Importer/sca #16
base: main
Conversation
end
end

# parse each software_composition_analysis > ... > vulnerability
xml.root.xpath('.//xmlns:vulnerability').each do |xml_vuln|
Do we really need to go back all the way to xml.root? And if so, use //? That should be reserved for when the search item is in multiple different parts of the XML structure, because it's recursive and time consuming.
If the vulnerability items are in a predictable location (sca > etc. >) we can do better than this catch-all.
(and at the same time fix L38)
Updated this to search based on the specific nesting we expect:
xml.root.xpath('xmlns:software_composition_analysis/xmlns:vulnerable_components//xmlns:vulnerability')
and updated L38 to do the same:
xml_severity.xpath('./xmlns:category/xmlns:cwe/xmlns:staticflaws/xmlns:flaw')
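The point made in the review above, a recursive `.//` search from `xml.root` versus a path that follows the nesting the report guarantees, in runnable form. This is an added example, not code from the PR or the importer: it uses Ruby's standard REXML with an explicit `v:` prefix mapping where the PR relies on Nokogiri binding the default namespace to `xmlns:` automatically, and the namespace URI, attribute names and the stray `<vulnerability>` element outside the SCA block are all constructed for illustration.

```ruby
require "rexml/document"
require "rexml/xpath"

# Constructed sample shaped like a Veracode detailed report: a default
# namespace on the root, an SCA block holding the findings we want to import,
# and (constructed for illustration) a <vulnerability> element outside that
# block. The namespace URI and attribute names are placeholders.
NS = "urn:example:veracode-report"

SAMPLE_XML = <<~XML
  <detailedreport xmlns="#{NS}" app_name="demo">
    <static-analysis>
      <notes><vulnerability cve_id="CVE-0000-0001" severity="3"/></notes>
    </static-analysis>
    <software_composition_analysis>
      <vulnerable_components>
        <component file_name="lib-a.jar">
          <vulnerabilities>
            <vulnerability cve_id="CVE-0000-0002" severity="4"/>
            <vulnerability cve_id="CVE-0000-0003" severity="2"/>
          </vulnerabilities>
        </component>
        <component file_name="lib-b.jar">
          <vulnerabilities>
            <vulnerability cve_id="CVE-0000-0004" severity="5"/>
          </vulnerabilities>
        </component>
      </vulnerable_components>
    </software_composition_analysis>
  </detailedreport>
XML

# REXML needs an explicit prefix for the default namespace; Nokogiri binds the
# same namespace to "xmlns:" on its own, which is what the PR's queries use.
PREFIX = { "v" => NS }.freeze

def parse_report(xml_text)
  REXML::Document.new(xml_text)
end

# Catch-all: recursive search from the root, as in the original PR line.
# It walks the whole tree and returns every <vulnerability> wherever it sits,
# including the one that is not an SCA finding at all.
def vulnerabilities_anywhere(doc)
  REXML::XPath.match(doc.root, ".//v:vulnerability", PREFIX)
end

# Scoped: follow the nesting the report guarantees, so the walk is confined
# to the SCA subtree and nothing outside it can leak into the import.
def sca_vulnerabilities(doc)
  REXML::XPath.match(
    doc.root,
    "v:software_composition_analysis/v:vulnerable_components//v:vulnerability",
    PREFIX
  )
end

def cve_ids(elements)
  elements.map { |e| e.attributes["cve_id"] }
end

# Build the records an importer would store: the CVE, its severity and the
# component it was found in (the nearest <component> ancestor).
def sca_findings(doc)
  sca_vulnerabilities(doc).map do |vuln|
    component = REXML::XPath.first(vuln, "ancestor::v:component", PREFIX)
    {
      cve: vuln.attributes["cve_id"],
      severity: vuln.attributes["severity"].to_i,
      component: component.attributes["file_name"]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  doc = parse_report(SAMPLE_XML)
  puts "catch-all .// finds: #{cve_ids(vulnerabilities_anywhere(doc)).join(', ')}"
  puts "scoped path finds:   #{cve_ids(sca_vulnerabilities(doc)).join(', ')}"
  sca_findings(doc).each do |f|
    puts "#{f[:component]}: #{f[:cve]} (severity #{f[:severity]})"
  end
end
```

On the sample, the catch-all returns four elements and the scoped path three; the difference is the element placed outside the SCA block. The scoped query also never descends into the rest of the report, which is the cost argument the reviewer raises.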
Spec
The current Veracode upload integration does not import findings under the <software_composition_analysis> section of the output. Users have requested to have these included in the import.
Proposed solution
Veracode files have a <software_composition_analysis> section that we also need to export as requested by HP.
This task performs the following changes:
Check List