From 8f8e6cb2a00175587ad19e08e8bcceb3bd393129 Mon Sep 17 00:00:00 2001
From: maxi-bee <84531851+maxi-bee@users.noreply.github.com>
Date: Mon, 23 Mar 2026 16:56:37 +0100
Subject: [PATCH 1/4] Updates gosec parser.py to take cwe

- changes the parser to take on CWE data when available
- falls back to hardcoded url + rule_id when the above isn't present (latest gosec versions)
---
 dojo/tools/gosec/parser.py | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/dojo/tools/gosec/parser.py b/dojo/tools/gosec/parser.py
index d7e32f46a85..e473b306598 100644
--- a/dojo/tools/gosec/parser.py
+++ b/dojo/tools/gosec/parser.py
@@ -26,6 +26,7 @@ def get_findings(self, filename, test):
 references = ""
 findingdetail = ""
 title = ""
+ cwe_id = None
 filename = item.get("file")
 line = item.get("line")
 scanner_confidence = item.get("confidence")
@@ -40,11 +41,22 @@ def get_findings(self, filename, test):
 findingdetail += "```{}```".format(item["code"])
 sev = item["severity"]
 
- # Best attempt at ongoing documentation provided by gosec, based on
- # rule id
- references = "https://securego.io/docs/rules/{}.html".format(
- item["rule_id"],
- ).lower()
+
+ # Extract CWE information if available
+ cwe_data = item.get("cwe", {})
+ if cwe_data:
+ cwe_id_str = cwe_data.get("id")
+ if cwe_id_str:
+ cwe_id = int(cwe_id_str)
+ cwe_url = cwe_data.get("url")
+ if cwe_url:
+ references = cwe_url
+
+ # If no CWE URL, fall back to gosec rule documentation
+ if not references:
+ references = "https://securego.io/docs/rules/{}.html".format(
+ item["rule_id"],
+ ).lower()
 
 if scanner_confidence:
 # Assign integer value to confidence.
@@ -76,6 +88,7 @@ def get_findings(self, filename, test):
 references=references,
 file_path=filename,
 line=line,
+ cwe=cwe_id,
 scanner_confidence=scanner_confidence,
 static_finding=True,
 )

From 0f9ff4bf155d81d7460ab6df8a0835cf9336b05d Mon Sep 17 00:00:00 2001
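Review bot: In hunk `@@ -40,11 +41,22 @@`, `references = cwe_url` replaces the securego rule link entirely whenever the report carries a CWE URL, so the per-rule documentation that `references` used to point at is lost for exactly the findings that have the most metadata. The fallback also keys on `references` being empty rather than on the CWE id, so an entry with `cwe.id` but no `cwe.url` gets a CWE number yet a securego link. Deriving the reference from the parsed id, `"https://cwe.mitre.org/data/definitions/{}.html".format(cwe_id)`, and appending the rule link instead of replacing it would keep the two consistent, and would also avoid copying an arbitrary string from an uploaded report verbatim into a field that the later hunk passes straight through to `Finding(references=...)`. get_findings continues outside the hunk.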
From: maxi-bee <84531851+maxi-bee@users.noreply.github.com>
Date: Mon, 23 Mar 2026 17:00:16 +0100
Subject: [PATCH 2/4] updates unittest files for gosec

- adds cwe data
---
 unittests/scans/gosec/many_vulns.json | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/unittests/scans/gosec/many_vulns.json b/unittests/scans/gosec/many_vulns.json
index 05138f8a5c5..18456fac3f4 100644
--- a/unittests/scans/gosec/many_vulns.json
+++ b/unittests/scans/gosec/many_vulns.json
@@ -3,6 +3,10 @@
 {
 "severity": "LOW",
 "confidence": "HIGH",
+ "cwe": {
+ "id": "252",
+ "url": "https://cwe.mitre.org/data/definitions/252.html"
+ },
 "rule_id": "G104",
 "details": "Errors unhandled.",
 "file": "/vagrant/go/src/govwa/app.go",
@@ -12,6 +16,10 @@
 {
 "severity": "LOW",
 "confidence": "HIGH",
+ "cwe": {
+ "id": "252",
+ "url": "https://cwe.mitre.org/data/definitions/252.html"
+ },
 "rule_id": "G104",
 "details": "Errors unhandled.",
 "file": "/vagrant/go/src/govwa/setting/setting.go",
@@ -30,6 +38,10 @@
 {
 "severity": "MEDIUM",
 "confidence": "HIGH",
+ "cwe": {
+ "id": "327",
+ "url": "https://cwe.mitre.org/data/definitions/327.html"
+ },
 "rule_id": "G501",
 "details": "Blacklisted import crypto/md5: weak cryptographic primitive",
 "file": "/vagrant/go/src/govwa/user/user.go",
@@ -39,6 +51,10 @@
 {
 "severity": "MEDIUM",
 "confidence": "HIGH",
+ "cwe": {
+ "id": "327",
+ "url": "https://cwe.mitre.org/data/definitions/327.html"
+ },
 "rule_id": "G401",
 "details": "Use of weak cryptographic primitive",
 "file": "/vagrant/go/src/govwa/user/user.go",
@@ -84,6 +100,10 @@
 {
 "severity": "MEDIUM",
 "confidence": "LOW",
+ "cwe": {
+ "id": "79",
+ "url": "https://cwe.mitre.org/data/definitions/79.html"
+ },
 "rule_id": "G203",
 "details": "this method will not auto-escape HTML. Verify data is well formed.",
 "file": "/vagrant/go/src/govwa/util/template.go",
@@ -201,6 +221,10 @@
 {
 "severity": "MEDIUM",
 "confidence": "HIGH",
+ "cwe": {
+ "id": "89",
+ "url": "https://cwe.mitre.org/data/definitions/89.html"
+ },
 "rule_id": "G201",
 "details": "SQL string formatting",
 "file": "/vagrant/go/src/govwa/vulnerability/sqli/function.go",
@@ -259,4 +283,4 @@
 "nosec": 0,
 "found": 28
 }
-}
\ No newline at end of file
+}

From 54a118fa29a61767aae40c9e4b863f37a2d326e0 Mon Sep 17 00:00:00 2001
From: maxi-bee <84531851+maxi-bee@users.noreply.github.com>
Date: Mon, 23 Mar 2026 17:02:13 +0100
Subject: [PATCH 3/4] updates test_gosec_parser.py

- adds cwe tests
---
 unittests/tools/test_gosec_parser.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/unittests/tools/test_gosec_parser.py b/unittests/tools/test_gosec_parser.py
index d402a61f48a..51b5eee063e 100644
--- a/unittests/tools/test_gosec_parser.py
+++ b/unittests/tools/test_gosec_parser.py
@@ -10,7 +10,26 @@ def test_parse_file_with_one_finding(self):
 parser = GosecParser()
 findings = parser.get_findings(testfile, Test())
 self.assertEqual(28, len(findings))
+
+ # Test first finding with CWE
 finding = findings[0]
 self.assertEqual("Low", finding.severity)
 self.assertEqual("/vagrant/go/src/govwa/app.go", finding.file_path)
 self.assertEqual(79, finding.line)
+ self.assertEqual(252, finding.cwe)
+ self.assertEqual("https://cwe.mitre.org/data/definitions/252.html", finding.references)
+
+ # Test finding without CWE (should fallback to gosec docs)
+ finding_no_cwe = findings[2]
+ self.assertIsNone(finding_no_cwe.cwe)
+ self.assertEqual("https://securego.io/docs/rules/g104.html", finding_no_cwe.references)
+
+ # Test finding with different CWE
+ finding_crypto = findings[3]
+ self.assertEqual(327, finding_crypto.cwe)
+ self.assertEqual("https://cwe.mitre.org/data/definitions/327.html", finding_crypto.references)
+
+ # Test SQL injection finding
+ finding_sqli = findings[22]
+ self.assertEqual(89, finding_sqli.cwe)
+ self.assertEqual("https://cwe.mitre.org/data/definitions/89.html", finding_sqli.references)

From fc2634f1d1a5138aa7af85bb0156c565809f32b2 Mon Sep 17 00:00:00 2001
From: maxi-bee <84531851+maxi-bee@users.noreply.github.com>
Date: Mon, 23 Mar 2026 22:05:20 +0100
Subject: [PATCH 4/4] updates gosec parser - fixes protection on cwe_id conversion

- Added a protection on the cwe_id assignment via the integer convertion from string
---
 dojo/tools/gosec/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/gosec/parser.py b/dojo/tools/gosec/parser.py
index e473b306598..3e6a737f065 100644
--- a/dojo/tools/gosec/parser.py
+++ b/dojo/tools/gosec/parser.py
@@ -47,7 +47,7 @@ def get_findings(self, filename, test):
 if cwe_data:
 cwe_id_str = cwe_data.get("id")
 if cwe_id_str:
- cwe_id = int(cwe_id_str)
+ cwe_id = int(cwe_id_str) if cwe_id_str.isdigit() else None
 cwe_url = cwe_data.get("url")
 if cwe_url:
 references = cwe_url
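Review bot: The new assertions in `@@ -10,7 +10,26 @@` cover only well-formed `cwe` objects and the no-`cwe` fallback; nothing exercises a `cwe` entry whose `id` is missing or non-numeric, or whose `url` is absent, which are exactly the branches the parser guards. A fixture entry such as `"cwe": {"id": "n/a"}` (constructed example) paired with `self.assertIsNone(finding.cwe)` and an assertion that `references` still falls back to the securego link would pin that behaviour. The indices `findings[2]`, `findings[3]` and `findings[22]` depend on fixture order, so a short comment naming the expected `rule_id` for each would make a failure easier to read.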
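Review bot: `str.isdigit()` in the added line of `@@ -47,7 +47,7 @@` is not the predicate `int()` accepts: it is true for characters such as superscript digits that `int()` rejects with ValueError, and it raises AttributeError if a report ever supplies `id` as a JSON number rather than a string, so two malformed inputs can still abort get_findings. `str.isdecimal()` matches `int()`'s digit set, but the simpler and type-agnostic form is `try: cwe_id = int(cwe_id_str)` / `except (TypeError, ValueError): cwe_id = None`, which also makes the trailing `else None` unnecessary since `cwe_id` is already initialised to `None` for each item earlier in the series. get_findings starts and ends outside this hunk.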