
Ruff: Add and fix D411 #11064

Merged
merged 1 commit into from
Nov 5, 2024

Conversation

kiblik
Contributor

@kiblik kiblik commented Oct 14, 2024


dryrunsecurity bot commented Oct 14, 2024

DryRun Security Summary

The provided code changes focus on improving the security-related capabilities of the Dojo application security tool, including updates to the Ruff linter configuration, and the parsing of vulnerability data from various sources (IntSights, WhiteHat Sentinel, and Qualys) to enhance vulnerability management and risk assessment.


Summary:

The provided code changes cover various updates to the Dojo application security tool, including the configuration for the Ruff linter and the parsing of vulnerability data from different sources (IntSights, WhiteHat Sentinel, and Qualys).

The Ruff linter configuration change is focused on improving code style and quality, which can indirectly enhance the security of the codebase. While this change does not introduce any direct security concerns, it's important to regularly review the Ruff configuration to ensure it aligns with the project's security requirements and considers incorporating additional security-focused rules or checks as needed.

The changes to the IntSights, WhiteHat Sentinel, and Qualys parsers demonstrate a security-conscious approach to handling and processing vulnerability data. The key aspects include accurate severity mapping, CWE extraction, description and solution parsing, endpoint association, and deduplication of findings. These features are crucial for effective vulnerability management and risk assessment within the Dojo application security platform.

Overall, the code changes appear to be focused on improving the functionality and security-related capabilities of the Dojo tool, with no obvious security vulnerabilities introduced. However, it's always important to review the entire codebase and the broader application context to ensure the application's security posture remains robust and resilient to potential attacks.

Files Changed:

  1. ruff.toml: The changes add the D411 rule to the select list in the [lint] section, which enforces the "one-blank-line-between-summary-and-description" convention for Python docstrings. This change does not introduce any direct security concerns but can indirectly improve the security of the codebase by promoting better coding practices.

  2. dojo/tools/intsights/parser.py: The changes add a new line in the _build_finding_description method, which is used to build a markdown-formatted description for each finding (alert) extracted from the IntSights report. The changes do not introduce any obvious security vulnerabilities, but the way the findings are processed and stored in the duplicates dictionary could have security implications that should be reviewed.

  3. dojo/tools/whitehat_sentinel/parser.py: The changes demonstrate a robust approach to importing WhiteHat Sentinel vulnerability data into the DefectDojo application security management platform. Key aspects include severity mapping, CWE extraction, description and solution parsing, endpoint extraction, and duplicate handling, all of which are important for effective vulnerability management.

  4. dojo/tools/qualys/csv_parser.py: The changes focus on accurately parsing and processing Qualys CSV vulnerability reports, including CVSS vector extraction, CVE data cleaning, severity mapping, vulnerability tracking, endpoint handling, and mitigation tracking. These features are crucial for maintaining a comprehensive vulnerability management program and making informed decisions about remediation priorities.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
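For readers who want to see what the D411 rule added in `ruff.toml` actually checks: in Ruff (as in pydocstyle) D411 is `no-blank-line-before-section`, which flags a docstring section header such as `Args:` or `Returns:` that is not preceded by a blank line. The script below is an added, stand-alone illustration written for this page; it is not code from the DefectDojo repository or from Ruff. It walks a module's AST, pulls each docstring, and reports section headers whose preceding line is not blank. The `SECTION_NAMES` set, the `SAMPLE_SOURCE` module and the function names are assumptions made for the example.

```python
import ast
import re
from typing import List, Tuple

# Section names recognised by pydocstyle/Ruff (subset; assumed sufficient for the demo).
SECTION_NAMES = {
    "args", "arguments", "parameters", "returns", "yields", "raises",
    "attributes", "examples", "example", "notes", "note", "see also",
    "references", "warnings", "warns", "methods",
}

# A section header is a line made only of letters/spaces, optionally ending in a colon.
_SECTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:?\s*$")


def find_d411_violations(docstring: str) -> List[str]:
    """Return the section names in ``docstring`` that are not preceded by a blank line (D411)."""
    lines = docstring.splitlines()
    violations: List[str] = []
    for i, line in enumerate(lines):
        match = _SECTION_RE.match(line)
        if not match or match.group(1).strip().lower() not in SECTION_NAMES:
            continue
        if i == 0:
            continue  # the summary line itself can never be a section header
        if lines[i - 1].strip():  # previous line is not blank -> D411
            violations.append(match.group(1).strip())
    return violations


def check_module(source: str) -> List[Tuple[str, int, str]]:
    """Parse ``source`` and report (definition name, line number, section) for every D411 hit."""
    tree = ast.parse(source)
    report: List[Tuple[str, int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Module, ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            doc = ast.get_docstring(node, clean=False)
            if doc is None:
                continue
            name = getattr(node, "name", "<module>")
            lineno = getattr(node, "lineno", 1)
            for section in find_d411_violations(doc):
                report.append((name, lineno, section))
    return report


# Constructed sample module: one docstring that violates D411 twice, one that is clean.
SAMPLE_SOURCE = '''
def bad(x):
    """Do a thing.
    Args:
        x: the input.
    Returns:
        Nothing useful.
    """

def good(x):
    """Do a thing.

    Args:
        x: the input.

    Returns:
        Nothing useful.
    """
'''

if __name__ == "__main__":
    for name, lineno, section in check_module(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: D411 missing blank line before section '{section}'")
```

Running the script reports the two headers in `bad` and nothing for `good`; `ruff check --select D411 <file>` on the same source gives the equivalent result, which is the check this PR turns on for the whole codebase.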

@kiblik kiblik closed this Oct 14, 2024
@kiblik kiblik reopened this Oct 14, 2024
Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

github-actions bot commented Nov 1, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

github-actions bot commented Nov 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit 08cbfda into DefectDojo:dev Nov 5, 2024
73 checks passed
@kiblik kiblik deleted the ruff_D411 branch November 5, 2024 07:22
5 participants