Importer/sca

[aapomm]

Spec

The current Veracode upload integration does not import findings under the <software_composition_analysis> section of the output. Users have requested to have these included in the import

Proposed solution

Veracode files have a <software_composition_analysis> section that we also need to export as requested by HP.

This task performs the following changes:

• Add .sample file to include software_composition_analysis block
• Add default mappings and issue and evidence source fields to mapping.rb
• In importer.rb, check for the presence of software_composition_analysis/vulnerable_components and if present, process sca findings
• Add model for sca vulnerability and sca evidence
• Pull out parse_flaw method into a formats/flaw.rb file and create a formats/vulnerability.rb file
• Update specs

I assign all rights, including copyright, to any future Dradis
work by myself to Security Roots.

Check List

• Added a CHANGELOG entry
• Added specs

[etdsoft]

Do we really need to go back all the way to xml.root? And if so, us //? That should be reserved for when the search item is in multiple different parts of the XML structure because it's recursive and time consuming.

If the vulnerability items are in a predictable location (sca>etc.>) we can do better than this catch-all.

(and at the same time fix L38)

[caitmich]

Updated this to search based on the specific nesting we expect

xml.root.xpath( 'xmlns:software_composition_analysis/xmlns:vulnerable_components//xmlns:vulnerability')

and updated L38 to do the same

xml_severity.xpath('./xmlns:category/xmlns:cwe/xmlns:staticflaws/xmlns:flaw')