Add parser for Sonarqube JSON result. (#9366)

* init parser * fix filename * add testcase * Update docs * strip severity beforce compare * rebase from upstream/dev * remove not need newline * fix flake8 * Update docs * update recommend version * add recommend version in parser description --------- Co-authored-by: biennd4 <biennd4@vcs.com>
DefectDojo · Jan 31, 2024 · 25df450 · 25df450
1 parent 41c683d
commit 25df450
Show file tree

Hide file tree

Showing 7 changed files with 608 additions and 61 deletions.
diff --git a/docs/content/en/integrations/parsers/file/sonarqube.md b/docs/content/en/integrations/parsers/file/sonarqube.md
@@ -4,21 +4,24 @@ toc_hide: true
 ---
 ## SonarQube Scan (Aggregates findings per cwe, title, description, file\_path.)
 
-SonarQube output file can be imported in HTML format.
+SonarQube output file can be imported in HTML format or JSON format. JSON format generated by options `--save-report-json` and have same behavior with HTML format.
 
 To generate the report, see
 <https://github.com/soprasteria/sonar-report>
 
 Version: \>= 1.1.0
+Recommend version for both format \>= 3.1.2
 
 ## SonarQube Scan Detailed (Import all findings from SonarQube html report.)
 
-SonarQube output file can be imported in HTML format.
+SonarQube output file can be imported in HTML format or JSON format. JSON format generated by options `--save-report-json` and have same behavior with HTML format.
 
 To generate the report, see
 <https://github.com/soprasteria/sonar-report>
 
-Version: \>= 1.1.0
+Version: \>= 1.1.0.
+Recommend version for both format \>= 3.1.2
+
 
 ### Sample Scan Data
-Sample SonarQube scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/sonarqube).
+Sample SonarQube scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/sonarqube).
diff --git a/dojo/tools/sonarqube/parser.py b/dojo/tools/sonarqube/parser.py
@@ -3,6 +3,7 @@
 
 from django.utils.html import strip_tags
 from lxml import etree
+import json
 
 from dojo.models import Finding
 
@@ -23,21 +24,88 @@ def get_label_for_scan_types(self, scan_type):
 
     def get_description_for_scan_types(self, scan_type):
         if scan_type == "SonarQube Scan":
-            return "Aggregates findings per cwe, title, description, file_path. SonarQube output file can be imported in HTML format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0"
+            return "Aggregates findings per cwe, title, description, file_path. SonarQube output file can be imported in HTML format or JSON format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0, recommend version >= 3.1.2"
         else:
-            return "Import all findings from sonarqube html report. SonarQube output file can be imported in HTML format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0"
+            return "Import all findings from sonarqube html report or JSON format. SonarQube output file can be imported in HTML format or JSON format. Generate with https://github.com/soprasteria/sonar-report version >= 1.1.0, recommend version >= 3.1.2"
 
     def get_findings(self, filename, test):
-        parser = etree.HTMLParser()
-        tree = etree.parse(filename, parser)
-        if self.mode not in [None, "detailed"]:
-            raise ValueError(
-                "Internal error: Invalid mode "
-                + self.mode
-                + ". Expected: one of None, 'detailed'"
-            )
+        if filename.name.strip().lower().endswith(".json"):
+            json_content = json.load(filename)
+            return self.get_json_items(json_content, test, self.mode)
+        else:
+            parser = etree.HTMLParser()
+            tree = etree.parse(filename, parser)
+            if self.mode not in [None, "detailed"]:
+                raise ValueError(
+                    "Internal error: Invalid mode "
+                    + self.mode
+                    + ". Expected: one of None, 'detailed'"
+                )
+
+            return self.get_items(tree, test, self.mode)
 
-        return self.get_items(tree, test, self.mode)
+    def get_json_items(self, json_content, test, mode):
+        dupes = dict()
+        rules = json_content["rules"]
+        issues = json_content["issues"]
+        for issue in issues:
+            key = issue["key"]
+            line = str(issue["line"])
+            mitigation = issue["message"]
+            title = issue["description"]
+            file_path = issue["component"]
+            severity = self.convert_sonar_severity(issue["severity"])
+            rule_id = issue["rule"]
+
+            if title is None or mitigation is None:
+                raise ValueError(
+                    "Parser ValueError: can't find a title or a mitigation for vulnerability of name "
+                    + rule_id
+                )
+
+            try:
+                issue_detail = rules[rule_id]
+                parser = etree.HTMLParser()
+                html_desc_as_e_tree = etree.fromstring(issue_detail["htmlDesc"], parser)
+                issue_description = self.get_description(html_desc_as_e_tree)
+                logger.debug(issue_description)
+                issue_references = self.get_references(
+                    rule_id, html_desc_as_e_tree
+                )
+                issue_cwe = self.get_cwe(issue_references)
+            except KeyError:
+                issue_description = "No description provided"
+                issue_references = ""
+                issue_cwe = 0
+
+            if mode is None:
+                self.process_result_file_name_aggregated(
+                    test,
+                    dupes,
+                    title,
+                    issue_cwe,
+                    issue_description,
+                    file_path,
+                    line,
+                    severity,
+                    mitigation,
+                    issue_references,
+                )
+            else:
+                self.process_result_detailed(
+                    test,
+                    dupes,
+                    title,
+                    issue_cwe,
+                    issue_description,
+                    file_path,
+                    line,
+                    severity,
+                    mitigation,
+                    issue_references,
+                    key,
+                )
+        return list(dupes.values())
 
     def get_items(self, tree, test, mode):
         # Check that there is at least one vulnerability (the vulnerabilities