jenkinsci · uhafner · Jul 30, 2023 · Jul 26, 2023 · Jul 26, 2023 · Jul 26, 2023
diff --git a/SUPPORTED-FORMATS.md b/SUPPORTED-FORMATS.md
@@ -1,4 +1,4 @@
-<!--- DO NOT EDIT -- Generated at 2023-07-20T18:42:19.715720048 - Run the `main` method of `ParserRegistry` to regenerate after changing parsers -- DO NOT EDIT --->
+<!--- DO NOT EDIT -- Generated at 2023-07-26T22:22:13.878391 - Run the `main` method of `ParserRegistry` to regenerate after changing parsers -- DO NOT EDIT --->
 # Supported Report Formats
 
 The static analysis model supports the following report formats.
@@ -938,6 +938,22 @@ If your tool is supported, but some properties are missing (icon, URL, etc.), pl
                 -
             </td>
         </tr>
+        <tr>
+            <td>
+                grypescanner
+            </td>
+            <td>
+                <img src="https://user-images.githubusercontent.com/5199289/136855393-d0a9eef9-ccf1-4e2b-9d7c-7aad16a567e5.png" alt="Grype scanner" height="64" width="64">
+            </td>
+            <td>
+                <a href="https://github.com/anchore/grype">
+                    Grype scanner
+                </a>
+            </td>
+            <td>
+                **/grype-report.json
+            </td>
+        </tr>
         <tr>
             <td>
                 hadolint

diff --git a/src/main/java/edu/hm/hafner/analysis/Severity.java b/src/main/java/edu/hm/hafner/analysis/Severity.java
@@ -98,12 +98,15 @@ public static Severity guessFromString(@CheckForNull final String severity) {
         if (StringUtils.containsAnyIgnoreCase(severity, "error", "severe", "critical", "fatal")) {
             return Severity.ERROR;
         }
-        if (StringUtils.containsAnyIgnoreCase(severity, "info", "note")) {
+        if (StringUtils.containsAnyIgnoreCase(severity, "info", "note", "low")) {
             return Severity.WARNING_LOW;
         }
-        if (StringUtils.containsIgnoreCase(severity, "warning")) {
+        if (StringUtils.containsAnyIgnoreCase(severity, "warning", "medium")) {
             return Severity.WARNING_NORMAL;
         }
+        if (StringUtils.containsIgnoreCase(severity, "high")) {
+            return Severity.WARNING_HIGH;
+        }
         return Severity.WARNING_LOW;
     }
 

