Split Github Vulnerability Scan into separate SCA & SAST parsers#12773
valentijnscholten merged 26 commits into DefectDojo:dev
Conversation
@Maffooch All linting errors should be fixed now, thanks for bearing with. :)
valentijnscholten
left a comment
comment posted above
dogboat
left a comment
Just two nits about import placement, but otherwise looks great; approving because they're not blockers imho.
Responded
force-pushed 2ffb18d to 82ed3f8
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
…django-DefectDojo into github-vuln-parser-improvements
@valentijnscholten Would it be helpful if I split this out into two PRs (e.g. one for the new SAST parser, and one for the improvements to the SCA parser)? Let me know how I can help get these changes merged, thanks.
@Maffooch Need one more review, when you have time. Thanks in advance,
@Logicmn Sorry for the delay here, we had a lot of PRs for 2.51.0. This one is scheduled for 2.52.0, which will be the next release from the
No problem. Thanks for clarifying.
…ectDojo#12773)

* Refactor GithubVulnerability parser and add GithubSAST parser
* More GithubVulnerability and GithubSAST parser improvements
* Add documentation
* Add tests, update docs, and add hash code fields
* Fix Github vulnerability parser unit test
* Unit tests and parser tweaks
* Rm files pushed by mistake
* Revert certain removals from unit test
* Add EPSS field population and update unit tests
* Removed some unnecessary comments and formatting
* Ruff formatting
* Fix unit tests
* Ruff formatting
* Fix unit test
* Github Vulnerability parser and docs tweaks, and upgrade instructions
* Politeness
* Fix dependabot update pr link parsing
* Backwards compatibility
* Revert 2.49 docs change and add 2.51
* Add 2.51 upgrade doc
* Smol 2.51 upgrade doc fix
* Move imports to top
* Ruff lint fix

---------

Co-authored-by: Zeke Tierkel <zeketierkel@Zekes-MacBook-Pro.local>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Description
Hello! The current parser implementation for GitHub code scanning results is baked into the "Github Vulnerability Scan" scan type, which is a parser originally meant to be used for GitHub SCA (Dependabot) vulnerabilities. Since these two scan types are exceptionally different, issues can arise, especially around the fields used for deduplication in the hash code. This PR splits out GitHub code scanning into its own `GithubSASTParser`, with a scan-type string called "Github SAST Scan". I have included documentation, unit tests, and a new list of fields for hash code deduplication.

I also included several improvements for the original Github Vulnerability Scan parser. These improvements include:

- `cvssSeverities`, which will replace the `cvss` field in GitHub's GraphQL response in October 2025
- `dependabotUpdate` field added to the finding description
- EPSS percentage and percentile mapped to the `finding.epss_score` and `finding.epss_percentile` finding fields
- `finding.url` set to the GitHub Dependabot alert hyperlink for convenience
- `finding.cve` and `finding.vuln_id_from_tool` fields used before falling back to `unsaved_vulnerability_ids`
- `finding.component_version` was only being set when the `vulnerableRequirements` str started with `=`
- `.get()` used to access fields

Backward compatibility: existing users of the "Github Vulnerability Scan" scan type (driven by GithubVulnerabilityParser) for SCA imports will see no change. If you'd been using it to ingest SAST/code-scanning JSON, you'll need to switch your import to the new "Github SAST Scan" scan type (driven by GithubSASTParser).
Ref links:
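As an added example (not the PR's code and not DefectDojo's parser), here is the list of handling points from the description applied to a constructed Dependabot alert in Python: prefer `cvssSeverities` over the deprecated `cvss` field, read EPSS, derive `component_version` from `vulnerableRequirements` without requiring a leading `=`, read every field through `.get()`, and show why SCA and SAST findings need different hash-code fields. The GraphQL payload layout (`cvssSeverities.cvssV3/cvssV4.score`, `epss.percentage/percentile`, `dependabotUpdate.pullRequest.url`), the `repo` argument used to build the alert URL, and the two hash-code field lists are assumptions for illustration; `SAMPLE_ALERT` is constructed data with placeholder identifiers.

```python
"""Added example, not DefectDojo's parser code nor the code of PR #12773. It runs the
handling points from the description over a constructed Dependabot alert: prefer
cvssSeverities over the deprecated cvss field, read EPSS, derive component_version
from vulnerableRequirements, access fields with .get(), and show why SCA and SAST
findings need different hash-code fields. The GraphQL layout and the hash-code field
lists below are assumptions for illustration."""
import hashlib
import re

# Constructed sample alert in the assumed GraphQL shape; identifiers are placeholders.
SAMPLE_ALERT = {
    "number": 42,
    "vulnerableRequirements": "= 1.4.1",
    "dependabotUpdate": {"pullRequest": {"url": "https://example.invalid/pull/1"}},
    "securityVulnerability": {
        "package": {"name": "example-lib", "ecosystem": "PIP"},
        "advisory": {
            "summary": "Constructed advisory",
            "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0000"},
                            {"type": "CVE", "value": "CVE-0000-00000"}],
            "cvss": {"score": 0, "vectorString": None},  # deprecated field, empty here
            "cvssSeverities": {
                "cvssV3": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
                "cvssV4": {"score": 0, "vectorString": None},
            },
            "epss": {"percentage": 0.0123, "percentile": 0.85},
        },
    },
}

def cvss_score(advisory):
    """Prefer cvssSeverities (v4, then v3); fall back to the deprecated cvss field."""
    severities = advisory.get("cvssSeverities") or {}
    for key in ("cvssV4", "cvssV3"):
        entry = severities.get(key) or {}
        if entry.get("score"):
            return float(entry["score"]), entry.get("vectorString")
    legacy = advisory.get("cvss") or {}
    if legacy.get("score"):
        return float(legacy["score"]), legacy.get("vectorString")
    return None, None

def severity_from_score(score):
    """Map a CVSS base score onto DefectDojo's severity labels."""
    if not score:
        return "Info"
    return "Critical" if score >= 9.0 else "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def component_version(requirement):
    """Pinned version from vulnerableRequirements ('= 1.4.1', '== 1.4.1', '1.4.1');
    ranges like '>= 1.0, < 2.0' name no single installed version and give None."""
    match = re.fullmatch(r"=*\s*([0-9A-Za-z][\w.+-]*)", (requirement or "").strip())
    return match.group(1) if match else None

def parse_alert(alert, repo):
    """Flatten one alert into finding fields; `repo` is 'owner/name' (assumed input)."""
    vuln = alert.get("securityVulnerability") or {}
    advisory = vuln.get("advisory") or {}
    package = vuln.get("package") or {}
    score, vector = cvss_score(advisory)
    epss = advisory.get("epss") or {}
    ids = {i.get("type"): i.get("value") for i in advisory.get("identifiers") or []}
    update = (alert.get("dependabotUpdate") or {}).get("pullRequest") or {}
    return {
        "title": f"{package.get('name')}: {advisory.get('summary')}",
        "component_name": package.get("name"),
        "component_version": component_version(alert.get("vulnerableRequirements")),
        "cvssv3_score": score,
        "cvssv3": vector,
        "severity": severity_from_score(score),
        "epss_score": epss.get("percentage"),
        "epss_percentile": epss.get("percentile"),
        "vuln_id_from_tool": ids.get("GHSA"),
        "cve": ids.get("CVE"),
        "url": f"https://github.com/{repo}/security/dependabot/{alert.get('number')}",
        "description": f"Dependabot update PR: {update.get('url', 'none')}",
    }

# Illustrative hash-code field lists, not the lists the PR actually configures.
SCA_HASH_FIELDS = ("component_name", "component_version", "vuln_id_from_tool")
SAST_HASH_FIELDS = ("title", "file_path", "line")

def hash_code(finding, fields):
    """Deduplication hash over the named fields, in the spirit of DefectDojo's hash_code."""
    material = "|".join(str(finding.get(field, "")) for field in fields)
    return hashlib.sha256(material.encode()).hexdigest()

def sast_collision_demo():
    """Two distinct code-scanning findings collide under SCA fields but not SAST fields."""
    first = {"title": "SQL injection", "file_path": "app/views.py", "line": 10}
    second = {"title": "SQL injection", "file_path": "app/api.py", "line": 88}
    return (hash_code(first, SCA_HASH_FIELDS) == hash_code(second, SCA_HASH_FIELDS),
            hash_code(first, SAST_HASH_FIELDS) == hash_code(second, SAST_HASH_FIELDS))
```

`sast_collision_demo` is the point of the split in miniature: a code-scanning finding has no component name or version, so hashing it with SCA-oriented fields reduces every finding with the same advisory id to one hash and silently merges distinct locations, while a SAST field set keyed on title, path and line keeps them apart. `cvss_score` checks `cvssSeverities` before the deprecated `cvss` object so the parser keeps working both before and after GitHub removes the old field, and an empty or zero score is treated as absent rather than as a real score of 0.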