Mend SCA Parser update

dojo/tools/mend/parser.py

@@ -39,6 +39,7 @@ def _build_common_output(node, lib_name=None):
             description = "No Description Available"
             cvss3_score = None
             mitigation = "N/A"
+            locations = []
             if "component" in node:
                 description = (
                     "**Vulnerability Description**: "
@@ -56,18 +57,20 @@ def _build_common_output(node, lib_name=None):
                     + "**Library Type**: "
                     + node["component"].get("libraryType", "")
                     + "\n"
-                    + "**Location Found**: "
-                    + node["component"].get("path", "")
-                    + "\n"
-                    + "**Direct or Transitive Dependency**: "
-                    + node["component"].get("dependencyType", "")
-                    + "\n"
                 )
                 lib_name = node["component"].get("name")
                 component_name = node["component"].get("artifactId")
                 component_version = node["component"].get("version")
-                impact = node["component"].get("dependencyType")
+                impact = (
+                    "**Direct or Transitive Vulnerability**: "
+                    + node["component"].get("dependencyType", "")
+                    + "\n"
+                )
                 cvss3_score = node["vulnerability"].get("score", None)
+                component_path = node["component"].get("path", None)
+                if component_path:
+                    locations.append(component_path)
+
                 if "topFix" in node:
                     try:
                         topfix_node = node.get("topFix")
@@ -159,7 +162,6 @@ def _build_common_output(node, lib_name=None):
                         "Error handling local paths for vulnerability.",
                     )
 
-            locations = []
             if "locations" in node:
                 try:
                     locations_node = node.get("locations", [])
@@ -171,8 +173,10 @@ def _build_common_output(node, lib_name=None):
                     logger.exception(
                         "Error handling local paths for vulnerability.",
                     )
+            if locations and len(", ".join(locations)) > 3999:
+                locations = [loc[:3999] for loc in locations]
 
-            filepaths = locations or filepaths
+            filepaths = filepaths
 
             new_finding = Finding(
                 title=title,
@@ -188,7 +192,8 @@ def _build_common_output(node, lib_name=None):
                 dynamic_finding=True,
                 cvssv3=cvss3_vector,
                 cvssv3_score=float(cvss3_score) if cvss3_score is not None else None,
-                impact=impact,
+                impact=impact if impact is not None else None,
+                steps_to_reproduce="**Locations Found**: " + ", ".join(locations) if locations is not None else None,
             )
             if cve:
                 new_finding.unsaved_vulnerability_ids = [cve]

unittests/tools/test_mend_parser.py

@@ -42,7 +42,7 @@ def test_parse_file_with_one_sca_vuln_finding(self):
             findings = parser.get_findings(testfile, Test())
             self.assertEqual(1, len(findings))
             finding = list(findings)[0]
-            self.assertEqual("D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.file_path)
+            self.assertEqual("**Locations Found**: D:\\MendRepo\\test-product\\test-project\\test-project-subcomponent\\path\\to\\the\\Java\\commons-codec-1.6_donotuse.jar", finding.steps_to_reproduce)
 
     def test_parse_file_with_no_vuln_has_no_findings_platform(self):
         with open("unittests/scans/mend/mend-sca-platform-api3-no-findings.json", encoding="utf-8") as testfile: