
datetime.utcfromtimestamp() is scheduled for removal #11208

Merged: 2 commits, Nov 11, 2024

Conversation

manuel-sommer
Contributor

No description provided.


dryrunsecurity bot commented Nov 7, 2024

DryRun Security Summary

The provided code changes focus on improving the parsing and handling of security scan reports from various tools, ensuring accurate representation of security findings in the UTC timezone and implementing security-conscious features such as vulnerability deduplication, comprehensive vulnerability details extraction, and handling of "interesting findings" to enhance the security and effectiveness of the Dojo application security management platform.


Summary:

The provided code changes focus on improving the parsing and handling of security scan reports from various tools, including Checkmarx, Contrast Security, Checkmarx One, and WPScan. The key changes involve updating the datetime parsing logic to ensure that the date and time of the identified security findings are correctly represented in the UTC timezone. This is an important security-related enhancement, as it ensures that the timeline of security events is accurately captured and can be used for effective security monitoring, analysis, and reporting.

Additionally, the changes demonstrate a security-conscious approach to parsing and importing security scan results, with features such as vulnerability deduplication, extraction of comprehensive vulnerability details (including title, description, severity, CWE, references, component information, and mitigation guidance), and handling of "interesting findings" that may not be classified as traditional vulnerabilities. These features contribute to the overall security and effectiveness of the Dojo application security management platform.

The inclusion of comprehensive unit tests for the WPScan parser further reinforces the commitment to ensuring the reliability and accuracy of the security data imported into the Dojo application. These tests cover a wide range of scenarios, helping to ensure that the parser can handle various types of input data and correctly identify and report on the discovered vulnerabilities.

Files Changed:

  1. dojo/tools/checkmarx/parser.py: The changes in this file update the datetime parsing logic in the _parse_date function to use datetime.fromtimestamp() with the datetime.UTC timezone, instead of datetime.utcfromtimestamp(). This ensures that the date and time of the security findings are correctly parsed and stored in the UTC timezone.

  2. dojo/tools/contrast/parser.py: Similar to the changes in the Checkmarx parser, the Contrast Security parser has been updated to use datetime.fromtimestamp() with the datetime.UTC timezone for datetime parsing. The code also includes logic for deduplicating security findings and extracting information about affected endpoints and associated request/response data.

  3. dojo/tools/checkmarx_one/parser.py: The changes in this file also involve updating the datetime parsing logic in the _parse_date function to use datetime.fromtimestamp() with the datetime.UTC timezone, instead of datetime.utcfromtimestamp().

  4. dojo/tools/wpscan/parser.py: The changes in this file focus on the WPScan parser, which is responsible for parsing the JSON report generated by the WPScan tool and creating security findings in the Dojo application. The changes include updating the datetime handling, comprehensive vulnerability extraction, handling of "interesting findings", and a deduplication mechanism to ensure that duplicate findings are not created.

  5. unittests/tools/test_wpscan_parser.py: This file contains unit tests for the WpscanParser class. The changes in this pull request update the expected datetime values in the unit tests to include the timezone information (UTC), ensuring that the tests accurately reflect the expected behavior of the parser.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

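The change the bot summarises above, as an added example that is not DefectDojo's own parser code: the deprecated naive pattern beside the aware replacement, with helpers that show why a naive UTC datetime is a correctness bug and not only a deprecation warning. The function names and the sample epoch values are constructed for this illustration.

```python
"""Timezone-aware epoch parsing for scan-report dates.

Added example, not DefectDojo's parser code. It mirrors the fix this PR
makes to _parse_date: datetime.utcfromtimestamp() is deprecated since
Python 3.12, and its replacement is datetime.fromtimestamp() with an
explicit UTC tzinfo.
"""
import warnings
from datetime import datetime, timezone

# datetime.UTC (what the PR uses) is an alias of timezone.utc since 3.11;
# timezone.utc keeps this runnable on older interpreters.
UTC = timezone.utc


def parse_epoch_legacy(ts):
    """The deprecated pattern. Returns a naive datetime (tzinfo is None),
    so nothing downstream can tell it was meant to be UTC."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # 3.12+ warns here
        return datetime.utcfromtimestamp(ts)


def parse_epoch_utc(ts):
    """The replacement pattern. Accepts int, float or numeric-string epoch
    seconds (scan tools emit all three) and returns an aware UTC datetime."""
    if isinstance(ts, str):
        ts = float(ts.strip())
    return datetime.fromtimestamp(ts, tz=UTC)


def naive_roundtrip_drift_seconds(ts):
    """Why naive is a bug: .timestamp() on a naive datetime assumes *local*
    time, so the round trip is off by the host's UTC offset unless the host
    happens to run in UTC. The aware version always round-trips exactly."""
    return parse_epoch_legacy(ts).timestamp() - ts


def mixed_comparison_fails(ts):
    """Naive and aware datetimes cannot be ordered: a finding date parsed the
    old way, compared against an aware date, raises TypeError."""
    try:
        parse_epoch_legacy(ts) < parse_epoch_utc(ts)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    sample_ts = 1730937600  # constructed: 2024-11-07T00:00:00Z
    print(parse_epoch_legacy(sample_ts).isoformat())  # no offset in output
    print(parse_epoch_utc(sample_ts).isoformat())     # ends in +00:00
    print("drift on this host:", naive_roundtrip_drift_seconds(sample_ts))
```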

@mtesauro
Contributor

mtesauro commented Nov 7, 2024

Nice catch 👍


@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 7e636fa into DefectDojo:bugfix Nov 11, 2024
73 checks passed
@manuel-sommer manuel-sommer deleted the deprecateutcfromtimestamp branch November 11, 2024 16:04