diff --git a/dojo/tools/qualys/parser.py b/dojo/tools/qualys/parser.py index c629bcf28cd..0300ee43ff7 100644 --- a/dojo/tools/qualys/parser.py +++ b/dojo/tools/qualys/parser.py @@ -311,22 +311,16 @@ def parse_finding(host, tree): split_cvss(cvss2, temp) # DefectDojo does not support cvssv2 temp["CVSS_vector"] = None - # CVE and LINKS - temp_cve_details = vuln_item.iterfind("CVE_ID_LIST/CVE_ID") - if temp_cve_details: - cl = { - cve_detail.findtext("ID"): cve_detail.findtext("URL") - for cve_detail in temp_cve_details - } - temp["cve"] = "\n".join(list(cl.keys())) - temp["links"] = "\n".join(list(cl.values())) + temp_cve_details = [(cve.findtext("ID"), cve.findtext("URL")) for cve in vuln_item.iterfind("CVE_ID_LIST/CVE_ID")] + temp["cve_list"] = [cve_id for cve_id, _ in temp_cve_details if cve_id] + temp["links"] = [url for _, url in temp_cve_details if url] # Generate severity from number in XML's 'SEVERITY' field, if not present default to 'Informational' sev = get_severity(vuln_item.findtext("SEVERITY")) finding = None if temp_cve_details: - refs = "\n".join(list(cl.values())) + refs = temp.get("links", "") finding = Finding( title="QID-" + gid[4:] + " | " + temp["vuln_name"], mitigation=temp["solution"], @@ -363,6 +357,7 @@ def parse_finding(host, tree): finding.verified = True finding.unsaved_endpoints = [] finding.unsaved_endpoints.append(ep) + finding.unsaved_vulnerability_ids = temp.get("cve_list", []) ret_rows.append(finding) return ret_rows diff --git a/unittests/tools/test_qualys_parser.py b/unittests/tools/test_qualys_parser.py index b7d9f95b944..457588a70c0 100644 --- a/unittests/tools/test_qualys_parser.py +++ b/unittests/tools/test_qualys_parser.py @@ -151,10 +151,38 @@ def test_parse_file_with_cvss_values_and_scores(self): for finding in findings: if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)": finding_cvssv3_score = finding + self.assertEqual( + finding.unsaved_vulnerability_ids, + [ + "CVE-2018-8930", + "CVE-2018-8931", + "CVE-2018-8932", + "CVE-2018-8933", + "CVE-2018-8934", + "CVE-2018-8935", + "CVE-2018-8936", + ], + ) if finding.unsaved_endpoints[0].host == "demo13.s02.sjc01.qualys.com" and finding.title == "QID-370876 | AMD Processors Multiple Security Vulnerabilities (RYZENFALL/MASTERKEY/CHIMERA-FW/FALLOUT)": finding_no_cvssv3_at_detection = finding + self.assertEqual( + finding.unsaved_vulnerability_ids, + [ + "CVE-2018-8930", + "CVE-2018-8931", + "CVE-2018-8932", + "CVE-2018-8933", + "CVE-2018-8934", + "CVE-2018-8935", + "CVE-2018-8936", + ], + ) if finding.unsaved_endpoints[0].host == "demo14.s02.sjc01.qualys.com" and finding.title == 'QID-121695 | NTP "monlist" Feature Denial of Service Vulnerability': finding_no_cvssv3 = finding + self.assertEqual( + finding.unsaved_vulnerability_ids, + ["CVE-2013-5211"], + ) # The CVSS Vector is not used from the Knowledgebase self.assertEqual( # CVSS_FINAL is defined without a cvssv3 vector