diff --git a/dojo/tools/nancy/parser.py b/dojo/tools/nancy/parser.py
index 2d4f4d986eb..8bc00c10fd8 100644
--- a/dojo/tools/nancy/parser.py
+++ b/dojo/tools/nancy/parser.py
@@ -34,14 +34,24 @@ def get_findings(self, scan_file, test):
         return findings
 
+    def convert_cvss_score(self, raw_value):
+        if raw_value is None:
+            return "Info"
+        val = float(raw_value)
+        if val == 0.0:
+            return "Info"
+        if val < 4.0:
+            return "Low"
+        if val < 7.0:
+            return "Medium"
+        if val < 9.0:
+            return "High"
+        return "Critical"
+
     def get_items(self, vulnerable, test):
         findings = []
         for vuln in vulnerable:
             finding = None
-            severity = "Info"
-            # the tool does not define severity, however it
-            # provides CVSSv3 vector which will calculate
-            # severity dynamically on save()
             references = []
             if vuln["Vulnerabilities"]:
                 comp_name = vuln["Coordinates"].split(":")[1].split("@")[0]
@@ -57,7 +67,7 @@ def get_items(self, vulnerable, test):
                         title=associated_vuln["Title"],
                         description=associated_vuln["Description"],
                         test=test,
-                        severity=severity,
+                        severity=self.convert_cvss_score(associated_vuln["CvssScore"]),
                         component_name=comp_name,
                         component_version=comp_version,
                         false_p=False,
diff --git a/unittests/tools/test_nancy_parser.py b/unittests/tools/test_nancy_parser.py
index 09b3194360d..f233aaf7691 100644
--- a/unittests/tools/test_nancy_parser.py
+++ b/unittests/tools/test_nancy_parser.py
@@ -18,7 +18,7 @@ def test_nancy_parser_with_one_vuln_has_one_findings(self):
         self.assertEqual(1, len(findings))
         with self.subTest(i=0):
             finding = findings[0]
-            self.assertEqual("Info", finding.severity)
+            self.assertEqual("Medium", finding.severity)
             self.assertIsNotNone(finding.description)
             self.assertGreater(len(finding.description), 0)
             self.assertEqual(None, finding.cve)
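Review bot: `val = float(raw_value)` in the new convert_cvss_score raises ValueError on a non-numeric CvssScore (an empty string or a placeholder text), which aborts the whole scan import instead of degrading that one finding; the `is None` guard above it covers only the missing case. Since this method turns untrusted tool output into a severity, the parse step should be guarded and fall back to "Info" like the None path does, and the method should carry a one-line docstring stating the mapping and that fallback. The removed comment said severity used to be derived from the CVSSv3 vector on save(); if that still happens, the explicitly set severity and the vector-derived one could disagree, which is worth a short comment at the call site once confirmed. The method does not read self, so it could be a @staticmethod.
```python
    def convert_cvss_score(self, raw_value):
        """Map a CVSS base score (0-10) to a DefectDojo severity label; missing or unparsable scores become "Info"."""
        try:
            val = float(raw_value)
        except (TypeError, ValueError):
            return "Info"
        # … unchanged: threshold ladder from 0.0/Info up to Critical …
```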
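Review bot: `associated_vuln["CvssScore"]` on the new severity= line raises KeyError when a vulnerability record has no CvssScore key, so the None handling inside convert_cvss_score is unreachable from this call site. Using `severity=self.convert_cvss_score(associated_vuln.get("CvssScore")),` lets a record without a score degrade to "Info" rather than failing the whole import, matching how the helper already treats None. get_items starts and ends outside this hunk, so I cannot tell whether the surrounding loop catches per-record errors.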