From 18a0e421ab89daeb9c64bbf3f6028cf74c69457b Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 24 Nov 2025 08:37:37 +0100
Subject: [PATCH 1/3] :tada: Add 'fix_available' field to zora parser
---
 dojo/tools/zora/parser.py | 6 ++++--
 unittests/scans/zora/scan_many.csv | 4 ++--
 unittests/tools/test_zora_parser.py | 10 +++++++++-
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/dojo/tools/zora/parser.py b/dojo/tools/zora/parser.py
index eee4cf9dfd0..1f128f649ef 100644
--- a/dojo/tools/zora/parser.py
+++ b/dojo/tools/zora/parser.py
@@ -43,8 +43,6 @@ def get_findings(self, content, test: Test) -> list[Finding]:
 description += f"**Image**: {row.get('image')}\n"
 description += f"**ID**: {row.get('id')}\n"
 description += f"**Details**: {row.get('description')}\n"
- if row.get("fixVersion"):
- description += f"**Fix Version**: {row.get('fixVersion')}\n"
 mitigation = row.get("description", "")
 unique_id = f"{row.get('source')}-{row.get('image')}-{row.get('id')}"
 status = row.get("status", "").upper()
@@ -60,6 +58,10 @@ def get_findings(self, content, test: Test) -> list[Finding]:
 test=test,
 is_mitigated=is_mitigated,
 )
+ if row.get("fixVersion") and row.get("fixVersion") != "":
+ finding.fix_available = True
+ else:
+ finding.fix_available = False
 vuln_id = row.get("id")
 if vuln_id:
 finding.unsaved_vulnerability_ids = [vuln_id]
diff --git a/unittests/scans/zora/scan_many.csv b/unittests/scans/zora/scan_many.csv
index e36dc0dd49e..581cb11e9a0 100644
--- a/unittests/scans/zora/scan_many.csv
+++ b/unittests/scans/zora/scan_many.csv
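Review bot: The truthiness test on `row.get("fixVersion")` in the second parser.py hunk treats any non-empty cell as an available fix, so should a scanner ever emit a cell containing only whitespace, `fix_available` would be set to `True` on the strength of blanks; the CSV is scanner output the parser does not control, so normalise before deciding: `fix_version = (row.get("fixVersion") or "").strip()` followed by `finding.fix_available = bool(fix_version)`. The same truthiness check is carried into the rewritten condition in patches 2/3 of this series, so the normalisation belongs wherever the final form lands rather than in this hunk alone. get_findings starts and ends outside both hunks.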
@@ -21,7 +21,7 @@ public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. -The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","3.3.3-r0" +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.","" "Trivy","ghcr.io/undistro/popeye:0.21","CVE-2024-13176","openssl: Timing side-channel in ECDSA signature computation","MEDIUM","fixed","Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. @@ -38,7 +38,7 @@ process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. -The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.","3.3.2-r2" +The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.", "Trivy","ghcr.io/undistro/popeye:0.21","CVE-2025-9230","openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap","MEDIUM","fixed","Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. diff --git a/unittests/tools/test_zora_parser.py b/unittests/tools/test_zora_parser.py index 48978a31578..ab4a4f38d61 100644 --- a/unittests/tools/test_zora_parser.py +++ b/unittests/tools/test_zora_parser.py 
@@ -19,8 +19,16 @@ def test_parse_file_with_many_vuln_has_many_findings(self):
 findings = parser.get_findings(content, Test())
 self.assertEqual(198, len(findings)) # Adjust based on your test file
 # Check a specific finding for correctness
+ finding = findings[0]
+ self.assertEqual(True, finding.fix_available)
+ finding = findings[1]
+ self.assertEqual(False, finding.fix_available)
+ finding = findings[2]
+ self.assertEqual(False, finding.fix_available)
+ finding = findings[3]
+ self.assertEqual(True, finding.fix_available)
 finding = findings[10]
 self.assertEqual("net/url: Insufficient validation of bracketed IPv6 hostnames in net/url", finding.title)
 self.assertEqual("Medium", finding.severity)
 self.assertTrue(finding.unique_id_from_tool.startswith(f"{finding.description.splitlines()[0].split(': ')[1]}"))
- self.assertIn("Fix Version", finding.description)
+ self.assertEqual('**Source**: Trivy\n**Image**: ghcr.io/undistro/popeye:0.21\n**ID**: CVE-2025-47912\n**Details**: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.\n', finding.description)

From d6a26ad1c09040819b592737c2d61796b884456c Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 24 Nov 2025 08:43:53 +0100
Subject: [PATCH 2/3] ruff
---
 dojo/tools/zora/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/zora/parser.py b/dojo/tools/zora/parser.py
index 1f128f649ef..31b91b7a1ac 100644
--- a/dojo/tools/zora/parser.py
+++ b/dojo/tools/zora/parser.py
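Review bot: `self.assertEqual(True, finding.fix_available)` and the `False` variants in the added lines read better and fail more helpfully as `self.assertTrue(finding.fix_available)` / `self.assertFalse(finding.fix_available)`; the same applies to the `self.assertEqual(None, finding.fix_version)` lines patch 3 adds to this test, where `assertIsNone` is the idiom. The expectations for indices 0–3 depend on which fixture rows this commit blanks, and nothing in the test says so; a comment before the first added line, naming the two scan_many.csv rows whose fixVersion was emptied and that index 1 and 2 correspond to them, would make the assertions traceable when the fixture changes again. The test method's body starts outside the hunk.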
@@ -58,7 +58,7 @@ def get_findings(self, content, test: Test) -> list[Finding]:
 test=test,
 is_mitigated=is_mitigated,
 )
- if row.get("fixVersion") and row.get("fixVersion") != "":
+ if row.get("fixVersion"):
 finding.fix_available = True
 else:
 finding.fix_available = False

From 525c3d6dab79a019386295a330ed94438ec8a68b Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Mon, 24 Nov 2025 17:13:37 +0100
Subject: [PATCH 3/3] review
---
 dojo/tools/zora/parser.py | 1 +
 unittests/tools/test_zora_parser.py | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/dojo/tools/zora/parser.py b/dojo/tools/zora/parser.py
index 31b91b7a1ac..4768a79263c 100644
--- a/dojo/tools/zora/parser.py
+++ b/dojo/tools/zora/parser.py
@@ -60,6 +60,7 @@ def get_findings(self, content, test: Test) -> list[Finding]:
 )
 if row.get("fixVersion"):
 finding.fix_available = True
+ finding.fix_version = row.get("fixVersion")
 else:
 finding.fix_available = False
 vuln_id = row.get("id")
diff --git a/unittests/tools/test_zora_parser.py b/unittests/tools/test_zora_parser.py
index ab4a4f38d61..9ad4cc61055 100644
--- a/unittests/tools/test_zora_parser.py
+++ b/unittests/tools/test_zora_parser.py
@@ -21,12 +21,16 @@ def test_parse_file_with_many_vuln_has_many_findings(self):
 # Check a specific finding for correctness
 finding = findings[0]
 self.assertEqual(True, finding.fix_available)
+ self.assertEqual("1.2.5-r1", finding.fix_version)
 finding = findings[1]
 self.assertEqual(False, finding.fix_available)
+ self.assertEqual(None, finding.fix_version)
 finding = findings[2]
 self.assertEqual(False, finding.fix_available)
+ self.assertEqual(None, finding.fix_version)
 finding = findings[3]
 self.assertEqual(True, finding.fix_available)
+ self.assertEqual("3.3.5-r0", finding.fix_version)
 finding = findings[10]
 self.assertEqual("net/url: Insufficient validation of bracketed IPv6 hostnames in net/url", finding.title)
 self.assertEqual("Medium", finding.severity)
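Review bot: In the patch-3 parser.py hunk, `fix_version` is assigned only on the truthy branch, so a finding without a fix silently relies on whatever default the model gives `fix_version` (the test expects `None`), and `row.get("fixVersion")` is evaluated twice for the same row. Binding the value once makes both fields explicit in every case: `fix_version = row.get("fixVersion") or None`, `finding.fix_available = fix_version is not None`, `finding.fix_version = fix_version`. That replaces the whole if/else with three lines and preserves the current result for missing and empty cells. get_findings continues outside the hunk.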