OpenReports: Add Dedup and non-CVE support

Author: mfyll

dojo/settings/settings.dist.py

@@ -1395,6 +1395,7 @@ def saml2_attrib_map_format(din):
     "Cycognito Scan": ["title", "severity"],
     "OpenVAS Parser v2": ["title", "severity", "vuln_id_from_tool", "endpoints"],
     "Snyk Issue API Scan": ["vuln_id_from_tool", "file_path"],
+    "OpenReports": ["vulnerability_ids", "component_name", "component_version", "severity"],
 }
 
 # Override the hardcoded settings here via the env var
@@ -1467,6 +1468,7 @@ def saml2_attrib_map_format(din):
     "AWS Inspector2 Scan": True,
     "Cyberwatch scan (Galeax)": True,
     "OpenVAS Parser v2": True,
+    "OpenReports": True,
 }
 
 # List of fields that are known to be usable in hash_code computation)
@@ -1657,6 +1659,7 @@ def saml2_attrib_map_format(din):
     "Cyberwatch scan (Galeax)": DEDUPE_ALGO_HASH_CODE,
     "OpenVAS Parser v2": DEDUPE_ALGO_HASH_CODE,
     "Snyk Issue API Scan": DEDUPE_ALGO_HASH_CODE,
+    "OpenReports": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
 }
 
 # Override the hardcoded settings here via the env var

dojo/tools/openreports/parser.py

@@ -31,13 +31,13 @@
 
 class OpenreportsParser:
     def get_scan_types(self):
-        return ["OpenReports Scan"]
+        return ["OpenReports"]
 
     def get_label_for_scan_types(self, scan_type):
-        return "OpenReports Scan"
+        return "OpenReports"
 
     def get_description_for_scan_types(self, scan_type):
-        return "Import OpenReports JSON scan report."
+        return "Import OpenReports JSON report."
 
     def get_findings(self, scan_file, test):
         scan_data = scan_file.read()
@@ -79,6 +79,7 @@ def _parse_report(self, test, report):
         metadata = report.get("metadata", {})
         report_name = metadata.get("name", "")
         namespace = metadata.get("namespace", "")
+        report_uid = metadata.get("uid", "")
 
         # Extract scope information
         scope = report.get("scope", {})
@@ -95,13 +96,13 @@ def _parse_report(self, test, report):
             if not isinstance(result, dict):
                 continue
 
-            finding = self._create_finding_from_result(test, result, service_name, report_name)
+            finding = self._create_finding_from_result(test, result, service_name, report_name, report_uid)
             if finding:
                 findings.append(finding)
 
         return findings
 
-    def _create_finding_from_result(self, test, result, service_name, report_name):
+    def _create_finding_from_result(self, test, result, service_name, report_name, report_uid):
         try:
             # Extract basic fields
             message = result.get("message", "")
@@ -175,8 +176,15 @@ def _create_finding_from_result(self, test, result, service_name, report_name):
             # Add vulnerability ID if it's a CVE
             if policy.startswith("CVE-"):
                 finding.unsaved_vulnerability_ids = [policy]
-            else:
-                return finding
+
+            # Create unique_id_from_tool for deduplication
+            # Use the report UID if available (from metadata.uid), otherwise fall back to service_name
+            # Format: report_uid:policy:package_name (preferred) or policy:package_name:service_name (fallback)
+            # This uses the stable UID from the OpenReports API that won't change on reimport
+            unique_id_components = [report_uid, policy, pkg_name] if report_uid else [policy, pkg_name, service_name]
+            finding.unique_id_from_tool = ":".join(unique_id_components)
+
+            return finding  # noqa: TRY300 - This is intentional
 
         except KeyError as exc:
             logger.warning("Failed to parse OpenReports result due to missing key: %r", exc)

unittests/scans/openreports/openreports_list_format.json

@@ -91,6 +91,20 @@
                     "result": "fail",
                     "severity": "high",
                     "source": "image-scanner"
+                },
+                {
+                    "category": "configuration scan",
+                    "message": "Container running as root user",
+                    "policy": "SECURITY-001",
+                    "properties": {
+                        "fixedVersion": "",
+                        "installedVersion": "latest",
+                        "pkgName": "container-config",
+                        "primaryURL": "https://security.example.com/policies/SECURITY-001"
+                    },
+                    "result": "warn",
+                    "severity": "medium",
+                    "source": "policy-scanner"
                 }
             ],
             "scope": {
@@ -102,7 +116,7 @@
             "summary": {
                 "fail": 1,
                 "skip": 0,
-                "warn": 0
+                "warn": 1
             }
         }
     ],

unittests/scans/openreports/openreports_single_report.json

@@ -50,6 +50,20 @@
             "result": "fail",
             "severity": "high",
             "source": "image-scanner"
+        },
+        {
+            "category": "compliance check",
+            "message": "Missing security headers in HTTP response",
+            "policy": "CIS-BENCH-001",
+            "properties": {
+                "fixedVersion": "Configure proper security headers",
+                "installedVersion": "N/A",
+                "pkgName": "web-server",
+                "primaryURL": "https://www.cisecurity.org/benchmark/docker"
+            },
+            "result": "fail",
+            "severity": "low",
+            "source": "compliance-scanner"
         }
     ],
     "scope": {
@@ -59,7 +73,7 @@
         "uid": "d0cbd625-d495-415e-bf39-b4e3c4f4366e"
     },
     "summary": {
-        "fail": 1,
+        "fail": 2,
         "skip": 0,
         "warn": 1
     }

unittests/tools/test_openreports_parser.py

@@ -8,7 +8,6 @@ def sample_path(file_name):
 
 
 class TestOpenreportsParser(DojoTestCase):
-
     def test_no_results(self):
         with sample_path("openreports_no_results.json").open(encoding="utf-8") as test_file:
             parser = OpenreportsParser()
@@ -19,7 +18,7 @@ def test_single_report(self):
         with sample_path("openreports_single_report.json").open(encoding="utf-8") as test_file:
             parser = OpenreportsParser()
             findings = parser.get_findings(test_file, Test())
-            self.assertEqual(len(findings), 2)
+            self.assertEqual(len(findings), 3)
 
