(feat) gosec parser: parse cwe_id and swap references if possible (#14581)

maxi-bee · web-flow · commit 3adfbde2e2d2 · 2026-03-26T16:51:34.000-06:00
* Updates gosec parser.py to take cwe

- changes the parser to take on CWE data when available
- falls back to hardcoded url + rule_id when the above isn't present (latest gosec versions)

* updates unittest files for gosec

- adds cwe data

* updates test_gosec_parser.py - adds cwe tests

* updates gosec parser - fixes protection on cwe_id conversion

- Added a protection on the cwe_id assignment via the integer convertion from string
diff --git a/dojo/tools/gosec/parser.py b/dojo/tools/gosec/parser.py
@@ -26,6 +26,7 @@ def get_findings(self, filename, test):
             references = ""
             findingdetail = ""
             title = ""
+            cwe_id = None
             filename = item.get("file")
             line = item.get("line")
             scanner_confidence = item.get("confidence")
@@ -40,11 +41,22 @@ def get_findings(self, filename, test):
             findingdetail += "```{}```".format(item["code"])
 
             sev = item["severity"]
-            # Best attempt at ongoing documentation provided by gosec, based on
-            # rule id
-            references = "https://securego.io/docs/rules/{}.html".format(
-                item["rule_id"],
-            ).lower()
+
+            # Extract CWE information if available
+            cwe_data = item.get("cwe", {})
+            if cwe_data:
+                cwe_id_str = cwe_data.get("id")
+                if cwe_id_str:
+                    cwe_id = int(cwe_id_str) if cwe_id_str.isdigit() else None
+                cwe_url = cwe_data.get("url")
+                if cwe_url:
+                    references = cwe_url
+
+            # If no CWE URL, fall back to gosec rule documentation
+            if not references:
+                references = "https://securego.io/docs/rules/{}.html".format(
+                    item["rule_id"],
+                ).lower()
 
             if scanner_confidence:
                 # Assign integer value to confidence.
@@ -76,6 +88,7 @@ def get_findings(self, filename, test):
                     references=references,
                     file_path=filename,
                     line=line,
+                    cwe=cwe_id,
                     scanner_confidence=scanner_confidence,
                     static_finding=True,
                 )
diff --git a/unittests/scans/gosec/many_vulns.json b/unittests/scans/gosec/many_vulns.json
@@ -3,6 +3,10 @@
 		{
 			"severity": "LOW",
 			"confidence": "HIGH",
+			"cwe": {
+				"id": "252",
+				"url": "https://cwe.mitre.org/data/definitions/252.html"
+			},
 			"rule_id": "G104",
 			"details": "Errors unhandled.",
 			"file": "/vagrant/go/src/govwa/app.go",
@@ -12,6 +16,10 @@
 		{
 			"severity": "LOW",
 			"confidence": "HIGH",
+			"cwe": {
+				"id": "252",
+				"url": "https://cwe.mitre.org/data/definitions/252.html"
+			},
 			"rule_id": "G104",
 			"details": "Errors unhandled.",
 			"file": "/vagrant/go/src/govwa/setting/setting.go",
@@ -30,6 +38,10 @@
 		{
 			"severity": "MEDIUM",
 			"confidence": "HIGH",
+			"cwe": {
+				"id": "327",
+				"url": "https://cwe.mitre.org/data/definitions/327.html"
+			},
 			"rule_id": "G501",
 			"details": "Blacklisted import crypto/md5: weak cryptographic primitive",
 			"file": "/vagrant/go/src/govwa/user/user.go",
@@ -39,6 +51,10 @@
 		{
 			"severity": "MEDIUM",
 			"confidence": "HIGH",
+			"cwe": {
+				"id": "327",
+				"url": "https://cwe.mitre.org/data/definitions/327.html"
+			},
 			"rule_id": "G401",
 			"details": "Use of weak cryptographic primitive",
 			"file": "/vagrant/go/src/govwa/user/user.go",
@@ -84,6 +100,10 @@
 		{
 			"severity": "MEDIUM",
 			"confidence": "LOW",
+			"cwe": {
+				"id": "79",
+				"url": "https://cwe.mitre.org/data/definitions/79.html"
+			},
 			"rule_id": "G203",
 			"details": "this method will not auto-escape HTML. Verify data is well formed.",
 			"file": "/vagrant/go/src/govwa/util/template.go",
@@ -201,6 +221,10 @@
 		{
 			"severity": "MEDIUM",
 			"confidence": "HIGH",
+			"cwe": {
+				"id": "89",
+				"url": "https://cwe.mitre.org/data/definitions/89.html"
+			},
 			"rule_id": "G201",
 			"details": "SQL string formatting",
 			"file": "/vagrant/go/src/govwa/vulnerability/sqli/function.go",
@@ -259,4 +283,4 @@
 		"nosec": 0,
 		"found": 28
 	}
-}
+}
diff --git a/unittests/tools/test_gosec_parser.py b/unittests/tools/test_gosec_parser.py
@@ -10,7 +10,26 @@ def test_parse_file_with_one_finding(self):
             parser = GosecParser()
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(28, len(findings))
+
+            # Test first finding with CWE
             finding = findings[0]
             self.assertEqual("Low", finding.severity)
             self.assertEqual("/vagrant/go/src/govwa/app.go", finding.file_path)
             self.assertEqual(79, finding.line)
+            self.assertEqual(252, finding.cwe)
+            self.assertEqual("https://cwe.mitre.org/data/definitions/252.html", finding.references)
+
+            # Test finding without CWE (should fallback to gosec docs)
+            finding_no_cwe = findings[2]
+            self.assertIsNone(finding_no_cwe.cwe)
+            self.assertEqual("https://securego.io/docs/rules/g104.html", finding_no_cwe.references)
+
+            # Test finding with different CWE
+            finding_crypto = findings[3]
+            self.assertEqual(327, finding_crypto.cwe)
+            self.assertEqual("https://cwe.mitre.org/data/definitions/327.html", finding_crypto.references)
+
+            # Test SQL injection finding
+            finding_sqli = findings[22]
+            self.assertEqual(89, finding_sqli.cwe)
+            self.assertEqual("https://cwe.mitre.org/data/definitions/89.html", finding_sqli.references)
