Mapping Critical to Error for Trivy Parser

Brings the Trivy severity mappings inline with the DependencyCheck ones
jenkinsci · Aug 9, 2022 · 5978059 · 5978059
1 parent 80d3a3d
commit 5978059
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java b/src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
@@ -23,7 +23,6 @@
  */
 public class TrivyParser extends JsonIssueParser {
     private static final String VALUE_NOT_SET = "-";
-    private static final String TRIVY_VULNERABILITY_LEVEL_TAG_CRITICAL = "critcal";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_HIGH = "high";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_MEDIUM = "medium";
     private static final String TRIVY_VULNERABILITY_LEVEL_TAG_LOW = "low";
@@ -78,12 +77,11 @@ private Severity mapSeverity(final String string) {
         else if (TRIVY_VULNERABILITY_LEVEL_TAG_MEDIUM.equalsIgnoreCase(string)) {
             return Severity.WARNING_NORMAL;
         }
-        else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string)
-                || TRIVY_VULNERABILITY_LEVEL_TAG_CRITICAL.equalsIgnoreCase(string)) {
+        else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string)) {
             return Severity.WARNING_HIGH;
         }
         else {
-            return Severity.WARNING_HIGH;
+            return Severity.ERROR;
         }
     }
 

diff --git a/src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java b/src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java
@@ -50,6 +50,26 @@ void shouldHandleEmptyResultsJenkins67296() {
         assertThat(report).isEmpty();
     }
 
+    @Test
+    void shouldMapCorrectly() {
+        Report report = parse("trivy_result_0.20.0.json");
+
+        assertThat(report).hasSize(4);
+
+        assertThat(report.get(0))
+                .hasSeverity(Severity.WARNING_LOW)
+                .hasType("CVE-2017-6519");
+        assertThat(report.get(1))
+                .hasSeverity(Severity.WARNING_NORMAL)
+                .hasType("CVE-2020-8619");
+        assertThat(report.get(2))
+                .hasSeverity(Severity.WARNING_HIGH)
+                .hasType("CVE-2020-5555");
+        assertThat(report.get(3))
+                .hasSeverity(Severity.ERROR)
+                .hasType("CVE-2020-9999");
+    }
+
     @Test
     void brokenInput() {
         assertThatThrownBy(() -> parse("eclipse.txt")).isInstanceOf(ParsingException.class);

diff --git a/src/test/resources/edu/hm/hafner/analysis/parser/trivy_result_0.20.0.json b/src/test/resources/edu/hm/hafner/analysis/parser/trivy_result_0.20.0.json
@@ -147,7 +147,7 @@
           "LastModifiedDate": "2020-10-20T12:15:00Z"
         },
         {
-          "VulnerabilityID": "CVE-2020-9999",
+          "VulnerabilityID": "CVE-2020-5555",
           "PkgName": "generatedSample",
           "InstalledVersion": "32:9.11.13-6.el8_2.1",
           "FixedVersion": "32:9.11.20-5.el8",
@@ -177,4 +177,4 @@
       ]
     }
   ]
-}
+}