Mend Scan test type - too generic with new Mend changes #9886

Open
1 of 3 tasks
testaccount90009 opened this issue Apr 5, 2024 · 3 comments

@testaccount90009 (Contributor):

Bug description
The Bug Description is that the 'Mend Scan' test type does not support the updated Platform 3.0 API schema for Findings. Mend has a legacy API for SCA and SAST as separate products, for which the 'SCA' is what is mapped to the Mend Scan parser for DefectDojo currently. This is an issue, since with the new Mend Platform 3.0 API that combines SAST and SCA offerings into one portal, the format of those SCA-findings.json and SAST-findings.json differ from the expectation of the Mend Scan legacy parser.

Mend Scan should be updated/renamed to reflect that, while two new parsers should ideally be created to accept 'Mend Scan SCA Platform' and 'Mend Scan SAST Platform' scan types, since those are two new offerings from Mend.

The reason I select 'Bug' is because if I try to reimport the 3.0 Platform API sca-findings.json results into DefectDojo as the 'Mend Scan' test type, the issues all become Closed, even though in the json file there are Findings.

Steps to reproduce
Steps to reproduce the behavior:

  1. Produce Mend Scan from legacy Mend SCA portal and see findings.json map to Mend Scan.
  2. Produce Mend Scan from new Mend Platform and see sca-findings.json reimport to Mend Scan and close all the Findings - even though they should be Active since there are Findings contained in the sca-findings.json files.
  3. No way to select Mend SAST as reimport scan type either.

Expected behavior
Expected behavior is of course that the Mend Scan should reimport the Findings just fine. Seems to be an issue with the structure/format of the new Mend Platform findings and is changed from the old Mend Legacy SCA platform. This will most definitely cause issues and confusion going forward.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: Ubuntu 22.04
  • DefectDojo version = 2.32.3

Logs
NA - Logs show fine, no errors.

Sample scan files
Will look to scrub sample data to provide to show differences.

Additional context (optional)
I would have noted this as a Feature Request, but if I select a 'Mend Scan' test type and upload and it closes everything with no error, even though there are Findings in the .json, then of course this would be a bug due to parser expectations and the changes on Mend's side, with DefectDojo needing additional parsers to handle this.

@testaccount90009 (Contributor, Author):

mend-legacy-sca.json
mend-platform-sca.json

I've uploaded sample files here.
mend-legacy-sca.json is the existing and currently working 'legacy' SCA output file.
mend-platform-sca.json is the new and not working 'platform' SCA output file.

I did not provide a SAST scan, but I can if one would be helpful for the Static Analysis parser for the Unified Platform Mend Scan.

@testaccount90009 (Contributor, Author):

To add - I've scrubbed all mentions of IP data, in addition to manipulating specific Uuid strings to add other values, so they are not exact/real from those two json output files.

@testaccount90009 (Contributor, Author):

It should also be mentioned that from Mend Legacy to Mend Platform, 'product' is being renamed to 'application'.

In the 'platform-sca.json' you should notice 'path' and 'application' - but no 'product' field.
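The failure mode described in this issue (a parser that quietly yields zero findings on an unfamiliar schema, so a reimport closes everything) can be guarded against by detecting the format first and refusing a mismatch. The following is an added example, not DefectDojo's Mend parser and not Mend's real schema: it only uses the key difference the reporter describes ('product' in legacy output, 'application' plus 'path' in Platform output), and the `findings` / `name` / `severity` fields and both sample files are constructed assumptions.

```python
import json

LEGACY_KEY = "product"        # top-level key in legacy Mend SCA output (per the issue)
PLATFORM_KEY = "application"  # replaces 'product' in Mend Platform 3.0 output (per the issue)


class UnsupportedMendFormat(Exception):
    """Raised instead of silently returning an empty finding list."""


def detect_mend_format(data):
    """Classify a parsed JSON document as 'legacy' or 'platform', else refuse it."""
    if not isinstance(data, dict):
        raise UnsupportedMendFormat("expected a JSON object at the top level")
    if LEGACY_KEY in data and PLATFORM_KEY not in data:
        return "legacy"
    if PLATFORM_KEY in data and "path" in data and LEGACY_KEY not in data:
        return "platform"
    raise UnsupportedMendFormat("unrecognised key set: %s" % sorted(data))


def get_findings(raw, expected_format):
    """Parse `raw` as `expected_format`; a mismatch raises rather than yielding nothing.

    The 'findings' list and its 'name'/'severity' fields are assumptions for this example.
    """
    data = json.loads(raw)
    actual = detect_mend_format(data)
    if actual != expected_format:
        raise UnsupportedMendFormat(
            "file is %s format but scan type expects %s" % (actual, expected_format))
    scope = data[LEGACY_KEY if actual == "legacy" else PLATFORM_KEY]
    return [{"title": f["name"], "severity": f["severity"], "scope": scope}
            for f in data.get("findings", [])]


def reimport_outcome(raw, expected_format):
    """What a reimport would see: 'findings:N' or 'rejected:<reason>' (never a silent 0)."""
    try:
        return "findings:%d" % len(get_findings(raw, expected_format))
    except UnsupportedMendFormat as exc:
        return "rejected:%s" % exc


# Constructed samples mimicking only the key difference reported in the issue.
LEGACY_SAMPLE = json.dumps({"product": "demo-app",
                            "findings": [{"name": "EXAMPLE-0001 in lib-a", "severity": "high"}]})
PLATFORM_SAMPLE = json.dumps({"application": "demo-app", "path": "org/demo-app",
                              "findings": [{"name": "EXAMPLE-0002 in lib-b", "severity": "medium"}]})

if __name__ == "__main__":
    print(reimport_outcome(LEGACY_SAMPLE, "legacy"))     # findings:1
    print(reimport_outcome(PLATFORM_SAMPLE, "legacy"))   # rejected:file is platform format ...
```

With this guard, uploading a Platform file under the legacy scan type produces an explicit rejection instead of an empty result that the reimport logic would treat as "all findings resolved".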
