
Enhancements to Govulncheck parser #9339

Merged
merged 2 commits into from
Jan 19, 2024

Conversation

a-ruff
Contributor

@a-ruff a-ruff commented Jan 16, 2024

Description

This Pull Request introduces several key enhancements to the govulncheck parser, aiming to provide more detailed and actionable vulnerability data within DefectDojo. The updates focus on enriching the parsed information with additional contextual details and traceability, making it easier for users to understand and act upon the findings.

Note:

  • Changes have been made to the parsing of the new govulncheck format. The old format is of course still supported.
  • Feel free to provide any suggestions or feedback for further improvements. If any part of the code is unclear, I can add explanatory comments or even rewrite sections for better clarity and understanding.

Key Changes:

  1. Richer finding title.
  • The parser now constructs the title using a combination of the Go vulnerability ID, the affected package name and the path within the package.
  • Example: GO-2023-2382 - Stdlib - Net/HTTP/Internal
  2. Detailed vulnerability description.
  • The parser now adds more descriptive details about each vulnerability, including the summary, vulnerable functions and affected versions, to the description.
  3. Inclusion of trace information in the description of the finding.
  • The component version is now set to the first version available in the trace.
  • Previously, it was loaded from "schema_version", which is not related to the vulnerability.
  4. Inclusion of details about the impact of the finding.
  • The parser now adds details about the impact of the vulnerability in the 'impact' field.
  5. Introduction of an optional custom severity field.
  • govulncheck does not provide severity information in its output. The parser has been updated to include an optional severity field which can be populated to set the severity. This enhances the flexibility of the parser.

Screenshot:

Before: [one screenshot of the previous finding layout]

After: [five screenshots of the enriched finding layout]

Test results
Tests have been updated with new tests to cover changes :
System check identified no issues (0 silenced).
test_parse_empty (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_empty) ... ok
test_parse_many_findings (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_many_findings) ... ok
test_parse_new_version_many_findings (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_new_version_many_findings) ... ok
test_parse_new_version_many_findings_custom_severity (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_new_version_many_findings_custom_severity) ... ok
test_parse_new_version_no_findings (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_new_version_no_findings) ... ok
test_parse_no_findings (unittests.tools.test_govulncheck_parser.TestGovulncheckParser.test_parse_no_findings) ... ok

----------------------------------------------------------------------
Ran 6 tests in 0.039s

OK
Destroying test database for alias 'default' ('test_defectdojo')...

Documentation

Do I need to update any documentation?

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.


dryrunsecurity bot commented Jan 16, 2024

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

DryRun Security checks (status icons not reproduced):
  • AI-powered Sensitive Function Check
  • Configured Sensitive Files Check
  • AI-powered Sensitive Files Check


@a-ruff a-ruff marked this pull request as ready for review January 16, 2024 15:57
@@ -1,267 +1,194 @@
[
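Review bot: The hunk header @@ -1,267 +1,194 @@ shows the existing 267-line unit test report file being replaced by a 194-line one rather than a new fixture being added beside it, so the old-format sample that the description says is still supported would no longer be exercised by the tests; keep the original report file unchanged and add a separate fixture for the new govulncheck format, which is also what the test_parse_new_version_* test names suggest.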
Contributor
Hi @a-ruff ,

I would prefer if you would keep the already existing unittests report files and add an additional one if you advance govulncheck.

Contributor
+1

Contributor Author
Sure, I'll proceed with the change.

Contributor Author
Done ✅

@a-ruff a-ruff force-pushed the enhance_govulncheck_parser branch from 6553eab to 2088220 January 17, 2024 10:33

Contributor Author

a-ruff commented Jan 17, 2024

The check "Detect Merge Conflicts" was failing. Following rebase instructions resolved the issue.

Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit a002f73 into DefectDojo:dev Jan 19, 2024
121 checks passed