Generic Parser: Support Test Type Meta

Author: Maffooch

docs/content/en/connecting_your_tools/parsers/generic_findings_import.md

@@ -9,6 +9,7 @@ You can use Generic Findings Import as a method to ingest JSON or CSV files into
 Files uploaded using Generic Findings Import must conform to the accepted format with respect to CSV column headers / JSON attributes.
 
 These attributes are supported for CSV:
+
 - Date: Date of the finding in mm/dd/yyyy format.
 - Title: Title of the finding
 - CweId: Cwe identifier, must be an integer value.
@@ -104,18 +105,32 @@ Example:
 }
 ```
 
-This parser supports an attribute `name` and `type` to be able to define `TestType`. Based on this, you can define custom `HASHCODE_FIELDS` or `DEDUPLICATION_ALGORITHM` in the settings.
+This parser supports some additional attributes to be able to define custom `TestTypes` as well as influencing some meta fields on the `Test`:
+
+- `name`: The internal name of the tool you are using. This is primarily informational, and used for reading the report manually.
+- `type`: The name of the test type to create in DefectDojo with the suffix of `(Generic Findings Import)`. The suffix is an important identifier for future users attempting to identify the test type to supply when importing new reports. This value is very important when fetching the correct test type to import findings into, so be sure to keep the `type` consistent from import to import! As an example, a report submitted with a `type` of `Internal Company Tool` will produce a test type in DefectDojo with the title `Internal Company Tool (Generic Findings Import)`. With this newly created test type, you can define custom `HASHCODE_FIELDS` or `DEDUPLICATION_ALGORITHM` in the settings.
+- `version`: The version of the tool you are using. This is primarily informational, and is used for reading the report manually and tracking format changes from version to version.
+- `description`: A brief description of the test. This could be an explanation of what the tool is reporting, where the tools is maintained, who the point of contact is for the tool when issues arise, or anything in between.
+- `static_tool`: Dictates that tool used is running static analysis methods to discover vulnerabilities.
+- `dynamic_tool`: Dictates that tool used is running dynamic analysis methods to discover vulnerabilities.
+- `soc`: Dictates that tool is used for reporting alerts from a soc (Pro Edition Only).
 
 Example:
 
