
yarn: fix CWE parsing #6000

Merged

Conversation

valentijnscholten
Member

@valentijnscholten valentijnscholten commented Mar 7, 2022

fix yarn parser to handle wildly formatted list of CWEs: #5999

    # Somehow multiple CWEs end up in the json report like this
    # [\"CWE-173\",\"CWE-200\",\"CWE-601\"]
    # which becomes after json load:
    # ["CWE-173","CWE-200","CWE-601"]
    # we parse this and take the first CWE

EDIT: Seems to happen also for single CWE values

    # [\"CWE-173\"]
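As an added illustration (not the DefectDojo parser's own code), the helper below normalizes the `cwe` field shapes described above: a plain string, a real list, or a string that itself holds a JSON-encoded list, and returns the first CWE number, which is what the PR says the parser does. The function name and the sample advisory are constructed for this example.

```python
import json
import re

# Constructed sample of an advisory object as it appears after json.load
# of a `yarn audit --json` line: the cwe value is a string holding a
# JSON-encoded list rather than a real list.
SAMPLE_ADVISORY = {
    "module_name": "example-module",
    "cwe": '["CWE-173","CWE-200","CWE-601"]',
}


def get_first_cwe(cwe_field):
    """Return the numeric part of the first CWE found in a yarn audit cwe field.

    Accepts "CWE-79", ["CWE-173", "CWE-200"], or '["CWE-173","CWE-200"]'
    (a string that itself encodes a list). Returns None when no CWE id is present.
    """
    if cwe_field is None:
        return None
    if isinstance(cwe_field, str):
        stripped = cwe_field.strip()
        if stripped.startswith("["):
            # String-encoded list: decode it into a real list first.
            try:
                cwe_field = json.loads(stripped)
            except ValueError:
                # Still escaped or otherwise malformed; scan the raw text instead.
                cwe_field = [stripped]
        else:
            cwe_field = [stripped]
    elif not isinstance(cwe_field, list):
        cwe_field = [cwe_field]
    # Take the first element that looks like a CWE identifier.
    for item in cwe_field:
        match = re.search(r"CWE-(\d+)", str(item))
        if match:
            return int(match.group(1))
    return None
```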

@dvdgsng

dvdgsng commented Mar 7, 2022

Any idea what DefectDojo is doing when running an import that could cause such an issue out of the blue? We are running v2.7.1 and haven't touched the deployment for 25 days. So we would expect it to be rather stable.

@valentijnscholten
Member Author

yarn has changed their output format or logic, or gets data from another source formatted in a different way.

@dvdgsng

dvdgsng commented Mar 7, 2022

AFAICT we haven't changed the node version either :/ need to verify though

valentijnscholten changed the title from "yarn: fix multiple CWE parsing" to "yarn: fix CWE parsing" on Mar 7, 2022
@valentijnscholten
Member Author

It might be a bug / side effect in yarn that they may fix at some point.

Review comment on dojo/tools/yarn_audit/parser.py (outdated, resolved)
Co-authored-by: Damien Carol <damien.carol@gmail.com>
valentijnscholten merged commit 110aaeb into DefectDojo:dev on Mar 7, 2022