Class: HeimdallTools::SnykMapper

Inherits:
Object
Defined in:
lib/heimdall_tools/snyk_mapper.rb


Constructor Details

#initialize(synk_json, _name = nil) ⇒ SnykMapper

Returns a new instance of SnykMapper.


# File 'lib/heimdall_tools/snyk_mapper.rb', line 32

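# Builds a mapper from raw Snyk JSON output.
#
# @param synk_json [String] raw Snyk scan output, either a single project
#   object or an array of project objects
# @param _name [String, nil] unused
# @raise [RuntimeError] when the CWE-to-NIST mapping file cannot be loaded, or
#   when the Snyk JSON cannot be parsed
def initialize(synk_json, _name = nil)
  @synk_json = synk_json

  # Load the CWE -> NIST lookup table under its own rescue so a missing or
  # malformed mapping file is not misreported as an invalid Snyk JSON file.
  begin
    @cwe_nist_mapping = parse_mapper
  rescue StandardError => e
    raise "Unable to load CWE to NIST mapping Exception: #{e}"
  end

  begin
    @projects = JSON.parse(synk_json)
  rescue StandardError => e
    raise "Invalid Snyk JSON file provided Exception: #{e}"
  end

  # Cover single and multi-project scan use cases.
  @projects = [@projects] unless @projects.is_a?(Array)
end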

Instance Method Details

#collapse_duplicates(controls) ⇒ Object

A Snyk report can contain multiple vulnerability entries for separate findings of the same issue type, with identical metadata across those entries. collapse_duplicates returns the unique controls, with the applicable findings collapsed into each one.


# File 'lib/heimdall_tools/snyk_mapper.rb', line 106

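# A Snyk report can carry several vulnerability entries for the same issue
# (same 'id', identical metadata) that differ only in their findings. This
# returns one control per id, in first-seen order, with the 'results' of every
# entry sharing that id merged into it.
#
# @param controls [Array<Hash>] controls with String keys 'id' and 'results'
# @return [Array<Hash>] unique controls; the first control seen for each id is
#   reused (and its 'results' overwritten) as the merged control
def collapse_duplicates(controls)
  # group_by keeps first-occurrence order of ids, so output order matches the
  # original per-id select/find scans while doing a single pass over controls.
  controls.group_by { |control| control['id'] }.map do |_id, group|
    merged = group.first
    merged['results'] = group.map { |control| control['results'] }.flatten
    merged
  end
end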

#desc_tags(data, label) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 99

# Builds an HDF description entry, substituting NA_STRING for a missing data
# value or label.
#
# @param data [String, nil] description text
# @param label [String, nil] description label
# @return [Hash] { data:, label: } with nil (or false) values replaced by NA_STRING
def desc_tags(data, label)
  entry = { data: data, label: label }
  entry.transform_values { |value| value || NA_STRING }
end

#extract_scaninfo(project) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 48

# Pulls the project-level scan metadata used for the HDF profile header.
#
# @param project [Hash] one parsed Snyk project
# @return [Hash] String-keyed 'policy', 'version' (the SNYK_VERSION_REGEX
#   matches found in the policy text, joined), 'projectName' and 'summary'
# @raise [RuntimeError] wrapping any error raised while reading the project
def extract_scaninfo(project)
  policy = project['policy']
  version_regex = Regexp.new(SNYK_VERSION_REGEX, Regexp::IGNORECASE)
  {
    'policy' => policy,
    'version' => policy.scan(version_regex).join,
    'projectName' => project['projectName'],
    'summary' => project['summary']
  }
rescue StandardError => e
  raise "Error extracting project info from Synk JSON file provided Exception: #{e}"
end

#finding(vulnerability) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 63

# Builds the single HDF result entry for a vulnerability.
#
# @param vulnerability [Hash] one Snyk vulnerability; its 'from' array is
#   rendered into the result's code description
# @return [Array<Hash>] one-element array holding the 'failed' result
def finding(vulnerability)
  from_path = vulnerability['from'].join(' , ')
  result = {
    'status' => 'failed',
    'code_desc' => "From : [ #{from_path} ]",
    'run_time' => NA_FLOAT,
    # Snyk output carries no scan timestamp; the HDF placeholder is used instead.
    'start_time' => NA_STRING
  }
  [result]
end

#impact(severity) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 87

# Maps a Snyk severity string to its HDF impact value.
#
# @param severity [String] Snyk severity, looked up as a Symbol in IMPACT_MAPPING
# @return [Object] whatever IMPACT_MAPPING holds for that key
def impact(severity)
  severity_key = severity.to_sym
  IMPACT_MAPPING[severity_key]
end

#nist_tag(cweid) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 74

# Looks up NIST tags for a set of CWE ids in the loaded CWE-to-NIST table.
#
# @param cweid [Array<String>] CWE id numbers (as produced by parse_identifiers)
# @return [Array] unique NIST ids of the matching rows, or DEFAULT_NIST_TAG
#   when no row matches
def nist_tag(cweid)
  # Rows are compared on a stringified :cweid (the CSV loader may have
  # converted it to a number); rows without a :nistid are ignored.
  matching_rows = @cwe_nist_mapping.select do |row|
    cweid.include?(row[:cweid].to_s) && !row[:nistid].nil?
  end
  nist_ids = matching_rows.map { |row| row[:nistid] }.flatten.uniq
  matching_rows.empty? ? DEFAULT_NIST_TAG : nist_ids
end

#parse_identifiers(vulnerability, ref) ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 80

# Extracts the numeric part of each identifier of a given reference type,
# e.g. 'CWE-297' under ref 'CWE' yields '297'.
#
# @param vulnerability [Hash] one Snyk vulnerability with an 'identifiers' hash
# @param ref [String] identifier family key, such as 'CWE', 'CVE' or 'GHSA'
# @return [Array<String>] id numbers; empty when the identifiers are missing or
#   unreadable (any StandardError is swallowed as best-effort)
def parse_identifiers(vulnerability, ref)
  prefix = "#{ref}-"
  identifiers = vulnerability['identifiers'][ref]
  identifiers.map { |identifier| identifier.split(prefix)[1] }
rescue StandardError
  []
end

#parse_mapper ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 91

# Loads the CWE-to-NIST mapping CSV into an array of row hashes keyed by the
# symbolized column headers.
#
# @return [Array<Hash{Symbol => Object}>] one hash per CSV row; with
#   converters: :all, numeric cells arrive as numbers rather than strings
def parse_mapper
  csv_options = {
    encoding: 'UTF-8',
    headers: true,
    header_converters: :symbol,
    converters: :all
  }
  CSV.read(CWE_NIST_MAPPING_FILE, **csv_options).map(&:to_hash)
end

#to_hdf ⇒ Object


# File 'lib/heimdall_tools/snyk_mapper.rb', line 118

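# Converts every loaded Snyk project into HDF.
#
# Each project's vulnerabilities become controls (entries sharing an id are
# collapsed into one control), which are wrapped in a HeimdallDataFormat
# profile built from the project's scan info.
#
# @return [Hash{String => Object}] HDF output per project, keyed by the
#   project's 'projectName' as returned by extract_scaninfo
def to_hdf
  project_results = {}
  @projects.each do |project|
    controls = project['vulnerabilities'].map do |vulnerability|
      printf("\rProcessing: %s", $spinner.next)
      build_control(vulnerability)
    end
    controls = collapse_duplicates(controls)

    scaninfo = extract_scaninfo(project)
    results = HeimdallDataFormat.new(profile_name: scaninfo['policy'],
                                     version: scaninfo['version'],
                                     title: "Snyk Project: #{scaninfo['projectName']}",
                                     summary: "Snyk Summary: #{scaninfo['summary']}",
                                     controls: controls,
                                     target_id: scaninfo['projectName'])
    # Projects that share a projectName overwrite each other here; last one wins.
    project_results[scaninfo['projectName']] = results.to_hdf
  end
  project_results
end

# Builds one HDF control from a single Snyk vulnerability entry.
#
# @param vulnerability [Hash] one entry from a project's 'vulnerabilities'
# @return [Hash] String-keyed control in the layout consumed by HeimdallDataFormat
def build_control(vulnerability)
  # The CWE ids feed both the 'cweid' tag and the NIST lookup, so parse them once.
  cwe_ids = parse_identifiers(vulnerability, 'CWE')
  {
    'tags' => {
      'nist' => nist_tag(cwe_ids),
      'cweid' => cwe_ids,
      'cveid' => parse_identifiers(vulnerability, 'CVE'),
      'ghsaid' => parse_identifiers(vulnerability, 'GHSA')
    },
    'descriptions' => NA_ARRAY,
    'refs' => NA_ARRAY,
    'source_location' => NA_HASH,
    'title' => vulnerability['title'].to_s,
    'id' => vulnerability['id'].to_s,
    'desc' => vulnerability['description'].to_s,
    'impact' => impact(vulnerability['severity']),
    'code' => '',
    'results' => finding(vulnerability)
  }
end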