Parsing CSV exports

DefectDojo lets you sort, filter and export vulnerabilities in several formats. The reports contain complete information about each vulnerability, which can be overwhelming. In certain cases, such as dependency checks, only a few field values are needed to present or address the vulnerabilities.

Dependency checking is an important step of every static analysis cycle and usually produces extensive output listing publicly known vulnerabilities in the external libraries or modules the code uses.

We will use it as an example of bulk-exporting findings from DefectDojo, then parsing them and saving them in a form developers can act on.

First, open the Trivy scan results, which were used to analyze the vulnerabilities in this project's dependencies:

Here we have 96 vulnerabilities; let's export them in CSV format:

We now have a findings.csv file containing all the details of the 96 dependency vulnerabilities.

This is useful but not very readable, so we will extract only the few fields that are usually sufficient to hand these issues to the developers. The following Python script does that:

import os
import glob
import csv
from xlsxwriter.workbook import Workbook

# Column positions in this DefectDojo export of Trivy findings:
# 57 = severity, 85 = CVE, 1 = component, 2 = component version,
# 35 = fix version, 10 = description, 45 = references.
# They are specific to this export; other scan types place the fields elsewhere.
FIELDS = [57, 85, 1, 2, 35, 10, 45]

def select(risk, data, selected):
    """Append the findings of the given severity to `selected`, skipping duplicates."""
    for row in data:
        if row[57] != risk:
            continue
        # The export flattens line breaks into " NEWLINE ". Keep only the paragraph
        # after the first break of the description (or the whole text if the marker
        # is absent, instead of raising IndexError) and only the first reference link.
        parts = row[10].split("NEWLINE  NEWLINE ")
        row[10] = (parts[1] if len(parts) > 1 else parts[0]).replace(" NEWLINE", "")
        row[45] = row[45].split(" NEWLINE ")[0]

        new_line = [row[i] for i in FIELDS]
        if new_line not in selected:
            selected.append(new_line)

for csvfile in glob.glob(os.path.join('.', '*.csv')):
    selected = []
    workbook = Workbook(csvfile[:-4] + '.xlsx')
    worksheet = workbook.add_worksheet()

    with open(csvfile, encoding='utf8', newline='') as csv_file:
        data = list(csv.reader(csv_file, delimiter=','))

    # Critical first, then High, then Medium; Low and Info findings are left out.
    for risk in ["Critical", "High", "Medium"]:
        select(risk, data, selected)

    for finding_id, row in enumerate(selected, start=1):
        row.insert(0, finding_id)

    selected.insert(0, ["ID", "Severity", "CVE", "Component", "Component Version",
                        "Fixed in", "Details", "References"])

    for r, row in enumerate(selected):
        for c, col in enumerate(row):
            worksheet.write(r, c, col)
    workbook.close()

Save this script as trivy-dep-parse-csv.py in the same folder as findings.csv and run it:

python trivy-dep-parse-csv.py

Check the results:

Now we have an XLSX file containing only the data one can send directly to the product developers or embed in a report:

The same approach can be taken with other reports, but beware that every scan type produces a different set of fields, so the CSV contents and column positions will vary.
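Because the column positions vary between scan types, here is an added example (not part of the original post) that does the same selection by header name instead of position and fails clearly when an expected column is missing. The export column names in COLUMNS and the rows in SAMPLE_CSV are assumptions constructed for the example; check the names against the first line of your own findings.csv.

```python
import csv

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}  # kept severities, in output order

# Output header -> export column name. The export names are ASSUMED for this example;
# check them against the first line of your own findings.csv before running.
COLUMNS = {
    "Severity": "severity",
    "CVE": "cve",
    "Component": "component_name",
    "Component Version": "component_version",
    "Fixed in": "mitigation",
    "Details": "description",
    "References": "references",
}

def clean_details(text):
    # Text after the first paragraph marker; whole field if the export has no marker.
    parts = text.split("NEWLINE  NEWLINE ")
    return (parts[1] if len(parts) > 1 else parts[0]).replace(" NEWLINE", "").strip()

def clean_references(text):
    return text.split(" NEWLINE ")[0].strip()  # first reference only

# Constructed sample export (placeholder ids, not real findings): one duplicate row,
# one row without the paragraph marker, one Low finding that must be dropped.
SAMPLE_CSV = """severity,cve,component_name,component_version,mitigation,description,references
High,CVE-0000-0001,libexample,1.0.0,1.0.1,Title NEWLINE  NEWLINE Body text NEWLINE more,https://example.invalid/a NEWLINE https://example.invalid/b
Critical,CVE-0000-0002,otherlib,2.3.4,2.3.5,No marker here,https://example.invalid/c
High,CVE-0000-0001,libexample,1.0.0,1.0.1,Title NEWLINE  NEWLINE Body text NEWLINE more,https://example.invalid/a NEWLINE https://example.invalid/b
Low,CVE-0000-0003,minor,0.1,0.2,ignored,https://example.invalid/d
"""

def extract_findings(csv_text, columns=COLUMNS):
    reader = csv.DictReader(csv_text.splitlines())
    missing = [c for c in columns.values() if c not in reader.fieldnames]
    if missing:
        raise ValueError(f"export lacks expected columns: {missing}")
    seen, rows = set(), []
    for rec in reader:
        if rec[columns["Severity"]] not in SEVERITY_ORDER:
            continue  # drop Low/Info, as the page's script does
        row = [rec[c] for c in columns.values()]
        row[5] = clean_details(row[5])
        row[6] = clean_references(row[6])
        if tuple(row) not in seen:  # de-duplicate identical findings
            seen.add(tuple(row))
            rows.append(row)
    rows.sort(key=lambda r: SEVERITY_ORDER[r[0]])  # stable: keeps export order within a severity
    return [["ID", *columns]] + [[i + 1, *r] for i, r in enumerate(rows)]
```

The returned rows can be written to XLSX with the same worksheet.write loop as the script above.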
