fix(govulncheck): reject SARIF reports with a clear error pointing to the SARIF scan type#15087

Merged
Maffooch merged 1 commit into DefectDojo:dev from valentijnscholten:fix-govulncheck-sarif-detection on Jun 26, 2026
Conversation

@valentijnscholten

Member

What

The Govulncheck Scanner parsers only handle govulncheck's native JSON output
(govulncheck -format json). When a govulncheck SARIF report
(govulncheck -format sarif) is uploaded to a Govulncheck Scanner scan type:

  • Govulncheck Scanner (V1) crashed with an opaque KeyError: 'Vulns'
  • Govulncheck Scanner V2 silently returned 0 findings

Both detect a SARIF document (top-level runs key) and now raise a clear
ValueError telling the user to import govulncheck SARIF output via the generic
SARIF scan type instead.

A note was added to the Govulncheck docs page documenting this.

Why not parse SARIF here?

The generic SARIF parser already imports govulncheck SARIF correctly (findings,
severities, descriptions). Duplicating SARIF handling in the govulncheck parser
to gain only component_name/CVE — and component_version isn't even present in
govulncheck SARIF — isn't worth the maintenance surface. The right fix is to fail
fast with guidance toward the correct scan type.

Testing

  • unittests/tools/test_govulncheck_parser.py: added test_parse_sarif_is_rejected
    to both the V1 and V2 test classes.
  • New fixture unittests/scans/govulncheck/issue_15033_sarif.json (trimmed
    govulncheck SARIF, one result per severity level).

Refs #15033

🤖 Generated with Claude Code
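The fail-fast check described in this PR, as an added example that is not DefectDojo's parser code: a loader that inspects the top-level keys of an uploaded report, rejects a SARIF document (top-level `runs` key) with a ValueError pointing at the generic SARIF scan type, and only then hands native govulncheck JSON to the parser. The two embedded documents are constructed minimal fixtures; apart from the top-level `runs` key (SARIF) and the `Vulns` key the V1 parser expects, every field name in them is an assumption made for illustration.

```python
import json

# Constructed minimal govulncheck-style SARIF document (not a real scan).
# The only property relied on is the top-level "runs" list; the rest is illustrative.
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "govulncheck"}},
        "results": [
            {"ruleId": "GO-PLACEHOLDER-0001", "level": "error",
             "message": {"text": "constructed finding"}},
        ],
    }],
})

# Constructed native govulncheck JSON in the shape the (V1) parser expects:
# a top-level "Vulns" list. The entry contents are an assumption.
NATIVE_SAMPLE = json.dumps({"Vulns": [{"ID": "GO-PLACEHOLDER-0001"}]})

SARIF_GUIDANCE = (
    "This looks like govulncheck SARIF output (top-level 'runs' key). "
    "The Govulncheck Scanner scan type only accepts native JSON "
    "(govulncheck -format json); import SARIF output via the 'SARIF' scan type."
)


def is_sarif_document(data):
    """True when the decoded report is a SARIF log: a JSON object with a 'runs' list."""
    return isinstance(data, dict) and isinstance(data.get("runs"), list)


def naive_v1_count(data):
    """The pre-fix behaviour: index 'Vulns' directly, so SARIF input raises KeyError."""
    return len(data["Vulns"])


def load_govulncheck_report(raw):
    """Decode an uploaded report and reject SARIF before any format-specific parsing.

    Returns the decoded native document; raises ValueError with guidance for SARIF.
    """
    data = json.loads(raw)
    if is_sarif_document(data):
        raise ValueError(SARIF_GUIDANCE)
    return data


def count_native_vulns(raw):
    """Number of entries under 'Vulns' in a native (V1-style) govulncheck report."""
    data = load_govulncheck_report(raw)
    return len(data.get("Vulns", []))


if __name__ == "__main__":
    print("native report entries:", count_native_vulns(NATIVE_SAMPLE))
    try:
        count_native_vulns(SARIF_SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The check runs on the decoded object, not on a filename or content type, because both formats arrive as `.json` uploads; the opaque `KeyError: 'Vulns'` from the old path is reproduced by `naive_v1_count` for comparison.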

… the SARIF scan type

The Govulncheck Scanner parsers only handle govulncheck's native JSON output.
When a govulncheck SARIF report (govulncheck -format sarif) is uploaded to a
Govulncheck Scanner scan type, V1 crashed with an opaque KeyError ('Vulns') and
V2 silently returned 0 findings.

Detect a SARIF document (top-level 'runs' key) in both parsers and raise a
ValueError instructing the user to use the generic 'SARIF' scan type instead.
Add a note to the Govulncheck docs page. Refs DefectDojo#15033.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@valentijnscholten valentijnscholten added this to the 3.1.0 milestone Jun 25, 2026
@valentijnscholten valentijnscholten marked this pull request as ready for review June 25, 2026 20:04

@mtesauro mtesauro left a comment

Contributor

Approved

@Maffooch Maffooch merged commit 1de84a4 into DefectDojo:dev Jun 26, 2026
148 checks passed