feat(cra): SBOM- + DAST-Findings aus dem Scanner-MCP konsumieren
CI / detect-changes (push) Successful in 8s
CI / branch-name (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 6s
CI / validate-canonical-controls (push) Successful in 10s
CI / loc-budget (push) Successful in 20s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Successful in 1m4s
CI / iace-gt-coverage (push) Successful in 15s
CI / test-python-backend (push) Successful in 24s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / detect-changes (push) Successful in 8s
CI / branch-name (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 6s
CI / validate-canonical-controls (push) Successful in 10s
CI / loc-budget (push) Successful in 20s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Successful in 1m4s
CI / iace-gt-coverage (push) Successful in 15s
CI / test-python-backend (push) Successful in 24s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Sharangs compliance-scanner-agent exponiert SBOM (sbom_vuln_report) + DAST (list_dast_findings) als eigene MCP-Tools (nicht via list_findings). Neuer fetch_all_findings(repo_id) zieht list_findings + SBOM + DAST in EINER MCP-Session und normalisiert ins Finding-Schema: - SBOM: ein Finding pro verwundbarem Paket (nicht pro CVE), cwe=CWE-1395 -> deterministisch CRA-AI-22 (robust gegen Paketnamen wie "sqlite"). - DAST: cwe/endpoint/vuln_type uebernommen -> Mapping via cwe/keywords. assess-from-scanner nutzt fetch_all_findings + liefert source.breakdown (code/sbom/dast). DAST hat im MCP keinen repo_id-Filter -> dast_repo_scoped:false (deployment-weit, transparent geflaggt). Echte MCP-Daten: Kitchenasty 58 code + 35 sbom + 81 dast -> 174 gemappt (Coverage 94,3%, alle 35 SBOM -> CRA-AI-22). Enthaelt zusaetzlich das Qdrant->Prod-Kopierскript (#42, verbatim macmini->prod). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Bönisch
@@ -57,3 +57,130 @@ async def fetch_findings(
|
||||
|
||||
texts = [c.text for c in (result.content or []) if getattr(c, "type", "") == "text"]
|
||||
return parse_findings_text(texts[0]) if texts else []
|
||||
|
||||
|
||||
# --- SBOM + DAST consumption (Sharang's scanner exposes these as dedicated MCP
|
||||
# tools, not via list_findings) -------------------------------------------------
|
||||
|
||||
_SEV_BY_RANK = {4: "critical", 3: "high", 2: "medium", 1: "low"}
|
||||
_SEV_RANK = {v: k for k, v in _SEV_BY_RANK.items()}
|
||||
|
||||
|
||||
def normalize_sbom_report(text: str) -> list:
|
||||
"""sbom_vuln_report -> one finding per VULNERABLE PACKAGE (not per CVE — a repo
|
||||
can have hundreds of CVEs but ~dozens of packages). scan_type='dependency' so
|
||||
the CRA mapper routes it to dependency-monitoring (CRA-AI-22)."""
|
||||
try:
|
||||
data = json.loads(text)
|
||||
except (json.JSONDecodeError, TypeError):
|
||||
return []
|
||||
if not isinstance(data, dict):
|
||||
return []
|
||||
repo_id = data.get("repo_id", "")
|
||||
out = []
|
||||
for pkg in data.get("packages") or []:
|
||||
vulns = pkg.get("vulnerabilities") or []
|
||||
if not vulns:
|
||||
continue
|
||||
ids, seen, best = [], set(), 0
|
||||
for v in vulns:
|
||||
vid = v.get("id")
|
||||
if vid and vid not in seen:
|
||||
seen.add(vid)
|
||||
ids.append(vid)
|
||||
best = max(best, _SEV_RANK.get((v.get("severity") or "").lower(), 0))
|
||||
name, ver = pkg.get("name", ""), pkg.get("version", "")
|
||||
pm = pkg.get("package_manager", "") or ""
|
||||
shown = ", ".join(ids[:8]) + (" …" if len(ids) > 8 else "")
|
||||
out.append({
|
||||
"id": f"sbom:{repo_id}:{name}@{ver}",
|
||||
"repo_id": repo_id,
|
||||
"title": f"Verwundbare Abhängigkeit: {name} {ver} ({len(ids)} Schwachstelle(n))",
|
||||
"description": f"Abhängigkeit {name} {ver} ({pm}) mit bekannten Schwachstellen: {shown}.",
