From eee98a2780401920ad62502397e99d99ff6c77d5 Mon Sep 17 00:00:00 2001
From: Rony Xavier
Date: Tue, 16 Mar 2021 09:22:59 -0400
Subject: [PATCH] Jfrog Mapper: Display CVE data in control Desc (#81)

Signed-off-by: Rony Xavier
Co-authored-by: Rony Xavier
---
 lib/heimdall_tools/jfrog_xray_mapper.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/heimdall_tools/jfrog_xray_mapper.rb b/lib/heimdall_tools/jfrog_xray_mapper.rb
index ef906a6..843ea88 100644
--- a/lib/heimdall_tools/jfrog_xray_mapper.rb
+++ b/lib/heimdall_tools/jfrog_xray_mapper.rb
@@ -57,6 +57,14 @@ def finding(vulnerability)
 [finding]
 end

+ def format_control_desc(vulnerability)
+ text = []
+ info = vulnerability['component_versions']['more_details']
+ text << info['description'].to_s
+ text << "cves: #{info['cves'].to_s }" unless info['cves'].nil?
+ text.join("
")
+ end
+
 def nist_tag(cweid)
 entries = @cwe_nist_mapping.select { |x| cweid.include?(x[:cweid].to_s) && !x[:nistid].nil? }
 tags = entries.map { |x| x[:nistid] }
@@ -119,7 +127,7 @@ def to_hdf
 # If thats a case MD5 hash is used to collapse vulnerability findings of the same type.
 item['id'] = vulnerability['id'].empty? ? OpenSSL::Digest::MD5.digest(vulnerability['summary'].to_s).unpack("H*")[0].to_s : vulnerability['id']
 item['title'] = vulnerability['summary'].to_s
- item['desc'] = vulnerability['component_versions']['more_details']['description'].to_s
+ item['desc'] = format_control_desc(vulnerability)
 item['impact'] = impact(vulnerability['severity'].to_s)
 item['code'] = NA_STRING
 item['results'] = finding(vulnerability)
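Review bot: In `format_control_desc`, `info['cves'].to_s` interpolates the raw object from the Xray report, so if `cves` is an array of hashes (its shape is not visible in this hunk) the control description receives Ruby inspect output, and an empty array still produces a `cves: []` line. Pulling out the identifiers keeps the description readable and lets analysts search findings by CVE id: `ids = Array(info['cves']).map { |c| c['cve'] }.compact` and then `text << "cves: #{ids.join(', ')}" unless ids.empty?`, assuming each entry carries a `cve` key. The `.to_s` inside the interpolation is redundant in either form. The `text.join` argument is broken across a line in this view, so the separator itself could not be reviewed.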