Change of the compute severity for Aqua JSON parser (#4465)

* WIP: update the compute for severity * add a new test file * New compute for severity * New compute for severity * chore:flake8 * chore: fix cvss3 when having aqua_severity * add unitests for aqua severity and fix some others * add unitests for aqua severity and fix some others * chore: one test for speed Co-authored-by: Sebastien gioria <s.gioria@lectra.com>
DefectDojo · May 10, 2021 · 2539e52 · 2539e52
1 parent 591e1be
commit 2539e52
Show file tree

Hide file tree

Showing 3 changed files with 567 additions and 20 deletions.
diff --git a/dojo/tools/aqua/parser.py b/dojo/tools/aqua/parser.py
@@ -57,26 +57,32 @@ def get_item(resource, vuln, test):
     score = 0
     severity_justification = ""
     used_for_classification = ""
-    if 'aqua_score' in vuln:
-        score = vuln.get('aqua_score')
-        used_for_classification = "Aqua score ({}) used for classification.\n".format(score)
-    if 'vendor_score' in vuln:
-        score = vuln.get('vendor_score')
-        used_for_classification = "Vendor score ({}) used for classification.\n".format(score)
-    if 'nvd_score' in vuln:
-        score = vuln.get('nvd_score')
-        used_for_classification = "NVD score v2 ({}) used for classification.\n".format(score)
-        severity_justification += "\nNVD v2 vectors: {}".format(vuln.get('nvd_vectors'))
-    if 'nvd_score_v3' in vuln:
-        score = vuln.get('nvd_score_v3')
-        used_for_classification = "NVD score v3 ({}) used for classification.\n".format(score)
-        severity_justification += "\nNVD v3 vectors: {}".format(vuln.get('nvd_vectors_v3'))
-        # Add the CVSS3 to Finding
-        cvssv3 = vuln.get('nvd_vectors_v3')
-
-    severity_justification += "\n{}".format(used_for_classification)
-
-    severity = severity_of(score)
+    if 'aqua_severity' in vuln:
+        score = vuln.get('aqua_severity')
+        severity = aqua_severity_of(score)
+        used_for_classification = "Aqua security score ({}) used for classification.\n".format(score)
+        severity_justification = vuln.get('aqua_severity_classification')
+        if 'nvd_score_v3' in vuln:
+            cvssv3 = vuln.get('nvd_vectors_v3')
+    else:
+        if 'aqua_score' in vuln:
+            score = vuln.get('aqua_score')
+            used_for_classification = "Aqua score ({}) used for classification.\n".format(score)
+        elif 'vendor_score' in vuln:
+            score = vuln.get('vendor_score')
+            used_for_classification = "Vendor score ({}) used for classification.\n".format(score)
+        elif 'nvd_score_v3' in vuln:
+            score = vuln.get('nvd_score_v3')
+            used_for_classification = "NVD score v3 ({}) used for classification.\n".format(score)
+            severity_justification += "\nNVD v3 vectors: {}".format(vuln.get('nvd_vectors_v3'))
+            # Add the CVSS3 to Finding
+            cvssv3 = vuln.get('nvd_vectors_v3')
+        elif 'nvd_score' in vuln:
+            score = vuln.get('nvd_score')
+            used_for_classification = "NVD score v2 ({}) used for classification.\n".format(score)
+            severity_justification += "\nNVD v2 vectors: {}".format(vuln.get('nvd_vectors'))
+        severity = severity_of(score)
+        severity_justification += "\n{}".format(used_for_classification)
 
     return Finding(
         title=cve + " - " + resource_name + " (" + resource_version + ") ",
@@ -120,6 +126,19 @@ def get_item_v2(item, test):
                    mitigation=mitigation)
 
 
+def aqua_severity_of(score):
+    if score == 'high':
+        return "High"
+    if score == 'medium':
+        return "Medium"
+    elif score == 'low':
+        return "Low"
+    elif score == "negligible":
+        return "Info"
+    else:
+        return "Critical"
+
+
 def severity_of(score):
     if score == 0:
         return "Info"