diff --git a/src/main/java/edu/hm/hafner/analysis/parser/GrypeParser.java b/src/main/java/edu/hm/hafner/analysis/parser/GrypeParser.java
@@ -0,0 +1,60 @@
+package edu.hm.hafner.analysis.parser;
+
+import static j2html.TagCreator.a;
+import static j2html.TagCreator.p;
+
+import org.json.JSONArray;
+import org.json.JSONObject;
+
+import edu.hm.hafner.analysis.Issue;
+import edu.hm.hafner.analysis.IssueBuilder;
+import edu.hm.hafner.analysis.Report;
+import edu.hm.hafner.analysis.Severity;
+
+/**
+ * JSON report parser for grype (https://plugins.jenkins.io/grypescanner/ /
+ * https://github.com/anchore/grype).
+ */
+public class GrypeParser extends JsonIssueParser {
+    private static final long serialVersionUID = -1369431674771459756L;
+
+    private static final String MATCHES_TAG = "matches";
+    private static final String VULNERABILIY_TAG = "vulnerability";
+    private static final String ARTIFACT_TAG = "artifact";
+    private static final String LOCATIONS_TAG = "locations";
+    private static final String PATH_TAG = "path";
+    private static final String DATA_SOURCE_TAG = "dataSource";
+    private static final String SEVERITY_TAG = "severity";
+    private static final String ID_TAG = "id";
+    private static final String DESCRIPTION_TAG = "description";
+
+    @Override
+    protected void parseJsonObject(final Report report, final JSONObject jsonReport, final IssueBuilder issueBuilder) {
+        final JSONArray matches = jsonReport.getJSONArray(MATCHES_TAG);
+        for (int i = 0; i < matches.length(); i++) {
+            final JSONObject match = matches.getJSONObject(i);
+            if (match.has(VULNERABILIY_TAG)) {
+                Issue issue = getIssue(issueBuilder, match);
+                report.add(issue);
+            }
+        }
+    }
+
+    private Issue getIssue(final IssueBuilder issueBuilder, final JSONObject match) {
+        JSONObject vuln = match.getJSONObject(VULNERABILIY_TAG);
+        String fileName = match.getJSONObject(ARTIFACT_TAG).getJSONArray(LOCATIONS_TAG).getJSONObject(0)
+                .getString(PATH_TAG);
+
+        return issueBuilder.setFileName(fileName)
+                .setCategory(vuln.getString(SEVERITY_TAG))
+                .setSeverity(Severity.guessFromString(vuln.getString(SEVERITY_TAG)))
+                .setType(vuln.getString(ID_TAG))
+                .setMessage(vuln.getString(DESCRIPTION_TAG))
+                .setOriginName("Grype")
+                .setPathName(fileName)
+                .setDescription(p().with(a()
+                        .withHref(vuln.getString(DATA_SOURCE_TAG))
+                        .withText(vuln.getString(DATA_SOURCE_TAG))).render())
+                .build();
+    }
+}
diff --git a/src/main/java/edu/hm/hafner/analysis/registry/GrypeDescriptor.java b/src/main/java/edu/hm/hafner/analysis/registry/GrypeDescriptor.java
@@ -0,0 +1,37 @@
+package edu.hm.hafner.analysis.registry;
+
+import edu.hm.hafner.analysis.IssueParser;
+import edu.hm.hafner.analysis.parser.GrypeParser;
+
+/**
+ * Descriptor for Grype report parser.
+ */
+public class GrypeDescriptor extends ParserDescriptor {
+    private static final String ID = "grypescanner";
+    private static final String NAME = "Grype scanner";
+
+    GrypeDescriptor() {
+        super(ID, NAME);
+    }
+
+    @Override
+    public IssueParser createParser(final Option... options) {
+        return new GrypeParser();
+    }
+
+    @Override
+    public String getPattern() {
+        return "**/grype-report.json";
+    }
+
+    @Override
+    public String getUrl() {
+        return "https://github.com/anchore/grype";
+    }
+
+    @Override
+    public String getIconUrl() {
+        return "https://user-images.githubusercontent.com/5199289/136855393-d0a9eef9-ccf1-4e2b-9d7c-7aad16a567e5.png";
+    }
+
+}
diff --git a/src/main/java/edu/hm/hafner/analysis/registry/ParserRegistry.java b/src/main/java/edu/hm/hafner/analysis/registry/ParserRegistry.java
@@ -92,6 +92,7 @@ public class ParserRegistry {
             new GnuFortranDescriptor(),
             new GoLintDescriptor(),
             new GoVetDescriptor(),
+            new GrypeDescriptor(),
             new HadoLintDescriptor(),
             new IarCstatDescriptor(),
             new IarDescriptor(),

diff --git a/src/test/java/edu/hm/hafner/analysis/parser/GrypeParserTest.java b/src/test/java/edu/hm/hafner/analysis/parser/GrypeParserTest.java
@@ -0,0 +1,47 @@
+package edu.hm.hafner.analysis.parser;
+
+import edu.hm.hafner.analysis.AbstractParserTest;
+import edu.hm.hafner.analysis.IssueParser;
+import edu.hm.hafner.analysis.Report;
+import edu.hm.hafner.analysis.Severity;
+import edu.hm.hafner.analysis.assertions.SoftAssertions;
+import static j2html.TagCreator.a;
+import static j2html.TagCreator.p;
+
+class GrypeParserTest extends AbstractParserTest {
+    protected GrypeParserTest() {
+        super("grype-report.json");
+    }
+
+    @Override
+    protected void assertThatIssuesArePresent(final Report report, final SoftAssertions softly) {
+        softly.assertThat(report).hasSize(3).hasDuplicatesSize(0);
+        softly.assertThat(report.get(0))
+                .hasFileName("tomcat-jdbc/8.0.28/tomcat-jdbc-8.0.28.jar")
+                .hasSeverity(Severity.WARNING_NORMAL)
+                .hasCategory("Medium")
+                .hasType("CVE-2015-5345")
+                .hasMessage(
+                        "The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.")
+                .hasDescription(p().with(a()
+                        .withHref("https://nvd.nist.gov/vuln/detail/CVE-2015-5345")
+                        .withText("https://nvd.nist.gov/vuln/detail/CVE-2015-5345")).render());
+
+        softly.assertThat(report.get(2))
+                .hasFileName("tomcat-jdbc/8.0.28/tomcat-jdbc-8.0.28.jar")
+                .hasSeverity(Severity.WARNING_HIGH)
+                .hasCategory("High")
+                .hasType("CVE-2016-8745")
+                .hasMessage(
+                        "A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.")
+
+                .hasDescription(p().with(a()
+                        .withHref("https://nvd.nist.gov/vuln/detail/CVE-2016-8745")
+                        .withText("https://nvd.nist.gov/vuln/detail/CVE-2016-8745")).render());
+    }
+
+    @Override
+    protected IssueParser createParser() {
+        return new GrypeParser();
+    }
+}