|
||||
"scan_type": "dependency",
|
||||
# CWE-1395 (Dependency on Vulnerable Third-Party Component) → the CWE
|
||||
# path maps deterministically to CRA-AI-22, robust against package
|
||||
# names that happen to contain keyword tokens (e.g. "sqlite" → "sql").
|
||||
"cwe": "CWE-1395",
|
||||
"severity": _SEV_BY_RANK.get(best, "medium"),
|
||||
"location": f"{pm}:{name}@{ver}" if pm else f"{name}@{ver}",
|
||||
})
|
||||
return out
|
||||
|
||||
|
||||
def normalize_dast(text: str) -> list:
|
||||
"""list_dast_findings -> findings (carry cwe + endpoint + vuln_type so the CRA
|
||||
mapper routes them via cwe/keywords). scan_type='dast'."""
|
||||
out = []
|
||||
for d in parse_findings_text(text):
|
||||
if not isinstance(d, dict):
|
||||
continue
|
||||
out.append({
|
||||
"id": d.get("_id") or d.get("id") or "",
|
||||
"repo_id": d.get("repo_id") or "",
|
||||
"title": d.get("title", ""),
|
||||
"description": " ".join(x for x in [d.get("vuln_type", ""), d.get("description", "")] if x),
|
||||
"scan_type": "dast",
|
||||
"cwe": str(d.get("cwe", "") or ""),
|
||||
"severity": (d.get("severity") or "").lower(),
|
||||
"location": d.get("endpoint") or d.get("target_id") or "",
|
||||
"exploited": bool(d.get("exploitable", False)),
|
||||
})
|
||||
return out
|
||||
|
||||
|
||||
async def _open_and_call(url: str, tok: str, calls: list) -> dict:
|
||||
"""Open ONE MCP session and run [(tool, params), ...] -> {tool: text}. A tool
|
||||
that errors yields '' (best-effort; the assessment degrades, never breaks)."""
|
||||
from mcp.client.session import ClientSession
|
||||
from mcp.client.streamable_http import streamablehttp_client
|
||||
|
||||
headers = {"Authorization": f"Bearer {tok}"} if tok else None
|
||||
out: dict = {}
|
||||
async with streamablehttp_client(url, headers=headers) as (read, write, _):
|
||||
async with ClientSession(read, write) as session:
|
||||
await session.initialize()
|
||||
for tool, params in calls:
|
||||
try:
|
||||
res = await session.call_tool(tool, params)
|
||||
texts = [c.text for c in (res.content or []) if getattr(c, "type", "") == "text"]
|
||||
out[tool] = texts[0] if texts else ""
|
||||
except Exception:
|
||||
out[tool] = ""
|
||||
return out
|
||||
|
||||
|
||||
async def fetch_all_findings(
|
||||
repo_id: Optional[str] = None,
|
||||
severity: Optional[str] = None,
|
||||
limit: int = 200,
|
||||
base_url: Optional[str] = None,
|
||||
token: Optional[str] = None,
|
||||
include_dast: bool = True,
|
||||
) -> dict:
|
||||
"""Pull list_findings + SBOM-vulns + DAST in one MCP session and return a
|
||||
unified finding list plus a per-source breakdown. SBOM is repo-scoped
|
||||
(sbom_vuln_report requires repo_id); DAST has no repo_id filter in the MCP, so
|
||||
it is deployment-wide (flagged in the breakdown). Returns {} on no config."""
|
||||
url = (base_url or SCANNER_MCP_URL).rstrip("/")
|
||||
tok = token or SCANNER_MCP_TOKEN
|
||||
if not url:
|
||||
return {"findings": [], "breakdown": {}}
|
||||
|
||||
calls = [("list_findings", {"limit": limit, **({"repo_id": repo_id} if repo_id else {}),
|
||||
**({"severity": severity} if severity else {})})]
|
||||
if repo_id:
|
||||
calls.append(("sbom_vuln_report", {"repo_id": repo_id}))
|
||||
if include_dast:
|
||||
calls.append(("list_dast_findings", {"limit": limit,
|
||||
**({"severity": severity} if severity else {})}))
|
||||
|
||||
res = await _open_and_call(url, tok, calls)
|
||||
code = parse_findings_text(res.get("list_findings", ""))
|
||||
sbom = normalize_sbom_report(res.get("sbom_vuln_report", "")) if repo_id else []
|
||||
dast = normalize_dast(res.get("list_dast_findings", "")) if include_dast else []
|
||||
return {
|
||||
"findings": code + sbom + dast,
|
||||
"breakdown": {"code": len(code), "sbom": len(sbom), "dast": len(dast),
|
||||
"dast_repo_scoped": False},
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user