DefectDojo
diff --git a/‎dojo/fixtures/test_type.json‎
Lines changed: 7 additions & 0 deletions b/‎dojo/fixtures/test_type.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎dojo/forms.py‎
Lines changed: 2 additions & 1 deletion b/‎dojo/forms.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎dojo/templates/dojo/import_scan_results.html‎
Lines changed: 3 additions & 2 deletions b/‎dojo/templates/dojo/import_scan_results.html‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎dojo/tools/factory.py‎
Lines changed: 3 additions & 0 deletions b/‎dojo/tools/factory.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎dojo/tools/sonatype/__init__.py‎ b/‎dojo/tools/sonatype/__init__.py‎
diff --git a/‎dojo/tools/sonatype/parser.py‎
Lines changed: 134 additions & 0 deletions b/‎dojo/tools/sonatype/parser.py‎
Lines changed: 134 additions & 0 deletions
@@ -312,5 +312,12 @@
     },
     "model": "dojo.test_type",
     "pk": 52
+  },
+  {
+    "fields": {
+      "name": "Sonatype Application Scan"
+    },
+    "model": "dojo.test_type",
+    "pk": 53
   }
 ]
@@ -293,7 +293,8 @@ class ImportScanForm(forms.Form):
                          ("Bundler-Audit Scan", "Bundler-Audit Scan"),
                          ("Twistlock Image Scan", "Twistlock Image Scan"),
                          ("Kiuwan Scan", "Kiuwan Scan"),
-                         ("Blackduck Hub Scan", "Blackduck Hub Scan"))
+                         ("Blackduck Hub Scan", "Blackduck Hub Scan"),
+                         ("Sonatype Application Scan", "Sonatype Application Scan"))
 
     SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
 
 
@@ -26,6 +26,7 @@ <h3> Add Tests</h3>
 
 	<p>DefectDojo accepts:</p>
     <ul>
+	<li><b>Acunetix Scanner</b> - XML format.</li>
 	<li><b>Anchore-Engine</b> - Anchore-CLI JSON vulnerability report format.</li>
 	<li><b>AWS Scout2 Scanner</b> - JS file in scout2-report/inc-awsconfig/aws_config.js.</li>
 	<li><b>AWS Prowler Scanner</b> - Prowler file can be imported as a CSV file (-M csv).</li>
@@ -46,6 +47,7 @@ <h3> Add Tests</h3>
 	<li><b>Dependency Check</b> - OWASP Dependency Check output can be imported in Xml format.</li>
 	<li><b>Generic Findings Import</b> - Import Generic findings in CSV format.</li>
 	<li><b>Gosec Scanner </b> - Import Gosec Scanner findings in JSON format.</li>
+	<li><b>Kiuwan Scanner</b> - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.</li>
 	<li><b>MobSF Scanner </b> - Export a JSON file using the API, api/v1/report_json.</li>
 	<li><b>Nessus (Tenable)</b> - Reports can be imported as CSV or .nessus (XML) report formats.</li>
 	<li><b>Netsparker Scanner</b> - Netsparker JSON format.</li>
@@ -64,6 +66,7 @@ <h3> Add Tests</h3>
 	<li><b>SKF Scan</b> - Output of SKF Sprint summary export.</li>
 	<li><b>Snyk</b> - Snyk output file (snyk test --json > snyk.json) can be imported in JSON format.</li>
 	<!----<li><b>SonarQube</b> - SonarQube output file can be imported in HTML format.</li>-->
+	<li><b>Sonatype Application Scan</b> - Can be imported in JSON format</li>
 	<li><b>SpotBugs</b> - XML report of textui cli.</li>
 	<li><b>SSL Labs</b> - JSON Output of ssllabs-scan cli.</li>
 	<li><b>Trufflehog</b> - JSON Output of Trufflehog.</li>
@@ -72,8 +75,6 @@ <h3> Add Tests</h3>
 	<li><b>Visual Code Grepper (VCG)</b> - VCG output can be imported in CSV or Xml formats.</li>
 	<li><b>Veracode Detailed XML Report</b></li>
 	<li><b>Zed Attack Proxy</b> - ZAP XML report format.</li>
-	<li><b>Acunetix Scanner</b> - XML format.</li>
-	<li><b>Kiuwan Scanner</b> - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.</li>
 
     </ul>
 
 
@@ -46,6 +46,7 @@
 from dojo.tools.twistlock.parser import TwistlockParser
 from dojo.tools.kiuwan.parser import KiuwanCSVParser
 from dojo.tools.blackduck.parser import BlackduckHubCSVParser
+from dojo.tools.sonatype.parser import SonatypeJSONParser
 
 __author__ = 'Jay Paz'
 
@@ -153,6 +154,8 @@ def import_parser_factory(file, test, scan_type=None):
         parser = KiuwanCSVParser(file, test)
     elif scan_type == 'Blackduck Hub Scan':
         parser = BlackduckHubCSVParser(file, test)
+    elif scan_type == 'Sonatype Application Scan':
+        parser = SonatypeJSONParser(file, test)
     else:
         raise ValueError('Unknown Test Type')
 
