diff --git a/components/package.json b/components/package.json index 9d9a76aa27..df188fc700 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.25.0", + "version": "2.25.1", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 784d73914c..885491924f 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.25.0' +__version__ = '2.25.1' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 17483fbda6..09861a6af7 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -770,9 +770,11 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param 'TITLE': 'Defect Dojo API v2', 'DESCRIPTION': 'Defect Dojo - Open Source vulnerability Management made easy. Prefetch related parameters/responses not yet in the schema.', 'VERSION': __version__, + 'SCHEMA_PATH_PREFIX': "/api/v2", # OTHER SETTINGS # the following set to False could help some client generators # 'ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE': False, + 'PREPROCESSING_HOOKS': ['dojo.urls.drf_spectacular_preprocessing_filter_spec'], 'POSTPROCESSING_HOOKS': ['dojo.api_v2.prefetch.schema.prefetch_postprocessing_hook'], # show file selection dialogue, see https://github.com/tfranzel/drf-spectacular/issues/455 "COMPONENT_SPLIT_REQUEST": True, 
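Review bot: The new `PREPROCESSING_HOOKS` entry carries no comment saying what the hook removes, while the neighbouring settings in this hunk are annotated; a reader has to open dojo/urls.py to learn that it drops every endpoint outside `/api/v2/` from the generated schema. Suggest `# drop non-API URL patterns that drf-spectacular would otherwise guess into the schema` above it. The `/api/v2` prefix now lives both in `SCHEMA_PATH_PREFIX` here and as a hard-coded literal in the hook, so the two can drift if the API prefix ever changes; consider deriving one from the other. The enclosing settings dict starts and ends outside the hunk.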
@@ -1418,7 +1420,7 @@ def saml2_attrib_map_format(dict): 'SARIF': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, 'Azure Security Center Recommendations Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, 'Hadolint Dockerfile check': DEDUPE_ALGO_HASH_CODE, - 'Semgrep JSON Report': DEDUPE_ALGO_HASH_CODE, + 'Semgrep JSON Report': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, 'Generic Findings Import': DEDUPE_ALGO_HASH_CODE, 'Trufflehog3 Scan': DEDUPE_ALGO_HASH_CODE, 'Detect-secrets Scan': DEDUPE_ALGO_HASH_CODE, diff --git a/dojo/tools/semgrep/parser.py b/dojo/tools/semgrep/parser.py index 12a95e0557..1a39e42d9d 100644 --- a/dojo/tools/semgrep/parser.py +++ b/dojo/tools/semgrep/parser.py @@ -32,6 +32,11 @@ def get_findings(self, filename, test): nb_occurences=1, ) + # fingerprint detection + unique_id_from_tool = item.get("extra", {}).get("fingerprint") + if unique_id_from_tool: + finding.unique_id_from_tool = unique_id_from_tool + # manage CWE if "cwe" in item["extra"]["metadata"]: if isinstance(item["extra"]["metadata"].get("cwe"), list): diff --git a/dojo/urls.py b/dojo/urls.py index 8f52ece4bd..32455712fe 100755 --- a/dojo/urls.py +++ b/dojo/urls.py @@ -232,3 +232,13 @@ # sometimes urlpatterns needed be added from local_settings.py to avoid having to modify core defect dojo files if hasattr(settings, 'EXTRA_URL_PATTERNS'): urlpatterns += settings.EXTRA_URL_PATTERNS + + +# Remove any other endpoints that drf-spectacular is guessing should be in the swagger +def drf_spectacular_preprocessing_filter_spec(endpoints): + filtered = [] + for (path, path_regex, method, callback) in endpoints: + # Remove all but DRF API endpoints + if path.startswith("/api/v2/"): + filtered.append((path, path_regex, method, callback)) + return filtered diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 42e478b86c..40c814cfca 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml 
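Review bot: Switching `'Semgrep JSON Report'` to `DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE` makes deduplication consult the value the parser stores in `unique_id_from_tool`, which this commit sources from Semgrep's `extra.fingerprint`; a one-line comment next to the entry recording that dependency would help, e.g. `# unique_id_from_tool is semgrep's extra.fingerprint (see dojo/tools/semgrep/parser.py)`. What happens for reports that carry no fingerprint, where `unique_id_from_tool` stays unset, is not stated anywhere in the change and is worth a sentence. The enclosing dict continues outside the hunk on both sides.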
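Review bot: `item.get("extra", {})` tolerates a missing `extra` key, but the very next context line indexes `item["extra"]["metadata"]` directly, so the defensive form buys nothing and reads as if `extra` were optional; use the same access style in both places, `unique_id_from_tool = item["extra"].get("fingerprint")`. The comment `# fingerprint detection` says what, not why — a line such as `# semgrep's fingerprint is meant to survive line shifts, so dedupe keys on it rather than on line-sensitive hashes (confirm against semgrep docs)` would explain the accompanying dedupe-setting change. The value is stored without any type check; the fixtures show strings, but anything non-empty would be assigned silently. get_findings continues outside the hunk on both sides.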
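Review bot: `drf_spectacular_preprocessing_filter_spec` has no docstring, and its loop-and-append over 4-tuples is the manual form of a comprehension; since only the first tuple element is inspected, `return [ep for ep in endpoints if ep[0].startswith("/api/v2/")]` under a docstring `"""Keep only /api/v2/ endpoints in the generated OpenAPI schema; drf-spectacular otherwise includes every URL pattern it can resolve."""` says the same in two lines. The `/api/v2` prefix is also set as `SCHEMA_PATH_PREFIX` in settings.dist.py in this commit, so the two literals should agree or share a single constant. Keeping the non-API (UI) routes out of the published schema is the useful effect here and deserves to be named in the docstring.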
@@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.25.0" +appVersion: "2.25.1" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.79 +version: 1.6.80 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap diff --git a/helm/defectdojo/templates/django-service.yaml b/helm/defectdojo/templates/django-service.yaml index 3156cc1af8..24fb8763f5 100644 --- a/helm/defectdojo/templates/django-service.yaml +++ b/helm/defectdojo/templates/django-service.yaml @@ -9,6 +9,12 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "defectdojo.chart" . }} +{{- if .Values.django.service.annotations }} + annotations: + {{- range $key, $value := .Values.django.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} spec: selector: defectdojo.org/component: django diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml index 79a0db214c..435d79ba33 100644 --- a/helm/defectdojo/values.yaml +++ b/helm/defectdojo/values.yaml @@ -187,6 +187,8 @@ celery: django: annotations: {} + service: + annotations: {} affinity: {} ingress: enabled: true diff --git a/requirements.txt b/requirements.txt index acf1cd6789..caa0a271c4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,7 +38,7 @@ openpyxl==3.1.2 xlrd==1.2.0 Pillow==10.0.0 # required by django-imagekit psycopg2-binary==2.9.6 -cryptography==41.0.2 +cryptography==41.0.3 python-dateutil==2.8.2 pytz==2023.3 redis==4.6.0 diff --git a/tests/false_positive_history_test.py b/tests/false_positive_history_test.py index 9d18e0d815..5b0b36a244 100644 --- a/tests/false_positive_history_test.py +++ b/tests/false_positive_history_test.py 
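Review bot: In the new `annotations` block only the value is quoted; `{{ $key }}` is emitted raw, so a key containing YAML-significant characters would break the rendered Service manifest, and the manual `range` reproduces what `toYaml` does for free. `{{- with .Values.django.service.annotations }}` / `annotations: {{- toYaml . | nindent 4 }}` / `{{- end }}` renders the same map with both keys and values quoted as needed (indent to be confirmed against the `metadata` block, which is two spaces in this hunk). Behaviour for the `{}` default added to values.yaml is unchanged either way, since an empty map skips the block.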
@@ -73,6 +73,8 @@ def edit_toggle_false_positive(self, finding_url): driver.find_element(By.LINK_TEXT, "Edit Finding").click() # Click on Active checkbox driver.find_element(By.ID, "id_active").click() + # Click on Verified checkbox + driver.find_element(By.ID, "id_verified").click() # Click on False Positive checkbox driver.find_element(By.ID, "id_false_p").click() # Send diff --git a/unittests/scans/semgrep/semgrep_version_1_30_0_line_26.json b/unittests/scans/semgrep/semgrep_version_1_30_0_line_26.json new file mode 100644 index 0000000000..1de52e18f1 --- /dev/null +++ b/unittests/scans/semgrep/semgrep_version_1_30_0_line_26.json @@ -0,0 +1,463 @@ +{ + "errors": [], + "paths": { + "_comment": "", + "scanned": [ + "test.go" + ] + }, + "results": [ + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 31, + "line": 30, + "offset": 689 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "f900d4624c2a2c2cae7cb9c94c4fb9df53a242700f19122be398d33598deb554a3fa3af3ba3864af95c90694505624e04e9e1c86fb96338f1feb40bd8b07ef2e_0", + "is_ignored": false, + "lines": " tmpl := \"
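Review bot: The new `id_verified` click, like the existing `id_active` and `id_false_p` clicks around it, toggles the checkbox rather than setting it, so the test's result depends on the finding's prior state; if the intent is that Verified must be ticked before a finding can be marked false positive (the hunk does not say), locate the element and click only `if not el.is_selected()`. A comment stating why Verified is required here would make that precondition explicit. edit_toggle_false_positive continues outside the hunk.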

\" + customerId + \"

\"\n\n\n return template.HTML(tmpl)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "tmpl", + "end": { + "col": 9, + "line": 27, + "offset": 594 + }, + "start": { + "col": 5, + "line": 27, + "offset": 590 + } + }, + "$X": { + "abstract_content": "\"

\"+customerId", + "end": { + "col": 44, + "line": 27, + "offset": 629 + }, + "start": { + "col": 13, + "line": 27, + "offset": 598 + } + }, + "$Y": { + "abstract_content": "\"

\"", + "end": { + "col": 68, + "line": 27, + "offset": 653 + }, + "start": { + "col": 47, + "line": 27, + "offset": 632 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 5, + "line": 27, + "offset": 590 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 82, + "line": 54, + "offset": 1365 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "031880af370966b08c1806fde9119ea4c44be84c62070337dca38612f90d6bb71c5b2375ee4b74d4d78f1bb795e146c22083569f6e42a27277418809f3205224_0", + "is_ignored": false, + "lines": " return template.HTML(\"

\" + customerId + \"

\")", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "\"

\"+customerId", + "end": { + "col": 57, + "line": 54, + "offset": 1340 + }, + "start": { + "col": 26, + "line": 54, + "offset": 1309 + } + }, + "$X": { + "abstract_content": "\"

\"", + "end": { + "col": 81, + "line": 54, + "offset": 1364 + }, + "start": { + "col": 60, + "line": 54, + "offset": 1343 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 54, + "offset": 1295 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 58, + "line": 61, + "offset": 1575 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "18795c725c42a323357bf6a126fb895e11b764e80f583a69df3bd5c1812caf2259eab742aa70fcfb1663444041ea4795dfa53cc90cbe1eae03625c3feccddd53_0", + "is_ignored": false, + "lines": " return template.HTML(\"

\" + customerId)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "\"

\"", + "end": { + "col": 44, + "line": 61, + "offset": 1561 + }, + "start": { + "col": 26, + "line": 61, + "offset": 1543 + } + }, + "$X": { + "abstract_content": "customerId", + "end": { + "col": 57, + "line": 61, + "offset": 1574 + }, + "propagated_value": { + "svalue_abstract_content": "r.URL.Query().Get(\"id\")", + "svalue_end": { + "col": 42, + "line": 58, + "offset": 1472 + }, + "svalue_start": { + "col": 19, + "line": 58, + "offset": 1449 + } + }, + "start": { + "col": 47, + "line": 61, + "offset": 1564 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 61, + "offset": 1529 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 31, + "line": 71, + "offset": 1890 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "9d2e74567ab26a1d82545fcb12aeee62c0114385756213c3a4f0252c9e7233300490727af8c9cd3bba6194084f10dcaab03ac907162b58afa6370da6fbbd12fc_0", + "is_ignored": false, + "lines": " tmpl, err := fmt.Printf(\"

%s

\", customerId)\n if err != nil {\n return template.HTML(\"\")\n }\n return template.HTML(tmpl)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$ERR": { + "abstract_content": "err", + "end": { + "col": 14, + "line": 67, + "offset": 1729 + }, + "start": { + "col": 11, + "line": 67, + "offset": 1726 + } + }, + "$P": { + "abstract_content": "Printf", + "end": { + "col": 28, + "line": 67, + "offset": 1743 + }, + "start": { + "col": 22, + "line": 67, + "offset": 1737 + } + }, + "$T": { + "abstract_content": "tmpl", + "end": { + "col": 9, + "line": 67, + "offset": 1724 + }, + "start": { + "col": 5, + "line": 67, + "offset": 1720 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 5, + "line": 67, + "offset": 1720 + } + }, + { + "check_id": 
"go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 91, + "line": 77, + "offset": 2127 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "d5ee587632748693a7a70a22212cf105cdd778ee28678f970d4aed05a525226c14db4d8cd51ff6ec7e3d4f22b41c6788feebabf1f4bd70d9f8fb57ca8e70fb2b_0", + "is_ignored": false, + "lines": " return template.HTML(fmt.Sprintf(\"

%s

\", customerId))", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$P": { + "abstract_content": "Sprintf", + "end": { + "col": 37, + "line": 77, + "offset": 2073 + }, + "start": { + "col": 30, + "line": 77, + "offset": 2066 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 77, + "offset": 2048 + } + } + ], + "version": "1.30.0" +} \ No newline at end of file diff --git a/unittests/scans/semgrep/semgrep_version_1_30_0_line_27.json b/unittests/scans/semgrep/semgrep_version_1_30_0_line_27.json new file mode 100644 index 0000000000..1de52e18f1 --- /dev/null +++ b/unittests/scans/semgrep/semgrep_version_1_30_0_line_27.json 
@@ -0,0 +1,463 @@ +{ + "errors": [], + "paths": { + "_comment": "", + "scanned": [ + "test.go" + ] + }, + "results": [ + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 31, + "line": 30, + "offset": 689 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "f900d4624c2a2c2cae7cb9c94c4fb9df53a242700f19122be398d33598deb554a3fa3af3ba3864af95c90694505624e04e9e1c86fb96338f1feb40bd8b07ef2e_0", + "is_ignored": false, + "lines": " tmpl := \"

\" + customerId + \"

\"\n\n\n return template.HTML(tmpl)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "tmpl", + "end": { + "col": 9, + "line": 27, + "offset": 594 + }, + "start": { + "col": 5, + "line": 27, + "offset": 590 + } + }, + "$X": { + "abstract_content": "\"

\"+customerId", + "end": { + "col": 44, + "line": 27, + "offset": 629 + }, + "start": { + "col": 13, + "line": 27, + "offset": 598 + } + }, + "$Y": { + "abstract_content": "\"

\"", + "end": { + "col": 68, + "line": 27, + "offset": 653 + }, + "start": { + "col": 47, + "line": 27, + "offset": 632 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 5, + "line": 27, + "offset": 590 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 82, + "line": 54, + "offset": 1365 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "031880af370966b08c1806fde9119ea4c44be84c62070337dca38612f90d6bb71c5b2375ee4b74d4d78f1bb795e146c22083569f6e42a27277418809f3205224_0", + "is_ignored": false, + "lines": " return template.HTML(\"

\" + customerId + \"

\")", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "\"

\"+customerId", + "end": { + "col": 57, + "line": 54, + "offset": 1340 + }, + "start": { + "col": 26, + "line": 54, + "offset": 1309 + } + }, + "$X": { + "abstract_content": "\"

\"", + "end": { + "col": 81, + "line": 54, + "offset": 1364 + }, + "start": { + "col": 60, + "line": 54, + "offset": 1343 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 54, + "offset": 1295 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 58, + "line": 61, + "offset": 1575 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "18795c725c42a323357bf6a126fb895e11b764e80f583a69df3bd5c1812caf2259eab742aa70fcfb1663444041ea4795dfa53cc90cbe1eae03625c3feccddd53_0", + "is_ignored": false, + "lines": " return template.HTML(\"

\" + customerId)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$T": { + "abstract_content": "\"

\"", + "end": { + "col": 44, + "line": 61, + "offset": 1561 + }, + "start": { + "col": 26, + "line": 61, + "offset": 1543 + } + }, + "$X": { + "abstract_content": "customerId", + "end": { + "col": 57, + "line": 61, + "offset": 1574 + }, + "propagated_value": { + "svalue_abstract_content": "r.URL.Query().Get(\"id\")", + "svalue_end": { + "col": 42, + "line": 58, + "offset": 1472 + }, + "svalue_start": { + "col": 19, + "line": 58, + "offset": 1449 + } + }, + "start": { + "col": 47, + "line": 61, + "offset": 1564 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 61, + "offset": 1529 + } + }, + { + "check_id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 31, + "line": 71, + "offset": 1890 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "9d2e74567ab26a1d82545fcb12aeee62c0114385756213c3a4f0252c9e7233300490727af8c9cd3bba6194084f10dcaab03ac907162b58afa6370da6fbbd12fc_0", + "is_ignored": false, + "lines": " tmpl, err := fmt.Printf(\"

%s

\", customerId)\n if err != nil {\n return template.HTML(\"\")\n }\n return template.HTML(tmpl)", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$ERR": { + "abstract_content": "err", + "end": { + "col": 14, + "line": 67, + "offset": 1729 + }, + "start": { + "col": 11, + "line": 67, + "offset": 1726 + } + }, + "$P": { + "abstract_content": "Printf", + "end": { + "col": 28, + "line": 67, + "offset": 1743 + }, + "start": { + "col": 22, + "line": 67, + "offset": 1737 + } + }, + "$T": { + "abstract_content": "tmpl", + "end": { + "col": 9, + "line": 67, + "offset": 1724 + }, + "start": { + "col": 5, + "line": 67, + "offset": 1720 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 5, + "line": 67, + "offset": 1720 + } + }, + { + "check_id": 
"go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "end": { + "col": 91, + "line": 77, + "offset": 2127 + }, + "extra": { + "engine_kind": "OSS", + "fingerprint": "d5ee587632748693a7a70a22212cf105cdd778ee28678f970d4aed05a525226c14db4d8cd51ff6ec7e3d4f22b41c6788feebabf1f4bd70d9f8fb57ca8e70fb2b_0", + "is_ignored": false, + "lines": " return template.HTML(fmt.Sprintf(\"

%s

\", customerId))", + "message": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.", + "metadata": { + "category": "security", + "confidence": "MEDIUM", + "cwe": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + ], + "cwe2021-top25": true, + "cwe2022-top25": true, + "impact": "MEDIUM", + "license": "Commons Clause License Condition v1.0[LGPL-2.1-only]", + "likelihood": "LOW", + "owasp": [ + "A07:2017 - Cross-Site Scripting (XSS)", + "A03:2021 - Injection" + ], + "references": [ + "https://golang.org/pkg/html/template/#HTML" + ], + "semgrep.dev": { + "rule": { + "origin": "community", + "rule_id": "8GUjDW", + "url": "https://semgrep.dev/playground/r/e1TNz3/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "version_id": "e1TNz3" + } + }, + "shortlink": "https://sg.run/weE0", + "source": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", + "subcategory": [ + "audit" + ], + "technology": [ + "go" + ] + }, + "metavars": { + "$P": { + "abstract_content": "Sprintf", + "end": { + "col": 37, + "line": 77, + "offset": 2073 + }, + "start": { + "col": 30, + "line": 77, + "offset": 2066 + } + } + }, + "severity": "WARNING" + }, + "path": "test.go", + "start": { + "col": 12, + "line": 77, + "offset": 2048 + } + } + ], + "version": "1.30.0" +} \ No newline at end of file diff --git a/unittests/tools/test_semgrep_parser.py b/unittests/tools/test_semgrep_parser.py index f9dd62375c..074cb15e96 100644 --- a/unittests/tools/test_semgrep_parser.py +++ b/unittests/tools/test_semgrep_parser.py 
@@ -108,3 +108,16 @@ def test_parse_cwe_list(self):
 self.assertEqual("javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage", finding.vuln_id_from_tool)
 self.assertIn("const app = express();", finding.description)
 self.assertIn("A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.", finding.description)
+
+ def test_different_lines_same_fingerprint(self):
+ testfile = open("unittests/scans/semgrep/semgrep_version_1_30_0_line_26.json")
+ parser = SemgrepParser()
+ findings_first = parser.get_findings(testfile, Test())
+ testfile.close()
+ testfile = open("unittests/scans/semgrep/semgrep_version_1_30_0_line_27.json")
+ parser = SemgrepParser()
+ findings_second = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(len(findings_first), len(findings_second))
+ for first, second in zip(findings_first, findings_second):
+ self.assertEqual(first.unique_id_from_tool, second.unique_id_from_tool)
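Review bot: Both fixture files this test opens were added in this commit with the same blob id `1de52e18f1` (the `index 0000000000..1de52e18f1` lines on both new-file headers), i.e. `semgrep_version_1_30_0_line_26.json` and `semgrep_version_1_30_0_line_27.json` are byte-identical, so `test_different_lines_same_fingerprint` compares a report with itself and cannot detect a fingerprint that changes when the finding moves by a line. The `_line_27` fixture should differ in its `start`/`end` line numbers and `lines` snippets while keeping the same `fingerprint` values; as committed the test is vacuous. The files are also opened without a context manager, so `with open("...") as testfile:` around each `get_findings` call would close them on assertion failure too.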