
AnchoreCTL_Vulns parser: removes URL and corrects mapping if no fix for mitigation field #11623

Merged
merged 3 commits into from
Jan 28, 2025

Conversation

maxi-bee
Contributor

@maxi-bee maxi-bee commented Jan 23, 2025

  • removes the URL from the mitigation field as that is already on the references
  • Writes a better message on the mitigation field to avoid:
```
Upgrade to libssl3 None
```
  • note: this should not modify default deduplication for such parser

⚠️ Note on feature completeness ⚠️

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here:
https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

- removes the URL from the mitigation field as that is already on the references
- Only writes on the mitigation field if there is actually a fix available for it, to avoid results like the following:
```
Upgrade to libssl3 None
```

dryrunsecurity bot commented Jan 23, 2025

DryRun Security Summary

The pull request improves the AnchoreCTLVulnsParser class by enhancing mitigation information and CVSS v3 score calculation for more accurate vulnerability reporting in the DefectDojo application.


Summary:

The code changes in this pull request focus on improving the functionality of the AnchoreCTLVulnsParser class, which is responsible for parsing the AnchoreCTL vulnerability report and creating Finding objects for the DefectDojo application. The key changes include:

  1. The mitigation field in the Finding object is now set based on whether a fix is available or not, providing more informative mitigation information to the user.
  2. The calculation of the cvssv3_base_score has been improved to handle cases where the CVSS v3 score is not available in the first element of the vendorData array, but is present in the second element.

These changes are positive from an application security perspective, as they provide more accurate and comprehensive vulnerability information to the user. The updated mitigation information helps the user understand the appropriate remediation steps, while the improved CVSS v3 score calculation ensures that the severity of the vulnerabilities is accurately represented, which is crucial for risk assessment and prioritization.

Files Changed:

  • dojo/tools/anchorectl_vulns/parser.py: The changes in this file are related to the AnchoreCTLVulnsParser class, which is responsible for parsing the AnchoreCTL vulnerability report and creating Finding objects. The key changes include:
    • The mitigation field in the Finding object is now set based on whether a fix is available or not, providing more informative mitigation information to the user.
    • The calculation of the cvssv3_base_score has been improved to handle cases where the CVSS v3 score is not available in the first element of the vendorData array, but is present in the second element.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

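As an added illustration of the two behaviours the summary above describes, here is a small stand-alone Python version of the logic. It is not the PR's diff nor DefectDojo's own parser code; the record keys it reads (`vuln`, `package`, `fix`, `url`, `vendorData[*]["cvssV3"]["baseScore"]`) and the ways a missing fix is represented (null, empty string, or the literal string "None") are assumptions about the AnchoreCTL output, not facts taken from the page. The CVSS lookup generalises the first-or-second-element fallback to any position in `vendorData`.

```python
"""Added example (not DefectDojo's parser code): a stand-alone reconstruction of
the two behaviours this PR describes for an AnchoreCTL-style vulnerability
record: (1) populate the mitigation field only when a fix is really available,
and keep the advisory URL out of it; (2) take the CVSS v3 base score from
whichever vendorData entry carries one, not just the first.

Assumed (not confirmed by the PR page): the record keys `vuln`, `package`,
`fix`, `url` and `vendorData[*]["cvssV3"]["baseScore"]`, and that a missing fix
is reported as null, an empty string, or the literal string "None".
"""
import json
from typing import Optional

# Values the scanner may use to say "no fixed version exists" (assumption).
NO_FIX_VALUES = (None, "", "None", "none")


def mitigation_for(record: dict) -> Optional[str]:
    """Return 'Upgrade to <package> <fix>' only when a fix is available.

    Returning None means the caller leaves the mitigation field unset, which
    avoids output such as 'Upgrade to libssl3 None' when fix is null/"None".
    The advisory URL is deliberately not appended here; it belongs in references.
    """
    fix = record.get("fix")
    if fix in NO_FIX_VALUES:
        return None
    return f"Upgrade to {record.get('package')} {fix}"


def cvssv3_base_score(record: dict) -> Optional[float]:
    """Return the first CVSS v3 base score found in vendorData, in order.

    Generalises the PR's first-or-second-element fallback to any position and
    tolerates entries without a cvssV3 block or with a non-numeric score.
    """
    for entry in record.get("vendorData") or []:
        score = (entry.get("cvssV3") or {}).get("baseScore")
        if score is None:
            continue
        try:
            return float(score)
        except (TypeError, ValueError):
            continue
    return None


def parse_report(report: dict) -> list:
    """Turn each vulnerability record into a minimal finding dict."""
    findings = []
    for rec in report.get("vulnerabilities", []):
        findings.append({
            "title": f"{rec['vuln']} - {rec['package']}",
            "severity": rec.get("severity"),
            "mitigation": mitigation_for(rec),
            "references": rec.get("url"),
            "cvssv3_base_score": cvssv3_base_score(rec),
        })
    return findings


# Constructed sample report (not real scanner output): one record without a fix
# whose score sits only in the second vendorData entry, and one with a fix.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": [
    {
      "vuln": "CVE-0000-0001",
      "severity": "High",
      "package": "libssl3",
      "fix": "None",
      "url": "https://example.invalid/advisory/0001",
      "vendorData": [
        {"id": "CVE-0000-0001", "cvssV3": {"baseScore": null}},
        {"id": "ADV-0001", "cvssV3": {"baseScore": 7.5}}
      ]
    },
    {
      "vuln": "CVE-0000-0002",
      "severity": "Medium",
      "package": "zlib1g",
      "fix": "1:1.2.11.dfsg-2+deb11u2",
      "url": "https://example.invalid/advisory/0002",
      "vendorData": [
        {"id": "CVE-0000-0002", "cvssV3": {"baseScore": "5.3"}}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(json.dumps(finding))
```

Running the block prints one JSON line per finding: the libssl3 record gets `mitigation: null` and a score of 7.5 pulled from the second `vendorData` entry, while the zlib1g record gets a proper upgrade message. Keeping the URL only in `references` also keeps the mitigation text stable, which matters for parsers whose deduplication hashes that field.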

@maxi-bee maxi-bee changed the title AnchoreCTL_Vulns parser: removes URL and corrects mapping when no fix available on mitigation field AnchoreCTL_Vulns parser: removes URL and corrects mapping if no fix for mitigation field Jan 23, 2025
- removes the URL from the mitigation field as that is already on the references
- Writes a better message on the mitigation field to avoid:
```
Upgrade to libssl3 None
```
- note: this should not modify default deduplication for such parser
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 09dc10d into DefectDojo:dev Jan 28, 2025
73 checks passed
5 participants