
Hacker One Parser: Add support for Bug Bounty Program reports #10939

Merged: 4 commits into DefectDojo:bugfix on Sep 21, 2024

Conversation

Maffooch
Contributor

Adds support for Bug Bounty Program reports from Hacker One

[sc-7581]

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests parser labels Sep 19, 2024

dryrunsecurity bot commented Sep 19, 2024

DryRun Security Summary

The provided code changes focus on improving the handling of Hacker One vulnerability and bug bounty program data in the Dojo application security tool, including enhanced separation of concerns, improved parsing logic, support for vulnerability ID extraction, and expanded test coverage.


Summary:

The provided code changes cover various updates to the Dojo application security tool, focusing on the handling of Hacker One vulnerability and bug bounty program data. The key changes include:

  1. Improved Separation of Concerns: The H1Parser class has been refactored to have two distinct classes, HackerOneVulnerabilityDisclosureProgram and HackerOneBugBountyProgram, to handle the parsing of different types of Hacker One reports. This separation of concerns improves the modularity and maintainability of the code.

  2. Enhanced Parsing Logic: The parsing logic has been significantly improved, with better handling of different JSON and CSV formats, more robust error handling, and more detailed mapping of Hacker One report fields to DefectDojo finding properties. This enhances the reliability and accuracy of the Hacker One report parsing functionality.

  3. Vulnerability ID Handling: The code now supports extracting and associating CVE IDs with the generated findings, which is an important feature for effectively tracking and managing security vulnerabilities.

  4. Expanded Test Coverage: The changes introduce a comprehensive test suite, covering various scenarios for both Vulnerability Disclosure Program (VDP) and Bug Bounty Program (BBP) data formats. This ensures that the H1Parser can correctly process and handle the different types of data that may be encountered in real-world scenarios.

Overall, the changes appear to be a significant improvement to the Hacker One report parsing functionality, which is a crucial feature for organizations that leverage Hacker One as part of their vulnerability management and bug bounty programs. The improved separation of concerns, enhanced parsing logic, and expanded test coverage reduce the risk of bugs and edge cases, thereby enhancing the security and integrity of the DefectDojo application.

Files Changed:

  1. dojo/tools/h1/parser.py: This file has undergone a significant update, with the introduction of two distinct classes, HackerOneVulnerabilityDisclosureProgram and HackerOneBugBountyProgram, to handle the parsing of different types of Hacker One reports. The parsing logic has been improved, and the code now supports the extraction and association of CVE IDs with the generated findings.

  2. dojo/settings/settings.dist.py: This change adds a new entry to the saml2_attrib_map_format dictionary, which is used to map SAML attributes to Django user model fields. The new entry is for "HackerOne Cases" and maps the "title" and "severity" attributes to the corresponding fields. This change is related to the integration of SAML authentication with the Hacker One platform.

  3. unittests/scans/h1/ directory: Several files in this directory have been updated, including bug_bounty_many.csv, bug_bounty_one.json, bug_bounty_one.csv, bug_bounty_many.json, bug_bounty_zero.json, and bug_bounty_zero.csv. These changes introduce new test data, including details of security vulnerabilities found through the Hacker One bug bounty program, such as sensitive information disclosure, unauthorized access, and cross-site scripting (XSS) issues.

  4. unittests/tools/test_h1_parser.py: This file contains the unit tests for the H1Parser class. The changes introduce new test cases to cover different scenarios for both the Vulnerability Disclosure Program (VDP) and Bug Bounty Program (BBP) data formats, ensuring comprehensive test coverage for the parsing functionality.

Code Analysis

We ran 9 analyzers against 13 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

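The bot summary above describes the shape of the change (one handler per HackerOne program type, JSON and CSV inputs, CVE IDs pulled out of report text, and zero-finding inputs covered by tests) without showing code. The following is an added, self-contained illustration of that structure; it is not DefectDojo's dojo/tools/h1/parser.py, and the record field names (title, severity, description), the optional {"data": [...]} JSON wrapper, the Finding dataclass and the sample exports are all constructed assumptions.

```python
import csv
import io
import json
import re
from dataclasses import dataclass, field

# CVE identifiers as they appear in free text: CVE-YYYY-NNNN with 4+ trailing digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Export severity labels normalized to a fixed set (assumed mapping).
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
    "none": "Info",
}


@dataclass
class Finding:
    """Simplified stand-in for a finding record (assumed shape, not DefectDojo's model)."""
    title: str
    severity: str
    description: str
    cve_ids: list[str] = field(default_factory=list)


def extract_cves(text: str) -> list[str]:
    """Return the unique CVE IDs found in text, upper-cased and sorted."""
    return sorted({m.upper() for m in CVE_RE.findall(text or "")})


def normalize_severity(raw: str) -> str:
    """Map an export severity label to the fixed set; unknown/blank becomes Info."""
    return SEVERITY_MAP.get((raw or "").strip().lower(), "Info")


def load_records(raw: str) -> list[dict]:
    """Sniff JSON vs CSV from the first character and return row dicts.

    Empty input and empty collections yield [] rather than raising, so the
    'zero findings' case is handled uniformly for both formats.
    """
    stripped = raw.strip()
    if not stripped:
        return []
    if stripped[0] in "[{":
        try:
            data = json.loads(stripped)
        except json.JSONDecodeError as exc:
            raise ValueError(f"report is not valid JSON: {exc}") from exc
        if isinstance(data, dict):  # assumed wrapper form {"data": [...]}
            data = data.get("data", [])
        return list(data)
    return list(csv.DictReader(io.StringIO(stripped)))


class BugBountyReportParser:
    """Hypothetical per-program-type handler; a VDP handler would mirror it."""

    def get_findings(self, raw: str) -> list[Finding]:
        findings = []
        for row in load_records(raw):
            title = (row.get("title") or "").strip()
            if not title:
                continue  # a row without a title cannot become a usable finding
            description = row.get("description") or ""
            findings.append(Finding(
                title=title,
                severity=normalize_severity(row.get("severity")),
                description=description,
                cve_ids=extract_cves(f"{title} {description}"),
            ))
        return findings


# Constructed sample exports covering the JSON, CSV and zero-row cases.
SAMPLE_JSON = json.dumps([
    {"title": "Reflected XSS in search", "severity": "high",
     "description": "Parameter reflected unescaped. Related: cve-2021-1234."},
    {"title": "Sensitive information disclosure", "severity": "medium",
     "description": "Stack trace returned in a 500 response."},
])
SAMPLE_CSV = (
    "title,severity,description\n"
    "Reflected XSS in search,High,Same issue as report 1 (CVE-2021-1234)\n"
)
EMPTY_CSV = "title,severity,description\n"


if __name__ == "__main__":
    parser = BugBountyReportParser()
    for label, raw in (("json", SAMPLE_JSON), ("csv", SAMPLE_CSV), ("empty", EMPTY_CSV)):
        for finding in parser.get_findings(raw):
            print(label, finding.severity, finding.title, finding.cve_ids)
```

The format sniff keys on the first non-blank character, which is enough for exports that are either a JSON array/object or a CSV with a header row; the JSON decode error is re-raised as a ValueError so a caller can distinguish a malformed upload from a legitimately empty one.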

Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit ad7939d into DefectDojo:bugfix Sep 21, 2024
73 checks passed
@Maffooch Maffooch deleted the hackerone branch October 3, 2024 23:27