refactor: Update all modules to use new create_finding signature

Updated 10 modules to use the new create_finding() signature with required rule_id and found_by parameters: - llm_analyzer.py: Added FoundBy and LLMContext for AI-detected findings - bandit_analyzer.py: Added tool attribution and moved CWE/confidence to proper fields - security_analyzer.py: Updated all three finding types (secrets, SQL injection, dangerous functions) - mypy_analyzer.py: Added tool attribution and moved column info to column_start - mobsf_scanner.py: Updated all 6 finding types (permissions, manifest, code analysis, behavior) with proper line number handling - opengrep_android.py: Added tool attribution, proper CWE/OWASP formatting, and confidence mapping - dependency_scanner.py: Added pip-audit attribution for CVE findings - file_scanner.py: Updated both sensitive file and enumeration findings - cargo_fuzzer.py: Added fuzzer type attribution for crash findings - atheris_fuzzer.py: Added fuzzer type attribution for Python crash findings All modules now properly track: - Finding source (module, tool name, version, type) - Confidence levels (high/medium/low) - CWE and OWASP mappings where applicable - LLM context for AI-detected issues
2026-05-31 21:31:35 +02:00 · 2025-11-02 15:36:30 +01:00
parent 99cee284b6
commit fccd8f32ab
10 changed files with 275 additions and 46 deletions
@@ -21,12 +21,12 @@ from pathlib import Path
 from typing import Dict, Any, List

 try:
-    from toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding
+    from toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding, FoundBy
 except ImportError:
    try:
-        from modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding
+        from modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding, FoundBy
    except ImportError:
-        from src.toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding
+        from src.toolbox.modules.base import BaseModule, ModuleMetadata, ModuleResult, ModuleFinding, FoundBy

 logger = logging.getLogger(__name__)

@@ -201,11 +201,22 @@ class DependencyScanner(BaseModule):

                recommendation = f"Upgrade {package_name} to a fixed version: {', '.join(fix_versions)}" if fix_versions else f"Check for updates to {package_name}"

+                # Create FoundBy attribution
+                found_by = FoundBy(
+                    module="dependency_scanner",
+                    tool_name="pip-audit",
+                    tool_version="unknown",
+                    type="tool"
+                )
+
                finding = self.create_finding(
+                    rule_id=f"vulnerable_dependency_{package_name}",
                    title=f"Vulnerable dependency: {package_name} ({vuln_id})",
                    description=f"{description}\n\nAffected package: {package_name} {package_version}",
                    severity=severity,
                    category="vulnerable-dependency",
+                    found_by=found_by,
+                    confidence="high",  # pip-audit uses official CVE database
                    file_path=str(rel_path),
                    recommendation=recommendation,
                    metadata={