Merge pull request #823 from ThomGeG/feature/trivy-remap

Mapped Critical to Error instead of High for the TrivyParser
jenkinsci · Aug 9, 2022 · 6f84e89 · 6f84e89
2 parents 5aea564 + 5978059
commit 6f84e89
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 10 deletions.
diff --git a/SUPPORTED-FORMATS.md b/SUPPORTED-FORMATS.md
@@ -1,4 +1,4 @@
-<!--- DO NOT EDIT - Generated by ParserRegistry at 2022-07-30T14:15:11.026057-->
+<!--- DO NOT EDIT - Generated by ParserRegistry at 2022-08-04T02:09:49.538414400-->
 # Supported Report Formats
 
 The static analysis model supports the following report formats.
@@ -121,7 +121,7 @@ If your tool is supported, but some properties are missing (icon, URL, etc.), pl
                 trivy
             </td>
             <td>
-                -
+                <img src="https://github.com/aquasecurity/trivy/blob/main/docs/imgs/logo.png?raw=true" alt="Aquasec Trivy" height="64" width="64">
             </td>
             <td>
                 <a href="https://github.com/aquasecurity/trivy">
@@ -1323,10 +1323,12 @@ analyze - iccxxxxcompiler_opts cstat2.c</pre></code>For details check the IAR C-
                 owasp-dependency-check
             </td>
             <td>
-                -
+                <img src="https://raw.githubusercontent.com/jeremylong/DependencyCheck/main/src/site/resources/images/logo.svg" alt="OWASP Dependency Check" height="64" width="64">
             </td>
             <td>
-                OWASP Dependency Check
+                <a href="https://github.com/jeremylong/DependencyCheck">
+                    OWASP Dependency Check
+                </a>
             </td>
             <td>
                 **/dependency-check-report.json

diff --git a/src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java b/src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
@@ -23,7 +23,6 @@
  */
 public class TrivyParser extends JsonIssueParser {
     private static final String VALUE_NOT_SET = "-";
-    private static final String TRIVY_VULNERABILITY_LEVEL_TAG_CRITICAL = "critcal";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_HIGH = "high";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_MEDIUM = "medium";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_LOW = "low";
@@ -78,12 +77,11 @@ private Severity mapSeverity(final String string) {
         else if (TRIVY_VULNERABILITY_LEVEL_TAG_MEDIUM.equalsIgnoreCase(string)) {
             return Severity.WARNING_NORMAL;
         }
-        else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string)
-                || TRIVY_VULNERABILITY_LEVEL_TAG_CRITICAL.equalsIgnoreCase(string)) {
+        else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string)) {
             return Severity.WARNING_HIGH;
         }
         else {
-            return Severity.WARNING_HIGH;
+            return Severity.ERROR;
         }
     }
 

diff --git a/src/main/java/edu/hm/hafner/analysis/registry/OwaspDependencyCheckDescriptor.java b/src/main/java/edu/hm/hafner/analysis/registry/OwaspDependencyCheckDescriptor.java
@@ -23,4 +23,15 @@ public IssueParser createParser(final Option... options) {
     public String getPattern() {
         return "**/dependency-check-report.json";
     }
+
+    @Override
+    public String getUrl() {
+        return "https://github.com/jeremylong/DependencyCheck";
+    }
+
+    @Override
+    public String getIconUrl() {
+        return "https://raw.githubusercontent.com/jeremylong/DependencyCheck/main/src/site/resources/images/logo.svg";
+    }
+
 }
diff --git a/src/main/java/edu/hm/hafner/analysis/registry/TrivyDescriptor.java b/src/main/java/edu/hm/hafner/analysis/registry/TrivyDescriptor.java
@@ -36,4 +36,9 @@ public String getHelp() {
     public String getUrl() {
         return "https://github.com/aquasecurity/trivy";
     }
+
+    @Override
+    public String getIconUrl() {
+        return "https://github.com/aquasecurity/trivy/blob/main/docs/imgs/logo.png?raw=true";
+    }
 }
diff --git a/src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java b/src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java
@@ -50,6 +50,26 @@ void shouldHandleEmptyResultsJenkins67296() {
         assertThat(report).isEmpty();
     }
 
+    @Test
+    void shouldMapCorrectly() {
+        Report report = parse("trivy_result_0.20.0.json");
+
+        assertThat(report).hasSize(4);
+
+        assertThat(report.get(0))
+                .hasSeverity(Severity.WARNING_LOW)
+                .hasType("CVE-2017-6519");
+        assertThat(report.get(1))
+                .hasSeverity(Severity.WARNING_NORMAL)
+                .hasType("CVE-2020-8619");
+        assertThat(report.get(2))
+                .hasSeverity(Severity.WARNING_HIGH)
+                .hasType("CVE-2020-5555");
+        assertThat(report.get(3))
+                .hasSeverity(Severity.ERROR)
+                .hasType("CVE-2020-9999");
+    }
+
     @Test
     void brokenInput() {
         assertThatThrownBy(() -> parse("eclipse.txt")).isInstanceOf(ParsingException.class);

diff --git a/src/test/resources/edu/hm/hafner/analysis/parser/trivy_result_0.20.0.json b/src/test/resources/edu/hm/hafner/analysis/parser/trivy_result_0.20.0.json
@@ -147,7 +147,7 @@
           "LastModifiedDate": "2020-10-20T12:15:00Z"
         },
         {
-          "VulnerabilityID": "CVE-2020-9999",
+          "VulnerabilityID": "CVE-2020-5555",
           "PkgName": "generatedSample",
           "InstalledVersion": "32:9.11.13-6.el8_2.1",
           "FixedVersion": "32:9.11.20-5.el8",
@@ -177,4 +177,4 @@
       ]
     }
   ]
-}
+}