From ca3dc425fc97eb8deb7c9588f1b22dfe6f508dfd Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Thu, 19 Sep 2024 00:45:58 -0500
Subject: [PATCH] Semgrep Parser: Add new severities
---
dojo/tools/semgrep/parser.py | 11 ++-
.../semgrep/high-medium-low-severities.json | 95 +++++++++++++++++++
unittests/tools/test_semgrep_parser.py | 6 ++
3 files changed, 108 insertions(+), 4 deletions(-)
create mode 100644 unittests/scans/semgrep/high-medium-low-severities.json
diff --git a/dojo/tools/semgrep/parser.py b/dojo/tools/semgrep/parser.py
index aa4f730750..e64615ec53 100644
--- a/dojo/tools/semgrep/parser.py
+++ b/dojo/tools/semgrep/parser.py
@@ -130,13 +130,16 @@ def get_findings(self, filename, test):
return list(dupes.values())
def convert_severity(self, val):
- if "CRITICAL" == val.upper():
+ upper_value = val.upper()
+ if upper_value == "CRITICAL":
return "Critical"
- elif "WARNING" == val.upper():
+ elif upper_value in ["WARNING", "MEDIUM"]:
return "Medium"
- elif "ERROR" == val.upper() or "HIGH" == val.upper():
+ elif upper_value in ["ERROR", "HIGH"]:
return "High"
- elif "INFO" == val.upper():
+ elif upper_value == "LOW":
+ return "Low"
+ elif upper_value == "INFO":
return "Info"
else:
msg = f"Unknown value for severity: {val}"
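Review bot: The rewritten chain in convert_severity is a pure label-to-name lookup spelled out as five `if`/`elif` branches with list literals for membership, which is harder to extend than a class-level dict mapping each Semgrep label to the DefectDojo name; a `_SEVERITY_MAP` plus one `.get()` keeps the unknown-value branch intact and makes the next label a one-line addition (at minimum, the lists in `elif upper_value in ["WARNING", "MEDIUM"]` and `elif upper_value in ["ERROR", "HIGH"]` should be tuples). `val.upper()` still runs before any validation, so a non-string `severity` (for instance a missing key passed through as None, depending on the caller outside this hunk) raises AttributeError instead of the parser's own "Unknown value for severity" error. The new unit test in test_semgrep_parser.py asserts only the finding count, so a wrong mapping would go unnoticed; asserting `findings[0].severity == "Low"` against the LOW fixture would pin it. The body of convert_severity continues past the hunk.
```python
    # Semgrep emits both the legacy ERROR/WARNING/INFO labels and the newer
    # CRITICAL/HIGH/MEDIUM/LOW ones; both spellings map onto DefectDojo names.
    _SEVERITY_MAP = {
        "CRITICAL": "Critical",
        "ERROR": "High",
        "HIGH": "High",
        "WARNING": "Medium",
        "MEDIUM": "Medium",
        "LOW": "Low",
        "INFO": "Info",
    }

    def convert_severity(self, val):
        """Return the DefectDojo severity name for a Semgrep severity label.

        Raises the existing unknown-value error for labels not in the map.
        """
        severity = self._SEVERITY_MAP.get(val.upper())
        if severity is not None:
            return severity
        # … unchanged: build msg and raise for an unknown value …
```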
diff --git a/unittests/scans/semgrep/high-medium-low-severities.json b/unittests/scans/semgrep/high-medium-low-severities.json
new file mode 100644
index 0000000000..c2fd9c8714
--- /dev/null
+++ b/unittests/scans/semgrep/high-medium-low-severities.json
@@ -0,0 +1,95 @@
+ {
+ "errors": [],
+ "interfile_languages_used": [],
+ "paths": {
+ "scanned": []
+ },
+ "results": [
+ {
+ "check_id": "rules.sast.dev.generic.internal.detect-cdn-usage-react-express",
+ "end": {
+ "col": 89,
+ "line": 48,
+ "offset": 1772
+ },
+ "extra": {
+ "engine_kind": "OSS",
+ "fingerprint": "d30b51e68d2d56fb34e5a87920208e0f18b71dbec62b2ad91d1b55e566c5796c64b1e161d7fd3c0f65834756474c0617c29b7c5bd76b76f14f2d3fc537a664b9_0",
+ "is_ignored": false,
+ "lines": "",
+ "message": "Potential CDN usage detected. Consider removing or replacing CDN references to comply with GDPR and also avoid supply chain risk",
+ "metadata": {
+ "category": "security",
+ "technology": "cdn"
+ },
+ "metavars": {},
+ "severity": "LOW",
+ "validation_state": "NO_VALIDATOR"
+ },
+ "path": "/Users/user.example/git/company/full-codebase/company/lead-magnet/src/templates/base.html.twig",
+ "start": {
+ "col": 1,
+ "line": 48,
+ "offset": 1684
+ }
+ },
+ {
+ "check_id": "rules.sast.dev.generic.internal.detect-cdn-usage-react-express",
+ "end": {
+ "col": 206,
+ "line": 49,
+ "offset": 1978
+ },
+ "extra": {
+ "engine_kind": "OSS",
+ "fingerprint": "d30b51e68d2d56fb34e5a87920208e0f18b71dbec62b2ad91d1b55e566c5796c64b1e161d7fd3c0f65834756474c0617c29b7c5bd76b76f14f2d3fc537a664b9_1",
+ "is_ignored": false,
+ "lines": "",
+ "message": "Potential CDN usage detected. Consider removing or replacing CDN references to comply with GDPR and also avoid supply chain risk",
+ "metadata": {
+ "category": "security",
+ "technology": "cdn"
+ },
+ "metavars": {},
+ "severity": "LOW",
+ "validation_state": "NO_VALIDATOR"
+ },
+ "path": "/Users/user.example/git/company/full-codebase/company/lead-magnet/src/templates/base.html.twig",
+ "start": {
+ "col": 1,
+ "line": 49,
+ "offset": 1773
+ }
+ },
+ {
+ "check_id": "rules.sast.dev.generic.internal.detect-cdn-usage-react-express",
+ "end": {
+ "col": 203,
+ "line": 50,
+ "offset": 2181
+ },
+ "extra": {
+ "engine_kind": "OSS",
+ "fingerprint": "d30b51e68d2d56fb34e5a87920208e0f18b71dbec62b2ad91d1b55e566c5796c64b1e161d7fd3c0f65834756474c0617c29b7c5bd76b76f14f2d3fc537a664b9_2",
+ "is_ignored": false,
+ "lines": "{% block javascripts %}{% endblock %}",
+ "message": "Potential CDN usage detected. Consider removing or replacing CDN references to comply with GDPR and also avoid supply chain risk",
+ "metadata": {
+ "category": "security",
+ "technology": "cdn"
+ },
+ "metavars": {},
+ "severity": "LOW",
+ "validation_state": "NO_VALIDATOR"
+ },
+ "path": "/Users/user.example/git/company/full-codebase/company/lead-magnet/src/templates/base.html.twig",
+ "start": {
+ "col": 1,
+ "line": 50,
+ "offset": 1979
+ }
+ }
+ ],
+ "skipped_rules": [],
+ "version": "1.84.1"
+}
\ No newline at end of file
diff --git a/unittests/tools/test_semgrep_parser.py b/unittests/tools/test_semgrep_parser.py
index 6892b0b849..8729e4cc00 100644
--- a/unittests/tools/test_semgrep_parser.py
+++ b/unittests/tools/test_semgrep_parser.py
@@ -121,6 +121,12 @@ def test_parse_issue_8435(self):
findings = parser.get_findings(testfile, Test())
self.assertEqual(1, len(findings))
+ def test_parse_low_medium_high_severity(self):
+ with open("unittests/scans/semgrep/high-medium-low-severities.json", encoding="utf-8") as testfile:
+ parser = SemgrepParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(3, len(findings))
+
def test_parse_sca_deployments_vulns(self):
with open("unittests/scans/semgrep/sca-deployments-vulns.json", encoding="utf-8") as testfile:
parser = SemgrepParser()