diff --git a/lib/glue/mappings/snyk.json b/lib/glue/mappings/snyk.json
new file mode 100644
index 0000000..ce3cde9
--- /dev/null
+++ b/lib/glue/mappings/snyk.json
@@ -0,0 +1,16 @@
+{
+ "task_name": "Snyk",
+ "app_name": "path",
+ "mappings": [
+ {
+ "key": "vulnerabilities",
+ "properties": {
+ "description": "title",
+ "detail": "description",
+ "source": "packageName",
+ "severity": "severity",
+ "fingerprint": "id"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/spec/tasks/dynamic/dynamic_spec.rb b/spec/tasks/dynamic/dynamic_spec.rb
index 1466d8c..1913a70 100644
--- a/spec/tasks/dynamic/dynamic_spec.rb
+++ b/spec/tasks/dynamic/dynamic_spec.rb
@@ -132,8 +132,8 @@ def get_dynamic_task_buildin_mapping(report_path, mapping_name)
 end
 end
- # The tests used the report after transformed with JQ, see the documentation for more details
- context "zaproxy" do
+ # The tests used the report after transformed with JQ, see the documentation for more details
+ context "zaproxy" do
 let(:task) { get_dynamic_task_buildin_mapping "tools_samples/zaproxy.json", "zaproxy"}
 subject(:task_findings) { task.findings }
 before do
@@ -154,4 +154,26 @@ def get_dynamic_task_buildin_mapping(report_path, mapping_name)
 expect(finding.task).to eq("OWASP Zaproxy")
 end
 end
+
+ context "snyk" do
+ let(:task) { get_dynamic_task_buildin_mapping "tools_samples/snyk.json", "snyk"}
+ subject(:task_findings) { task.findings }
+ before do
+ task.run
+ end
+ it "should produce one finding" do
+ should have(2).items
+ end
+
+ it "should fill all the required fields" do
+ finding = subject[0]
+ expect(finding.severity).to eq(2)
+ expect(finding.description).to eq("Denial of Service (DoS)")
+ expect(finding.detail).to eq("description")
+ expect(finding.source).to eq("Microsoft.AspNetCore.All")
+ expect(finding.fingerprint).to eq("SNYK-DOTNET-MICROSOFTASPNETCOREALL-60258")
+ expect(finding.appname).to eq("dummy/obj")
+ expect(finding.task).to eq("Snyk")
+ end
+ end
 end
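Review bot: The mapping reduces each Snyk vulnerability to `title`, `description`, `packageName`, `severity` and `id`, so `identifiers.CVE`/`CWE`, `from` and `version` are dropped and a finding carries no reference to the vulnerable version or the dependency path it was reached through; two occurrences of the same advisory at different paths will also share the `id` fingerprint. Whether that is intended de-duplication or lost context depends on how the dynamic task consumes the mapping, which is outside this diff, but it is worth stating in the mappings documentation. `severity` is passed through as Snyk's string values ("medium", "high") while the spec asserts the numeric 2, so the conversion presumably happens in the task rather than here; documenting the expected input values next to the mapping would make that contract explicit. The file is also committed without a trailing newline.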
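Review bot: The example description `it "should produce one finding"` contradicts its assertion `should have(2).items` in the new snyk context; rename it to `it "should produce two findings" do`. `finding = subject[0]` relies on the findings order matching the fixture's `vulnerabilities` order; `subject.first` reads as intended and, if ordering is not guaranteed by the task, locating the finding by fingerprint would make the example robust. `expect(finding.detail).to eq("description")` only passes because the fixture's `description` field literally contains the string "description", so it cannot tell a correct mapping from a misrouted field; a distinctive placeholder in the fixture would make the assertion meaningful. The enclosing `describe` block starts outside the hunk.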
diff --git a/spec/tasks/dynamic/targets/tools_samples/snyk.json b/spec/tasks/dynamic/targets/tools_samples/snyk.json
new file mode 100644
index 0000000..6a3f757
--- /dev/null
+++ b/spec/tasks/dynamic/targets/tools_samples/snyk.json
@@ -0,0 +1,121 @@
+{
+ "ok": false,
+ "vulnerabilities": [
+ {
+ "title": "Denial of Service (DoS)",
+ "credit": [
+ "Unknown"
+ ],
+ "packageName": "Microsoft.AspNetCore.All",
+ "language": "dotnet",
+ "packageManager": "nuget",
+ "description": "description",
+ "identifiers": {
+ "CWE": [
+ "CWE-400"
+ ],
+ "CVE": []
+ },
+ "semver": {
+ "unaffected": "",
+ "vulnerable": "[,2.0.9), [2.1.0, 2.1.2)"
+ },
+ "patches": [],
+ "cvssScore": 6.5,
+ "severity": "medium",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+ "disclosureTime": "2018-07-18T21:00:00.000Z",
+ "publicationTime": "2018-07-26T11:23:24.744Z",
+ "modificationTime": "2018-07-25T11:23:46.125Z",
+ "creationTime": "2018-07-25T11:23:46.125Z",
+ "id": "SNYK-DOTNET-MICROSOFTASPNETCOREALL-60258",
+ "from": [
+ "Microsoft.AspNetCore.All@2.0.5"
+ ],
+ "upgradePath": [],
+ "version": "2.0.5",
+ "name": "Microsoft.AspNetCore.All",
+ "isUpgradable": false,
+ "isPatchable": false
+ },
+ {
+ "title": "Privilege Escalation",
+ "credit": [
+ "Unknown"
+ ],
+ "language": "dotnet",
+ "packageManager": "nuget",
+ "packageName": "Microsoft.AspNetCore.HttpOverrides",
+ "description": "description",
+ "semver": {
+ "vulnerable": "[,2.0.2)",
+ "unaffected": ""
+ },
+ "identifiers": {
+ "CVE": [
+ "CVE-2018-0787"
+ ],
+ "CWE": [
+ "CWE-20"
+ ]
+ },
+ "patches": [],
+ "cvssScore": 8.8,
+ "severity": "high",
+ "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+ "modificationTime": "2017-01-25T13:19:47.018Z",
+ "creationTime": "2017-01-25T13:19:47.018Z",
+ "disclosureTime": "2017-01-25T13:19:47.018Z",
+ "publicationTime": "2018-05-02T14:33:27.159Z",
+ "id": "SNYK-DOTNET-MICROSOFTASPNETCOREHTTPOVERRIDES-60238",
+ "from": [
+ "Microsoft.AspNetCore.All@2.0.5"
+ ],
+ "upgradePath": [],
+ "version": "2.0.1",
+ "name": "Microsoft.AspNetCore.HttpOverrides",
+ "isUpgradable": false,
+ "isPatchable": false
+ }
+ ],
+ "dependencyCount": 322,
+ "org": "soluto-tel-aviv",
+ "licensesPolicy": {
+ "severities": {
+ "MS-RL": "medium",
+ "EPL-1.0": "medium",
+ "GPL-2.0": "high",
+ "GPL-3.0": "high",
+ "MPL-1.1": "medium",
+ "MPL-2.0": "medium",
+ "AGPL-1.0": "high",
+ "AGPL-3.0": "high",
+ "CDDL-1.0": "medium",
+ "LGPL-2.0": "medium",
+ "LGPL-2.1": "medium",
+ "LGPL-3.0": "medium",
+ "CPOL-1.02": "high",
+ "LGPL-2.1+": "medium",
+ "LGPL-3.0+": "medium",
+ "SimPL-2.0": "high",
+ "Artistic-1.0": "medium",
+ "Artistic-2.0": "medium"
+ }
+ },
+ "isPrivate": true,
+ "packageManager": "nuget",
+ "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.12.0\nignore: {}\npatch: {}\n",
+ "ignoreSettings": {
+ "adminOnly": false,
+ "reasonRequired": true,
+ "disregardFilesystemIgnores": false
+ },
+ "summary": "88 vulnerable dependency paths",
+ "filesystemPolicy": false,
+ "filtered": {
+ "ignore": [],
+ "patch": []
+ },
+ "uniqueCount": 18,
+ "path": "dummy/obj"
+}