8 changes: 7 additions & 1 deletion dojo/importers/default_importer.py
Expand Up @@ -212,7 +212,13 @@ def process_findings(
if self.service is not None:
unsaved_finding.service = self.service

# Force parsers to use unsaved_tags (stored in below after saving)
# Parsers shouldn't use the tags field, and use unsaved_tags instead.
# Merge any tags set by parser into unsaved_tags
tags_from_parser = unsaved_finding.tags if isinstance(unsaved_finding.tags, list) else []
unsaved_tags_from_parser = unsaved_finding.unsaved_tags if isinstance(unsaved_finding.unsaved_tags, list) else []
merged_tags = unsaved_tags_from_parser + tags_from_parser
if merged_tags:
unsaved_finding.unsaved_tags = merged_tags
unsaved_finding.tags = None
finding = self.process_cve(unsaved_finding)
# Calculate hash_code before saving based on unsaved_endpoints and unsaved_vulnerability_ids
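Review bot: The `isinstance(unsaved_finding.tags, list)` guard on the `tags_from_parser = ...` line silently discards any non-list value a parser leaves in `tags` — a bare string, as the old trivy_operator handlers assigned before this PR, collapses to `[]` and is lost with no log line. Handling that case explicitly, `if isinstance(unsaved_finding.tags, str): tags_from_parser = [unsaved_finding.tags]`, or at least logging a warning with the dropped value, would keep parser regressions visible; the same guard appears in the default_reimporter.py hunk. This hunk also does not show the merged list going through `clean_tags` the way the reimporter hunk does; if cleaning happens later in process_findings (which starts and ends outside the hunk) that is fine, otherwise report-derived tag strings reach the model uncleaned on the import path.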
8 changes: 7 additions & 1 deletion dojo/importers/default_reimporter.py
Expand Up @@ -912,7 +912,13 @@ def finding_post_processing(
self.endpoint_manager.chunk_endpoints_and_disperse(finding, finding_from_report.unsaved_endpoints)
if len(self.endpoints_to_add) > 0:
self.endpoint_manager.chunk_endpoints_and_disperse(finding, self.endpoints_to_add)
# Parsers must use unsaved_tags to store tags, so we can clean them
# Parsers shouldn't use the tags field, and use unsaved_tags instead.
# Merge any tags set by parser into unsaved_tags
tags_from_parser = finding_from_report.tags if isinstance(finding_from_report.tags, list) else []
unsaved_tags_from_parser = finding_from_report.unsaved_tags if isinstance(finding_from_report.unsaved_tags, list) else []
merged_tags = unsaved_tags_from_parser + tags_from_parser
if merged_tags:
finding_from_report.unsaved_tags = merged_tags
if finding_from_report.unsaved_tags:
cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
if isinstance(cleaned_tags, list):
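Review bot: Unlike the default_importer.py hunk, this merge never clears `finding_from_report.tags` after copying it into `unsaved_tags`, so the field the comment says parsers must not use still carries the list. If `finding_from_report` is persisted or its `tags` read later (finding_post_processing starts and ends outside the hunk), the tags could be applied a second time through that field; mirroring the importer with `finding_from_report.tags = None` after the `if merged_tags:` block keeps the two paths consistent. If that object is never saved, a one-line comment such as `# finding_from_report is never saved; only unsaved_tags is consumed below` would make the asymmetry intentional.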
7 changes: 3 additions & 4 deletions dojo/tools/codechecker/parser.py
Expand Up @@ -98,7 +98,7 @@ def get_item(vuln):
else:
title = unique_id_from_tool

return Finding(
finding = Finding(
title=title,
description=description,
severity=severity,
Expand All @@ -113,10 +113,9 @@ def get_item(vuln):
sast_source_line=sast_source_line,
static_finding=True,
dynamic_finding=False,
tags=[
vuln["analyzer_name"],
],
)
finding.unsaved_tags = [vuln["analyzer_name"]]
return finding


def get_mapped_severity(severity):
2 changes: 1 addition & 1 deletion dojo/tools/meterian/parser.py
Expand Up @@ -69,8 +69,8 @@ def do_get_findings(self, single_security_report, scan_date, test):
dynamic_finding=False,
file_path="Manifest file",
unique_id_from_tool=advisory["id"],
tags=[language],
)
finding.unsaved_tags = [language]

if "cve" in advisory:
if advisory["cve"] != "N/A":
2 changes: 1 addition & 1 deletion dojo/tools/sarif/parser.py
Expand Up @@ -269,7 +269,7 @@ def get_items_from_result(self, result, rules, artifacts, run_date):
# manage tags provided in the report and rule and remove duplicated
tags = list(set(get_properties_tags(rule) + get_properties_tags(result)))
tags = [s.removeprefix("external/cwe/") for s in tags]
finding.tags = tags
finding.unsaved_tags = tags

# manage fingerprints
# fingerprinting in SARIF is more complete than in current implementation
8 changes: 4 additions & 4 deletions dojo/tools/sonarqube/sonarqube_restapi_json.py
Expand Up @@ -55,10 +55,10 @@ def get_json_items(self, json_content, test, mode):
severity=self.severitytranslator(issue.get("severity")),
static_finding=True,
dynamic_finding=False,
tags=["bug"],
line=line,
date=date,
)
item.unsaved_tags = ["bug"]
elif issue.get("type") == "VULNERABILITY":
key = issue.get("key")
rule = issue.get("rule")
Expand Down Expand Up @@ -129,10 +129,10 @@ def get_json_items(self, json_content, test, mode):
cwe=cwe,
cvssv3_score=cvss,
file_path=component,
tags=["vulnerability"],
line=line,
date=date,
)
item.unsaved_tags = ["vulnerability"]
vulnids = []
if "Reference: CVE" in message:
cve_pattern = r"Reference: CVE-\d{4}-\d{4,7}"
Expand Down Expand Up @@ -200,10 +200,10 @@ def get_json_items(self, json_content, test, mode):
static_finding=True,
dynamic_finding=False,
file_path=component,
tags=["code_smell"],
line=line,
date=date,
)
item.unsaved_tags = ["code_smell"]
items.append(item)
if json_content.get("hotspots"):
for hotspot in json_content.get("hotspots"):
Expand Down Expand Up @@ -249,10 +249,10 @@ def get_json_items(self, json_content, test, mode):
static_finding=True,
dynamic_finding=False,
file_path=component,
tags=["hotspot"],
line=line,
date=date,
)
item.unsaved_tags = ["hotspot"]
items.append(item)
return items

2 changes: 1 addition & 1 deletion dojo/tools/sysdig_cli/parser.py
Expand Up @@ -138,7 +138,7 @@ def parse_csv(self, arr_data, test):
tags = []
if row.vulnerability_id:
tags.append(clean_tags("VulnId:" + row.vulnerability_id))
finding.tags = tags
finding.unsaved_tags = tags
finding.dynamic_finding = False
finding.static_finding = True
finding.description += "\n\n###Vulnerability Details"
8 changes: 4 additions & 4 deletions dojo/tools/trivy/parser.py
Expand Up @@ -323,10 +323,10 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
static_finding=True,
dynamic_finding=False,
fix_available=fix_available,
tags=[vul_type, target_class],
service=service_name,
**status_fields,
)
finding.unsaved_tags = [vul_type, target_class]

if vuln_id:
finding.unsaved_vulnerability_ids = [vuln_id]
Expand Down Expand Up @@ -379,9 +379,9 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
fix_available=True,
static_finding=True,
dynamic_finding=False,
tags=[target_type, target_class],
service=service_name,
)
finding.unsaved_tags = [target_type, target_class]
items.append(finding)

secrets = target_data.get("Secrets", [])
Expand Down Expand Up @@ -410,9 +410,9 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
static_finding=True,
dynamic_finding=False,
fix_available=True,
tags=[target_class],
service=service_name,
)
finding.unsaved_tags = [target_class]
items.append(finding)

licenses = target_data.get("Licenses", [])
Expand Down Expand Up @@ -444,9 +444,9 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
static_finding=True,
dynamic_finding=False,
fix_available=True,
tags=[target_class],
service=service_name,
)
finding.unsaved_tags = [target_class]
items.append(finding)

return items
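Review bot: `finding.unsaved_tags = [vul_type, target_class]` in the first hunk, and the `[target_type, target_class]` / `[target_class]` assignments in the three later hunks of this file, put the values into the list unfiltered, whereas the trivy_operator vulnerability_handler hunk in this same PR drops falsy entries with `[tag for tag in finding_tags if tag]`. If either value can be None or empty for some result (not visible in these hunks), the importer's merge will carry a `None` into unsaved_tags. Filtering the same way, `finding.unsaved_tags = [t for t in (vul_type, target_class) if t]`, keeps the trivy parsers consistent. get_result_items starts and ends outside the hunks.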
2 changes: 1 addition & 1 deletion dojo/tools/trivy_operator/checks_handler.py
Expand Up @@ -48,7 +48,7 @@ def handle_checks(self, labels, checks, test):
fix_available=True,
)
if resource_namespace:
finding.tags = resource_namespace
finding.unsaved_tags = [resource_namespace]
if check_id:
finding.unsaved_vulnerability_ids = [UniformTrivyVulnID().return_uniformed_vulnid(check_id)]
findings.append(finding)
2 changes: 1 addition & 1 deletion dojo/tools/trivy_operator/secrets_handler.py
Expand Up @@ -56,6 +56,6 @@ def handle_secrets(self, labels, secrets, test):
fix_available=True,
)
if resource_namespace:
finding.tags = resource_namespace
finding.unsaved_tags = [resource_namespace]
findings.append(finding)
return findings
2 changes: 1 addition & 1 deletion dojo/tools/trivy_operator/vulnerability_handler.py
Expand Up @@ -86,9 +86,9 @@ def handle_vulns(self, labels, vulnerabilities, test):
dynamic_finding=False,
service=service,
file_path=file_path,
tags=[tag for tag in finding_tags if tag],
fix_available=fix_available,
)
finding.unsaved_tags = [tag for tag in finding_tags if tag]
if vuln_id:
finding.unsaved_vulnerability_ids = [UniformTrivyVulnID().return_uniformed_vulnid(vuln_id)]
findings.append(finding)