             # Test first finding (warn/low severity)
             finding1 = findings[0]
@@ -35,6 +34,9 @@ def test_single_report(self):
             self.assertTrue(finding1.fix_available)
             self.assertEqual(1, len(finding1.unsaved_vulnerability_ids))
             self.assertEqual("CVE-2025-9232", finding1.unsaved_vulnerability_ids[0])
+            self.assertEqual(
+                "b1fcca57-2efd-44d3-89e9-949e29b61936:CVE-2025-9232:libcrypto3", finding1.unique_id_from_tool
+            )
             self.assertIn("vulnerability scan", finding1.tags)
             self.assertIn("image-scanner", finding1.tags)
             self.assertIn("Deployment", finding1.tags)
@@ -53,31 +55,61 @@ def test_single_report(self):
             self.assertTrue(finding2.fix_available)
             self.assertEqual(1, len(finding2.unsaved_vulnerability_ids))
             self.assertEqual("CVE-2025-47907", finding2.unsaved_vulnerability_ids[0])
+            self.assertEqual("b1fcca57-2efd-44d3-89e9-949e29b61936:CVE-2025-47907:stdlib", finding2.unique_id_from_tool)
+
+            # Test third finding (non-CVE policy, fail/low severity)
+            finding3 = findings[2]
+            self.assertEqual("CIS-BENCH-001: Missing security headers in HTTP response", finding3.title)
+            self.assertEqual("Low", finding3.severity)
+            self.assertEqual("web-server", finding3.component_name)
+            self.assertEqual("N/A", finding3.component_version)
+            self.assertEqual("Upgrade to version: Configure proper security headers", finding3.mitigation)
+            self.assertEqual("https://www.cisecurity.org/benchmark/docker", finding3.references)
+            self.assertEqual("test/Deployment/test-app", finding3.service)
+            self.assertTrue(finding3.active)
+            self.assertTrue(finding3.verified)
+            self.assertTrue(finding3.fix_available)
+            # Non-CVE policies should not have vulnerability IDs
+            self.assertIsNone(finding3.unsaved_vulnerability_ids)
+            self.assertEqual(
+                "b1fcca57-2efd-44d3-89e9-949e29b61936:CIS-BENCH-001:web-server", finding3.unique_id_from_tool
+            )
+            self.assertIn("compliance check", finding3.tags)
+            self.assertIn("compliance-scanner", finding3.tags)
+            self.assertIn("Deployment", finding3.tags)
 
     def test_list_format(self):
         with sample_path("openreports_list_format.json").open(encoding="utf-8") as test_file:
             parser = OpenreportsParser()
             findings = parser.get_findings(test_file, Test())
-            self.assertEqual(len(findings), 2)
+            self.assertEqual(len(findings), 3)
 
             # Verify findings from different reports have different services
             services = {finding.service for finding in findings}
             self.assertEqual(len(services), 2)
             self.assertIn("test/Deployment/app1", services)
             self.assertIn("test/Deployment/app2", services)
 
-            # Verify CVE IDs
-            cve_ids = [finding.unsaved_vulnerability_ids[0] for finding in findings]
+            # Verify CVE IDs - only findings with CVE policies should have vulnerability IDs
+            cve_findings = [finding for finding in findings if finding.unsaved_vulnerability_ids]
+            self.assertEqual(len(cve_findings), 2)
+            cve_ids = [finding.unsaved_vulnerability_ids[0] for finding in cve_findings]
             self.assertIn("CVE-2025-9232", cve_ids)
             self.assertIn("CVE-2025-47907", cve_ids)
 
+            # Verify there's at least one non-CVE finding
+            non_cve_findings = [finding for finding in findings if not finding.unsaved_vulnerability_ids]
+            self.assertEqual(len(non_cve_findings), 1)
+            non_cve_finding = non_cve_findings[0]
+            self.assertEqual("SECURITY-001: Container running as root user", non_cve_finding.title)
+
     def test_parser_metadata(self):
         parser = OpenreportsParser()
         scan_types = parser.get_scan_types()
-        self.assertEqual(["OpenReports Scan"], scan_types)
+        self.assertEqual(["OpenReports"], scan_types)
 
-        label = parser.get_label_for_scan_types("OpenReports Scan")
-        self.assertEqual("OpenReports Scan", label)
+        label = parser.get_label_for_scan_types("OpenReports")
+        self.assertEqual("OpenReports", label)
 
-        description = parser.get_description_for_scan_types("OpenReports Scan")
-        self.assertEqual("Import OpenReports JSON scan report.", description)
+        description = parser.get_description_for_scan_types("OpenReports")
+        self.assertEqual("Import OpenReports JSON report.", description)