DefectDojo
diff --git a/‎dojo/tools/mayhem/__init__.py b/‎dojo/tools/mayhem/__init__.py
diff --git a/‎dojo/tools/mayhem/parser.py
Lines changed: 627 additions & 0 deletions b/‎dojo/tools/mayhem/parser.py
Lines changed: 627 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_api_many_vulns.sarif
Lines changed: 1705 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_api_many_vulns.sarif
Lines changed: 1705 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_api_no_vulns.sarif
Lines changed: 17 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_api_no_vulns.sarif
Lines changed: 17 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_api_one_vuln.sarif
Lines changed: 62 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_api_one_vuln.sarif
Lines changed: 62 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_code_many_vulns.sarif
Lines changed: 394 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_code_many_vulns.sarif
Lines changed: 394 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_code_no_vulns.sarif
Lines changed: 27 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_code_no_vulns.sarif
Lines changed: 27 additions & 0 deletions
diff --git a/‎unittests/scans/mayhem/mayhem_code_one_vuln.sarif
Lines changed: 87 additions & 0 deletions b/‎unittests/scans/mayhem/mayhem_code_one_vuln.sarif
Lines changed: 87 additions & 0 deletions
diff --git a/‎unittests/tools/test_mayhem_parser.py
Lines changed: 71 additions & 0 deletions b/‎unittests/tools/test_mayhem_parser.py
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,17 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "semanticVersion": "2.31.2",
+          "name": "mAPI",
+          "fullName": "Mayhem for API",
+          "rules": []
+        }
+      },
+      "results": []
+    }
+  ]
+}
@@ -0,0 +1,62 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "semanticVersion": "2.31.2",
+          "name": "mAPI",
+          "fullName": "Mayhem for API",
+          "rules": [
+            {
+              "id": "default-credentials",
+              "shortDescription": {
+                "text": "Default Credentials Used"
+              },
+              "fullDescription": {
+                "text": "A protected API returned a successful response using well-known default credentials."
+              },
+              "help": {
+                "text": "Review the endpoint code to ensure that the required authentication code is\nrunning in all cases. If the endpoint does not require authentication, update\nthe specification to indicate as such.\n\nIf the authentication checks are performed on this endpoint, review the code\nchecking the provided credentials to ensure that default credentials are not\naccepted as valid. Ensure that the user-provided data is validated extensively\nbefore any authentication checks are performed. The sample response provided by\nMayhem for API as part of the bug report may point you in the right direction\nwhen trying to debug the issue. The issue may be in the underlying library, if\nany, you are using to perform validation checks.\n"
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "Security",
+                  "CWE-287",
+                  "CWE-1390",
+                  "CWE-1391",
+                  "CWE-1392",
+                  "OWASP-API2"
+                ]
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "default-credentials",
+          "message": {
+            "text": "Default Credentials Used in 'GET /info'. [Details](https://app.mayhem.security/xansec/mayhem-demo/api/-/defects/2587042)",
+            "markdown": "Default Credentials Used in 'GET /info'.\n\n# Sample Request\n\n```http\nGET /info HTTP/1.1\ncontent-length: 0\nauthorization: Basic TFItSVNETjpMUi1JU0RO\nx-mapi-program-uuid: eb3b952d-2088-4711-a86b-7995c83b8579\n\n```\n\n# Sample Response\n\n```http\nHTTP/1.1 200 OK\ndate: Wed, 18 Jun 2025 02:24:15 GMT\nserver: uvicorn\ncontent-length: 35\ncontent-type: application/json\n\n[\n  \"version: 1.0.0\\n\",\n  \"config: fast\"\n]\n```\n\n[Details](https://app.mayhem.security/xansec/mayhem-demo/api/-/defects/2587042)\n"
+          },
+          "codeFlows": [],
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "unknown-file",
+                  "uriBaseId": "%SRCROOT%"
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,27 @@
+{
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Mayhem Code Security",
+          "rules": [],
+          "version": "2.12.0",
+          "informationUri": "https://www.mayhem.security/"
+        }
+      },
+      "results": [],
+      "taxonomies": [
+        {
+          "name": "CWE",
+          "organization": "MITRE",
+          "taxa": [],
+          "shortDescription": {
+            "text": "The MITRE Common Weakness Enumeration"
+          }
+        }
+      ]
+    }
+  ],
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json"
+}
@@ -0,0 +1,87 @@
+{
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Mayhem Code Security",
+          "rules": [
+            {
+              "id": "MI101",
+              "name": "ImproperInputValidation",
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "helpUri": "https://www.mayhem.security/",
+              "shortDescription": {
+                "text": "The software receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."
