
Introduce coverity scan parser

Open tschaepe-secuvera opened this issue 1 year ago • 1 comment

Add a parser for the Coverity SAST tool.

There is already a parser for Coverity but it covers only the JSON output from an outdated Coverity Connect endpoint (v2 is the current version).

Nevertheless it is possible to get a JSON report directly from the CLI with `coverity scan --project-dir <project_dir> --local <result_file> --local-format json`.

https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/cli/topics/commit_configuration.html#local_configuration

tschaepe-secuvera avatar May 02 '24 12:05 tschaepe-secuvera
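The issue above asks for a parser for the JSON that the Coverity CLI writes with `--local-format json`. The following is an added, stand-alone example of how such a parser can map that JSON onto DefectDojo-style findings; it is not the DefectDojo project's own parser and it is not code from the issue author. The field names it reads (`issues`, `checkerName`, `mainEventFilePathname`, `mainEventLineNumber`, `checkerProperties` with `impact`, `cweCategory`, `subcategoryShortDescription`, `subcategoryLongDescription`) are an assumption about the Coverity local JSON layout and should be checked against a real report; the impact-to-severity table and the hash key used for deduplication are likewise assumptions chosen for this example. The sample report embedded below is constructed, not real scanner output.

```python
"""Stand-alone parser for Coverity CLI local JSON output (added example).

Not DefectDojo's parser. Field names are an assumption about the Coverity
JSON issue format; verify them against a real report before relying on this.
"""
import hashlib
import json

# Assumed mapping of Coverity "impact" values onto DefectDojo-style severities.
# Anything unknown or missing is treated as "Info" rather than dropped.
IMPACT_TO_SEVERITY = {"High": "High", "Medium": "Medium", "Low": "Low", "Audit": "Info"}

# Constructed sample report (not real scanner output). Issues 0 and 2 share
# checker/file/line and differ only in function name, so they should dedupe.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {
            "checkerName": "SQLI",
            "mainEventFilePathname": "/src/app/db.py",
            "mainEventLineNumber": 42,
            "functionDisplayName": "lookup_user",
            "checkerProperties": {
                "impact": "High",
                "cweCategory": "89",
                "subcategoryShortDescription": "SQL injection",
                "subcategoryLongDescription": "Untrusted data is used to build a SQL query.",
            },
        },
        {
            "checkerName": "FORWARD_NULL",
            "mainEventFilePathname": "/src/app/util.py",
            "mainEventLineNumber": 7,
            "functionDisplayName": "normalize",
            "checkerProperties": {
                "impact": "Audit",
                "cweCategory": "none",
                "subcategoryShortDescription": "Null pointer dereference",
                "subcategoryLongDescription": "A value known to be null is dereferenced.",
            },
        },
        {
            "checkerName": "SQLI",
            "mainEventFilePathname": "/src/app/db.py",
            "mainEventLineNumber": 42,
            "functionDisplayName": "lookup_user_v2",
            "checkerProperties": {
                "impact": "High",
                "cweCategory": "89",
                "subcategoryShortDescription": "SQL injection",
                "subcategoryLongDescription": "Untrusted data is used to build a SQL query.",
            },
        },
    ]
})


def _cwe(props):
    """Return the CWE id as an int, or None when Coverity reports none."""
    raw = str(props.get("cweCategory", "")).strip()
    return int(raw) if raw.isdigit() else None


def _hash_code(checker, file_path, line):
    """Dedup key over checker + location (assumption, not DefectDojo's exact fields)."""
    key = f"{checker}|{file_path}|{line}"
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def parse_report(text):
    """Parse a Coverity local JSON report into a list of finding dicts.

    Tolerates a missing or empty "issues" list and missing optional fields.
    """
    data = json.loads(text)
    findings = []
    for issue in data.get("issues", []) or []:
        props = issue.get("checkerProperties", {}) or {}
        checker = issue.get("checkerName", "UNKNOWN")
        file_path = issue.get("mainEventFilePathname", "")
        line = issue.get("mainEventLineNumber")
        findings.append({
            "title": f"{checker}: {props.get('subcategoryShortDescription', checker)}",
            "severity": IMPACT_TO_SEVERITY.get(props.get("impact"), "Info"),
            "file_path": file_path,
            "line": line,
            "cwe": _cwe(props),
            "description": props.get("subcategoryLongDescription", ""),
            "hash_code": _hash_code(checker, file_path, line),
        })
    return findings


def dedupe(findings):
    """Collapse findings that share a hash_code, keeping the first occurrence."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding["hash_code"], finding)
    return list(seen.values())


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for f in dedupe(parsed):
        print(f["severity"], f["title"], f["file_path"], f["line"], f["cwe"])
```

Two points worth keeping when turning something like this into a real DefectDojo parser: treat an unknown or missing impact as a low-confidence finding rather than silently skipping it, and choose the dedup key deliberately, since hashing on function name as well as location would make the two SQLI entries above count as separate findings.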

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

| DryRun Security | Status | Findings |
| --- | --- | --- |
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :white_check_mark: | 0 findings |
| AppSec Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |

Note: :green_circle: Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This pull request contains a mix of changes, including documentation updates, new parser implementation, configuration updates, and unit tests. From an application security perspective, the changes are focused on improving the integration and handling of Coverity Scan results within the DefectDojo application.

The key security-relevant changes are:

  1. Coverity Scan JSON Report Documentation: The addition of documentation for the Coverity Scan JSON Report parser provides clear instructions for users on how to generate the required JSON report and integrate it into the DefectDojo workflow. This helps ensure the successful and secure integration of Coverity scan results.

  2. Coverity Scan JSON Parser Implementation: The new implementation of the Coverity Scan JSON Report parser is a valuable addition, as it allows the DefectDojo application to process and analyze the security findings from Coverity scans. The parser's focus on extracting and mapping security-relevant information is a positive security enhancement.

  3. Deduplication and Hashcode Configuration Updates: The changes to the deduplication and hashcode calculation configurations in the settings.dist.py file aim to improve the accuracy and flexibility of the vulnerability deduplication process. This can help reduce the noise in the reported findings and provide a more reliable vulnerability management experience.

  4. Unit Tests for Coverity Scan Parser: The addition of unit tests for the Coverity Scan parser helps ensure the correctness and reliability of the parser's functionality, which is crucial for maintaining the integrity of the security assessment process.

Overall, the changes in this pull request demonstrate a focus on improving the security-related functionality and integration of the DefectDojo application, particularly in the context of Coverity Scan result handling. These changes can help strengthen the application's security posture and provide users with more accurate and reliable vulnerability management capabilities.

Files Changed:

  1. docs/content/en/integrations/parsers/file/coverity_scan.md: This file introduces new documentation for the Coverity Scan JSON Report parser, providing instructions and examples for users.

  2. dojo/tools/coverity_scan/parser.py: This file contains the implementation of the Coverity Scan JSON Report parser, which extracts and processes security-relevant findings from the Coverity Scan output.

  3. dojo/settings/settings.dist.py: This file includes changes to the deduplication and hashcode calculation configurations, allowing more flexibility and accuracy in handling vulnerability findings.

  4. unittests/scans/coverity_scan/many_vulns.json, unittests/scans/coverity_scan/no_vuln.json, and unittests/scans/coverity_scan/one_vuln.json: These files contain sample Coverity Scan results used for testing the Coverity Scan parser.

  5. unittests/tools/test_coverity_scan_parser.py: This file includes unit tests for the Coverity Scan parser, ensuring the correctness and reliability of the parser's functionality.

Powered by DryRun Security

dryrunsecurity[bot] avatar May 02 '24 12:05 dryrunsecurity[bot]