 ```JSON
 {
     "name": "My wonderful report",
     "type": "My custom Test type",
+    "version": "1.0.5",
+    "description": "A unicorn tool that is capable of static analysis, dynamic analysis, and even capturing soc alerts!",
+    "static_tool": true,
+    "dynamic_tool": true,
+    "soc": true,
     "findings": [
     ]
 }
 ```
 
 ### Sample Scan Data
+
 Sample Generic Findings Import scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/generic).

dojo/importers/base_importer.py

@@ -33,6 +33,7 @@
 )
 from dojo.notifications.helper import create_notification
 from dojo.tools.factory import get_parser
+from dojo.tools.parser_test import ParserTest
 from dojo.utils import max_safe
 
 logger = logging.getLogger(__name__)
@@ -179,15 +180,36 @@ def parse_dynamic_test_type_tests(
             logger.warning(e)
             raise ValidationError(e)
 
-    def parse_dynamic_test_type_findings_from_tests(
-        self,
-        tests: list[Test],
-    ) -> list[Finding]:
-        """
-        Currently we only support import one Test
-        so for parser that support multiple tests (like SARIF)
-        we aggregate all the findings into one uniq test
-        """
+    def consolidate_dynamic_tests(self, tests: list[Test]) -> list[Finding]:
+        parsed_findings = []
+        # Make sure we have at least one test returned
+        if len(tests) == 0:
+            logger.info(f"No tests found in import for {self.scan_type}")
+            self.test = None
+            return parsed_findings
+        # for now we only consider the first test in the list and artificially aggregate all findings of all tests
+        # this is the same as the old behavior as current import/reimporter implementation doesn't handle the case
+        # when there is more than 1 test
+        #
+        # we also aggregate the label of the Test_type to show the user the original self.scan_type
+        # only if they are different. This is to support meta format like SARIF
+        # so a report that have the label 'CodeScanner' will be changed to 'CodeScanner Scan (SARIF)'
+        test_raw = tests[0]
+        test_type_name = self.scan_type
+        # Create a new test if it has not already been created
+        if not self.test:
+            # Determine if we should use a custom test type name
+            if test_raw.type:
+                test_type_name = f"{tests[0].type} Scan"
+                if test_type_name != self.scan_type:
+                    test_type_name = f"{test_type_name} ({self.scan_type})"
+            self.test = self.create_test(test_type_name)
+        # This part change the name of the Test
+        # we get it from the data of the parser
+        # Update the test and test type with meta from the raw test
+        self.update_test_from_internal_test(test_raw)
+        self.update_test_type_from_internal_test(test_raw)
+        # Aggregate all of the findings into a single place
         parsed_findings = []
         for test_raw in tests:
             parsed_findings.extend(test_raw.findings)
@@ -205,7 +227,7 @@ def parse_findings_dynamic_test_type(
         This version of this function is intended to be extended by children classes
         """
         tests = self.parse_dynamic_test_type_tests(scan, parser)
-        return self.parse_dynamic_test_type_findings_from_tests(tests)
+        return self.consolidate_dynamic_tests(tests)
 
     def parse_findings(
         self,
@@ -215,12 +237,12 @@ def parse_findings(
         """
         Determine how to parse the findings based on the presence of the
         `get_tests` function on the parser object
-
-        This function will vary by importer, so it is marked as
-        abstract with a prohibitive exception raised if the
-        method is attempted to to be used by the BaseImporter class
         """
-        self.check_child_implementation_exception()
+        # Attempt any preprocessing before generating findings
+        scan = self.process_scan_file(scan)
+        if hasattr(parser, "get_tests"):
+            return self.parse_findings_dynamic_test_type(scan, parser)
+        return self.parse_findings_static_test_type(scan, parser)
 
     def sync_process_findings(
         self,
@@ -539,6 +561,22 @@ def get_or_create_test_type(
             test_type.save()
         return test_type
 
+    def update_test_from_internal_test(self, internal_test: ParserTest) -> None:
+        if (name := getattr(internal_test, "name", None)) is not None:
+            self.test.name = name
+        if (description := getattr(internal_test, "description", None)) is not None:
+            self.test.description = description
+        if (version := getattr(internal_test, "version", None)) is not None:
+            self.test.version = version
+        self.test.save()
+
+    def update_test_type_from_internal_test(self, internal_test: ParserTest) -> None:
+        if (static_tool := getattr(internal_test, "static_tool", None)) is not None:
+            self.test.test_type.static_tool = static_tool
+        if (dynamic_tool := getattr(internal_test, "dynamic_tool", None)) is not None:
+            self.test.test_type.dynamic_tool = dynamic_tool
+        self.test.test_type.save()
+
     def verify_tool_configuration_from_test(self):
         """
         Verify that the Tool_Configuration supplied along with the

dojo/importers/default_importer.py

@@ -320,21 +320,6 @@ def close_old_findings(
 
         return old_findings
 
-    def parse_findings(
-        self,
-        scan: TemporaryUploadedFile,
-        parser: Parser,
-    ) -> list[Finding]:
-        """
-        Determine how to parse the findings based on the presence of the
-        `get_tests` function on the parser object
-        """
-        # Attempt any preprocessing before generating findings
-        scan = self.process_scan_file(scan)
-        if hasattr(parser, "get_tests"):
-            return self.parse_findings_dynamic_test_type(scan, parser)