+              }
+            }
+          ],
+          "version": "2.12.0",
+          "informationUri": "https://www.mayhem.security/"
+        }
+      },
+      "results": [
+        {
+          "message": {
+            "markdown": "#0 0x7ffff7e47b1c in vfwprintf+0x23ec at ??:0:0\n#1 0x7ffff7dee26e in raise+0x1e at ??:0:0\n#2 0x7ffff7dd18ff in abort+0xdf at ??:0:0\n#3 0x5555555559a9 in ?? at ??:0:0\n#4 0x555555555ab8 in ?? at ??:0:0\n#5 0x7ffff7dd31ca in __libc_init_first+0x8a at ??:0:0\n#6 0x7ffff7dd328b in __libc_start_main+0x8b at ??:0:0\n#7 0x555555555875 in ?? at ??:0:0\n\n\n[Details](https://app.mayhem.security:443/forallsecure-demo/bazel-rules/mayhemit/10?defect=2211925)",
+            "text": "TDID-2211925 - Improper Input Validation"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "region": {
+                  "endColumn": 1,
+                  "endLine": 1,
+                  "startColumn": 1,
+                  "startLine": 1
+                },
+                "artifactLocation": {
+                  "uri": "unknown_file"
+                }
+              }
+            }
+          ],
+          "taxa": [
+            {
+              "id": "20",
+              "toolComponent": {
+                "name": "CWE"
+              }
+            }
+          ],
+          "ruleId": "MI101"
+        }
+      ],
+      "taxonomies": [
+        {
+          "name": "CWE",
+          "organization": "MITRE",
+          "taxa": [
+            {
+              "id": "20",
+              "help": {
+                "text": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."
+              },
+              "name": "Improper Input Validation",
+              "defaultConfiguration": {
+                "level": "error"
+              },
+              "fullDescription": {
+                "text": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."
+              },
+              "shortDescription": {
+                "text": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly."
+              }
+            }
+          ],
+          "shortDescription": {
+            "text": "The MITRE Common Weakness Enumeration"
+          }
+        }
+      ]
+    }
+  ],
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json"
+}
@@ -0,0 +1,71 @@
+from dojo.models import Finding, Test
+from dojo.tools.mayhem.parser import MayhemParser
+from unittests.dojo_test_case import DojoTestCase, get_unit_tests_scans_path
+
+
+class TestMayhemParser(DojoTestCase):
+    def common_checks(self, finding):
+        self.assertLessEqual(len(finding.title), 250)
+        self.assertIn(finding.severity, Finding.SEVERITIES)
+        if finding.cwe:
+            self.assertIsInstance(finding.cwe, int)
+        self.assertEqual(False, finding.static_finding)  # Mayhem is DAST!
+        self.assertEqual(True, finding.dynamic_finding)  # Mayhem is DAST!
+
+    def test_mcode_many_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_code_many_vulns.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(8, len(findings))
+            for finding in findings:
+                self.common_checks(finding)
+    
+    def test_mapi_many_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_api_many_vulns.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(20, len(findings))
+            for finding in findings:
+                self.common_checks(finding)
+
+    def test_mcode_one_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_code_one_vuln.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            finding = findings[0]
+            self.common_checks(finding)
+            self.assertEqual(20, finding.cwe)
+
+    def test_mapi_one_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_api_one_vuln.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(1, len(findings))
+            finding = findings[0]
+            self.common_checks(finding)
+            self.assertEqual(1392, finding.cwe)
+
+    def test_mcode_no_vulns_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_code_no_vulns.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(0, len(findings))
+
+    def test_mapi_no_vulns_report(self):
+        with (
+            get_unit_tests_scans_path("mayhem") / "mayhem_api_no_vulns.sarif"
+        ).open(encoding="utf-8") as testfile:
+            parser = MayhemParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(0, len(findings))