Split Github Vulnerability Scan into separate SCA & SAST parsers (#12773)

* Refactor GithubVulnerability parser and add GithubSAST parser

* More GithubVulnerability and GithubSAST parser improvements

* Add documentation

* Add tests, update docs, and add hash code fields

* Fix Github vulnerability parser unit test

* Unit tests and parser tweaks

* Rm files pushed by mistake

* Revert certain removals from unit test

* Add EPSS field population and update unit tests

* Removed some unnecessary comments and formatting

* Ruff formatting

* Fix unit tests

* Ruff formatting

* Fix unit test

* Github Vulnerability parser and docs tweaks, and upgrade instructions

* Politeness

* Fix dependabot update pr link parsing

* Backwards compatability

* Revert 2.49 docs change and add 2.51

* Add 2.51 upgrade doc

* Smol 2.51 upgrade doc fix

* Move imports to top

* Ruff lint fix

---------

Co-authored-by: Zeke Tierkel <zeketierkel@Zekes-MacBook-Pro.local>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>

Author: 3 people

docs/content/en/connecting_your_tools/parsers/file/github_sast.md

@@ -0,0 +1,9 @@
+---
+title: "Github SAST Scan"
+toc_hide: true
+---
+Import findings in JSON format from Github Code Scanning REST API:
+<https://docs.github.com/en/rest/code-scanning/code-scanning>
+
+### Sample Scan Data
+Sample Github SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_sast).

