Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions (#11681)

* Introducing a mechanism to extract and include mitigation information (fixed versions)

* Removing empty lines at the end of the file

* Update unittest test_osv_scanner_parser script

* Update unittest test_osv_scanner_parser script

* Add new empty line to parser

* Add empty line at end file

* Update parser.py

* Update parser.py

* Add missing comments and document new methods in OSVScannerParserh

* update

* Add missing comments and document new methods in OSVScannerParser

* update Fixed Package Versions

* update Fixed test_osv_scanner

* Fixing ruff

---------

Co-authored-by: ahubert <ahubert@nganalytics.eu>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

Author: 3 people

dojo/tools/osv_scanner/parser.py

@@ -79,6 +79,8 @@ def get_findings(self, file, test):
                     vulnerabilitydetails = vulnerability.get("details", "")
                     vulnerabilitypackagepurl = ""
                     cwe = None
+                    mitigations_by_type = {}  # Dictionary to store corrected versions by type
+
                     # Make sure we have an affected section to work with
                     if (affected := vulnerability.get("affected")) is not None:
                         if len(affected) > 0:
@@ -88,19 +90,45 @@ def get_findings(self, file, test):
                             # Extract the CWE
                             if (cwe := affected[0].get("database_specific", {}).get("cwes", None)) is not None:
                                 cwe = cwe[0]["cweId"]
+                            # Extraction of corrected versions by type
+                            ranges = affected[0].get("ranges", [])
+                            for range_item in ranges:
+                                range_type = range_item.get("type", "")
+                                repo_url = range_item.get("repo", "")
+                                for event in range_item.get("events", []):
+                                    if "fixed" in event:
+                                        fixed_value = event["fixed"]
+                                        # GIT URL format if applicable
+                                        if range_type == "GIT" and repo_url:
+                                            formatted_value = f"{repo_url}/commit/{fixed_value}"
+                                        else:
+                                            formatted_value = fixed_value
+                                        # Add to the list by type
+                                        if range_type not in mitigations_by_type:
+                                            mitigations_by_type[range_type] = []
+                                        mitigations_by_type[range_type].append(formatted_value)
+
+                    # Creation of formatted mitigation text
+                    mitigation_text = None
+                    if mitigations_by_type:
+                        mitigation_text = "**Upgrade to versions**:\n"
+                        for typ, versions in mitigations_by_type.items():
+                            mitigation_text += f"\t{typ} :\n"
+                            for version in versions:
+                                mitigation_text += f"\t\t- {version}\n"
                     # Create some references
                     reference = ""
-                    for ref in vulnerability.get("references"):
+                    for ref in vulnerability.get("references", []):
                         reference += ref.get("url") + "\n"
                     # Define the description
                     description = vulnerabilitysummary + "\n"
-                    description += "**source_type**: " + source_type + "\n"
-                    description += "**package_ecosystem**: " + package_ecosystem + "\n"
-                    description += "**vulnerabilitydetails**: " + vulnerabilitydetails + "\n"
-                    description += "**vulnerabilitypackagepurl**: " + vulnerabilitypackagepurl + "\n"
+                    description += f"**Source type**: {source_type}\n"
+                    description += f"**Package ecosystem**: {package_ecosystem}\n"
+                    description += f"**Vulnerability details**: {vulnerabilitydetails}\n"
+                    description += f"**Vulnerability package purl**: {vulnerabilitypackagepurl}\n"
                     sev = vulnerability.get("database_specific", {}).get("severity", "")
                     finding = Finding(
-                        title=vulnerabilityid + "_" + package_name,
+                        title=f"{vulnerabilityid}_{package_name}",
                         test=test,
                         description=description,
                         severity=self.classify_severity(sev),
@@ -112,8 +140,11 @@ def get_findings(self, file, test):
                         file_path=source_path,
                         references=reference,
                     )
-                    if vulnerabilityid != "":
-                        finding.unsaved_vulnerability_ids = []
-                        finding.unsaved_vulnerability_ids.append(vulnerabilityid)
+
+                    if mitigation_text:
+                        finding.mitigation = mitigation_text
+
+                    if vulnerabilityid:
+                        finding.unsaved_vulnerability_ids = [vulnerabilityid]
                     findings.append(finding)
         return findings

unittests/tools/test_osv_scanner_parser.py

@@ -41,3 +41,4 @@ def test_many_findings(self):
             finding = findings[17]
             self.assertEqual(finding.references, "https://nvd.nist.gov/vuln/detail/CVE-2021-45115\nhttps://docs.djangoproject.com/en/4.0/releases/security\nhttps://github.com/django/django\nhttps://groups.google.com/forum/#!forum/django-announce\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV\nhttps://security.netapp.com/advisory/ntap-20220121-0005\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases\n")
             self.assertEqual(finding.title, "GHSA-53qw-q765-4fww_django")
+            self.assertEqual(finding.mitigation, "**Upgrade to versions**:\n\tECOSYSTEM :\n\t\t- 2.2.26\n")