Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix nuclei parser: invalid CWEs #11232

Merged
merged 1 commit into from
Nov 12, 2024
Merged

Conversation

fopina
Copy link
Contributor

@fopina fopina commented Nov 11, 2024

Description

There are several nuclei templates with non-numeric cwe-id entries, especially older ones such as https://github.com/projectdiscovery/nuclei-templates/blob/6636c0d2dd540645cc3472822beb4b3819ff8322/http/cves/2004/CVE-2004-0519.yaml#L21

This PR updates the parser to ignore those

Copy link

DryRun Security Summary

The pull request focuses on improving the handling of Nuclei security scanner results, specifically related to the parsing of CWE information, by adding a new test case to handle invalid CWE values and introducing a try-except block to handle cases where the CWE ID is not an integer, ensuring the reliability and robustness of the underlying systems.

Expand for full summary

Summary:

The changes in this pull request focus on improving the handling of Nuclei security scanner results, specifically related to the parsing of CWE (Common Weakness Enumeration) information. The key changes include:

  1. Adding a new test case to handle the scenario where the Nuclei scan result contains an invalid CWE value. This ensures that the NucleiParser can properly handle unexpected data, which is an important aspect of robust and secure application development.

  2. Introducing a try-except block in the dojo/tools/nuclei/parser.py file to handle cases where the CWE ID is not an integer. This is a reasonable approach to address issues with older Nuclei templates that may have non-standard CWE formats, ensuring that the parser can still extract valuable vulnerability information.

Overall, these changes demonstrate the importance of comprehensive testing and handling of edge cases in application security tooling, as they help to ensure the reliability and robustness of the underlying systems.

Files Changed:

  1. unittests/tools/test_nuclei_parser.py:

    • Added a new test case, test_parse_invalid_cwe, to handle the scenario where the Nuclei scan result contains an invalid CWE value.
    • The test case verifies that the NucleiParser can correctly process the scan result, even with an invalid CWE value.
  2. unittests/scans/nuclei/invalid_cwe.json:

    • This file is a new addition, providing a sample Nuclei scan result with an invalid CWE value.
    • The test case in test_nuclei_parser.py uses this file to validate the parser's behavior.
  3. dojo/tools/nuclei/parser.py:

    • Introduced a try-except block to handle cases where the CWE ID is not an integer.
    • This change ensures that the parser can still extract valuable vulnerability information, even if the Nuclei templates have non-standard CWE formats.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit d4959b8 into DefectDojo:dev Nov 12, 2024
72 checks passed
@fopina fopina deleted the fix/nuclei_parse_cwe branch November 13, 2024 00:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants