
1from __future__ import annotations 

2 

3from sec_report_kit.models import Finding 

4from sec_report_kit.services.normalize import normalize_severity 

5 

6 

7def _severity(vuln: dict) -> str: 

8 db_specific = vuln.get("database_specific") 

9 if isinstance(db_specific, dict) and db_specific.get("severity"): 

10 return normalize_severity(str(db_specific["severity"])) 

11 if isinstance(vuln.get("severity"), list) and vuln["severity"]: 

12 value = vuln["severity"][0] 

13 if isinstance(value, dict) and value.get("type") == "CVSS_V3": 

14 score = value.get("score") 

15 try: 

16 score = float(score) 

17 except (TypeError, ValueError): 

18 return "UNKNOWN" 

19 if score >= 9.0: 

20 return "CRITICAL" 

21 if score >= 7.0: 

22 return "HIGH" 

23 if score >= 4.0: 

24 return "MEDIUM" 

25 return "LOW" 

26 return "UNKNOWN" 

27 

28 

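def _fixed_versions(vuln: dict, pkg_name: str, ecosystem: str) -> str:
    """Collect the ``fixed`` versions an OSV record lists for *pkg_name*.

    Walks ``affected[].ranges[].events[].fixed`` for the affected entries whose
    package name matches (and whose ecosystem matches when both sides carry
    one). GIT ranges are skipped because their events are commit hashes, not
    package versions. Returns the distinct values joined by ", " in encounter
    order, or "-" when the record lists no fix (unfixed, or no version events).
    """
    fixed: list[str] = []
    affected = vuln.get("affected")
    if not isinstance(affected, list):
        return "-"
    for entry in affected:
        if not isinstance(entry, dict):
            continue
        pkg = entry.get("package")
        if not isinstance(pkg, dict) or str(pkg.get("name") or "") != pkg_name:
            continue
        entry_ecosystem = str(pkg.get("ecosystem") or "")
        if ecosystem and entry_ecosystem and entry_ecosystem != ecosystem:
            continue
        ranges = entry.get("ranges")
        if not isinstance(ranges, list):
            continue
        for rng in ranges:
            if not isinstance(rng, dict) or rng.get("type") == "GIT":
                continue
            events = rng.get("events")
            if not isinstance(events, list):
                continue
            for event in events:
                if isinstance(event, dict) and event.get("fixed"):
                    value = str(event["fixed"])
                    if value not in fixed:
                        fixed.append(value)
    return ", ".join(fixed) if fixed else "-"


def _primary_url(vuln: dict) -> str:
    """Pick the reference URL to surface for the finding.

    Prefers the first reference of type ``ADVISORY``; otherwise the first
    reference that carries a URL at all; "" when there is none.
    """
    refs = vuln.get("references")
    if not isinstance(refs, list):
        return ""
    for ref in refs:
        if isinstance(ref, dict) and ref.get("type") == "ADVISORY" and ref.get("url"):
            return str(ref["url"])
    for ref in refs:
        if isinstance(ref, dict) and ref.get("url"):
            return str(ref["url"])
    return ""


def _title(vuln: dict) -> str:
    """Return a one-line title: ``summary``, else the first non-blank line of
    ``details`` (which may be a multi-paragraph markdown body), else a fixed
    placeholder."""
    summary = vuln.get("summary")
    if summary:
        return str(summary)
    details = vuln.get("details")
    if details:
        for line in str(details).splitlines():
            line = line.strip()
            if line:
                return line
    return "OSV vulnerability"


def parse_osv_scanner_json(data: dict) -> list[Finding]:
    """Convert an ``osv-scanner`` JSON document into Finding records.

    One Finding is emitted per (package, vulnerability) pair found under
    ``results[].packages[].vulnerabilities[]``. The document is scanner
    output, so every container is type-checked before use: a non-dict or
    non-list where the scanner would write one is skipped, never raised on,
    so a partially garbled report still yields what it can.

    Per finding: ``target`` is ``results[].source.path`` (falls back to
    "dependency-manifest"), ``severity`` comes from ``_severity``,
    ``vulnerability_id`` is the OSV ``id`` or the first alias, and
    ``fixed_version`` is read from the record's ``affected`` ranges.

    Returns an empty list when *data* is not a dict or has no usable results.
    """
    findings: list[Finding] = []
    if not isinstance(data, dict):
        return findings
    results = data.get("results")
    if not isinstance(results, list):
        return findings

    for result in results:
        if not isinstance(result, dict):
            continue
        # ``source`` may be absent or malformed; never assume it is a dict.
        source = result.get("source")
        target = "dependency-manifest"
        if isinstance(source, dict) and source.get("path"):
            target = str(source["path"])

        packages = result.get("packages")
        if not isinstance(packages, list):
            continue
        for package_block in packages:
            if not isinstance(package_block, dict):
                continue
            package = package_block.get("package")
            if not isinstance(package, dict):
                package = {}
            pkg_name = str(package.get("name") or "-")
            pkg_version = str(package.get("version") or "-")
            ecosystem = str(package.get("ecosystem") or "")

            vulns = package_block.get("vulnerabilities")
            if not isinstance(vulns, list):
                continue
            for vuln in vulns:
                if not isinstance(vuln, dict):
                    continue
                aliases = vuln.get("aliases")
                if not isinstance(aliases, list):
                    aliases = []
                vuln_id = str(vuln.get("id") or (aliases[0] if aliases else "-"))

                findings.append(
                    Finding(
                        source_type="osv-scanner",
                        target=target,
                        severity=_severity(vuln),
                        vulnerability_id=vuln_id,
                        package=pkg_name,
                        installed_version=pkg_version,
                        fixed_version=_fixed_versions(vuln, pkg_name, ecosystem),
                        title=_title(vuln),
                        primary_url=_primary_url(vuln),
                    )
                )

    return findings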