feat(parsers): add Alert Logic CSV parser#14930

Open
skywalke34 wants to merge 8 commits into
DefectDojo:devfrom
skywalke34:alertlogic-parser

Conversation

@skywalke34
Contributor

Summary

Adds a parser for Alert Logic vulnerability scan CSV exports.

  • New scan type: Alert Logic Scan
  • Format: CSV (UTF-8 with BOM, 26 columns, multi-line quoted fields)
  • Class: dojo.tools.alertlogic.parser.AlertlogicParser

Mirrors the structure of recent single-format parsers (IriusRisk #14384) and the dedup pattern of Qualys VMDR (#14453). Alert Logic emits a stable native Vulnerability ID, so deduplication uses DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE with hashcode fallback fields ["title", "component_name", "vuln_id_from_tool"].

Files

  • dojo/tools/alertlogic/{__init__.py,parser.py} — parser (166 lines)
  • unittests/tools/test_alertlogic_parser.py — 32 tests (severity matrix, title truncation, single + multi-IP + IPv6 endpoints, endpoint.clean(), BOM handling, CVE present/absent, CISA Known Exploited tagging, CVSS score parsing, multi-line description preservation)
  • unittests/scans/alertlogic/{no_vuln,one_vuln,many_vulns}.csv — synthetic fixtures (real public CVE data; reserved-doc IPs 192.0.2.x / 198.51.100.x / 203.0.113.x; .example.com hostnames; fictional AcmeCorp account)
  • docs/content/supported_tools/parsers/file/alertlogic.md — field mapping, severity mapping, special processing notes
  • dojo/settings/settings.dist.py — registers Alert Logic Scan in HASHCODE_FIELDS_PER_SCANNER and DEDUPLICATION_ALGORITHM_PER_PARSER

Test plan

  • ruff check dojo/tools/alertlogic/ unittests/tools/test_alertlogic_parser.py — clean
  • 32/32 unit tests pass
  • endpoint.clean() validated on all 10 endpoints generated from the many_vulns fixture
  • Manual smoke-test through the DefectDojo UI: imported many_vulns.csv into an engagement; findings displayed correctly with proper severities, endpoints, and tags
  • CI

Notes

Severity values map 1:1 (Info → Info, Low → Low, etc.) — no normalization needed. Protocol/Port value TCP/0 is treated as "no specific port" and the port is omitted from the endpoint. CISA Known Exploited rows receive a cisa-known-exploited tag.

@github-actions github-actions Bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels May 28, 2026
@skywalke34 skywalke34 changed the title Add Alert Logic CSV parser feat(parsers): add Alert Logic CSV parser May 28, 2026
@valentijnscholten valentijnscholten added this to the 2.60.0 milestone May 31, 2026
Member

@valentijnscholten valentijnscholten left a comment


Can you look at the failing tests?

@mtesauro
Contributor

@skywalke34
Looks like there are some issues in your parser code:

[image]

Empty __init__.py + stub parser.py with the 4 required methods returning
placeholder values. Sets up the package for TDD tests to import against
before the real implementation in Task 8.

Authored by T. Walker - DefectDojo
Three fixtures matching the 26-column Alert Logic vulnerability export
shape (UTF-8 BOM, embedded CRLF in multi-line fields):

- no_vuln.csv      — header only, 0 data rows
- one_vuln.csv     — single Medium finding (HTTP/2 Rapid Reset)
- many_vulns.csv   — 7 rows covering Info / Low / Medium / High / Critical,
                     with/without CVE, single & multi-IP (IPv4+IPv6),
                     CISA Known Exploited Yes/No, multi-line Description
                     and Resolution, a >500-char title for truncation test,
                     empty CVSS and empty Operating System edge cases.

All asset names, IPs, deployment names, and the customer account are
synthetic (reserved doc IP ranges 192.0.2.x / 198.51.100.x / 203.0.113.x;
.example.com hostnames; fictional AcmeCorp account). CVE identifiers and
their associated descriptions/resolutions are from public sources.

Authored by T. Walker - DefectDojo
Skeleton with 4 tests: get_scan_types, parse_no_findings, parse_one_finding,
parse_many_findings. The one/many assertions fail against the Task 3 stub
(which returns []) — that's the intended TDD red state. Full field-validation
tests will be appended in Task 9 after the parser implementation lands in
Task 8.

Authored by T. Walker - DefectDojo
Parses Alert Logic vulnerability scan CSV exports (26 columns, UTF-8 with
BOM, multi-line quoted fields). Single-format, monolithic implementation
following the IriusRisk skeleton.

Field mapping:
- Vulnerability               → title (truncated at 500 chars with ellipsis)
- Severity                    → severity (direct 1:1 Info/Low/Medium/High/Critical)
- CVSS Score                  → cvssv3_score (float, None if empty)
- Asset Name                  → component_name
- IP Address                  → unsaved_endpoints (comma-split IPv4/IPv6)
- Protocol/Port               → endpoint protocol + port (port 0 → omitted)
- CVE                         → unsaved_vulnerability_ids
- Resolution                  → mitigation
- Vulnerability ID            → unique_id_from_tool (stable native ID)
- Description, Evidence, OS,
  Vuln Span ID, Vuln Key,
  Asset Key/Type, Service,
  Category, VPC/Network,
  Deployment Name, Customer
  Account, First Seen, Last
  Scanned, Published Date,
  Age (days), CISA KEV         → description (markdown table)
- CISA Known Exploited = Yes  → unsaved_tags: ["cisa-known-exploited"]

static_finding=True, dynamic_finding=False (infrastructure vulnerability
scanner pattern, matches Qualys VMDR).

All 7 fixture findings parse cleanly with correct severities, multi-IP
endpoint extraction (IPv4+IPv6), title truncation, CVE list, CVSS score,
and tags. endpoint.clean() passes on all 10 endpoints generated from the
many_vulns fixture.

Authored by T. Walker - DefectDojo
Adds 28 new tests on top of the TDD scaffold, bringing total coverage to
32 tests. Categories covered:

- Scan-type metadata: get_label, get_description
- Basic fields: title, severity, component_name, unique_id_from_tool,
  cvssv3_score, static/dynamic flags, mitigation content, description
  structure
- Severity mapping: one test per source level (Info/Low/Medium/High/Critical)
- Title truncation: long (>500) gets [:497] + "...", short stays as-is
- unique_id_from_tool: distinct values per finding, matches source
- Endpoints: single IPv4, multi-IP (IPv4+IPv6), IPv6-only, port=0 omission,
  endpoint.clean() on every endpoint
- CVE handling: present and absent
- CISA Known Exploited tag: added on "Yes", absent on "No"
- CVSS score: parsed when present, None when empty
- BOM handling: title resolves correctly (proves UTF-8 BOM is stripped)
- Multi-line field preservation in description

All 32 tests pass against the parser implementation from the previous
commit.

Authored by T. Walker - DefectDojo
Documents the Alert Logic CSV parser including:
- File-export workflow from the Alert Logic console
- Default deduplication strategy (unique_id_from_tool + hashcode fallback)
- Complete 26-column field mapping table (expandable)
- Additional Finding field settings (static/dynamic flags, active default)
- Special processing notes covering severity conversion, title truncation,
  description construction, endpoint multi-IP / IPv6 / port-zero handling,
  deduplication algorithm, CVE handling, CISA Known Exploited tagging,
  and UTF-8 BOM + multi-line field handling

Authored by T. Walker - DefectDojo
Adds Alert Logic Scan entries to:
- HASHCODE_FIELDS_PER_SCANNER with ["title", "component_name", "vuln_id_from_tool"]
  (fallback when Vulnerability ID is missing on a row)
- DEDUPLICATION_ALGORITHM_PER_PARSER as DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
  (uses Vulnerability ID as the stable native identifier with hashcode fallback)

Mirrors the Qualys VMDR dedup pattern (same field set, same algorithm).

Authored by T. Walker - DefectDojo
The Endpoint model is deprecated and raises NotImplementedError when V3_FEATURE_LOCATIONS is enabled. Build LocationData URL locations in that mode and fall back to Endpoint otherwise, matching the established parser migration pattern (e.g. Qualys VMDR). Endpoint tests now read via the get_unsaved_locations helper so they pass under both settings.

Authored by T. Walker - DefectDojo
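The parsing rules stated in the PR summary and in the parser and settings commits above (UTF-8 BOM stripping, comma-separated IPv4/IPv6 endpoints, TCP/0 meaning "no port", 500-character title truncation to [:497] + "...", CVSS as float or None, the cisa-known-exploited tag, and native-ID-or-hash deduplication), as an added stand-alone Python example that is not the PR's dojo.tools.alertlogic code. The reduced ten-column header, the AL-… identifiers, the CVE-0000-0001 placeholder and the sample rows are constructed assumptions, and dedupe_key only approximates how DefectDojo falls back to a hash code.

```python
import csv
import hashlib
import io

TITLE_MAX = 500  # titles longer than this become [:497] + "..."

def split_endpoints(ip_field: str, proto_port: str) -> list[tuple]:
    """Comma-separated IPv4/IPv6 list plus 'TCP/443' -> (host, protocol, port); TCP/0 drops the port."""
    proto, _, port = proto_port.partition("/")
    port_n = int(port) if port.isdigit() and int(port) > 0 else None
    return [(ip.strip(), proto or None, port_n) for ip in ip_field.split(",") if ip.strip()]

def parse_alertlogic_csv(raw: bytes) -> list[dict]:
    # utf-8-sig strips the leading BOM; newline="" lets csv keep CRLF inside quoted fields
    reader = csv.DictReader(io.StringIO(raw.decode("utf-8-sig"), newline=""))
    findings = []
    for row in reader:
        title = row["Vulnerability"]
        if len(title) > TITLE_MAX:
            title = title[:TITLE_MAX - 3] + "..."
        findings.append({
            "title": title,
            "severity": row["Severity"],  # Info/Low/Medium/High/Critical pass through 1:1
            "cvssv3_score": float(row["CVSS Score"]) if row["CVSS Score"].strip() else None,
            "component_name": row["Asset Name"],
            "unique_id_from_tool": row["Vulnerability ID"].strip(),
            "vulnerability_ids": [c.strip() for c in row["CVE"].split(",") if c.strip()],
            "endpoints": split_endpoints(row["IP Address"], row["Protocol/Port"]),
            "description": row["Description"],  # embedded CRLF is preserved verbatim
            "tags": ["cisa-known-exploited"] if row["CISA Known Exploited"].strip().lower() == "yes" else [],
        })
    return findings

def dedupe_key(f: dict) -> str:
    # Mirrors the idea of DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE: native Vulnerability ID
    # first, else a hash over title/component_name/vuln_id_from_tool (not DefectDojo's exact hash).
    if f["unique_id_from_tool"]:
        return "id:" + f["unique_id_from_tool"]
    parts = [f["title"], f["component_name"], ",".join(f["vulnerability_ids"])]
    return "hash:" + hashlib.sha256("|".join(parts).encode()).hexdigest()

# Constructed sample (not a real export): reduced 10-column header, UTF-8 BOM, CRLF inside a
# quoted Description, placeholder CVE, reserved doc IPs; row 2 has empty CVSS, TCP/0 and no ID.
SAMPLE = (
    "\ufeffVulnerability,Severity,CVSS Score,Asset Name,IP Address,Protocol/Port,"
    "CVE,Vulnerability ID,Description,CISA Known Exploited\r\n"
    '"HTTP/2 Rapid Reset",Medium,7.5,web-01.example.com,"192.0.2.10, 2001:db8::10",'
    'TCP/443,CVE-0000-0001,AL-0001,"Line one\r\nLine two",Yes\r\n'
    '"' + "X" * 600 + '",Low,,db-01.example.com,198.51.100.5,TCP/0,,,Short,No\r\n'
).encode("utf-8")
```

Running parse_alertlogic_csv(SAMPLE) yields one Medium finding with two endpoints on TCP/443 and the CISA tag, and one Low finding whose title is cut to exactly 500 characters, whose endpoint carries no port, and whose dedup key falls back to the hash because the row has no Vulnerability ID.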
@skywalke34 skywalke34 force-pushed the alertlogic-parser branch from 809fc00 to 87cff15 Compare June 1, 2026 21:57
@skywalke34
Contributor Author

The dev baseline got the V3_FEATURE_LOCATIONS feature flag after I cut the branch, causing the Endpoint model to raise NotImplementedError. I retested with V3_FEATURE_LOCATIONS = True / False and all tests should now pass.

Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro requested review from Jino-T and blakeaowens June 2, 2026 00:57