Add CWE to PTART parser (#12068)

adam-bertrand-bib · Hydragyrum · web-flow · commit 7d4009cbfe6d · 2025-03-25T15:39:45.000-06:00
* Add CWE fields to test files

* Add CWE support to ptart import

* Fix bugs related to importing endpoints

* Fix bug wherein long filenames on screenshots cause an import to fail

* Add comment explaining why filename is truncated

---------

Co-authored-by: Hydragyrum &lt;hydragyrum@gmail.com&gt;
diff --git a/dojo/tools/ptart/assessment_parser.py b/dojo/tools/ptart/assessment_parser.py
@@ -51,6 +51,8 @@ def get_finding(self, assessment, hit):
         if "labels" in hit:
             finding.unsaved_tags = hit["labels"]
 
+        finding.cwe = ptart_tools.parse_cwe_from_hit(hit)
+
         finding.unsaved_endpoints = ptart_tools.parse_endpoints_from_hit(hit)
 
         # Add screenshots to files, and add other attachments as well.
diff --git a/dojo/tools/ptart/ptart_parser_tools.py b/dojo/tools/ptart/ptart_parser_tools.py
@@ -2,6 +2,7 @@
 from datetime import datetime
 
 import cvss
+from django.core.exceptions import ValidationError
 
 from dojo.models import Endpoint
 
@@ -96,7 +97,9 @@ def parse_screenshot_data(screenshot):
 
 
 def get_screenshot_title(screenshot):
-    caption = screenshot.get("caption", "screenshot")
+    raw_caption = screenshot.get("caption", "screenshot")
+    # Screenshot filenames are limited to 100 characters.
+    caption = f"{raw_caption[:94]}.." if len(raw_caption) > 96 else raw_caption
     if not caption:
         caption = "screenshot"
     return f"{caption}{get_file_suffix_from_screenshot(screenshot)}"
@@ -154,8 +157,17 @@ def get_attachement_title(attachment):
 def parse_endpoints_from_hit(hit):
     if "asset" not in hit or not hit["asset"]:
         return []
-    endpoint = Endpoint.from_uri(hit["asset"])
-    return [endpoint]
+    try:
+        asset = hit.get("asset", None)
+        if not asset:
+            return []
+        # Workaround for Defect Dojo being silly when parsing uris.
+        # If there's no protocol, it will assume the hostname is the protocol.
+        asset = f"https://{asset}" if "://" not in asset else asset
+        endpoint = Endpoint.from_uri(asset)
+    except ValidationError:
+        endpoint = None
+    return [] if not endpoint else [endpoint]
 
 
 def generate_test_description_from_report(data):
@@ -185,3 +197,41 @@ def get_transformed_reference(reference):
             return url
         return None
     return f"{title}: {url}"
+
+
+def parse_cwe_from_hit(hit):
+    if "cwes" not in hit or not hit["cwes"]:
+        return None
+    cwes = hit["cwes"]
+    # Grab the last CWE in the list, as it's sorted in numerical order,
+    # and the last element is generally the most specific.
+    return parse_cwe_id_from_cwe(cwes.pop()) if cwes and isinstance(cwes, list) and len(cwes) > 0 else None
+
+
+def parse_cwe_id_from_cwe(cwe):
+    try:
+        if not cwe:
+            return None
+
+        cwe_id = cwe.get("cwe_id", None)
+        if not cwe_id:
+            title = cwe.get("title", None)
+            if not title:
+                return None
+            cwe_id = parse_cwe_id_from_cwe_title(title)
+        elif isinstance(cwe_id, str):
+            cwe_id = int(cwe_id)
+        elif not isinstance(cwe_id, int):
+            cwe_id = None
+    except (ValueError, IndexError):
+        return None
+    return cwe_id
+
+
+def parse_cwe_id_from_cwe_title(title):
+    try:
+        if not title:
+            return None
+        return int(title.split("-")[1])
+    except (ValueError, IndexError):
+        return None
diff --git a/dojo/tools/ptart/retest_parser.py b/dojo/tools/ptart/retest_parser.py
@@ -91,6 +91,8 @@ def get_finding(self, retest, hit):
         if "labels" in original_hit:
             finding.unsaved_tags = original_hit["labels"]
 
