From 5f24480cccac86018d6d780519d2f7d2e0e93a38 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 31 Oct 2025 15:29:23 -0600 Subject: [PATCH] fix(CycloneDXJSONParser): handle missing severity field by defaulting to "Medium" --- dojo/tools/cyclonedx/json_parser.py | 5 +++- unittests/scans/cyclonedx/no-severity.json | 35 ++++++++++++++++++++++ unittests/tools/test_cyclonedx_parser.py | 14 +++++++++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 unittests/scans/cyclonedx/no-severity.json diff --git a/dojo/tools/cyclonedx/json_parser.py b/dojo/tools/cyclonedx/json_parser.py index a53b9dd799d..73cda102c1f 100644 --- a/dojo/tools/cyclonedx/json_parser.py +++ b/dojo/tools/cyclonedx/json_parser.py @@ -36,7 +36,10 @@ def _get_findings_json(self, file, test): # better than always 'Medium' ratings = vulnerability.get("ratings") if ratings: - severity = ratings[0]["severity"] + # Determine if we can use the severity field + # In some cases, the severity field is missing, so we can rely on either the Medium severity + # or the CVSS vector (retrieved further down below) to determine the severity: + severity = ratings[0].get("severity", "Medium") severity = Cyclonedxhelper().fix_severity(severity) else: severity = "Medium" diff --git a/unittests/scans/cyclonedx/no-severity.json b/unittests/scans/cyclonedx/no-severity.json new file mode 100644 index 00000000000..ed12833bc5c --- /dev/null +++ b/unittests/scans/cyclonedx/no-severity.json @@ -0,0 +1,35 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "version": 1, + "metadata": { + "timestamp": "2025-10-28T14:38:10Z" + }, + "vulnerabilities": [ + { + "id": "CVE-2021-44228", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "ratings": [ + { + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "score": 10.0, + "method": "CVSSv3", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } + ], + "created": "2025-09-05T05:05:47Z", + "updated": "2025-03-03T16:51:00Z", + "affects": [ + { + "ref": "gerbwetbqt" + } + ] + } + ] +} diff --git a/unittests/tools/test_cyclonedx_parser.py b/unittests/tools/test_cyclonedx_parser.py index 898d649c38b..e98b5338ff8 100644 --- a/unittests/tools/test_cyclonedx_parser.py +++ b/unittests/tools/test_cyclonedx_parser.py @@ -357,3 +357,17 @@ def test_cyclonedx_issue_8022(self): self.assertIn(finding.severity, Finding.SEVERITIES) finding.clean() self.assertEqual(1, len(findings)) + + def test_cyclonedx_no_severity(self): + """CycloneDX version 1.4 JSON format""" + with (get_unit_tests_scans_path("cyclonedx") / "no-severity.json").open(encoding="utf-8") as file: + parser = CycloneDXParser() + findings = parser.get_findings(file, Test()) + self.assertEqual(1, len(findings)) + finding = findings[0] + # There is so little information in the vulnerability, that we cannot build a proper title + self.assertEqual("None:None | CVE-2021-44228", finding.title) + self.assertEqual("Critical", finding.severity) + # The score will be evaluated when the finding save method is ran + # self.assertEqual(10.0, finding.cvssv3_score) + self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", finding.cvssv3)