🐛 harden jfrog xray unified file parsing #13628

dojo/tools/jfrog_xray_unified/parser.py

@@ -104,7 +104,8 @@ def get_item(vulnerability, test):
     else:
         title = vulnerability["summary"]
 
-    references = "\n".join(vulnerability["references"])
+    references_str = vulnerability.get("references")
+    references = "\n".join(references_str) if isinstance(references_str, list) else (references_str if isinstance(references_str, str) else "")
 
     scan_time = datetime.strptime(
         vulnerability["artifact_scan_time"], "%Y-%m-%dT%H:%M:%S%z",
@@ -118,15 +119,18 @@ def get_item(vulnerability, test):
     # remove package type from component name
     component_name = component_name.split("://", 1)[1]
 
-    tags = ["packagetype_" + vulnerability["package_type"]]
+    tags = []
+    package_type = vulnerability.get("package_type")
+    if package_type:
+        tags.append("packagetype_" + package_type)
 
     # create the finding object
     finding = Finding(
         title=title,
         test=test,
         severity=severity,
         description=(
-            vulnerability["description"] + "\n\n" + extra_desc
+            vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc
         ).strip(),
         mitigation=mitigation,
         component_name=component_name,

unittests/scans/jfrog_xray_unified/issue_13628.json

@@ -0,0 +1,36 @@
+{
+	"total_rows": 123,
+	"rows": [
+		{
+			"cves": [
+				{
+					"cve": "CVE-2023-42282",
+					"cvss_v3_score": 9.8,
+					"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+				}
+			],
+			"cvss3_max_score": 9.8,
+			"severity": "Critical",
+			"component_physical_path": "ip:2.0.0",
+			"impact_path": [
+				"somepath"
+			],
+			"fixed_versions": [
+				"2.0.1",
+				"1.1.9"
+			],
+			"issue_id": "XRAY-123",
+			"project_keys": [
+				"somepath"
+			],
+			"applicability": null,
+			"applicability_result": "not_scanned",
+			"summary": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.",
+			"vulnerable_component": "npm://ip:2.0.0",
+			"impacted_artifact": "build://[some_artifact_id]",
+			"path": "somepath",
+			"published": "2024-02-09T16:30:10Z",
+			"artifact_scan_time": "2025-11-03T11:42:09Z"
+		}
+	]
+}

unittests/tools/test_jfrog_xray_unified_parser.py

@@ -345,3 +345,12 @@ def test_parse_file_with_another_report(self):
         findings = parser.get_findings(testfile, Test())
         testfile.close()
         self.assertEqual(7, len(findings))
+
+    def test_parse_file_issue_13628(self):
+        testfile = (get_unit_tests_scans_path("jfrog_xray_unified") / "issue_13628.json").open(encoding="utf-8")
+        parser = JFrogXrayUnifiedParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        self.assertEqual("Critical", findings[0].severity)
+        self.assertEqual("XRAY-123 - The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", findings[0].title)