
Enhance OSV Parser to Include Mitigation Information with Fixed Package Versions #11458

Closed
wants to merge 5 commits into from

Conversation

4b75726169736859

Description

This pull request enhances the OSV Scan parser by adding support for mitigation information, specifically the fixed versions of affected packages.

Key Changes:

  1. Extraction of Fixed Versions:

    • Added logic to parse the ranges field within the affected section of each vulnerability.
    • Extracted the fixed version from the events list when available and formatted it as:
      Upgrade to version: <fixed_version>.
  2. Integration of Mitigation:

    • Introduced a new mitigation field in findings to provide actionable guidance for resolving vulnerabilities.
  3. Enhanced Usability:

    • Improved the output of the parser to make it more informative and aligned with best practices in vulnerability management.
  4. Testing Support:

    • Standalone Python script to test the parser. The script reads a sample JSON file, executes the parser, and outputs the findings, including the mitigation details, for validation.

Test Results

Testing was conducted using the provided sample JSON file (test.json). The parser correctly identifies findings and includes mitigation details in its output.

Example Output:

  • Title: CVE-2024-50252_linux
  • Severity: Medium
  • Mitigation: Upgrade to version: 6.1.119-1
  • Description: Detailed vulnerability information.
  • References: Links to relevant advisories and fixes.

Additionally, I verified that:

  • Findings without a fixed version omit the mitigation field.
  • The parser handles malformed JSON gracefully by returning an empty findings list.

Unit tests are planned to extend dojo/unittests for comprehensive coverage of these changes.


Documentation

The documentation has been updated to reflect this new feature:

  • Added a note about the mitigation field in the parser's description.
  • Clarified that mitigation information will appear when available in the input JSON.

Checklist

  • Changes submitted against the dev branch.
  • PR named meaningfully for release notes.
  • Code is flake8 and Python 3.11 compliant.
  • Tests added to validate the parser's new functionality.
  • Proper label applied: Import Scans.

Labels

Import Scans, enhancement


Extra Information

This pull request enhances the usability of the OSVScannerParser, making it more actionable by including mitigation details. It also aligns with existing parsers, such as WPScan, which already support fixed versions, ensuring consistency across DefectDojo.


If you need further clarifications or adjustments, feel free to let me know!
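The extraction the description outlines (walk `affected` → `ranges` → `events`, take the `fixed` version, emit `Upgrade to version: <fixed_version>`, omit the mitigation when no fix exists, and return an empty findings list on malformed JSON), as an added stand-alone example that is not the PR's own parser code. The osv-scanner-style input is constructed, the CVE ids are placeholders, and joining several fixed versions with commas is an assumption beyond what the PR states.

```python
import json

# Constructed osv-scanner style output (not the PR's test.json). Shape follows the OSV
# schema: results -> packages -> vulnerabilities -> affected -> ranges -> events.
SAMPLE_OSV_JSON = json.dumps({"results": [{"packages": [{
    "package": {"name": "linux", "version": "6.1.100-1", "ecosystem": "Debian:12"},
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "summary": "constructed sample with a fix",
         "affected": [{"ranges": [{"type": "ECOSYSTEM",
                       "events": [{"introduced": "0"}, {"fixed": "6.1.119-1"}]}]}]},
        {"id": "CVE-EXAMPLE-0002", "summary": "constructed sample without a fix",
         "affected": [{"ranges": [{"type": "ECOSYSTEM",
                       "events": [{"introduced": "0"}]}]}]},
    ]}]}]})


def fixed_versions(vulnerability):
    """Collect every distinct 'fixed' event across all affected ranges of one vulnerability."""
    fixed = []
    for affected in vulnerability.get("affected", []):
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event and event["fixed"] not in fixed:
                    fixed.append(event["fixed"])
    return fixed


def parse_osv(raw_json):
    """Return one finding dict per vulnerability; 'mitigation' is set only when a fix exists.
    Malformed or non-object JSON yields an empty list, matching the behaviour the PR describes."""
    try:
        data = json.loads(raw_json)
    except (json.JSONDecodeError, TypeError):
        return []
    if not isinstance(data, dict):
        return []
    findings = []
    for result in data.get("results", []):
        for pkg in result.get("packages", []):
            name = pkg.get("package", {}).get("name", "unknown")
            for vuln in pkg.get("vulnerabilities", []):
                finding = {"title": f"{vuln.get('id')}_{name}",
                           "description": vuln.get("summary", "")}
                fixed = fixed_versions(vuln)
                if fixed:  # assumption: several fixed versions are comma-joined
                    finding["mitigation"] = "Upgrade to version: " + ", ".join(fixed)
                findings.append(finding)
    return findings
```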

dependabot bot and others added 5 commits December 16, 2024 18:06
Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.7 to 3.3.8.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.3.7...3.3.8)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* qa connectors: merge articles, fix links

* qa 'connecting tools': labels, weights, content

* qa user mgmt docs: weights, content, links

* fix broken links

* fix upgrade notes typo

---------

Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>

DryRun Security Summary

The pull request focuses on improving the documentation for DefectDojo's application security platform, providing more detailed guidance on features like Connectors, import workflows, user management, and findings management to enhance users' understanding of the platform's security capabilities.


Summary:

The changes in this pull request are primarily focused on improving the documentation for the DefectDojo application security platform. The updates cover a wide range of features and functionality, including:

  1. Connectors: The documentation provides more details on the Connectors feature, which allows integrating DefectDojo with various security tools to automatically import and manage vulnerability data. The documentation emphasizes that Connectors are a Pro-only feature and highlights the security best practices around API key management and data mapping.

  2. Import and Reimport: The documentation has been enhanced to explain the different import and reimport workflows, including the automatic handling of new, ignored, closed, and reopened findings. This helps security teams understand the data management processes and their security implications.

  3. User Management: The documentation has been updated to provide more comprehensive guidance on user permissions, roles, and group management. The security-focused aspects, such as the superuser requirement for configuration permissions and the principle of least privilege, are well-documented.

  4. Findings Management: The documentation introduces the core vulnerability tracking and management functionality of DefectDojo, highlighting the security-centric features like EPSS scoring, risk acceptance workflows, and trend monitoring.

Overall, the changes in this pull request appear to be focused on improving the security posture of the DefectDojo application by enhancing the documentation and providing more clarity around the security-relevant features and best practices. These updates should help users better understand and leverage the security capabilities of the platform.

Files Changed:

  • docs/content/en/about_defectdojo/new_user_checklist.md: Documentation update to improve the user experience and onboarding process for new DefectDojo users.
  • docs/content/en/connecting_your_tools/connectors/_index.md: Documentation update to provide more information about the API Connectors feature, including the Pro-only nature of this functionality.
  • .github/release-drafter.yml: Update to the release-drafter configuration file, changing the documentation link in the release notes template.
  • docs/content/en/changelog/changelog.md: Changes to the changelog, including updates to the Connectors, Jira integration, Risk Acceptance, and SLA Enforcement features.
  • docs/content/en/connecting_your_tools/connectors/add_edit_connectors.md: Documentation update providing more details on the Connectors feature and the security considerations around API keys and credentials.
  • docs/content/en/connecting_your_tools/connectors/about_connectors.md: Documentation update introducing the Connectors feature and highlighting its Pro-only nature.
  • docs/content/en/connecting_your_tools/connectors/connectors_tool_reference.md: Documentation update providing guidance on securely integrating various security tools with DefectDojo, including recommendations for dedicated bot accounts and least privilege.
  • docs/content/en/connecting_your_tools/connectors/manage_operations.md: Documentation update explaining the Discover and Sync operations performed by the API connectors, and how the vulnerability data is organized in DefectDojo.
  • docs/content/en/connecting_your_tools/connectors/manage_records.md: Documentation update providing more information on managing records, including the different record states and the ability to remap, ignore, or delete records.
  • docs/content/en/connecting_your_tools/import_scan_files/_index.md: Documentation update changing the weight property of the "Import Scan Files" page.
  • docs/content/en/connecting_your_tools/external_tools.md: Documentation update highlighting the Pro-only nature of the Universal Importer and Dojo-CLI tools, and emphasizing best practices for secure API key management.
  • docs/content/en/connecting_your_tools/import_intro.md: Documentation update improving the clarity and organization of the different import methods available in DefectDojo.
  • docs/content/en/connecting_your_tools/import_scan_files/import_scan_ui.md: Documentation update focused on improving the clarity and usability of the "Import Scan Form" feature.
  • docs/content/en/connecting_your_tools/import_scan_files/smart_upload.md: Documentation update providing more details on the "Smart Upload" feature, including the handling of unassigned findings.
  • docs/content/en/connecting_your_tools/parsers/_index.md: Documentation update changing the weight property of the "Supported Reports" page.
  • `docs/content/en/connecting

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.
