twistlock: defend against compliances being null (#13318)

valentijnscholten · web-flow · commit 75d9bb261af4 · 2025-10-03T21:54:59.000-05:00
* twistlock: defende against compliances being null

* twistlock: defende against compliances being null
diff --git a/docs/content/en/open_source/contributing/how-to-write-a-parser.md b/docs/content/en/open_source/contributing/how-to-write-a-parser.md
@@ -166,6 +166,17 @@ Good example:
        finding.cwe = data["mykey"]
 ```
 
+```python
+   finding.cwe = data.get("mykey", 123)
+```
+
+```python
+   some_list = data.get("key_of_the_list") or []
+```
+
+The finale example guards against cases where `key_of_the_list` is present, but `null`.
+
+
 ### Parsing of CVSS vectors
 
 Data can have `CVSS` vectors or scores. Defect Dojo use the `cvss` module provided by RedHat Security.
diff --git a/dojo/tools/twistlock/parser.py b/dojo/tools/twistlock/parser.py
@@ -177,13 +177,14 @@ def parse_json(self, json_output):
 
     def get_items(self, tree, test):
         items = {}
-        if "results" in tree:
+        results = tree.get("results") or []
+        if results:
             # Extract image metadata for impact field (Item 3)
-            result = tree["results"][0]
+            result = results[0]
             image_metadata = self.build_image_metadata(result)
 
             # Parse vulnerabilities
-            vulnerabilityTree = result.get("vulnerabilities", [])
+            vulnerabilityTree = result.get("vulnerabilities") or []
             for node in vulnerabilityTree:
                 item = get_item(node, test, image_metadata)
                 unique_key = node["id"] + str(
@@ -194,7 +195,7 @@ def get_items(self, tree, test):
                 items[unique_key] = item
 
             # Parse compliance findings
-            complianceTree = result.get("compliances", [])
+            complianceTree = result.get("compliances") or []
             for node in complianceTree:
                 item = get_compliance_item(node, test, image_metadata)
                 # Create unique key for compliance findings - prefer ID if available
@@ -326,11 +327,14 @@ def get_compliance_item(compliance, test, image_metadata=""):
 
 
 def convert_severity(severity):
-    if severity.lower() == "important":
+    if not severity:
+        return "Info"
+    sev_lower = severity.lower()
+    if sev_lower == "important":
         return "High"
-    if severity.lower() == "moderate":
+    if sev_lower == "moderate":
         return "Medium"
-    if severity.lower() in {"information", "informational", ""}:
+    if sev_lower in {"information", "informational", ""}:
         return "Info"
     return severity.title()
 
