🐛 fix trivy parser cvss score severity discrepance DefectDojo#9092

manuel-sommer · Dec 5, 2023 · 9bb3e08 · 9bb3e08
1 parent 030c00d
commit 9bb3e08
Show file tree

Hide file tree

Showing 3 changed files with 107 additions and 7 deletions.
diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py
@@ -54,6 +54,19 @@ def get_label_for_scan_types(self, scan_type):
     def get_description_for_scan_types(self, scan_type):
         return "Import trivy JSON scan report."
 
+    def convert_cvss_score(self, raw_value):
+        val = float(raw_value)
+        if val == 0.0:
+            return "Info"
+        elif val < 4.0:
+            return "Low"
+        elif val < 7.0:
+            return "Medium"
+        elif val < 9.0:
+            return "High"
+        else:
+            return "Critical"
+
     def get_findings(self, scan_file, test):
         scan_data = scan_file.read()
 
@@ -138,7 +151,18 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 try:
                     vuln_id = vuln.get("VulnerabilityID", "0")
                     package_name = vuln["PkgName"]
-                    severity = TRIVY_SEVERITIES[vuln["Severity"]]
+                    severity_source = vuln.get("SeveritySource", None)
+                    cvss = vuln.get("CVSS", None)
+                    cvssv3 = None
+                    if severity_source is not None and cvss is not None:
+                        cvssclass = cvss.get(severity_source, None)
+                        if cvssclass is not None:
+                            severity = self.convert_cvss_score(cvssclass.get("V3Score", None))
+                            cvssv3 = dict(cvssclass).get("V3Vector", None)
+                        else:
+                            severity = TRIVY_SEVERITIES[vuln["Severity"]]
+                    else:
+                        severity = TRIVY_SEVERITIES[vuln["Severity"]]
                     file_path = vuln.get("PkgPath")
                 except KeyError as exc:
                     logger.warning("skip vulnerability due %r", exc)
@@ -165,12 +189,6 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     fixed_version=mitigation,
                     description_text=vuln.get("Description", ""),
                 )
-                cvss = vuln.get("CVSS", None)
-                cvssv3 = None
-                if cvss is not None:
-                    nvd = cvss.get("nvd", None)
-                    if nvd is not None:
-                        cvssv3 = nvd.get("V3Vector", None)
                 finding = Finding(
                     test=test,
                     title=title,

diff --git a/unittests/scans/trivy/issue_9092.json b/unittests/scans/trivy/issue_9092.json
@@ -0,0 +1,74 @@
+{
+    "SchemaVersion": 2,
+    "ArtifactName": "sbom.json",
+    "ArtifactType": "cyclonedx",
+    "Metadata": {
+      "ImageConfig": {
+        "architecture": "",
+        "created": "0001-01-01T00:00:00Z",
+        "os": "",
+        "rootfs": {
+          "type": "",
+          "diff_ids": null
+        },
+        "config": {}
+      }
+    },
+    "Results": [
+      {
+        "Target": "requirements.txt",
+        "Class": "lang-pkgs",
+        "Type": "pip",
+        "Vulnerabilities": [
+          {
+            "VulnerabilityID": "CVE-2023-37920",
+            "PkgName": "certifi",
+            "InstalledVersion": "2022.5.18.1",
+            "FixedVersion": "2023.7.22",
+            "Layer": {},
+            "SeveritySource": "ghsa",
+            "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37920",
+            "Ref": "pkg:pypi/certifi@2022.5.18.1",
+            "DataSource": {
+              "ID": "ghsa",
+              "Name": "GitHub Security Advisory pip",
+              "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+            },
+            "Title": "python-certifi: Removal of e-Tugra root certificate",
+            "Description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
+            "Severity": "HIGH",
+            "CweIDs": [
+              "CWE-345"
+            ],
+            "CVSS": {
+              "ghsa": {
+                "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+                "V3Score": 9.8
+              },
+              "nvd": {
+                "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+                "V3Score": 7.5
+              },
+              "redhat": {
+                "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+                "V3Score": 7.5
+              }
+            },
+            "References": [
+              "https://access.redhat.com/security/cve/CVE-2023-37920",
+              "https://github.com/certifi/python-certifi",
+              "https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909",
+              "https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7",
+              "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml",
+              "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A",
+              "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/",
+              "https://nvd.nist.gov/vuln/detail/CVE-2023-37920",
+              "https://www.cve.org/CVERecord?id=CVE-2023-37920"
+            ],
+            "PublishedDate": "2023-07-25T21:15:00Z",
+            "LastModifiedDate": "2023-08-12T06:16:00Z"
+          }
+        ]
+      }
+    ]
+  }
diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py
@@ -201,3 +201,11 @@ def test_license_scheme(self):
 **Package:** alpine-baselayout
 '''
         self.assertEqual(description, finding.description)
+
+    def test_issue_9092(self):
+        test_file = open(sample_path("issue_9092.json"))
+        parser = TrivyParser()
+        findings = parser.get_findings(test_file, Test())
+        self.assertEqual(len(findings), 1)
+        finding = findings[0]
+        self.assertEqual("Critical", finding.severity)