Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions #11459

Closed
wants to merge 16 commits into from
Closed

Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions #11459

wants to merge 16 commits into from

Conversation

4b75726169736859
Copy link

@4b75726169736859 4b75726169736859 commented Dec 23, 2024
edited
Loading

⚠️ Note on feature completeness ⚠️

This pull request aligns with the current contribution guidelines by enhancing the OSV parser. The changes introduce mitigation details for vulnerabilities.

Description

This pull request enhances the OSC Scan parser by adding support for mitigation information, specifically the fixed versions of affected packages.

Key Changes:

  1. Extraction of Fixed Versions:

    • Added logic to parse the ranges field within the affected section of each vulnerability.
    • Extracted the fixed version from the events list when available and formatted it as:
      Upgrade to version: <fixed_version>.

  2. Integration of Mitigation:

    • Introduced a new mitigation field in findings to provide actionable guidance for resolving vulnerabilities.

  3. Enhanced Usability:

    • Improved the output of the parser to make it more informative and aligned with best practices in vulnerability management.

  4. Testing Support:

    • Standalone Python script to test the parser. The script reads a sample JSON file, executes the parser, and outputs the findings, including the mitigation details, for validation.

Test Results

Testing was conducted using the provided sample JSON file (test.json). The parser correctly identifies findings and includes mitigation details in its output.

Example Output:

  • Title: CVE-2024-50252_linux
  • Severity: Medium
  • Mitigation: Upgrade to version: 6.1.119-1
  • Description: Detailed vulnerability information.
  • References: Links to relevant advisories and fixes.

Additionally, I verified that:

  • Findings without a fixed version omit the mitigation field.
  • The parser handles malformed JSON gracefully by returning an empty findings list.

Unit tests are planned to extend dojo/unittests for comprehensive coverage of these changes.

Documentation

The documentation has been updated to reflect this new feature:

  • Added a note about the mitigation field in the parser's description.
  • Clarified that mitigation information will appear when available in the input JSON.

Checklist

  • Changes submitted against the dev branch.
  • PR named meaningfully for release notes.
  • Code is flake8 and Python 3.11 compliant.
  • Tests added to validate the parser's new functionality.
  • Proper label applied: Import Scans.

Labels

Import Scans, enhancement

Extra Information

This pull request enhances the usability of the OSV parser, making it more actionable by including mitigation details. It also aligns with existing parsers, such as WPScan, which already support fixed versions, ensuring consistency across DefectDojo.

If you need further clarifications or adjustments, feel free to let me know!

@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Dec 23, 2024
edited
Loading

DryRun Security Summary

The pull request includes various updates to the DefectDojo application, focusing on dependency management, documentation improvements, and feature enhancements, with no major security concerns identified.

Expand for full summary

Summary:

The code changes in this pull request cover a wide range of updates, including dependency version updates, documentation improvements, and feature enhancements across the DefectDojo application. From an application security perspective, the changes do not introduce any major security concerns, but there are a few areas that warrant further review and consideration:

  1. Dependency Management: The update to the package.json file for the defectdojo project should be reviewed to ensure that all dependencies are using the latest stable versions, and that any known security vulnerabilities have been addressed.

  2. Documentation Updates: The various documentation changes, such as updating the API documentation, Helm chart release workflow, and user guides, are generally positive improvements that help enhance the security and usability of the application. However, it's important to ensure that any user-supplied data in the documentation is properly sanitized and validated to prevent potential security issues like cross-site scripting (XSS) attacks.

  3. API and Integration Security: The changes related to the "API Connectors" and "Generic Findings Import" features highlight the need to ensure the proper implementation of secure authentication, authorization, and input validation mechanisms for these integration points. This is crucial to prevent potential security vulnerabilities from being introduced through these external connections.

  4. Hardcoded Values and Configurations: While not a major concern, some of the changes mention the use of hardcoded values, such as constants and default parameter values. It's generally recommended to make these values configurable or retrieve them from more dynamic sources to improve maintainability and reduce the risk of unintended consequences.

Overall, the changes in this pull request appear to be focused on improving the functionality, usability, and documentation of the DefectDojo application. From an application security perspective, the changes do not raise any immediate red flags, but it's important to continue monitoring the development and deployment of these features to ensure that the application's security posture is maintained.

