From 75bfe2643968de5b75e6a48f409482b89b1e9db4 Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 25 Sep 2023 14:29:42 +0000 Subject: [PATCH 01/12] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 4682a6235fe..e4bc45adb6c 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.26.4", + "version": "2.27.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 0dad01ef5a2..7f86aafb6a1 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa -__version__ = '2.26.4' +__version__ = '2.27.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index 2556daf1587..58868e098f5 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.26.4" +appVersion: "2.27.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.88 +version: 1.6.89-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 44c336755a507556a04f5d62dd69446d0784da7b Mon Sep 17 00:00:00 2001 From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Wed, 27 Sep 2023 10:38:58 -0400 Subject: [PATCH 02/12] add parser documentation template to aws_prowler_v3.md (#8729) Co-authored-by: Paul Osinski --- .../parsers/file/aws_prowler_v3.md | 70 ++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) 
diff --git a/docs/content/en/integrations/parsers/file/aws_prowler_v3.md b/docs/content/en/integrations/parsers/file/aws_prowler_v3.md index 481af2a5733..7e98fb826e9 100644 --- a/docs/content/en/integrations/parsers/file/aws_prowler_v3.md +++ b/docs/content/en/integrations/parsers/file/aws_prowler_v3.md 
@@ -2,4 +2,72 @@ title: "AWS Prowler V3" toc_hide: true --- -AWS Prowler V3 file can be imported as JSON (`-M json`) file. + +### File Types +DefectDojo parser accepts a .json file. Please note: earlier versions of AWS Prowler create output data in a different format. See our other documentation if you are using an earlier version of AWS Prowler: https://documentation.defectdojo.com/integrations/parsers/file/aws_prowler/ + +JSON reports can be created from the [AWS Prowler V3 CLI](https://docs.prowler.cloud/en/latest/tutorials/reporting/#json) using the following command: `prowler -M json` + + +### Acceptable JSON Format +Parser expects an array of assessments. All properties are strings and are required by the parser. + +~~~ + +[ + { + "AssessmentStartTime": "example_timestamp", + "FindingUniqueId": "example_uniqueIdFromTool", + "Provider": "example_provider", + "CheckID": "acm_certificates_expiration_check", + "CheckTitle": "Check if ACM Certificates are about to expire in specific days or less", + "CheckType": [ + "Example ASFF-Compliant Finding Type" + ], + "ServiceName": "example_awsServiceName", + "SubServiceName": "", + "Status": "FAIL", + "StatusExtended": "Example status description", + "Severity": "example_severity", + "ResourceType": "AwsCertificateManagerCertificate", + "ResourceDetails": "", + "Description": "Example general test description.", + "Risk": "Example test impact description.", + "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/acm-certificate-expiration-check.html", + "Remediation": { + "Code": { + "NativeIaC": "", + "Terraform": "", + "CLI": "", + "Other": "" + }, + "Recommendation": { + "Text": "Example recommendation.", + "Url": "https://docs.aws.amazon.com/config/latest/developerguide/example_related_documentation.html" + } + }, + "Compliance": { + "GDPR": [ + "article_32" + ], + ... 
+ },
+ "Categories": [],
+ "DependsOn": [],
+ "RelatedTo": [],
+ "Notes": "",
+ "Profile": null,
+ "AccountId": "example_accountId",
+ "OrganizationsInfo": null,
+ "Region": "example_region",
+ "ResourceId": "example.resource.id.com",
+ "ResourceArn": "arn:aws:acm:us-east-1:999999999999:certificate/ffffffff-0000-0000-0000-000000000000",
+ "ResourceTags": {}
+ }
+ ...
+]
+
+~~~
+
+### Sample Scan Data
+Unit tests of AWS Prowler V3 JSON can be found at https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/aws_prowler_v3.
\ No newline at end of file
From ccba07cb7c5ebcc3e0bc62f1e521ed6722317c46 Mon Sep 17 00:00:00 2001
From: kiblik
Date: Wed, 27 Sep 2023 18:45:49 +0200
Subject: [PATCH 03/12] setEnv: Fix symlink processing (#8736)
---
 docker/setEnv.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/setEnv.sh b/docker/setEnv.sh
index 50499d1e14b..c6f998cdcb2 100755
--- a/docker/setEnv.sh
+++ b/docker/setEnv.sh
@@ -23,7 +23,7 @@ function show_current {
 function get_current {
 if [ -L ${override_link} ]
 then
- # Check for Mac OSX
+ # Check for Mac OSX
 if [[ "$OSTYPE" == "darwin"* ]]; then
 # readlink is not native to mac, so this will work in it's place.
 symlink=$(python3 -c "import os; print(os.path.realpath('docker-compose.override.yml'))")
@@ -31,7 +31,7 @@ function get_current {
 # Maintain the cleaner way
 symlink=$(readlink -f docker-compose.override.yml)
 fi
- current_env=$(expr $(basename symlink) : "^docker-compose.override.\(.*\).yml$")
+ current_env=$(expr $(basename $symlink) : "^docker-compose.override.\(.*\).yml$")
 else
 current_env=release
 fi
From a24c8ccc6691ac654b0a086c9129c2ba61b1cd0e Mon Sep 17 00:00:00 2001
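Review bot: `$symlink` is still unquoted in the corrected `basename $symlink` call in the second setEnv.sh hunk, so a resolved path containing whitespace is word-split before basename sees it; `$(basename "$symlink")` closes that, and the same applies to `[ -L ${override_link} ]` in the first hunk's context. Both resolution branches hardcode `docker-compose.override.yml` while the `-L` test reads `${override_link}`, so the link test and the resolution can disagree if the variable is ever changed; reusing `"${override_link}"` in the python3 and `readlink -f` lines keeps them in step. get_current continues outside both hunks.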
From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Wed, 27 Sep 2023 12:46:24 -0400 Subject: [PATCH 04/12] add parser template to anchore_grype.md (#8718) Co-authored-by: Paul Work --- .../parsers/file/anchore_grype.md | 190 +++++++++++++++++- 1 file changed, 187 insertions(+), 3 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/anchore_grype.md b/docs/content/en/integrations/parsers/file/anchore_grype.md index 855a1f777ea..1316d69c544 100644 --- a/docs/content/en/integrations/parsers/file/anchore_grype.md +++ b/docs/content/en/integrations/parsers/file/anchore_grype.md 
@@ -2,8 +2,192 @@ title: "Anchore Grype" toc_hide: true --- -Anchore Grype JSON report format generated with `-o json` option. +### File Types +DefectDojo parser accepts a .json file. +Anchore Grype JSON files are created using the Grype CLI, using the '-o json' option. See: https://github.com/anchore/grype + +**Example:** {{< highlight bash >}} -grype defectdojo/defectdojo-django:1.13.1 -o json > many_vulns.json -{{< /highlight >}} \ No newline at end of file +grype yourApp/example-page -o json > example_vulns.json +{{< /highlight >}} + + +### Acceptable JSON Format +All properties are expected as strings and are required by the parser. + +~~~ +{ + "matches": [ + { + "vulnerability": { + "id": "example-id", + "dataSource": "https://example.org/.../example-id", + "namespace": "exampleName", + "severity": "exampleSeverity", + "urls": [ + "https://example.org/.../example-id", + ... + ], + "cvss": [], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "first-related-example-id", + "dataSource": "https://example.org/.../related-example-id", + "namespace": "first-related-exampleName", + "severity": "first-related-exampleSeverity", + "urls": [ + "https://example.org/.../related-example-id", + ... + ], + "description": "first-example-description", + "cvss": [ + { + "version": "2.0", + "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 2.1, + "exploitabilityScore": 3.9, + "impactScore": 2.9 + }, + "vendorMetadata": {} + } + ] + }, + ... 
+ ], + "matchDetails": [ + { + "matcher": "example-matcher", + "searchedBy": { + "distro": { + "type": "example-distrotype", + "version": "10" + }, + "namespace": "exampleName", + "package": { + "name": "example-package", + "version": "1.17-3+deb10u3" + } + }, + "found": { + "versionConstraint": "none (deb)" + } + } + ], + "artifact": { + "name": "example-artifact", + "version": "example-artifact-version", + "type": "example-type", + "locations": [ + { + "path": ".../examplePath/", + "layerID": "exampleLayerID" + }, + { + "path": ".../examplePath-2/", + "layerID": "exampleLayerID" + }, + ... + ], + "language": "", + "licenses": [ + "GPL-2" + ], + "cpes": [ + "example-cpe", + ... + ], + "purl": "pkg:deb/debian/libgssapi-krb5-2@1.17-3+deb10u3?arch=amd64", + "metadata": { + "Source": "krb5" + } + } + }, + ... + ], + "source": { + "type": "image", + "target": { + "userInput": "vulnerable-image:latest", + "imageID": "sha256:ce9898fd214aef9c994a42624b09056bdce3ff4a8e3f68dc242d967b80fcbeee", + "manifestDigest": "sha256:9d8825ab20ac86b40eb71495bece1608a302fb180384740697a28c2b0a5a0fc6", + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "tags": [ + "vulnerable-image:latest" + ], + "imageSize": 707381791, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "digest": "sha256:d000633a56813933cb0ac5ee3246cf7a4c0205db6290018a169d7cb096581046", + "size": 69238554 + }, + ... 
+ ], + "manifest": "exampleManifestString==", + "config": "exampleConfigString", + "repoDigests": [] + } + }, + "distro": { + "name": "debian", + "version": "10", + "idLike": "" + }, + "descriptor": { + "name": "grype", + "version": "0.28.0", + "configuration": { + "configPath": "", + "output": "json", + "file": "", + "output-template-file": "", + "quiet": false, + "check-for-app-update": true, + "only-fixed": false, + "scope": "Squashed", + "log": { + "structured": false, + "level": "", + "file": "" + }, + "db": { + "cache-dir": "/home/user/.cache/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": true, + "validate-by-hash-on-start": false + }, + "dev": { + "profile-cpu": false, + "profile-mem": false + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": [] + }, + "ignore": null, + "exclude": [] + }, + "db": { + "built": "2021-12-24T08:14:02Z", + "schemaVersion": 3, + "location": "/home/user/.cache/grype/db/3", + "checksum": "sha256:6c4777e1acea787e5335ccee6b5e4562cd1767b9cca138c07e0802efb2a74162", + "error": null + } + } +} +~~~ + +### Sample Scan Data +Sample Grype scans can be found at https://github.com/DefectDojo/sample-scan-files/tree/master/anchore_grype . \ No newline at end of file From 7f609ba61b9c1eee1b4e7a7514957513463d5827 Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Wed, 27 Sep 2023 18:01:45 -0600 Subject: [PATCH 05/12] Excel Export throws 500 error code (#8735) * handle attribute error in excel and csv export. * added try.. catch when inserting in rows --------- Co-authored-by: Felix Hernandez --- dojo/reports/views.py | 90 +++++++++++++++++++++++++------------------ 1 file changed, 53 insertions(+), 37 deletions(-) diff --git a/dojo/reports/views.py b/dojo/reports/views.py index eefdc0315d5..06aef9ce627 100644 --- a/dojo/reports/views.py +++ b/dojo/reports/views.py 
@@ -848,10 +848,14 @@ def csv_export(request):
 if first_row:
 fields = []
 for key in dir(finding):
- if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
- if callable(getattr(finding, key)) and key not in allowed_attributes:
- continue
- fields.append(key)
+ try:
+ if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
+ if callable(getattr(finding, key)) and key not in allowed_attributes:
+ continue
+ fields.append(key)
+ except Exception as exc:
+ logger.debug('Error in attribute: ' + str(exc))
+ continue
 fields.append('test')
 fields.append('found_by')
 fields.append('engagement_id')
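Review bot: The new `try/except Exception` skips a key with `continue` independently in the header pass here and in the per-row pass at `@@ -867`, and likewise for the header and data rows of excel_export at `@@ -934` and `@@ -965`, so an attribute that raises for only some findings drops a cell from that row and shifts every later column against the header. A safer shape is to append a placeholder such as `''` (and, in excel_export, still increment `col_num`) when a value raises, so each row keeps the header's width. The log line `logger.debug('Error in attribute: ' + str(exc))` does not say which key failed and builds the string eagerly; `logger.debug('Error in attribute %s: %s', key, exc)` fixes both. Catching `Exception` around a plain attribute read is broader than the `AttributeError` the commit message describes and will also hide genuine bugs in property code at debug level. csv_export and excel_export both start before their hunks.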
@@ -867,19 +871,23 @@ def csv_export(request):
 if not first_row:
 fields = []
 for key in dir(finding):
- if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
- if not callable(getattr(finding, key)):
- value = finding.__dict__.get(key)
- if (key in allowed_foreign_keys or key in allowed_attributes) and getattr(finding, key):
- if callable(getattr(finding, key)):
- func = getattr(finding, key)
- result = func()
- value = result
- else:
- value = str(getattr(finding, key))
- if value and isinstance(value, str):
- value = value.replace('\n', ' NEWLINE ').replace('\r', '')
- fields.append(value)
+ try:
+ if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
+ if not callable(getattr(finding, key)):
+ value = finding.__dict__.get(key)
+ if (key in allowed_foreign_keys or key in allowed_attributes) and getattr(finding, key):
+ if callable(getattr(finding, key)):
+ func = getattr(finding, key)
+ result = func()
+ value = result
+ else:
+ value = str(getattr(finding, key))
+ if value and isinstance(value, str):
+ value = value.replace('\n', ' NEWLINE ').replace('\r', '')
+ fields.append(value)
+ except Exception as exc:
+ logger.debug('Error in attribute: ' + str(exc))
+ continue
 fields.append(finding.test.title)
 fields.append(finding.test.test_type.name)
 fields.append(finding.test.engagement.id)
@@ -934,12 +942,16 @@ def excel_export(request):
 if row_num == 1:
 col_num = 1
 for key in dir(finding):
- if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
- if callable(getattr(finding, key)) and key not in allowed_attributes:
- continue
- cell = worksheet.cell(row=row_num, column=col_num, value=key)
- cell.font = font_bold
- col_num += 1
+ try:
+ if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
+ if callable(getattr(finding, key)) and key not in allowed_attributes:
+ continue
+ cell = worksheet.cell(row=row_num, column=col_num, value=key)
+ cell.font = font_bold
+ col_num += 1
+ except Exception as exc:
+ logger.debug('Error in attribute: ' + str(exc))
+ continue
 cell = worksheet.cell(row=row_num, column=col_num, value='found_by')
 cell.font = font_bold
 col_num += 1
@@ -965,20 +977,24 @@ def excel_export(request):
 if row_num > 1:
 col_num = 1
 for key in dir(finding):
- if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
- if not callable(getattr(finding, key)):
- value = finding.__dict__.get(key)
- if (key in allowed_foreign_keys or key in allowed_attributes) and getattr(finding, key):
- if callable(getattr(finding, key)):
- func = getattr(finding, key)
- result = func()
- value = result
- else:
- value = str(getattr(finding, key))
- if value and isinstance(value, datetime):
- value = value.replace(tzinfo=None)
- worksheet.cell(row=row_num, column=col_num, value=value)
- col_num += 1
+ try:
+ if key not in excludes_list and (not callable(getattr(finding, key)) or key in allowed_attributes) and not key.startswith('_'):
+ if not callable(getattr(finding, key)):
+ value = finding.__dict__.get(key)
+ if (key in allowed_foreign_keys or key in allowed_attributes) and getattr(finding, key):
+ if callable(getattr(finding, key)):
+ func = getattr(finding, key)
+ result = func()
+ value = result
+ else:
+ value = str(getattr(finding, key))
+ if value and isinstance(value, datetime):
+ value = value.replace(tzinfo=None)
+ worksheet.cell(row=row_num, column=col_num, value=value)
+ col_num += 1
+ except Exception as exc:
+ logger.debug('Error in attribute: ' + str(exc))
+ continue
 worksheet.cell(row=row_num, column=col_num, value=finding.test.test_type.name)
 col_num += 1
 worksheet.cell(row=row_num, column=col_num, value=finding.test.engagement.id)
From 2d3cf0b8941a2670e71a8b8717c7a7332312db1e Mon Sep 17 00:00:00 2001
From: Daryl Walleck
Date: Thu, 28 Sep 2023 21:14:53 -0500
Subject: [PATCH 06/12] Temporarily pin versions of chrome and chrome webdriver (#8755)
---
 Dockerfile.integration-tests-debian | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.integration-tests-debian b/Dockerfile.integration-tests-debian
index 70536d17e62..259c8dc0f90 100644
--- a/Dockerfile.integration-tests-debian
+++ b/Dockerfile.integration-tests-debian
@@ -25,7 +25,7 @@ RUN \
 echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list && \
 apt-get -y update && \
 apt-get -y install \
- google-chrome-stable \
+ google-chrome-stable=117.0.5938.132-1 \
 && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists && \
@@ -38,7 +38,7 @@ WORKDIR /opt/chrome-driver
 RUN \
 chrome_version=$(apt-cache show google-chrome-stable | grep Version | awk '{print $2}' | cut -d '-' -f 1) && \
 chrome_version_blob=$(curl -k https://googlechromelabs.github.io/chrome-for-testing/known-good-versions-with-downloads.json | jq ".versions[] | select(.version==\"$chrome_version\")") && \
- chromedriver_url=$(echo $chrome_version_blob | jq -r ".downloads.chromedriver[] | select(.platform==\"linux64\") | .url") && \
+ chromedriver_url=https://edgedl.me.gvt1.com/edgedl/chrome/chrome-for-testing/117.0.5938.92/linux64/chromedriver-linux64.zip && \
 wget $chromedriver_url && \
 unzip -j chromedriver-linux64.zip chromedriver-linux64/chromedriver && \
 rm -rf chromedriver-linux64.zip && \
From 34e271a0d93507c7227b0839f94f52ae5ba7d121 Mon Sep 17 00:00:00 2001
From: Felix Hernandez
Date: Fri, 29 Sep 2023 15:14:20 -0600
Subject: [PATCH 07/12] update govulncheck parser to new format (#8743)
Co-authored-by: Felix Hernandez
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
---
 dojo/tools/govulncheck/parser.py | 112 +++++---
 .../govulncheck/many_vulns_new_version.json | 267 ++++++++++++++++++
 unittests/tools/test_govulncheck_parser.py | 15 +
 3 files changed, 350 insertions(+), 44 deletions(-)
 create mode 100644 unittests/scans/govulncheck/many_vulns_new_version.json
diff --git a/dojo/tools/govulncheck/parser.py b/dojo/tools/govulncheck/parser.py
index 21c4a905762..a10f5759649 100644
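Review bot: With `chromedriver_url` now hardcoded in the second hunk, the preceding `chrome_version` and `chrome_version_blob` assignments are dead code, yet the `curl -k` lookup (TLS verification disabled) still runs on every build; either drop those two lines or keep the lookup and pin the version inside the jq filter rather than the URL. The archive is then fetched by `wget $chromedriver_url` and unpacked with no integrity check, so the pin fixes which URL is requested but not what gets installed; recording the zip's digest next to the pin and checking it before the unzip, e.g. `echo "<sha256-of-chromedriver-linux64.zip>  chromedriver-linux64.zip" | sha256sum -c -`, would close that gap. The pinned Chrome `117.0.5938.132-1` and chromedriver `117.0.5938.92` are different builds of the same major; if the mismatch is intentional, a comment saying so would spare the next maintainer the check. Both RUN instructions continue outside their hunks.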
--- a/dojo/tools/govulncheck/parser.py +++ b/dojo/tools/govulncheck/parser.py 
@@ -44,50 +44,74 @@ def get_findings(self, scan_file, test):
 except Exception:
 raise ValueError("Invalid JSON format")
 else:
- if data["Vulns"]:
- list_vulns = data["Vulns"]
- for cve, elems in groupby(
- list_vulns, key=lambda vuln: vuln["OSV"]["aliases"][0]
- ):
- first_elem = list(islice(elems, 1))
- d = {
- "cve": cve,
- "severity": SEVERITY,
- "title": first_elem[0]["OSV"]["id"],
- "component_name": first_elem[0]["OSV"]["affected"][0][
- "package"
- ]["name"],
- "component_version": self.get_version(
- data, first_elem[0]["RequireSink"]
- ),
- }
- d["references"] = first_elem[0]["OSV"]["references"][0][
- "url"
- ]
- d["url"] = first_elem[0]["OSV"]["affected"][0][
- "database_specific"
- ]["url"]
- d["unique_id_from_tool"] = first_elem[0]["OSV"]["id"]
- vuln_methods = set(
- first_elem[0]["OSV"]["affected"][0][
- "ecosystem_specific"
- ]["imports"][0]["symbols"]
- )
- impact = set(
- self.get_location(data, first_elem[0]["CallSink"])
- )
- for elem in elems:
- impact.update(
- self.get_location(data, elem["CallSink"])
+ if isinstance(data, dict):
+ if data["Vulns"]:
+ list_vulns = data["Vulns"]
+ for cve, elems in groupby(
+ list_vulns, key=lambda vuln: vuln["OSV"]["aliases"][0]
+ ):
+ first_elem = list(islice(elems, 1))
+ d = {
+ "cve": cve,
+ "severity": SEVERITY,
+ "title": first_elem[0]["OSV"]["id"],
+ "component_name": first_elem[0]["OSV"]["affected"][0][
+ "package"
+ ]["name"],
+ "component_version": self.get_version(
+ data, first_elem[0]["RequireSink"]
+ ),
+ }
+ d["references"] = first_elem[0]["OSV"]["references"][0][
+ "url"
+ ]
+ d["url"] = first_elem[0]["OSV"]["affected"][0][
+ "database_specific"
+ ]["url"]
+ d["unique_id_from_tool"] = first_elem[0]["OSV"]["id"]
+ vuln_methods = set(
+ first_elem[0]["OSV"]["affected"][0][
+ "ecosystem_specific"
+ ]["imports"][0]["symbols"]
 )
- vuln_methods.update(
- elem["OSV"]["affected"][0]["ecosystem_specific"][
- "imports"
- ][0]["symbols"]
+ impact = set(
+ self.get_location(data, first_elem[0]["CallSink"])
 )
- d["impact"] = "; ".join(impact) if impact else None
- d[
- "description"
- ] = f"Vulnerable functions: {'; '.join(vuln_methods)}"
- findings.append(Finding(**d))
+ for elem in elems:
+ impact.update(
+ self.get_location(data, elem["CallSink"])
+ )
+ vuln_methods.update(
+ elem["OSV"]["affected"][0]["ecosystem_specific"][
+ "imports"
+ ][0]["symbols"]
+ )
+ d["impact"] = "; ".join(impact) if impact else None
+ d[
+ "description"
+ ] = f"Vulnerable functions: {'; '.join(vuln_methods)}"
+ findings.append(Finding(**d))
+ elif isinstance(data, list):
+ for elem in data:
+ if 'osv' in elem.keys():
+ cve = elem["osv"]["aliases"][0]
+ d = {
+ "cve": cve,
+ "severity": SEVERITY,
+ "title": elem["osv"]["id"],
+ "component_name": elem["osv"]["affected"][0]["package"]["name"],
+ "component_version": elem["osv"]["schema_version"]
+ }
+ d["references"] = elem["osv"]["references"][0]["url"]
+ d["url"] = elem["osv"]["database_specific"]["url"]
+ d["unique_id_from_tool"] = elem["osv"]["id"]
+ vuln_methods = set(
+ elem["osv"]["affected"][0][
+ "ecosystem_specific"
+ ]["imports"][0].get("symbols", [])
+ )
+ d[
+ "description"
+ ] = f"Vulnerable functions: {'; '.join(vuln_methods)}"
+ findings.append(Finding(**d))
 return findings
diff --git a/unittests/scans/govulncheck/many_vulns_new_version.json b/unittests/scans/govulncheck/many_vulns_new_version.json
new file mode 100644
index 00000000000..0dbd64a4198
--- /dev/null
+++ b/unittests/scans/govulncheck/many_vulns_new_version.json
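Review bot: In the new `elif isinstance(data, list)` branch, `"component_version": elem["osv"]["schema_version"]` stores the OSV document's schema version (the fixture added in this commit carries `"schema_version": "1.3.1"`), not the version of the affected module; the fixture's `finding` entries carry `fixed_version` and a `trace` whose first element has the module `version`, and this branch ignores `finding` entries altogether, which is presumably also why it never sets `impact` as the dict branch does. `cve = elem["osv"]["aliases"][0]` raises `IndexError` for an advisory that has no alias and aborts the whole import; `aliases = elem["osv"].get("aliases") or []` followed by `cve = aliases[0] if aliases else None` keeps the other entries (assuming a null cve is acceptable to Finding). Minor style: `if 'osv' in elem.keys():` is `if 'osv' in elem:`. get_findings starts before the hunk.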
@@ -0,0 +1,267 @@ +[ + { + "config": { + "protocol_version": "v1.0.0", + "scanner_name": "govulncheck", + "scanner_version": "v1.0.0", + "db": "https://vuln.go.dev", + "db_last_modified": "2023-08-11T01:41:48Z", + "go_version": "go1.20.1", + "scan_level": "symbol" + } + },{ + "progress": { + "message": "Scanning your code and 554 packages across 80 dependent modules for known vulnerabilities..." + } + },{ + "osv": { + "schema_version": "1.3.1", + "id": "GO-2023-1840", + "modified": "2023-06-12T18:45:41Z", + "published": "2023-06-08T20:16:06Z", + "aliases": [ + "CVE-2023-29403" + ], + "summary": "Unsafe behavior in setuid/setgid binaries in runtime", + "details": "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.\n\nIf a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. 
Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.", + "affected": [ + { + "package": { + "name": "stdlib", + "ecosystem": "Go" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.19.10" + }, + { + "introduced": "1.20.0-0" + }, + { + "fixed": "1.20.5" + } + ] + } + ], + "ecosystem_specific": { + "imports": [ + { + "path": "runtime" + } + ] + } + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://go.dev/issue/60272" + }, + { + "type": "FIX", + "url": "https://go.dev/cl/501223" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ" + } + ], + "credits": [ + { + "name": "Vincent Dehors from Synacktiv" + } + ], + "database_specific": { + "url": "https://pkg.go.dev/vuln/GO-2023-1840" + } + } + }, { + "finding": { + "osv": "GO-2023-1840", + "fixed_version": "v1.20.5", + "trace": [ + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime", + "function": "BlockProfile" + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime/pprof", + "function": "writeProfileInternal", + "position": { + "filename": "/usr/local/go/src/runtime/pprof/pprof.go", + "offset": 27563, + "line": 867, + "column": 25 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime/pprof", + "function": "writeBlock", + "position": { + "filename": "/usr/local/go/src/runtime/pprof/pprof.go", + "offset": 27040, + "line": 856, + "column": 29 + } + }, + { + "module": "stdlib", + "version": "v1.20.1", + "package": "runtime/pprof", + "function": "WriteTo", + "receiver": "*Profile", + "position": { + "filename": "/usr/local/go/src/runtime/pprof/pprof.go", + "offset": 10453, + "line": 329, + "column": 17 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "newLookupProfilingState$1", + "position": { + 
"filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/profiling.go", + "offset": 2067, + "line": 64, + "column": 25 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "profile", + "receiver": "*profilingState", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/profiling.go", + "offset": 4506, + "line": 149, + "column": 30 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "start$1", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/profiling.go", + "offset": 3898, + "line": 128, + "column": 26 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "start", + "receiver": "*profilingState", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/profiling.go", + "offset": 3811, + "line": 126, + "column": 2 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "loop", + "receiver": "*Tracer", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/tracer.go", + "offset": 34540, + "line": 1065, + "column": 27 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "newTracer", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/tracer.go", + "offset": 15939, + "line": 496, + "column": 2 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "init#2", + "position": { + "filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/tracer.go", + "offset": 1884, + "line": 64, + "column": 27 + } + }, + { + "module": "go.elastic.co/apm", + "version": "v1.15.0", + "package": "go.elastic.co/apm", + "function": "init", + "position": { + 
"filename": "/Users/Ma1tobiose/pkg/mod/go.elastic.co/apm@v1.15.0/breakdown.go", + "offset": 794, + "line": 18, + "column": 1 + } + }, + { + "module": "testproject", + "package": "testproject/sdk/trace", + "function": "init", + "position": { + "filename": "/tmp/testproject/sdk/trace/apm.go", + "offset": 75, + "line": 9, + "column": 2 + } + }, + { + "module": "testproject", + "package": "testproject/sdk/logger", + "function": "init", + "position": { + "filename": "/tmp/testproject/sdk/logger/hooks.go", + "offset": 134, + "line": 8, + "column": 2 + } + }, + { + "module": "testproject", + "package": "testproject", + "function": "init", + "position": { + "filename": "/tmp/testproject/main.go", + "offset": 545, + "line": 13, + "column": 2 + } + } + ] + } + } +] \ No newline at end of file diff --git a/unittests/tools/test_govulncheck_parser.py b/unittests/tools/test_govulncheck_parser.py index 195ee9cbabe..b046e24a1c1 100644 --- a/unittests/tools/test_govulncheck_parser.py +++ b/unittests/tools/test_govulncheck_parser.py @@ -20,6 +20,21 @@ def test_parse_no_findings(self): findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) + def test_parse_new_version_findings(self): + testfile = open("unittests/scans/govulncheck/many_vulns_new_version.json") + parser = GovulncheckParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(1, len(findings)) + with self.subTest(i=0): + finding = findings[0] + self.assertEqual("GO-2023-1840", finding.title) + self.assertEqual("Info", finding.severity) + self.assertEqual("CVE-2023-29403", finding.cve) + self.assertEqual("stdlib", finding.component_name) + self.assertEqual("1.3.1", finding.component_version) + self.assertIsNotNone(finding.description) + self.assertEqual("https://go.dev/issue/60272", finding.references) + def test_parse_many_findings(self): testfile = open("unittests/scans/govulncheck/many_vulns.json") parser = GovulncheckParser() 
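Review bot: `self.assertEqual("1.3.1", finding.component_version)` in test_parse_new_version_findings asserts the fixture's OSV `schema_version` as the component version, which locks in what looks like a parser mistake rather than checking the affected module's version; if the parser is corrected this assertion should move with it. The new test also opens the fixture with a bare `open(...)` that is never closed, mirroring the neighbouring tests; `with open("unittests/scans/govulncheck/many_vulns_new_version.json") as testfile:` avoids the ResourceWarning under pytest. The enclosing test class starts before the hunk.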
From 9ec3124a45eae801580a1dcca000a70324a956f6 Mon Sep 17 00:00:00 2001 From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Mon, 2 Oct 2023 09:44:15 -0400 Subject: [PATCH 08/12] add parser documentation for burp scan & burp-enterprise (#8764) * add html parser information to burp_enterprise.md * add xml parser info to burp.md --------- Co-authored-by: Paul Osinski --- .../en/integrations/parsers/file/burp.md | 36 +++++++++++++++++++ .../parsers/file/burp_enterprise.md | 11 +++++- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/burp.md b/docs/content/en/integrations/parsers/file/burp.md index c6efa5d4a89..84af321e355 100644 --- a/docs/content/en/integrations/parsers/file/burp.md +++ b/docs/content/en/integrations/parsers/file/burp.md @@ -2,7 +2,43 @@ title: "Burp XML" toc_hide: true --- +### File Types +DefectDojo parser accepts Burp Issue data as an .xml file. +To parse an HTML file instead, use this method: https://documentation.defectdojo.com/integrations/parsers/file/burp_enterprise/ + When the Burp report is generated, **the recommended option is Base64 encoding both the request and response fields** - e.g. check the box that says \"Base64-encode requests and responses\". These fields will be processed and made available in the \'Finding View\' page. + +See also: Burp documentation - XML export is described under "Export Issue data". https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports + +### Acceptable XML Format +All XML elements are required and will be parsed as strings. + +~~~ + + + exampleSerialNumber + exampleTypeNumber + Example Issue Name + http://bwa + + + Example Severity + Firm + + + + + + + false + + + ... + +~~~ + +### Sample Scan Data +Sample Burp scans can be found at https://github.com/DefectDojo/sample-scan-files/tree/master/burp. \ No newline at end of file 
diff --git a/docs/content/en/integrations/parsers/file/burp_enterprise.md b/docs/content/en/integrations/parsers/file/burp_enterprise.md index 65b60e07fd1..18338bbb5d5 100644 --- a/docs/content/en/integrations/parsers/file/burp_enterprise.md +++ b/docs/content/en/integrations/parsers/file/burp_enterprise.md @@ -2,4 +2,13 @@ title: "Burp Enterprise Scan" toc_hide: true --- -Import HTML reports from Burp Enterprise Edition + +### File Types +DefectDojo parser accepts a Standard Report as an HTML file. To parse an XML file instead, use this method: https://documentation.defectdojo.com/integrations/parsers/file/burp/ + +See also Burp documentation for info on how to export a Standard Report: +https://portswigger.net/burp/documentation/enterprise/work-with-scan-results/generate-reports + + +### Sample Reports +A standard Burp Enterprise HTML Report can be found at https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/burp_enterprise/many_vulns.html. From 985034b436ce9e65cb81589ee6d178f590cce17c Mon Sep 17 00:00:00 2001 From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com> Date: Mon, 2 Oct 2023 09:44:36 -0400 Subject: [PATCH 09/12] add parser formatting to bandit.md (#8757) * add parser formatting to bandit.md * add parser formatting to bandit.md --------- Co-authored-by: Paul Osinski Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> --- .../en/integrations/parsers/file/bandit.md | 65 ++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/bandit.md b/docs/content/en/integrations/parsers/file/bandit.md index a1773574546..cf2734e0f57 100644 --- a/docs/content/en/integrations/parsers/file/bandit.md +++ b/docs/content/en/integrations/parsers/file/bandit.md 
@@ -2,4 +2,67 @@
 title: "Bandit"
 toc_hide: true
 ---
-JSON report format
+
+### File Types
+DefectDojo parser accepts a .json file.
+
+To export a .json file from Bandit, you will need to install and run the .json report formatter from your Bandit instance.
+See Bandit documentation: https://bandit.readthedocs.io/en/latest/formatters/index.html
+
+
+### Acceptable JSON Format
+All properties are expected as strings, except "metrics" properties, which are expected as numbers. All properties are required by the parser.
+
+~~~
+{
+ "errors": [],
+ "generated_at": "example-timestamp",
+ "metrics": {
+ "_totals": {
+ "CONFIDENCE.HIGH": 1.0,
+ "CONFIDENCE.LOW": 0.0,
+ "CONFIDENCE.MEDIUM": 0.0,
+ "CONFIDENCE.UNDEFINED": 0.0,
+ "SEVERITY.HIGH": 0.0,
+ "SEVERITY.LOW": 1.0,
+ "SEVERITY.MEDIUM": 0.0,
+ "SEVERITY.UNDEFINED": 0.0,
+ "loc": 2,
+ "nosec": 0
+ },
+ "one/one.py": {
+ "CONFIDENCE.HIGH": 1.0,
+ "CONFIDENCE.LOW": 0.0,
+ "CONFIDENCE.MEDIUM": 0.0,
+ "CONFIDENCE.UNDEFINED": 0.0,
+ "SEVERITY.HIGH": 0.0,
+ "SEVERITY.LOW": 1.0,
+ "SEVERITY.MEDIUM": 0.0,
+ "SEVERITY.UNDEFINED": 0.0,
+ "loc": 2,
+ "nosec": 0
+ }
+ ...
+ },
+ "results": [
+ {
+ "code": "1 import os\n2 assert False\n",
+ "filename": "example.filename",
+ "issue_confidence": "example_confidence",
+ "issue_severity": "example_severity",
+ "issue_text": "Example issue description.",
+ "line_number": 2,
+ "line_range": [
+ 2
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ }
+ ...
+ ]
+}
+~~~
+
+### Sample Scan Data
+Sample Bandit scans can be found at https://github.com/DefectDojo/sample-scan-files/tree/master/bandit.
\ No newline at end of file
From d94aeb6827e4fe91b48f51057f70cdb7400ecc5f Mon Sep 17 00:00:00 2001
From: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Date: Mon, 2 Oct 2023 09:44:54 -0400
Subject: [PATCH 10/12] update acceptable json on awssecurityhub.md (#8756)
Co-authored-by: Paul Osinski
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
---
 .../parsers/file/awssecurityhub.md | 87 ++++++++++++++++++-
 1 file changed, 85 insertions(+), 2 deletions(-)
diff --git a/docs/content/en/integrations/parsers/file/awssecurityhub.md b/docs/content/en/integrations/parsers/file/awssecurityhub.md
index 416388376f5..826eae53a5c 100644
--- a/docs/content/en/integrations/parsers/file/awssecurityhub.md
+++ b/docs/content/en/integrations/parsers/file/awssecurityhub.md
@@ -2,5 +2,88 @@
 title: "AWS Security Hub"
 toc_hide: true
 ---
-The JSON output from AWS Security Hub exported with the `aws securityhub get-findings` ()
-command.
\ No newline at end of file
+### File Types
+DefectDojo parser accepts a .json file.
+
+JSON reports can be created from the [AWS Security Hub CLI](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) using the following command: `aws securityhub get-findings`.
+
+
+### Acceptable JSON Format
+Parser expects a .json file, with an array of Findings contained within a single JSON object. All properties are strings and are required by the parser.
+
+~~~
+{
+ "findings": [
+ {
+ "SchemaVersion": "2018-10-08",
+ "Id": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1",
+ "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
+ "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.5",
+ "AwsAccountId": "012345678912",
+ "Types": [
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
+ ],
+ "FirstObservedAt": "2020-06-08T14:33:07.560Z",
+ "LastObservedAt": "2020-06-14T21:02:53.940Z",
+ "CreatedAt": "2020-06-08T14:33:07.560Z",
+ "UpdatedAt": "2020-06-14T21:02:53.454Z",
+ "Severity": {
+ "Product": 0,
+ "Label": "INFORMATIONAL",
+ "Normalized": 0,
+ "Original": "INFORMATIONAL"
+ },
+ "Title": "IAM.5 MFA should be enabled for all IAM users that have console password",
+ "Description": "This AWS control checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.",
+ "Remediation": {
+ "Recommendation": {
+ "Text": "For directions on how to fix this issue, please consult the AWS Security Hub Foundational Security Best Practices documentation.",
+ "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation"
+ }
+ },
+ "ProductFields": {
+ "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
+ "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0",
+ "ControlId": "IAM.5",
+ "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.5/remediation",
+ "RelatedAWSResources:0/name": "securityhub-mfa-enabled-for-iam-console-access-9ae73a2f",
+ "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
+ "StandardsControlArn": "arn:aws:securityhub:us-east-1:012345678912:control/aws-foundational-security-best-practices/v/1.0.0/IAM.5",
+ "aws/securityhub/SeverityLabel": "INFORMATIONAL",
+ "aws/securityhub/ProductName": "Security Hub",
+ "aws/securityhub/CompanyName": "AWS",
+ "aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.",
+ "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:012345678912:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.5/finding/de861909-2d26-4e45-bd86-19d2ab6ceef1"
+ },
+ "Resources": [
+ {
+ "Type": "AwsAccount",
+ "Id": "AWS::::Account:012345678912",
+ "Partition": "aws",
+ "Region": "us-east-1"
+ }
+ ],
+ "Compliance": {
+ "Status": "PASSED",
+ "StatusReasons": [
+ {
+ "ReasonCode": "CONFIG_EVALUATIONS_EMPTY",
+ "Description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."
+ }
+ ]
+ },
+ "WorkflowState": "NEW",
+ "Workflow": {
+ "Status": "NEW"
+ },
+ "RecordState": "ACTIVE"
+ },
+ ...
+ ]
+}
+
+
+~~~
+
+### Sample Scan Data
+Sample scan data for testing purposes can be found at https://github.com/DefectDojo/sample-scan-files/tree/master/awssecurityhub.
\ No newline at end of file
From df7e4c279821f6a372c90f48a90817bbb09795c4 Mon Sep 17 00:00:00 2001
From: kiblik
Date: Mon, 2 Oct 2023 15:45:13 +0200
Subject: [PATCH 11/12] Fix "data model" link in Features (#8744)
---
 docs/content/en/usage/features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/content/en/usage/features.md b/docs/content/en/usage/features.md
index 5edce92c741..fdd3e19480d 100644
--- a/docs/content/en/usage/features.md
+++ b/docs/content/en/usage/features.md
@@ -8,7 +8,7 @@ weight: 2 ## Tags In DefectDojo, tags are a first class citizen and are recognized as the facilitators -of organization within each level of the [data model](../models.md). Tags are +of organization within each level of the [data model](../models). Tags are ideal for grouping objects in a manner that can be filtered out into smaller, more digestible chunks.
From 54e9f917891b6d567331dbee3280ca66ef54c30e Mon Sep 17 00:00:00 2001
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Date: Mon, 2 Oct 2023 08:47:16 -0500
Subject: [PATCH 12/12] Correct product revenue value on the product details page (#8741)
---
 dojo/templates/dojo/view_product_details.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dojo/templates/dojo/view_product_details.html b/dojo/templates/dojo/view_product_details.html
index d3be7c45aea..cc216a79d99 100644
--- a/dojo/templates/dojo/view_product_details.html
+++ b/dojo/templates/dojo/view_product_details.html
@@ -473,7 +473,7 @@

0 %} {% if prod.revenue < 1000000 %}{{ prod.revenue|intcomma }}{% else %}{{ prod.revenue|intword }}{% endif %} {% else %} - {{ prod.user_records|notspecified }} + {{ prod.revenue|notspecified }} {% endif %} @@ -696,4 +696,4 @@