functions/ConvertFrom-JFrogToCodeDx.ps1
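<#
.SYNOPSIS
    Converts a JFrog XRay JSON report to a Code Dx report for importing results.

.DESCRIPTION
    Used to convert a JFrog XRay JSON report file to a Code Dx XML format so it
    can be imported.

    Does not currently process the CVE list, since XRay lists multiple CWEs, CVEs
    and CVSS scores per component and Code Dx only supports a single CWE. Every
    finding is therefore tagged with the fixed CWE id 937. This may be revisited
    in the future, or when native support of XRay is adopted.

    The scan report is treated as untrusted input. Values copied from it reach
    the output only through the XML DOM (SetAttribute / InnerText), which escapes
    markup. Missing fields become empty values instead of aborting the run. An
    unreadable or unparsable report stops the conversion, so that a failed read
    is never written out as a report with no findings.

.PARAMETER SourceScanFilepath
    Path of the XRay JSON report. Surrounding double quotes are stripped. The
    path is used literally (no wildcard expansion).

.PARAMETER OutputDir
    Existing directory that receives the generated file, named
    JF2CDX-<yyyy-MM-dd-HHmmss>.xml. Surrounding double quotes are stripped.

.OUTPUTS
    None. The XML file is written to disk and its path is reported with Write-Host.

.EXAMPLE
    ConvertFrom-JFrogToCodeDX [scan_file_to_process] [output_directory]

.EXAMPLE
    ConvertFrom-JFrogToCodeDX "/home/my/path/file to process.json" "/my/workspace/folder"
#>
Function ConvertFrom-JFrogToCodeDx {
    [cmdletbinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$SourceScanFilepath,
        [Parameter(Mandatory=$true)]
        [string]$OutputDir
    )

    # Setup variables
    $CDate        = Get-Date -format "yyyy-MM-dd-HHmmss"
    $ToolName     = "JFrog"
    $NativeIDName = "JFrog ID"

    # Callers may pass paths that still carry their surrounding quotes.
    $SourceScanFile = $SourceScanFilepath.Trim('"')
    $OutputDirClean = $OutputDir.Trim('"')

    # -LiteralPath: characters such as [ ] in a report name must not be read as wildcards.
    if ([string]::IsNullOrWhiteSpace($SourceScanFile) -or
        -not (Test-Path -LiteralPath $SourceScanFile -PathType Leaf)) {
        throw "Source scan file not found: $SourceScanFile"
    }
    if ([string]::IsNullOrWhiteSpace($OutputDirClean) -or
        -not (Test-Path -LiteralPath $OutputDirClean -PathType Container)) {
        throw "Output directory not found: $OutputDirClean"
    }

    # Join-Path picks the platform's separator (the examples use POSIX paths).
    # XmlDocument.Save resolves relative paths against the process working
    # directory, not the PowerShell location, so resolve the path here first.
    $OutputFilePath = Join-Path -Path $OutputDirClean -ChildPath ("JF2CDX-" + $CDate + ".xml")
    $OutputFilePath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputFilePath)

    # Read source file and create custom PSO. A read or parse failure must stop
    # the conversion: continuing would save a report that looks clean.
    try {
        $SourceScanData = Get-Content -Raw -Encoding UTF8 -LiteralPath $SourceScanFile -ErrorAction Stop |
            ConvertFrom-Json -ErrorAction Stop
    }
    catch {
        throw "Unable to read or parse scan file '$SourceScanFile': $($_.Exception.Message)"
    }

    # Setup Code Dx output doc
    [xml]$doc = New-Object System.Xml.XmlDocument
    [void]$doc.AppendChild($doc.CreateXmlDeclaration("1.0", "UTF-8", $null))
    [void]$doc.AppendChild($doc.CreateComment("JFrog to Code Dx - Generated $CDate"))

    # Root element: the report date is the yyyy-MM-dd prefix of the run timestamp.
    $root = $doc.CreateNode("element", "report", $null)
    $root.SetAttribute("date", $CDate.Substring(0, 10))
    $root.SetAttribute("tool", $ToolName)

    # Create findings element
    $fds = $doc.CreateNode("element", "findings", $null)

    # Parent array of results. @() keeps a single object or a missing "data"
    # property iterable; null entries are skipped.
    foreach ($item in @($SourceScanData.data)) {
        if ($null -eq $item) { continue }

        # Create Code Dx elements
        $fd   = $doc.CreateNode("element", "finding", $null)
        $id   = $doc.CreateNode("element", "native-id", $null)
        $cwe  = $doc.CreateNode("element", "cwe", $null)
        $desc = $doc.CreateNode("element", "description", $null)
        $tl   = $doc.CreateNode("element", "tool", $null)
        $loc  = $doc.CreateNode("element", "location", $null)
        $md   = $doc.CreateNode("element", "metadata", $null)

        # Finding attributes. The [string] cast turns a missing severity into ""
        # instead of throwing; ToLowerInvariant keeps the result independent of
        # the host culture.
        # NOTE(review): an empty severity may be rejected on import - confirm
        # against the Code Dx schema.
        $fd.SetAttribute("severity", ([string]$item.severity).ToLowerInvariant())
        $fd.SetAttribute("type", "component")

        # Native ID attributes
        $id.SetAttribute("name", $NativeIDName)
        $id.SetAttribute("value", [string]$item.id)

        # CWE-937 is the category "OWASP Top Ten 2013 Category A9 - Using
        # Components with Known Vulnerabilities". It is applied to every
        # finding; per-finding CWE/CVE data from XRay is not carried over.
        $cwe.SetAttribute("id", "937")

        # Tool attributes
        $tl.SetAttribute("name", $ToolName)
        $tl.SetAttribute("category", "Security")
        $tl.SetAttribute("code", "Vulnerable Component")

        # Split component information to get group, name, and version info.
        # Substring(2) drops the first two characters of the second segment -
        # presumably the "//" of an id shaped like "type://group:name:version";
        # verify against real XRay output. Short or missing ids yield empty parts.
        $arrComp          = ([string]$item.source_comp_id).Split(":")
        $compGroup        = if ($arrComp.Length -gt 1 -and $arrComp[1].Length -ge 2) { $arrComp[1].Substring(2) } else { "" }
        $compArtifactName = if ($arrComp.Length -gt 2) { $arrComp[2] } else { "" }
        $compVersion      = if ($arrComp.Length -gt 3) { $arrComp[3] } else { "" }

        # Build location node and attributes
        $loc.SetAttribute("type", "logical")
        $loc.SetAttribute("path", [string]$item.component)

        # Metadata entries, emitted in this order. Version lists are joined
        # with " , "; a missing list becomes an empty string.
        $metadata = [ordered]@{
            "Component Name"      = $compArtifactName
            "Component Version"   = $compVersion
            "Component Group ID"  = $compGroup
            "Vulnerable Versions" = @($item.component_versions.vulnerable_versions) -join " , "
            "Fixed Versions"      = @($item.component_versions.fixed_versions) -join " , "
        }
        foreach ($key in $metadata.Keys) {
            $e = $doc.CreateNode("element", "value", $null)
            $e.SetAttribute("key", $key)
            $e.InnerText = [string]$metadata[$key]
            [void]$md.AppendChild($e)
        }

        # Build description info
        $resDesc = "Summary: " + $item.summary + "`n`nDescription: " + $item.component_versions.more_details.description
        $desc.SetAttribute("format", "plain-text")
        $desc.InnerText = $resDesc

        # CVE entries (component_versions.more_details.cves) are intentionally
        # not emitted; see .DESCRIPTION.

        # Append children to finding, then the finding to findings
        foreach ($child in @($id, $cwe, $tl, $loc, $desc, $md)) {
            [void]$fd.AppendChild($child)
        }
        [void]$fds.AppendChild($fd)
    }

    [void]$root.AppendChild($fds)
    [void]$doc.AppendChild($root)

    Write-Host "Outputing file to: $OutputFilePath"
    $doc.Save($OutputFilePath)
}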