
Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions #11459

Open · wants to merge 6 commits into dev

Conversation

@4b75726169736859 commented Dec 23, 2024

⚠️ Note on feature completeness ⚠️

This pull request aligns with the current contribution guidelines by enhancing the OSV parser. The changes introduce mitigation details for vulnerabilities.


Description

This pull request enhances the OSV Scan parser by adding support for mitigation information, specifically the fixed versions of affected packages.

Key Changes:

  1. Extraction of Fixed Versions:

    • Added logic to parse the ranges field within the affected section of each vulnerability.
    • Extracted the fixed version from the events list when available and formatted it as:
      Upgrade to version: <fixed_version>.
  2. Integration of Mitigation:

    • Introduced a new mitigation field in findings to provide actionable guidance for resolving vulnerabilities.
  3. Enhanced Usability:

    • Improved the output of the parser to make it more informative and aligned with best practices in vulnerability management.
  4. Testing Support:

    • Standalone Python script to test the parser. The script reads a sample JSON file, executes the parser, and outputs the findings, including the mitigation details, for validation.

Test Results

Testing was conducted using the provided sample JSON file (test.json). The parser correctly identifies findings and includes mitigation details in its output.

Example Output:

  • Title: CVE-2024-50252_linux
  • Severity: Medium
  • Mitigation: Upgrade to version: 6.1.119-1
  • Description: Detailed vulnerability information.
  • References: Links to relevant advisories and fixes.

Additionally, I verified that:

  • Findings without a fixed version omit the mitigation field.
  • The parser handles malformed JSON gracefully by returning an empty findings list.

Unit tests are planned to extend dojo/unittests for comprehensive coverage of these changes.


Documentation

The documentation has been updated to reflect this new feature:

  • Added a note about the mitigation field in the parser's description.
  • Clarified that mitigation information will appear when available in the input JSON.

Checklist

  • Changes submitted against the dev branch.
  • PR named meaningfully for release notes.
  • Code is flake8 and Python 3.11 compliant.
  • Tests added to validate the parser's new functionality.
  • Proper label applied: Import Scans.

Labels

Import Scans, enhancement


Extra Information

This pull request enhances the usability of the OSV parser, making it more actionable by including mitigation details. It also aligns with existing parsers, such as WPScan, which already support fixed versions, ensuring consistency across DefectDojo.


If you need further clarifications or adjustments, feel free to let me know!
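The extraction described in the PR (walk `affected[].ranges[].events[]`, pick up `fixed`, format it as "Upgrade to version: X", leave the field out when there is no fix, return an empty list on malformed JSON), written out as an added example. This is not the PR's code or DefectDojo's parser; it assumes the OSV-Scanner JSON layout (`results[].source.path`, `results[].packages[].package`, `results[].packages[].vulnerabilities[]` holding OSV schema entries) and uses a constructed sample document. It goes slightly beyond the description in two ways a practitioner would want: it only takes fixed versions from `affected` entries whose package name and ecosystem match the scanned package (one OSV record can cover several distro suites), and it skips `GIT` ranges, whose `fixed` events are commit hashes rather than installable versions.

```python
import json
from typing import Optional

# Constructed sample in the OSV-Scanner JSON output shape (not the PR's test.json):
# one Debian 12 "linux" package with one fixed and one unfixed vulnerability.
SAMPLE_OSV_SCANNER_OUTPUT = json.dumps({"results": [{
    "source": {"path": "/scan/status", "type": "lockfile"},
    "packages": [{
        "package": {"name": "linux", "version": "6.1.100-1", "ecosystem": "Debian:12"},
        "vulnerabilities": [
            {"id": "CVE-2024-50252", "summary": "example summary", "details": "example details",
             "affected": [
                 {"package": {"name": "linux", "ecosystem": "Debian:12"},
                  "ranges": [
                      # GIT ranges carry commit hashes in `fixed`, not package versions
                      {"type": "GIT", "repo": "https://example.invalid/linux.git",
                       "events": [{"introduced": "0"}, {"fixed": "abc123def456"}]},
                      {"type": "ECOSYSTEM",
                       "events": [{"introduced": "0"}, {"fixed": "6.1.119-1"}]}]},
                 # same CVE for another suite: must not be reported for a Debian:12 scan
                 {"package": {"name": "linux", "ecosystem": "Debian:11"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "5.10.226-1"}]}]}],
             "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}]},
            # Hypothetical identifier, constructed for the sample; no fix published
            {"id": "EXAMPLE-2024-0001", "summary": "no fix published",
             "affected": [{"package": {"name": "linux", "ecosystem": "Debian:12"},
                           "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
        ]}]}]})

# Range types whose `fixed` event is a version string an upgrade can target.
VERSION_RANGE_TYPES = {"ECOSYSTEM", "SEMVER"}


def fixed_versions(vuln: dict, package: dict) -> list[str]:
    """Fixed versions in `vuln` that apply to the scanned `package`, in schema order.

    Only `affected` entries matching the scanned package's name and ecosystem are
    used, and only ECOSYSTEM/SEMVER ranges, so a GIT range's commit hash is never
    presented as an upgrade target.
    """
    found: list[str] = []
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("name") != package.get("name") or pkg.get("ecosystem") != package.get("ecosystem"):
            continue
        for rng in affected.get("ranges", []):
            if rng.get("type") not in VERSION_RANGE_TYPES:
                continue
            for event in rng.get("events", []):
                fixed = event.get("fixed")
                if fixed and fixed not in found:
                    found.append(fixed)
    return found


def build_mitigation(vuln: dict, package: dict) -> Optional[str]:
    """Mitigation text in the PR's format, or None when no fixed version exists."""
    versions = fixed_versions(vuln, package)
    if not versions:
        return None
    return "Upgrade to version: " + ", ".join(versions)


def parse_osv_scanner(text: str) -> list[dict]:
    """Turn OSV-Scanner JSON into finding dicts; malformed or non-object JSON yields []."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    findings: list[dict] = []
    for result in data.get("results", []):
        source_path = result.get("source", {}).get("path", "")
        for entry in result.get("packages", []):
            package = entry.get("package", {})
            for vuln in entry.get("vulnerabilities", []):
                finding = {
                    "title": f"{vuln.get('id')}_{package.get('name')}",
                    "description": vuln.get("details") or vuln.get("summary", ""),
                    "file_path": source_path,
                    "references": "\n".join(r["url"] for r in vuln.get("references", []) if "url" in r),
                }
                # mitigation is computed per vulnerability, so a fix from one record
                # can never leak onto the next one
                mitigation = build_mitigation(vuln, package)
                if mitigation:
                    finding["mitigation"] = mitigation
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in parse_osv_scanner(SAMPLE_OSV_SCANNER_OUTPUT):
        print(f["title"], "->", f.get("mitigation", "(no fixed version)"))
```

Running the block against the constructed sample yields `CVE-2024-50252_linux -> Upgrade to version: 6.1.119-1` and no mitigation for the unfixed record; the Debian:11 fix and the GIT commit hash are both ignored. A unit test for the PR would want exactly those two negative cases next to the positive one.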

dependabot bot and others added 6 commits December 16, 2024 18:06
Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.7 to 3.3.8.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.3.7...3.3.8)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* qa connectors: merge articles, fix links

* qa 'connecting tools': labels, weights, content

* qa user mgmt docs: weights, content, links

* fix broken links

* fix upgrade notes typo

---------

Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>

DryRun Security Summary

The pull request focuses on updating DefectDojo's documentation to improve clarity, security guidance, and user understanding of features like API Connectors, import functionality, user management, and SSO configuration, primarily for the DefectDojo Pro version.


Summary:

The changes in this pull request are primarily focused on updating the documentation for the DefectDojo application security tool. The changes cover a wide range of topics, including the API Connectors feature, the import and sync functionality, user management and permissions, and the overall documentation structure.

From an application security perspective, the changes do not introduce any obvious security vulnerabilities. The documentation updates aim to provide more clarity and guidance to users on how to securely configure and use the various features of DefectDojo. Key security-related updates include:

  1. Emphasizing that the API Connectors, Universal Importer, and other advanced features are only available in the DefectDojo Pro version, which helps to ensure proper access control and licensing.
  2. Providing detailed instructions on securely setting up API-driven integrations and automating the import of security scan data.
  3. Enhancing the documentation around user management, permissions, and roles to ensure proper access control and least privilege principles.
  4. Improving the documentation for the SSO configuration, which is a crucial security feature for web applications.

Overall, the changes in this pull request appear to be focused on improving the security-related documentation and guidance for the DefectDojo application. While the changes do not directly impact the application's security, they demonstrate the team's commitment to providing users with the necessary information to securely configure and use the tool.

Files Changed:

  1. docs/content/en/connecting_your_tools/connectors/_index.md: Updated the title and weight of the "API Connectors" documentation page, and added a note that the feature is a DefectDojo Pro-only feature.
  2. docs/content/en/about_defectdojo/new_user_checklist.md: Updated the documentation links and section titles to improve clarity and accuracy.
  3. .github/release-drafter.yml: Updated the URL for the "Upgrade notes in the documentation" section.
  4. docs/content/en/changelog/changelog.md: Added entries for the DefectDojo Pro (Cloud Version) application, including updates to the Connectors feature and other functionality improvements.
  5. docs/content/en/connecting_your_tools/connectors/about_connectors.md: Added a note that Connectors are a Pro-only feature and provided a quick-start guide for setting up new Connectors.
  6. docs/content/en/connecting_your_tools/connectors/add_edit_connectors.md: Updated the documentation for adding and editing Connectors, including guidance on API keys and URL locations.
  7. docs/content/en/connecting_your_tools/connectors/connectors_tool_reference.md: Expanded the documentation to provide more detailed instructions for setting up Connectors for various security tools.
  8. docs/content/en/connecting_your_tools/connectors/manage_records.md: Updated the title and added a new section on editing, ignoring, and deleting records.
  9. docs/content/en/connecting_your_tools/connectors/manage_operations.md: Provided more detailed information on the "Discover" and "Sync" operations performed by Connectors.
  10. docs/content/en/connecting_your_tools/external_tools.md: Added a note that the Universal Importer and Dojo-CLI tools are DefectDojo Pro-only features.
  11. docs/content/en/connecting_your_tools/import_intro.md: Expanded the documentation on the different import methods available in DefectDojo.
  12. docs/content/en/connecting_your_tools/import_scan_files/_index.md: Updated the weight of the "Import Scans" documentation page.
  13. docs/content/en/connecting_your_tools/import_scan_files/api_pipeline_modelling.md: Provided more guidance on using the API for automating the import of scan files.
  14. docs/content/en/connecting_your_tools/import_scan_files/import_scan_ui.md: Clarified the functionality of the "Import Scan Form" feature.
  15. docs/content/en/connecting_your_tools/import_scan_files/smart_upload.md: Enhanced the documentation for the "Smart Upload" feature, which automatically routes findings to the appropriate products.
  16. docs/content/en/user_management/_index.md: Updated the title and description of the "User Management" documentation section.
  17. `docs/content/en/connecting

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.


@mtesauro (Contributor)

@4b75726169736859 You appear to have far more files in the PR than you should. Can you look at only including files related to your OSV parser changes.

@@ -70,8 +76,11 @@ def get_findings(self, file, test):
file_path=source_path,
references=reference,
)
if mitigation:
finding.mitigation = mitigation
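Review bot: the post-construction `if mitigation: finding.mitigation = mitigation` sits oddly next to `file_path=source_path,` and `references=reference,` being passed to the constructor; passing `mitigation=mitigation` in the same call (with `mitigation` defaulting to `None`) keeps the Finding built in one place. More importantly, the hunk does not show where `mitigation` is initialized: it must be reset at the start of each vulnerability iteration, otherwise a fixed version from the previous vulnerability is carried onto one that has no fix and the finding advertises an upgrade that does not exist. A unit test with one fixed and one unfixed vulnerability in the same input file would catch that.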
Contributor


Please also add unittests to your PR.


5 participants