+        finding.cwe = ptart_tools.parse_cwe_from_hit(original_hit)
+
         finding.unsaved_endpoints = ptart_tools.parse_endpoints_from_hit(
             original_hit,
         )
diff --git a/unittests/scans/ptart/ptart_many_vul.json b/unittests/scans/ptart/ptart_many_vul.json
@@ -40,6 +40,9 @@
             "A01:2021-Broken Access Control",
             "A04:2021-Insecure Design"
           ],
+          "cwes": [
+            { "cwe_id": 862, "title": "CWE-862 - Missing Authorization" }
+          ],
           "screenshots": [
             {
               "caption": "Borked",
@@ -73,6 +76,9 @@
           "labels": [
             "A09:2021-Security Logging and Monitoring Failures"
           ],
+          "cwes": [
+            { "cwe_id": 778, "title": "CWE-778 - Insufficient Logging" }
+          ],
           "screenshots": [],
           "attachments": [],
           "references": []
diff --git a/unittests/scans/ptart/ptart_one_vul.json b/unittests/scans/ptart/ptart_one_vul.json
@@ -40,6 +40,9 @@
             "A01:2021-Broken Access Control",
             "A04:2021-Insecure Design"
           ],
+          "cwes": [
+            { "cwe_id": 862, "title": "CWE-862 - Missing Authorization" }
+          ],
           "screenshots": [
             {
               "caption": "Borked",
diff --git a/unittests/scans/ptart/ptart_one_vul_multiple_cwe.json b/unittests/scans/ptart/ptart_one_vul_multiple_cwe.json
diff --git a/unittests/scans/ptart/ptart_one_vul_screenshot_long.json b/unittests/scans/ptart/ptart_one_vul_screenshot_long.json
diff --git a/unittests/scans/ptart/ptart_vuln_plus_retest.json b/unittests/scans/ptart/ptart_vuln_plus_retest.json
@@ -40,6 +40,9 @@
             "A01:2021-Broken Access Control",
             "A04:2021-Insecure Design"
           ],
+          "cwes": [
+            { "cwe_id": 862, "title": "CWE-862 - Missing Authorization" }
+          ],
           "screenshots": [
             {
               "caption": "Borked",
@@ -73,6 +76,9 @@
           "labels": [
             "A09:2021-Security Logging and Monitoring Failures"
           ],
+          "cwes": [
+            { "cwe_id": 778, "title": "CWE-778 - Insufficient Logging" }
+          ],
           "screenshots": [],
           "attachments": [],
           "references": []
@@ -106,6 +112,9 @@
             "labels": [
               "A01:2021-Broken Access Control",
               "A04:2021-Insecure Design"
+            ],
+            "cwes": [
+              { "cwe_id": 862, "title": "CWE-862 - Missing Authorization" }
             ]
           },
           "screenshots": [
diff --git a/unittests/scans/ptart/ptart_vulns_with_mult_assessments.json b/unittests/scans/ptart/ptart_vulns_with_mult_assessments.json
@@ -39,6 +39,9 @@
           "labels": [
             "A03:2021-Injection"
           ],
+          "cwes": [
+            { "cwe_id": 79, "title": "CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }
+          ],
           "screenshots": [],
           "attachments": [],
           "references": []
@@ -63,6 +66,9 @@
             "A01:2021-Broken Access Control",
             "A04:2021-Insecure Design"
           ],
+          "cwes": [
+            { "cwe_id": 862, "title": "CWE-862 - Missing Authorization" }
+          ],
           "screenshots": [
             {
               "caption": "Borked",
@@ -96,6 +102,9 @@
           "labels": [
             "A09:2021-Security Logging and Monitoring Failures"
           ],
+          "cwes": [
+            { "cwe_id": 778, "title": "CWE-778 - Insufficient Logging" }
+          ],
           "screenshots": [],
           "attachments": [],
           "references": []
diff --git a/unittests/tools/test_ptart_parser.py b/unittests/tools/test_ptart_parser.py

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,8 @@ def get_finding(self, retest, hit):`
`91`	`91`	`if "labels" in original_hit:`
`92`	`92`	`finding.unsaved_tags = original_hit["labels"]`
`93`	`93`
	`94`	`+ finding.cwe = ptart_tools.parse_cwe_from_hit(original_hit)`
	`95`	`+`
`94`	`96`	`finding.unsaved_endpoints = ptart_tools.parse_endpoints_from_hit(`
`95`	`97`	`original_hit,`
`96`	`98`	`)`