-        return self.parse_findings_static_test_type(scan, parser)
-
     def parse_findings_static_test_type(
         self,
         scan: TemporaryUploadedFile,
@@ -364,40 +349,7 @@ def parse_findings_dynamic_test_type(
         into a single test, and then renames the test is applicable
         """
         logger.debug("IMPORT_SCAN parser v2: Create Test and parse findings")
-        tests = self.parse_dynamic_test_type_tests(scan, parser)
-        parsed_findings = []
-        # Make sure we have at least one test returned
-        if len(tests) == 0:
-            logger.info(f"No tests found in import for {self.scan_type}")
-            self.test = None
-            return parsed_findings
-        # for now we only consider the first test in the list and artificially aggregate all findings of all tests
-        # this is the same as the old behavior as current import/reimporter implementation doesn't handle the case
-        # when there is more than 1 test
-        #
-        # we also aggregate the label of the Test_type to show the user the original self.scan_type
-        # only if they are different. This is to support meta format like SARIF
-        # so a report that have the label 'CodeScanner' will be changed to 'CodeScanner Scan (SARIF)'
-        test_type_name = self.scan_type
-        # Determine if we should use a custom test type name
-        if tests[0].type:
-            test_type_name = f"{tests[0].type} Scan"
-            if test_type_name != self.scan_type:
-                test_type_name = f"{test_type_name} ({self.scan_type})"
-        # Create a new test if it has not already been created
-        if not self.test:
-            self.test = self.create_test(test_type_name)
-        # This part change the name of the Test
-        # we get it from the data of the parser
-        test_raw = tests[0]
-        if test_raw.name:
-            self.test.name = test_raw.name
-        if test_raw.description:
-            self.test.description = test_raw.description
-        self.test.save()
-        logger.debug("IMPORT_SCAN parser v2: Parse findings (aggregate)")
-        # Aggregate all the findings and return them with the newly created test
-        return self.parse_dynamic_test_type_findings_from_tests(tests)
+        return super().parse_findings_dynamic_test_type(scan, parser)
 
     def async_process_findings(
         self,

dojo/importers/default_reimporter.py

@@ -288,21 +288,6 @@ def close_old_findings(
 
         return mitigated_findings
 
-    def parse_findings(
-        self,
-        scan: TemporaryUploadedFile,
-        parser: Parser,
-    ) -> list[Finding]:
-        """
-        Determine how to parse the findings based on the presence of the
-        `get_tests` function on the parser object
-        """
-        # Attempt any preprocessing before generating findings
-        scan = self.process_scan_file(scan)
-        if hasattr(parser, "get_tests"):
-            return self.parse_findings_dynamic_test_type(scan, parser)
-        return self.parse_findings_static_test_type(scan, parser)
-
     def parse_findings_static_test_type(
         self,
         scan: TemporaryUploadedFile,

dojo/tools/generic/json_parser.py

@@ -15,6 +15,10 @@ def _get_test_json(self, data):
             name=data.get("name", self.ID),
             parser_type=data.get("type", self.ID),
             version=data.get("version"),
+            description=data.get("description"),
+            dynamic_tool=data.get("dynamic_tool"),
+            static_tool=data.get("static_tool"),
+            soc=data.get("soc"),
         )
         test_internal.findings = []
         for item in data.get("findings", []):

dojo/tools/parser_test.py

@@ -1,6 +1,41 @@
+import importlib
+from contextlib import suppress
+
+from django.conf import settings
+
+
 class ParserTest:
-    def __init__(self, name: str, parser_type: str, version: str):
-        self.name = name
-        self.type = parser_type
-        self.version = version
-        self.description = None
+    def __init__(self, *args: list, **kwargs: dict):
+        parser_test_class = OpenSourceParserTest
+        with suppress(ModuleNotFoundError):
+            if (
+                class_path := getattr(settings, "PARSER_TEST_CLASS_PATH", None)
+            ) is not None:
+                module_name, _separator, class_name = class_path.rpartition(".")
+                module = importlib.import_module(module_name)
+                parser_test_class = getattr(module, class_name)
+        parser_test_class().apply(self, *args, **kwargs)
+
+
+class OpenSourceParserTest:
+    def apply(
+        self,
+        instance: ParserTest,
+        name: str,
+        parser_type: str,
+        version: str,
+        *args: list,
+        description: str | None,
+        dynamic_tool: bool | None,
+        static_tool: bool | None,
+        **kwargs: dict,
+    ):
+        instance.name = name
+        instance.type = parser_type
+        instance.version = version
+        if description is not None:
+            instance.description = description
+        if dynamic_tool is not None:
+            instance.dynamic_tool = dynamic_tool
+        if static_tool is not None:
+            instance.static_tool = static_tool

requirements.txt

@@ -75,3 +75,4 @@ vulners==2.3.6
 fontawesomefree==6.6.0
 PyYAML==6.0.2
 pyopenssl==25.0.0
+parameterized==0.9.0

unittests/scans/generic/generic_custom_test_with_meta.json

@@ -0,0 +1,15 @@
+{
+    "name": "Test 1",
+    "type": "Tool 1",
+    "version": "1.0.0",
+    "description": "The contents of this report is from a tool that gathers vulnerabilities both statically and dynamically",
+    "dynamic_tool": true,
+    "static_tool": true,
+    "findings": [
+        {
+            "title": "test title",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau",
+            "severity": "Medium"
+        }
+    ]
+}