Files Changed:

  1. components/package.json: Updates the defectdojo project version from 2.42.0-dev to 2.42.1.
  2. README.md: Updates the documentation links and the "Supported Installation Options" section.
  3. docs/content/en/api/_index.md: Updates the title of the API documentation page.
  4. .github/workflows/release-x-manual-helm-chart.yml: Updates the Helm chart release workflow.
  5. docs/content/en/changelog/_index.md: Updates the title of the changelog page.
  6. docs/content/en/cloud_management/_index.md: Updates the title and weight of the "DefectDojo Cloud" documentation page.
  7. docs/content/en/cloud_management/connectivity-troubleshooting.md: Expands the content of the "Connectivity Troubleshooting" documentation.
  8. docs/content/en/cloud_management/additional-cloud-instance.md: Updates the documentation for adding an additional Cloud instance.
  9. docs/content/en/connecting_your_tools/import_intro.md: Updates the documentation for the different import methods in DefectDojo.
  10. docs/content/en/changelog/changelog.md: Updates the changelog for the DefectDojo Pro (Cloud Version).
  11. docs/content/en/connecting_your_tools/connectors/_index.md: Updates the weight of the "API Connectors" documentation page.
  12. docs/content/en/connecting_your_tools/_index.md: Updates the title of the "Connecting Your Tools" documentation page.
  13. docs/content/en/connecting_your_tools/import_scan_files/_index.md: Updates the title and weight of the "How To Import Data" documentation page.
  14. docs/content/en/cloud_management/using-cloud-manager.md: Updates the weight of the "Using the Cloud Manager" documentation page.
  15. docs/content/en/connecting_your_tools/parsers/_index.md: Updates the title of the "Supported Report Types" documentation page.
  16. docs/content/en/connecting_your_tools/parsers/api/_index.md: Updates the weight of the "API Pull" documentation section.
  17. docs/content/en/connecting_your_tools/parsers/file/_index.md: Updates the weight of the "Files" documentation section.
  18. docs/content/en/customize_dojo/_index.md: Adds a new documentation page for the "Management &

Code Analysis

We ran 9 analyzers against 30 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

View PR in the DryRun Dashboard.

@mtesauro
Copy link
Contributor

@4b75726169736859 You appear to have far more files in the PR than you should. Can you look at only including files related to your OSV parser changes.

paulOsinski and others added 3 commits January 2, 2025 09:54
@paulOsinski
Add pro release notes for 2.41.4 (#11483)
abd1e7f 
* add release notes for 2.41.4

* Update changelog.md

---------

Co-authored-by: Paul Osinski <[email protected]>
@paulOsinski @cneill
Docs maintenance - v2.41.4 (#11484)
a99f02d 
* update docs 'jira'

* rename finding_status_definitions

* update docs 'working with Findings'

* update docs 'dashboard-notifications'

* reorganize sidebar

* add emoji logos to headers

* fix broken links

* rm 'upgrading' pages from search results

* rm aws ami reference

* Update docs/content/en/customize_dojo/dashboard_notifications/about_custom_dashboard_tiles.md

Co-authored-by: Charles Neill <[email protected]>

* Update docs/content/en/customize_dojo/dashboard_notifications/about_custom_dashboard_tiles.md

Co-authored-by: Charles Neill <[email protected]>

* Update about_notifications.md

* update dashboard tiles article

* finish notifications QA

---------

Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Charles Neill <[email protected]>
@paulOsinski
Update README.md (#11491)
16c0ae3
manuel-sommer
manuel-sommer suggested changes Jan 5, 2025
View reviewed changes
dojo/tools/osv_scanner/parser.py
@@ -70,8 +76,11 @@ def get_findings(self, file, test):
file_path=source_path,
references=reference,
)
if mitigation:
finding.mitigation = mitigation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also add unittests to your PR.

DefectDojo release bot and others added 11 commits January 6, 2025 14:38
Update versions in application files
848aa5e
@Maffooch
Merge pull request #11512 from DefectDojo/release/2.42.0
5f69079 
Release: Merge release into master from: release/2.42.0
@Maffooch
Helm Release: Downgrade GH-Release action
4d2bc4f
Update versions in application files
08fc8eb
@Maffooch
Merge pull request #11514 from DefectDojo/master-into-bugfix/2.42.0-2…
600eccc 
….43.0-dev

Release: Merge back 2.42.0 into bugfix from: master-into-bugfix/2.42.0-2.43.0-dev
@paulOsinski
Readme docs update (#11516)
000728a 
* add back ldap-authentication.md

* add back api-v2-docs.md

* update broken readme links

---------

Co-authored-by: Paul Osinski <[email protected]>
Update versions in application files
9b51fee
@rossops
Merge branch 'master' into release/2.42.1
5c64bbd
@rossops
Merge pull request #11557 from DefectDojo/release/2.42.1
0b4bfeb 
Release: Merge release into master from: release/2.42.1
@paulOsinski
update Pro changelog 2.42.0 (#11518)
65d3bc2 
* update Pro changelog 2.42.0

* qa 'share your Findings'

* changelog 2.42.2

* fix typo working_with_generated_reports.md

---------

Co-authored-by: Paul Osinski <[email protected]>
@4b75726169736859
Merge branch 'DefectDojo:master' into master
0f53ba7
@github-actions github-actions bot added the helm label Jan 15, 2025
@4b75726169736859 4b75726169736859 closed this by deleting the head repository Jan 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manuel-sommer manuel-sommer manuel-sommer requested changes

Assignees
No one assigned
Labels
docs helm parser
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@4b75726169736859 @mtesauro @manuel-sommer @paulOsinski @Maffooch @rossops