 
@@ -0,0 +1,134 @@
+""" Surely a fragile parser, but gets things started and will evolve over time I guess.
+It seems that a lot of the json data does not have any securityData data
+So these are just skipped, since there is nothing much to do with them here
+"""
+import json
+from dojo.models import Finding
+
+
+class SonatypeJSONParser(object):
+    # This parser does not deal with licenses information.
+    def __init__(self, json_output, test):
+        tree = self.parse_json(json_output)
+
+        if tree:
+            self.items = [data for data in self.get_items(tree, test)]
+        else:
+            self.items = []
+
+    def parse_json(self, json_output):
+        try:
+            tree = json.load(json_output)
+        except:
+            raise Exception("Invalid format")
+
+        return tree
+
+    def get_items(self, tree, test):
+        items = {}
+        if 'components' in tree:
+            vulnerability_tree = tree['components']
+
+            for node in vulnerability_tree:
+                item = get_item(node, test)
+                if item is None:
+                    continue
+                # TODO
+                unique_key = node['hash']
+                items[unique_key] = item
+
+        return items.values()
+
+
+def get_item(vulnerability, test):
+    # Following the CVSS Scoring per https://nvd.nist.gov/vuln-metrics/cvss
+    if vulnerability['securityData'] is not None and len(vulnerability['securityData']['securityIssues']) >= 1:
+        # there can be nothing in the array, or securityData can be null altogether. If the latter, well, nothing much to do?
+        # issues is an array, and there can be 2+ of them, e.g. a cve and a sonatype entry or two cves
+        # Given the current Finding class, if a cve, will be the main. If not a cve, then CVE ref will remain null due to regex.
+        # Others go to references.
+        main_finding = vulnerability['securityData']['securityIssues'][0]
+
+        if main_finding.get("source") == "cve":
+            cve = main_finding.get("reference")
+        else:
+            # if sonatype of else, will not match Finding model today
+            cve = ""
+
+        if main_finding['severity'] <= 3.9:
+            severity = "Low"
+        elif main_finding['severity'] > 4.0 and main_finding['severity'] <= 6.9:
+            severity = "Medium"
+        elif main_finding['severity'] and main_finding['severity'] <= 8.9:
+            severity = "High"
+        else:
+            severity = "Critical"
+
+        references = []
+        if len(vulnerability['securityData']['securityIssues']) > 1:
+            for additional_issue in vulnerability['securityData']['securityIssues']:
+                references.append("{}, {}, {}, {}, {} ".format(
+                    additional_issue.get("reference"),
+                    additional_issue.get("status"),
+                    additional_issue.get("severity"),
+                    additional_issue.get("threatCategory"),
+                    additional_issue.get("url"))
+                )
+
+        component_id = ''
+        if 'componentIdentifier' in vulnerability:
+            if vulnerability['componentIdentifier']['format'] == "maven":
+                component_id = "{} {} {}".format(
+                    vulnerability['componentIdentifier']['coordinates']['artifactId'],
+                    vulnerability['componentIdentifier']['coordinates']['groupId'],
+                    vulnerability['componentIdentifier']['coordinates']['version']
+                )
+            elif vulnerability['componentIdentifier']['format'] == "a-name":
+                component_id = "{} {} {}".format(
+                    vulnerability['componentIdentifier']['coordinates']['name'],
+                    vulnerability['componentIdentifier']['coordinates']['qualifier'],
+                    vulnerability['componentIdentifier']['coordinates']['version']
+                )
+
+        finding_title = "{} - {}".format(
+            main_finding['reference'],
+            component_id
+        )
+
+        finding_description = "Hash {}\n\n".format(vulnerability['hash'])
+        finding_description += component_id
+        finding_description += "\n\nPlease check the CVE details for a detailed description. If a sonatype issue, you're out of luck."
+        threat_category = main_finding.get("threatCategory", "CVSS vector not provided. ").title()
+        status = main_finding['status']
+        score = main_finding.get('severity', "No CVSS score yet.")
+        if 'pathnames' in vulnerability:
+            file_path = ' '.join(vulnerability['pathnames'])
+        else:
+            file_path = ''
+
+        # create the finding object
+        finding = Finding(
+            title=finding_title,
+            cve=cve,
+            test=test,
+            severity=severity,
+            numerical_severity=Finding.get_numerical_severity(severity),
+            description=finding_description,
+            mitigation=status,
+            references="{}\n{}\n".format(main_finding['url'], "\n".join(references)),
+            active=False,
+            verified=False,
+            false_p=False,
+            duplicate=False,
+            out_of_scope=False,
+            mitigated=None,
+            file_path=file_path,
+            impact=threat_category,
+            static_finding=True
+        )
+
+        finding.description = finding.description.strip()
+
+        return finding
+    else:
+        return None
Original file line number	Diff line number	Diff line change
`@@ -312,5 +312,12 @@`
`312`	`312`	`},`
`313`	`313`	`"model": "dojo.test_type",`
`314`	`314`	`"pk": 52`
	`315`	`+ },`
	`316`	`+ {`
	`317`	`+ "fields": {`
	`318`	`+ "name": "Sonatype Application Scan"`
	`319`	`+ },`
	`320`	`+ "model": "dojo.test_type",`
	`321`	`+ "pk": 53`
`315`	`322`	`}`
`316`	`323`	`]`