docs/content/en/connecting_your_tools/parsers/file/github_vulnerability.md

@@ -1,5 +1,5 @@
 ---
-title: "Github Vulnerability"
+title: "Github Vulnerability Scan"
 toc_hide: true
 ---
 Import findings from Github vulnerability scan (GraphQL Query):
@@ -15,6 +15,8 @@ vulnerabilityAlerts (RepositoryVulnerabilityAlert object)
     + createdAt (optional)
     + vulnerableManifestPath
     + state (optional)
+    + dependabotUpdate (DependabotUpdate object) (optional)
+        + pullRequest (PullRequest object) (optional)
     + securityVulnerability (SecurityVulnerability object)
         + severity (CRITICAL/HIGH/LOW/MODERATE)
         + package (optional)
@@ -27,10 +29,17 @@ vulnerabilityAlerts (RepositoryVulnerabilityAlert object)
                     + value
                 + references (optional)
                     + url (optional)
-                + cvss (optional)
+                + cvss (optional - deprecated, use cvssSeverities instead)
                     + score (optional)
                     + vectorString (optional)
+                + cvssSeverities (optional)
+                    + cvssV3 (CVSS object) (optional)
+                        + score (optional)
+                        + vectorString (optional)
                 + cwes (optional)
+                + epss (EPSS object) (optional)
+                    + percentage (optional)
+                    + percentile (optional)
 ```
 
 References:

docs/content/en/open_source/upgrading/2.51.md

@@ -48,6 +48,13 @@ The following Helm chart values have been modified in this release:
 - **Enhanced probe configuration for Celery**: Added support for customizing liveness, readiness, and startup probes in both Celery beat and worker deployments.
 - **Enhanced environment variable management**: All deployments now include `extraEnv` support for adding custom environment variables. For backwards compatibility, `.Values.extraEnv` can be used to inject common environment variables to all workloads.
 
+## GitHub Scan Type and Parser Updates
+The Github Vulnerability scan type and parser has been split into two disctinct scan types:
+- [Github Vulnerability](https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/github_vulnerability.md) (original)
+- [Github SAST](https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/github_sast.md)
+
+The original Github Vulnerability scan type will continue to accept SCA vulnerabilities uploaded in GitHub's GraphQL format, as it has always done. It will also continue to accept SAST uploads, however we recommend upgrading to the new Github SAST scan type for uploading these types of vulnerabilities going forward. This new scan type will accept the raw JSON response from [GitHub's REST API for code scanning alerts](https://docs.github.com/en/rest/code-scanning/code-scanning). Sample Github SAST scan data can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/github_sast).
+
 ### Other changes
 
 - **Celery pod annotations**: Now we can add annotations to Celery beat/worker pods separately.

dojo/settings/settings.dist.py

@@ -1337,6 +1337,7 @@ def saml2_attrib_map_format(din):
     "JFrog Xray On Demand Binary Scan": ["title", "component_name", "component_version"],
     "Scout Suite Scan": ["file_path", "vuln_id_from_tool"],  # for now we use file_path as there is no attribute for "service"
     "Meterian Scan": ["cwe", "component_name", "component_version", "description", "severity"],
+    "Github SAST Scan": ["vuln_id_from_tool", "severity", "file_path", "line"],
     "Github Vulnerability Scan": ["title", "severity", "component_name", "vulnerability_ids", "file_path"],
     "Github Secrets Detection Report": ["title", "file_path", "line"],
     "Solar Appscreener Scan": ["title", "file_path", "line", "severity"],
@@ -1583,6 +1584,7 @@ def saml2_attrib_map_format(din):
     "Scout Suite Scan": DEDUPE_ALGO_HASH_CODE,
     "AWS Security Hub Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
     "Meterian Scan": DEDUPE_ALGO_HASH_CODE,
+    "Github SAST Scan": DEDUPE_ALGO_HASH_CODE,
     "Github Vulnerability Scan": DEDUPE_ALGO_HASH_CODE,
     "Github Secrets Detection Report": DEDUPE_ALGO_HASH_CODE,
     "Cloudsploit Scan": DEDUPE_ALGO_HASH_CODE,

dojo/tools/github_sast/__init__.py

@@ -0,0 +1,84 @@
+import json
+from urllib.parse import urlparse
+
+from dojo.models import Finding
+
+
+class GithubSASTParser:
+    def get_scan_types(self):
+        return ["Github SAST Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type
+
+    def get_description_for_scan_types(self, scan_type):
+        return "GitHub SAST report file can be imported in JSON format."
+
+    def get_findings(self, filename, test):
+        data = json.load(filename)
+        if not isinstance(data, list):
+            error_msg = "Invalid SAST report format, expected a JSON list of alerts."
+            raise TypeError(error_msg)
+
+        findings = []
+        for vuln in data:
+            rule = vuln.get("rule", {})
+            inst = vuln.get("most_recent_instance", {})
+            loc = inst.get("location", {})
+            html_url = vuln.get("html_url")
+            rule_id = rule.get("id")
+            title = f"{rule.get('description')} ({rule_id})"
+            severity = rule.get("security_severity_level", "Info").title()
+            active = vuln.get("state") == "open"
+
+            # Build description with context
+            desc_lines = []
+            if html_url:
+                desc_lines.append(f"GitHub Alert: [{html_url}]({html_url})")
+            owner = repo = None
+            commit_sha = inst.get("commit_sha")
+            if html_url:
+                parsed = urlparse(html_url)
+                parts = parsed.path.strip("/").split("/")
+                # URL is /<owner>/<repo>/security/... so parts[0]=owner, parts[1]=repo
+                if len(parts) >= 2:
+                    owner, repo = parts[0], parts[1]
+            if owner and repo and commit_sha and loc.get("path") and loc.get("start_line"):
+                file_link = (
+                    f"{parsed.scheme}://{parsed.netloc}/"
+                    f"{owner}/{repo}/blob/{commit_sha}/"
+                    f"{loc['path']}#L{loc['start_line']}"
+                )
+                desc_lines.append(f"Location: [{loc['path']}:{loc['start_line']}]({file_link})")
+            elif loc.get("path") and loc.get("start_line"):
+                # fallback if something is missing
+                desc_lines.append(f"Location: {loc['path']}:{loc['start_line']}")
+            msg = inst.get("message", {}).get("text")
+            if msg:
+                desc_lines.append(f"Message: {msg}")
+            if severity:
+                desc_lines.append(f"Rule Severity: {severity}")
+            if rule.get("full_description"):
+                desc_lines.append(f"Description: {rule.get('full_description')}")
+            description = "\n".join(desc_lines)
+
+            finding = Finding(
+                title=title,
+                test=test,
+                description=description,
+                severity=severity,
+                active=active,
+                static_finding=True,
+                dynamic_finding=False,
+                vuln_id_from_tool=rule_id,
+            )
+
+            # File path & line
+            finding.file_path = loc.get("path")
+            finding.line = loc.get("start_line")
+
+            if html_url:
+                finding.url = html_url
+
+            findings.append(finding)
+        return findings