

Bugfix: checkmarx parser - datetime is no longer put into the Finding.date field (DefectDojo#9570)

* Checkmarx parser: datetime is no longer put into the Finding.date field

* Conversion of the init and teardown methods to functions has been revoked.
reichertan authored Mar 6, 2024
1 parent e88d490 commit 370cffb
Showing 2 changed files with 41 additions and 19 deletions.
6 changes: 3 additions & 3 deletions dojo/tools/checkmarx/parser.py
Expand Up @@ -58,7 +58,7 @@ def _get_findings_xml(self, filename, test):
language = ""
findingdetail = ""
group = ""
find_date = parser.parse(root.get("ScanStart"))
find_date = parser.parse(root.get("ScanStart")).date()

if query.get("Language") is not None:
language = query.get("Language")
Expand Down Expand Up @@ -389,9 +389,9 @@ def get_findings(self, file, test):

def _parse_date(self, value):
if isinstance(value, str):
return parser.parse(value)
return parser.parse(value).date()
elif isinstance(value, dict) and isinstance(value.get("seconds"), int):
return datetime.datetime.utcfromtimestamp(value.get("seconds"))
return datetime.datetime.utcfromtimestamp(value.get("seconds")).date()
else:
return None

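Review bot: The two branches of `_parse_date` now take the calendar date from different clocks: `parser.parse(value).date()` keeps whatever offset the string carries (or none), while the `seconds` branch goes through `utcfromtimestamp`, so the same instant can yield different dates around midnight depending on which form the report used; `datetime.datetime.utcfromtimestamp` is also deprecated as of Python 3.12. Writing the second branch as `return datetime.datetime.fromtimestamp(value.get("seconds"), tz=datetime.timezone.utc).date()` removes the deprecation and makes the UTC choice explicit, and a one-line comment on the method stating which timezone the reported date is taken in would help the next reader. The same `.date()` is applied in `_get_findings_xml` (first hunk), where `root.get("ScanStart")` is passed straight to `parser.parse`; a report without that attribute raises there instead of yielding `None` as `_parse_date` does, which predates this change but is worth a note or guard. `_get_findings_xml` begins before its hunk; `_parse_date` is complete within the second.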
54 changes: 38 additions & 16 deletions unittests/tools/test_checkmarx_parser.py
Expand Up @@ -203,8 +203,8 @@ def check_parse_file_with_single_vulnerability_has_single_finding(self, findings
item.file_path,
)
# ScanStart
self.assertEqual(datetime.datetime, type(item.date))
self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), item.date)
self.assertEqual(datetime.date, type(item.date))
self.assertEqual(datetime.date(2018, 2, 25), item.date)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)

Expand Down Expand Up @@ -293,7 +293,7 @@ def test_file_name_aggregated_parse_file_with_multiple_vulnerabilities_has_multi
finding = findings[0]
self.assertEqual("SQL Injection (Assignment5.java)", finding.title)
self.assertEqual("High", finding.severity)
self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), finding.date)
self.assertEqual(datetime.date(2018, 2, 25), finding.date)
self.assertEqual(True, finding.static_finding)
self.assertEqual("WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java", finding.file_path)

Expand All @@ -312,7 +312,7 @@ def test_detailed_parse_file_with_multiple_vulnerabilities_has_multiple_findings
finding = findings[0]
self.assertEqual("SQL Injection (Assignment5.java)", finding.title)
self.assertEqual("High", finding.severity)
self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), finding.date)
self.assertEqual(datetime.date(2018, 2, 25), finding.date)
self.assertEqual(True, finding.static_finding)
self.assertEqual("WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java", finding.file_path)
self.assertEqual(50, finding.line)
Expand Down Expand Up @@ -516,8 +516,8 @@ def check_parse_file_with_utf8_replacement_char(self, findings):
item.file_path,
)
# ScanStart
self.assertEqual(datetime.datetime, type(item.date))
self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), item.date)
self.assertEqual(datetime.date, type(item.date))
self.assertEqual(datetime.date(2018, 2, 25), item.date)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)

Expand Down Expand Up @@ -665,8 +665,8 @@ def check_parse_file_with_utf8_various_non_ascii_char(self, findings):
item.file_path,
)
# ScanStart
self.assertEqual(datetime.datetime, type(item.date))
self.assertEqual(datetime.datetime(2018, 2, 25, 11, 35, 52), item.date)
self.assertEqual(datetime.date, type(item.date))
self.assertEqual(datetime.date(2018, 2, 25), item.date)
self.assertEqual(bool, type(item.static_finding))
self.assertEqual(True, item.static_finding)

Expand All @@ -685,8 +685,8 @@ def test_file_with_multiple_findings_is_aggregated_with_query_id(self, mock):
# ScanStart
self.assertEqual("Client Potential ReDoS In Match (prettify.js)", finding.title)
self.assertEqual("Low", finding.severity)
self.assertEqual(datetime.datetime, type(finding.date))
self.assertEqual(datetime.datetime(2021, 11, 17, 13, 50, 45), finding.date)
self.assertEqual(datetime.date, type(finding.date))
self.assertEqual(datetime.date(2021, 11, 17), finding.date)
self.assertEqual(bool, type(finding.static_finding))
self.assertEqual(True, finding.static_finding)

Expand All @@ -705,8 +705,8 @@ def test_file_with_empty_filename(self, mock):
# ScanStart
self.assertEqual("Missing HSTS Header", finding.title)
self.assertEqual("Medium", finding.severity)
self.assertEqual(datetime.datetime, type(finding.date))
self.assertEqual(datetime.datetime(2021, 12, 24, 9, 12, 14), finding.date)
self.assertEqual(datetime.date, type(finding.date))
self.assertEqual(datetime.date(2021, 12, 24), finding.date)
self.assertEqual(bool, type(finding.static_finding))
self.assertEqual(True, finding.static_finding)

Expand Down Expand Up @@ -791,15 +791,15 @@ def test_file_issue6956(self, mock):
self.assertEqual(89, finding.cwe)
self.assertEqual("/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java", finding.file_path)
self.assertEqual(61, finding.line)
self.assertEqual(datetime.date(2022, 5, 6), finding.date.date())
self.assertEqual(datetime.date(2022, 5, 6), finding.date)
if finding.unique_id_from_tool == "SYlu22e7ZQydKJFOlC/o1EsyixQ=":
with self.subTest(i="SYlu22e7ZQydKJFOlC/o1EsyixQ="):
self.assertEqual("SQL Injection", finding.title)
self.assertEqual("High", finding.severity)
self.assertEqual(89, finding.cwe)
self.assertEqual("/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java", finding.file_path)
self.assertEqual(72, finding.line)
self.assertEqual(datetime.date(2022, 5, 6), finding.date.date())
self.assertEqual(datetime.date(2022, 5, 6), finding.date)
# test one in SCA part
if finding.unique_id_from_tool == "GkVx1zoIKcd1EF72zqWrGzeVTmo=":
with self.subTest(i="GkVx1zoIKcd1EF72zqWrGzeVTmo="):
Expand All @@ -812,7 +812,7 @@ def test_file_issue6956(self, mock):
self.assertTrue(finding.active)
self.assertFalse(finding.verified)
self.assertIsNone(finding.line)
self.assertEqual(datetime.date(2022, 5, 6), finding.date.date())
self.assertEqual(datetime.date(2022, 5, 6), finding.date)
# test one in KICS part
if finding.unique_id_from_tool == "eZrh18HAPbe2LbDAprSPrwncAC0=":
with self.subTest(i="eZrh18HAPbe2LbDAprSPrwncAC0="):
Expand All @@ -822,4 +822,26 @@ def test_file_issue6956(self, mock):
self.assertTrue(finding.active)
self.assertFalse(finding.verified)
self.assertEqual("/webgoat-server/Dockerfile", finding.file_path)
self.assertEqual(datetime.date(2022, 5, 6), finding.date.date())
self.assertEqual(datetime.date(2022, 5, 6), finding.date)

@patch('dojo.tools.checkmarx.parser.add_language')
def test_finding_date_should_be_date_xml(self, mock):
my_file_handle, product, engagement, test = self.init(
get_unit_tests_path() + "/scans/checkmarx/single_finding.xml"
)
parser = CheckmarxParser()
parser.set_mode('detailed')
findings = parser.get_findings(my_file_handle, test)
self.teardown(my_file_handle)
self.assertEqual(findings[0].date, datetime.date(2018, 2, 25))

@patch('dojo.tools.checkmarx.parser.add_language')
def test_finding_date_should_be_date_json(self, mock):
my_file_handle, product, engagement, test = self.init(
get_unit_tests_path() + "/scans/checkmarx/multiple_findings.json"
)
parser = CheckmarxParser()
parser.set_mode('detailed')
findings = parser.get_findings(my_file_handle, test)
self.teardown(my_file_handle)
self.assertEqual(findings[0].date, datetime.date(2022, 2, 25))
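Review bot: The two new tests (`test_finding_date_should_be_date_xml`, `test_finding_date_should_be_date_json`) assert only equality with a `datetime.date`, which rejects a `datetime.datetime` result only because `date` and `datetime` are defined never to compare equal; the regression they guard against is clearer, and consistent with the `type(item.date)` checks elsewhere in this file, if each also states `self.assertIs(type(findings[0].date), datetime.date)`. The `product` and `engagement` names unpacked from `self.init(...)` are unused in both tests and could be `_`. Both tests are complete within the hunk.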
