From 989af8b337e60263ea4222dfc289be2c8607bec1 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Wed, 5 Nov 2025 22:00:01 +0100
Subject: [PATCH 1/2] :bug: harden jfrog xray unified file parsing

---
 dojo/tools/jfrog_xray_unified/parser.py       | 10 ++++--
 .../scans/jfrog_xray_unified/issue_13628.json | 36 +++++++++++++++++++
 .../tools/test_jfrog_xray_unified_parser.py   |  9 +++++
 3 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 unittests/scans/jfrog_xray_unified/issue_13628.json

diff --git a/dojo/tools/jfrog_xray_unified/parser.py b/dojo/tools/jfrog_xray_unified/parser.py
index 83e0222ade0..8aceba5c54d 100644
--- a/dojo/tools/jfrog_xray_unified/parser.py
+++ b/dojo/tools/jfrog_xray_unified/parser.py
@@ -104,7 +104,8 @@ def get_item(vulnerability, test):
     else:
         title = vulnerability["summary"]
 
-    references = "\n".join(vulnerability["references"])
+    references_str = vulnerability.get("references")
+    references = "\n".join(references_str) if isinstance(references_str, list) else (references_str if isinstance(references_str, str) else "")
     scan_time = datetime.strptime(
         vulnerability["artifact_scan_time"],
         "%Y-%m-%dT%H:%M:%S%z",
@@ -118,7 +119,10 @@ def get_item(vulnerability, test):
         # remove package type from component name
         component_name = component_name.split("://", 1)[1]
 
-    tags = ["packagetype_" + vulnerability["package_type"]]
+    tags = []
+    package_type = vulnerability.get("package_type")
+    if package_type:
+        tags.append("packagetype_" + package_type)
 
     # create the finding object
     finding = Finding(
@@ -126,7 +130,7 @@ def get_item(vulnerability, test):
         test=test,
         severity=severity,
         description=(
-            vulnerability["description"] + "\n\n" + extra_desc
+            vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc
         ).strip(),
         mitigation=mitigation,
         component_name=component_name,
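Review bot: The new `"\n".join(references_str)` line still raises TypeError when the list holds a non-string element (a JSON null, for instance), so a report with `"references": [null, "https://..."]` would abort the whole import exactly as the old indexing did; filtering the elements, `"\n".join(r for r in references_str if isinstance(r, str))`, keeps the hardening intent. The name `references_str` also misleads, since the value is usually a list — `raw_references` would read more honestly. The enclosing `get_item` starts before this hunk.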
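Review bot: The description fallback in the third hunk, `vulnerability.get("description", vulnerability.get("summary"))`, only applies when the key is absent; a present-but-null `description` (this format does emit nulls, see `"applicability": null` in the new fixture) returns None and the following `+ "\n\n"` raises TypeError, as does a row missing both keys. `(vulnerability.get("description") or vulnerability.get("summary") or "")` covers both cases and matches the `if package_type:` truthiness check the second hunk already uses. The `Finding(` call continues past the end of this hunk.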
diff --git a/unittests/scans/jfrog_xray_unified/issue_13628.json b/unittests/scans/jfrog_xray_unified/issue_13628.json
new file mode 100644
index 00000000000..6cf5a92926a
--- /dev/null
+++ b/unittests/scans/jfrog_xray_unified/issue_13628.json
@@ -0,0 +1,36 @@
+{
+  "total_rows": 123,
+  "rows": [
+    {
+      "cves": [
+        {
+          "cve": "CVE-2023-42282",
+          "cvss_v3_score": 9.8,
+          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cvss3_max_score": 9.8,
+      "severity": "Critical",
+      "component_physical_path": "ip:2.0.0",
+      "impact_path": [
+        "somepath"
+      ],
+      "fixed_versions": [
+        "2.0.1",
+        "1.1.9"
+      ],
+      "issue_id": "XRAY-123",
+      "project_keys": [
+        "somepath"
+      ],
+      "applicability": null,
+      "applicability_result": "not_scanned",
+      "summary": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.",
+      "vulnerable_component": "npm://ip:2.0.0",
+      "impacted_artifact": "build://[some_artifact_id]",
+      "path": "somepath",
+      "published": "2024-02-09T16:30:10Z",
+      "artifact_scan_time": "2025-11-03T11:42:09Z"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/unittests/tools/test_jfrog_xray_unified_parser.py b/unittests/tools/test_jfrog_xray_unified_parser.py
index 52b673308c4..62403254451 100644
--- a/unittests/tools/test_jfrog_xray_unified_parser.py
+++ b/unittests/tools/test_jfrog_xray_unified_parser.py
@@ -345,3 +345,12 @@ def test_parse_file_with_another_report(self):
         findings = parser.get_findings(testfile, Test())
         testfile.close()
         self.assertEqual(7, len(findings))
+
+    def test_parse_file_with_another_report(self):
+        testfile = (get_unit_tests_scans_path("jfrog_xray_unified") / "issue_13628.json").open(encoding="utf-8")
+        parser = JFrogXrayUnifiedParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        self.assertEqual("Critical", findings[0].severity)
+        self.assertEqual("XRAY-123 - The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", findings[0].title)

From 94b5248ef941016a704031465831921a887c7571 Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Wed, 5 Nov 2025 22:02:25 +0100
Subject: [PATCH 2/2] fix

---
 unittests/tools/test_jfrog_xray_unified_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/unittests/tools/test_jfrog_xray_unified_parser.py b/unittests/tools/test_jfrog_xray_unified_parser.py
index 62403254451..92bc30c75ff 100644
--- a/unittests/tools/test_jfrog_xray_unified_parser.py
+++ b/unittests/tools/test_jfrog_xray_unified_parser.py
@@ -346,7 +346,7 @@ def test_parse_file_with_another_report(self):
         testfile.close()
         self.assertEqual(7, len(findings))
 
-    def test_parse_file_with_another_report(self):
+    def test_parse_file_issue_13628(self):
         testfile = (get_unit_tests_scans_path("jfrog_xray_unified") / "issue_13628.json").open(encoding="utf-8")
         parser = JFrogXrayUnifiedParser()
         findings = parser.get_findings(testfile, Test())
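Review bot: The new test asserts only `severity` and `title`, neither of which exercises the parser hardening it was written for — issue_13628.json has no `description`, `references` or `package_type` key, so a regression in those fallbacks would still pass. Pinning the summary fallback with `self.assertTrue(findings[0].description.startswith("The ip package before 1.1.9"))` would make the test fail for the right reason. As a minor point, `testfile.close()` is skipped if `get_findings` raises; the sibling test above has the same shape, so this follows file convention. The enclosing test class starts before this hunk.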