if (finding.getChannelVulnerability() == null) {
log.warn("The finding did not have a ChannelVulnerability so no vulnerability could be parsed.");
return null;
}
Vulnerability returnVulnerability = null;
String locationVariableHash, locationHash, variableHash;
GenericVulnerability genericVulnerability = finding.getChannelVulnerability().getGenericVulnerability();
if (genericVulnerability == null
|| genericVulnerability.getName() == null
|| genericVulnerability.getName().trim().equals("")) {
log.warn("No generic vulnerability was found for the Channel Vulnerability with code "
+ finding.getChannelVulnerability().getCode());
return null;
}
Vulnerability vulnerability = new Vulnerability();
vulnerability.openVulnerability(Calendar.getInstance());
vulnerability.setGenericVulnerability(genericVulnerability);
vulnerability.setSurfaceLocation(finding.getSurfaceLocation());
// TODO calculate some sort of threshold here and figure out whether or not we want to keep
// the calculated url path or not.
vulnerability.setCalculatedUrlPath(finding.getCalculatedUrlPath());
if (finding.getIsStatic()) {
vulnerability.setCalculatedFilePath(finding.getCalculatedFilePath());
}
if (finding.isMarkedFalsePositive()) {
log.info("Creating a false positive vulnerability from a finding marked false positive.");
vulnerability.setIsFalsePositive(finding.isMarkedFalsePositive());
}
String vulnName = genericVulnerability.getName();
if (finding.getChannelSeverity() != null) {
vulnerability.setGenericSeverity(getGenericSeverity(finding));
}
String param = null;
if (finding.getSurfaceLocation() != null) {
param = finding.getSurfaceLocation().getParameter();
}
if (finding.getSurfaceLocation() != null
&& finding.getSurfaceLocation().getPath() != null
&& !finding.getSurfaceLocation().getPath().equals("")) {
if (param != null) {
// if we get here, all three variables are present. Hash all of
// them.
locationVariableHash = hashFindingInfo(vulnName, finding
.getSurfaceLocation().getPath(), param);
locationHash = hashFindingInfo(vulnName, finding
.getSurfaceLocation().getPath(), null);
variableHash = hashFindingInfo(vulnName, null, param);
vulnerability.setLocationVariableHash(locationVariableHash);
vulnerability.setLocationHash(locationHash);
vulnerability.setVariableHash(variableHash);
returnVulnerability = vulnerability;
} else {
// if we get here, we just have location and CWE.
locationHash = hashFindingInfo(vulnName, finding
.getSurfaceLocation().getPath(), null);
vulnerability.setLocationHash(locationHash);
returnVulnerability = vulnerability;
}
} else if (param != null) {
// if we get here, we have variable and CWE
variableHash = hashFindingInfo(vulnName, null, param);
vulnerability.setVariableHash(variableHash);
returnVulnerability = vulnerability;
} else {
log.warn("The finding had neither path nor parameter and no vulnerability could be parsed.");
}
if (returnVulnerability != null) {
vulnerability.setFindings(new ArrayList<Finding>());
vulnerability.getFindings().add(finding);
finding.setFirstFindingForVuln(true);
finding.setVulnerability(vulnerability);
}
return returnVulnerability;