojo/tools/checkov/parser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index 0f1f461cea6..df53220b528 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -1,5 +1,6 @@
 import json
-
+import requests
+from bs4 import BeautifulSoup
 from dojo.models import Finding

From 08f68d90396ff285ae088f6e497216342a09a981 Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Wed, 7 May 2025 14:28:50 +0100
Subject: [PATCH 02/11] Added info injection from guideline into finding

---
 dojo/tools/checkov/parser.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index df53220b528..da0bd0dbcb9 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -120,6 +120,22 @@ def get_item(vuln, test, check_type):
     if "check_name" in vuln:
         description += f"{vuln['check_name']}\n"
+    mitigation = ""
+    if "guideline" in vuln:
+        plain_url = f"{vuln['guideline']}.plain.html".replace("docs.prismacloud.io", "docs.prismacloud.io/docs")
+        plain_req = requests.get(plain_url)
+        plain_html = plain_req.text
+
+        soup = BeautifulSoup(plain_html, 'html.parser')
+
+        # More detailed description
+        d_txt = soup.find(id='description').parent
+        description += str(d_txt)
+
+        # More detailed mitigation
+        m_txt = soup.findAll(id=lambda x: x and x.startswith('fix'))[0].parent
+        mitigation += str(m_txt)
+
     file_path = vuln.get("file_path", None)
     source_line = None
     if "file_line_range" in vuln:
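Review bot: `requests.get(plain_url)` in the new `guideline` branch makes the importing server fetch a URL assembled from a field of the uploaded report, so a crafted scan file can steer outbound requests from the server (no scheme or host allowlist, no `timeout=`), and the fetched HTML is appended verbatim to the finding's description and mitigation. A parser for an uploaded file should stay free of network I/O and at most keep the guideline URL in `references`, as the existing code already does. Independently, `soup.find(id='description')` returns `None` when the element is absent, so `.parent` raises AttributeError, and `findAll(...)[0]` raises IndexError when nothing matches; either exception aborts the whole import because of one finding. Patch 06 in this series reverts the hunk, which resolves the point; get_item's body continues outside the hunk.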
@@ -134,8 +150,6 @@ def get_item(vuln, test, check_type):
     if "severity" in vuln and vuln["severity"] is not None:
         severity = vuln["severity"].capitalize()
-    mitigation = ""
-
     references = vuln.get("guideline", "")
     return Finding(
         title=title,

From d4d86f72d6609cbe858f6d491e358afd3d72d0db Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Wed, 7 May 2025 14:29:38 +0100
Subject: [PATCH 03/11] Adding BeautifulSoup to requirements

Let's debate if this version is the best to use.
---
 requirements.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/requirements.txt b/requirements.txt
index 86a9974ccb0..2ba1287ffec 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,6 @@
 # requirements.txt for DefectDojo using Python 3.x
 asteval==1.0.6
+beautifulsoup4==4.13.4
 bleach==6.2.0
 bleach[css]
 celery==5.5.2

From f17416408f11ce9f6d7308125baa0e2ec4f2c609 Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Wed, 7 May 2025 14:51:22 +0100
Subject: [PATCH 04/11] Add benchmark guidelines to mitigation section

---
 dojo/tools/checkov/parser.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index da0bd0dbcb9..dfa18087110 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -134,7 +134,15 @@ def get_item(vuln, test, check_type):
         # More detailed mitigation
         m_txt = soup.findAll(id=lambda x: x and x.startswith('fix'))[0].parent
-        mitigation += str(m_txt)
+        mitigation += str(m_txt) + "\n"
+
+    if "benchmarks" in vuln:
+        bms = vuln['benchmarks'].keys()
+        if len(bms) > 0:
+            mitigation += f"\nBenchmarks:\n"
+            for bm in bms:
+                for gl in vuln['benchmarks'][bm]:
+                    mitigation += f"- {bm} # {gl['name']} : {gl['description']}\n"
     file_path = vuln.get("file_path", None)
     source_line = None

From b2540e2864e3e68221010d552d3dd9f6342b93ff Mon Sep 17 00:00:00 2001
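Review bot: `gl['name']` and `gl['description']` in the new benchmarks loop index each benchmark entry directly, so a report whose entry lacks either key raises KeyError and aborts the import; patch 10 requotes the same lines and keeps the indexing. Safer is `mitigation += f"- {bm} # {gl.get('name', '')} : {gl.get('description', '')}\n"`, and the `if len(bms) > 0:` guard reads better as `if bms:`. The `f"\nBenchmarks:\n"` literal has no placeholders (patch 10 drops the `f` prefix). get_item's body continues outside the hunk.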
From: shodanwashere
Date: Thu, 15 May 2025 11:04:00 +0100
Subject: [PATCH 05/11] Revert "Adding BeautifulSoup to requirements"

This reverts commit d4d86f72d6609cbe858f6d491e358afd3d72d0db.
---
 requirements.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 2ba1287ffec..86a9974ccb0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,5 @@
 # requirements.txt for DefectDojo using Python 3.x
 asteval==1.0.6
-beautifulsoup4==4.13.4
 bleach==6.2.0
 bleach[css]
 celery==5.5.2

From ed4b3f188f5bb207df1b389fa213653cb40db59e Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Thu, 15 May 2025 11:06:05 +0100
Subject: [PATCH 06/11] Revert "Added info injection from guideline into finding"

This reverts commit 08f68d90396ff285ae088f6e497216342a09a981.
---
 dojo/tools/checkov/parser.py | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index dfa18087110..c2505da3511 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -120,22 +120,6 @@ def get_item(vuln, test, check_type):
     if "check_name" in vuln:
         description += f"{vuln['check_name']}\n"
-    mitigation = ""
-    if "guideline" in vuln:
-        plain_url = f"{vuln['guideline']}.plain.html".replace("docs.prismacloud.io", "docs.prismacloud.io/docs")
-        plain_req = requests.get(plain_url)
-        plain_html = plain_req.text
-
-        soup = BeautifulSoup(plain_html, 'html.parser')
-
-        # More detailed description
-        d_txt = soup.find(id='description').parent
-        description += str(d_txt)
-
-        # More detailed mitigation
-        m_txt = soup.findAll(id=lambda x: x and x.startswith('fix'))[0].parent
-        mitigation += str(m_txt) + "\n"
-
     if "benchmarks" in vuln:
         bms = vuln['benchmarks'].keys()
         if len(bms) > 0:
@@ -158,6 +142,8 @@ def get_item(vuln, test, check_type):
     if "severity" in vuln and vuln["severity"] is not None:
         severity = vuln["severity"].capitalize()
+    mitigation = ""
+
     references = vuln.get("guideline", "")
     return Finding(
         title=title,

From a25aa8deb96f3cbff28a858be38d1470eaf64e18 Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Thu, 15 May 2025 11:06:26 +0100
Subject: [PATCH 07/11] Revert "Introduced needed dependencies"

This reverts commit f9de48f3bad5f92429cd2e4a34af1865e37da362.
---
 dojo/tools/checkov/parser.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index c2505da3511..d9bd5f0adea 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -1,6 +1,5 @@
 import json
-import requests
-from bs4 import BeautifulSoup
+
 from dojo.models import Finding

From 195f9026c1580315a1590ea522ffc0eae77e619c Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Thu, 15 May 2025 11:07:25 +0100
Subject: [PATCH 08/11] Maintaining benchmark refs in finding

---
 dojo/tools/checkov/parser.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index d9bd5f0adea..785f5681aab 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -141,8 +141,6 @@ def get_item(vuln, test, check_type):
     if "severity" in vuln and vuln["severity"] is not None:
         severity = vuln["severity"].capitalize()
-    mitigation = ""
-
     references = vuln.get("guideline", "")
     return Finding(
         title=title,

From f27cd8222863e016a5eca1b7e7bdaf26e91a7d42 Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Thu, 15 May 2025 11:09:21 +0100
Subject: [PATCH 09/11] Implemented future proofed description inclusion

---
 dojo/tools/checkov/parser.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index 785f5681aab..2cf55526197 100644
--- a/dojo/tools/checkov/parser.py
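Review bot: The re-added `mitigation = ""` sits below the `if "benchmarks"` block that the revert keeps, and that block does `mitigation += ...` first; because the name is assigned later in the same function, Python treats it as a local, so a report with a `benchmarks` entry fails with UnboundLocalError before this line is reached. The initialization belongs above the benchmarks block: drop it here and put `mitigation = ""` immediately before `if "benchmarks" in vuln:`. Patch 08 then deletes this line without relocating it, leaving `mitigation` undefined until patch 10 adds it in the right place. get_item's body continues outside the hunk.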
+++ b/dojo/tools/checkov/parser.py
@@ -119,6 +119,9 @@ def get_item(vuln, test, check_type):
     if "check_name" in vuln:
         description += f"{vuln['check_name']}\n"
+    if "description" in vuln:
+        description += f"\n{vuln['description']}\n"
+
     if "benchmarks" in vuln:
         bms = vuln['benchmarks'].keys()
         if len(bms) > 0:

From a601ef3390d40760d2ae056c81d533c9ed20983c Mon Sep 17 00:00:00 2001
From: shodanwashere
Date: Tue, 20 May 2025 11:39:41 +0100
Subject: [PATCH 10/11] Fixes problems raised by Ruff Linter

Specifically, this fixes Q000, F821 and F541 identified previously on lines 126, 128 and 130
---
 dojo/tools/checkov/parser.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index 2cf55526197..c2ab7c4e587 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
@@ -121,13 +121,14 @@ def get_item(vuln, test, check_type):
     if "description" in vuln:
         description += f"\n{vuln['description']}\n"
-
+
+    mitigation = ""
     if "benchmarks" in vuln:
-        bms = vuln['benchmarks'].keys()
+        bms = vuln["benchmarks"].keys()
         if len(bms) > 0:
-            mitigation += f"\nBenchmarks:\n"
+            mitigation += "\nBenchmarks:\n"
             for bm in bms:
-                for gl in vuln['benchmarks'][bm]:
+                for gl in vuln["benchmarks"][bm]:
                     mitigation += f"- {bm} # {gl['name']} : {gl['description']}\n"
     file_path = vuln.get("file_path", None)

From 3100b0627782bbbc6bd5d4538d0e9350c26b9a68 Mon Sep 17 00:00:00 2001
From: Nuno Dias
Date: Tue, 27 May 2025 08:21:51 +0100
Subject: [PATCH 11/11] Removed whitespace reported by linter

Co-authored-by: valentijnscholten
---
 dojo/tools/checkov/parser.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dojo/tools/checkov/parser.py b/dojo/tools/checkov/parser.py
index c2ab7c4e587..87b5921525a 100644
--- a/dojo/tools/checkov/parser.py
+++ b/dojo/tools/checkov/parser.py
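Review bot: `bms = vuln["benchmarks"].keys()` followed by `vuln["benchmarks"][bm]` inside the loop does a second lookup per key where iterating the mapping's items yields both at once; since the hunk is already rewriting these exact lines for the linter, it is the right moment to simplify. Suggested: `for bm, gls in vuln["benchmarks"].items():` over `for gl in gls:`, and `if bms:` in place of `if len(bms) > 0:`. get_item's body continues outside the hunk.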
@@ -121,7 +121,6 @@ def get_item(vuln, test, check_type): if "description" in vuln: description += f"\n{vuln['description']}\n" - mitigation = "" if "benchmarks" in vuln: bms = vuln["benchmarks"].keys()