Bundler Audit Parser - Support for GHSA-Only Findings

[rh0dy]

Description

Results from a bundler audit scan can include findings that contain a GHSA ID but not a CVE ID (see here). I think these types of findings occur for a few reasons, i.e. the GHSA hasn't been assigned a CVE ID yet or that it never will be assigned a CVE ID.

Currently, the bundler audit parser doesn't support these types of findings, which feels like we may be missing out on importing valid vulnerabilities into DefectDojo.

This PR is to support parsing of bundler audit findings that may only contain a GHSA but not a CVE ID:

Test results

./dc-unittest.sh --profile postgres-redis --test-case unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser

...

test_get_findings (unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser.test_get_findings) ... ok
test_get_findings_version9 (unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser.test_get_findings_version9) ... ok

----------------------------------------------------------------------
Ran 2 tests in 0.009s

OK
Pre

Documentation

N/A.

[dryrunsecurity]

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

Status	DryRun Security Check
✅	Sensitive Functions Analyzer
✅	Configured Sensitive Files Analyzer
✅	Sensitive Files Analyzer

Chat with your AI-powered Security Buddy by typing @dryrunsecurity followed by your question into a comment.
Example: @dryrunsecurity What are common security issues with web application cookies?

Install and configure more repositories at DryRun Security

[mtesauro]

Approved