✨ merge acunetix and acunetix360

[manuel-sommer]

No description provided.

[dryrunsecurity]

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

Status	DryRun Security Check
✅	Sensitive Functions Analyzer
❌	Configured Sensitive Files Analyzer
✅	Sensitive Files Analyzer

Chat with your AI-powered Security Buddy by typing @dryrunsecurity followed by your question into a comment.
Example: @dryrunsecurity What are common security issues with web application cookies?

Install and configure more repositories at DryRun Security

[manuel-sommer]

Ready to review @mtesauro

[mtesauro]

Approved

[manuel-sommer]

@cneill and @Maffooch could you please review and merge this?

[manuel-sommer]

friendly reminder @cneill and @Maffooch

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Sensitive Functions Analyzer	✅	0 findings
Configured Sensitive Files Analyzer	❌	1 findings
Sensitive Files Analyzer	❕	5 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Tip

Get answers to your security questions. Add a comment in this PR starting with @DryRunSecurity. For example...

@dryrunsecurity What are common security issues with web application cookies?

Powered by DryRun Security

[manuel-sommer]

Hi @mtesauro, I already have 4 approvals here, but what about this PR and #9690 ?

[mtesauro]

@manuel-sommer About this PR and #9690

From what I understand about Acunetix and Acunetix360, they are both DAST scanners from the same vendor with different file formats (XML and JSON).

So, I'd expect they are similar enough to have a combined parser and still be able to write a good dedup algorithm. When they were separated parsers, they had matching dedup algorithms so I don't see the same problem as combining say a DAST, and SCA tools output if from the same vendor.

About the 4 approvals and no merge, I was waiting to hear back from @blakeaowens since he raised the question about migrations.

[manuel-sommer]

Friendly reminder @blakeaowens

[blakeaowens]

I am fine with no reverse-migration method for this PR. @manuel-sommer @mtesauro

[manuel-sommer]

Hi @mtesauro, fyi, I updated db migrations. It would be nice if we could merge this.

[mtesauro]

@manuel-sommer Sure thing. Closed and opened this to try to get that Flake8 test happy. Once that's happy, we're good to merge.

[ekondur]

Hi @manuel-sommer,
We got some errors after this change, are you from the acx team? if so, can you pls slack me, (Emrah KONDUR)

[manuel-sommer]

No, I am not from the acunetix team. If you submit a new issue with sample findings, I can help you fix the problem

[ekondur]

There isn't an issue I created yet. Acunetix and Acunetix360 are different products, why do we need to merge them? I couldn't see these details on the task.
Thank you for helping, this is the example issue we got after this change.
{ statusCode = BadRequest, content = {"scan_type":["\"Acunetix360 Scan\" is not a valid choice."],"message":"{'scan_type': [ErrorDetail(string='\"Acunetix360 Scan\" is not a valid choice.', code='invalid_choice')]}"}
Should we revert these changes or proceed with a separate task to solve this problem? @manuel-sommer

[manuel-sommer]

The both products were merged because they origin from one vendor.
You just have to select scan_type = Acunetix Scan. Please remove "360". Then, it should be fine.
See here: https://defectdojo.github.io/django-DefectDojo/getting_started/upgrading/2.33/
@mtesauro shall we add "Acunetix360 Scan" to here:

django-DefectDojo/dojo/tools/acunetix/parser.py

Line 9 in 83fae48

return ["Acunetix Scan"]

? Then, I can make a PR.

[ekondur]

Hi @manuel-sommer
I will try without the 360 suffix, if it works we can change it on our side (360 code base),

Can you please inform the relevant vendor in advance about such changes? FYI @mtesauro

[ekondur]

Hi @manuel-sommer
We discussed it with the team and decided to use both Acunetix and Acunetix360, these are different products and have different customers. It might be confusing because our customers have used these products as Acunetix Premium and Acunetix360 for many years. Even the teams in charge of products are different.
https://www.acunetix.com/product/acunetix360/
https://www.acunetix.com/product/premium/
Also, we have concerns about if one of the report models is changed, we should also consider the compatibility of the other. So it would be better to use them separately.
Could you please revert this change?

[manuel-sommer]

Waiting for the answer from @mtesauro

[ekondur]

Kindly remind @mtesauro, it is a bit urgent, it affected many of our customers.

[devGregA]

Hi @ekondur, on the topic of collaborating we had reached out to Acunetix previously about partnership, but didn't receive a response.

[ekondur]

Hi @devGregA I'm sorry, I have no idea why there was no receive. Can you please inform us about the process so we can revert it and publish it as soon as possible?

[ekondur]

Any update @manuel-sommer @devGregA @mtesauro?

[mtesauro]

@ekondur This is merged already in dev. The dev branch is merged into a release on the first Monday of every month which means this will go in next Monday aka the first Monday in May which will be 2.34.0

[ekondur]

@mtesauro do you mean rolling back this issue? because I can't see the acunetix360 parser in the current code. Is it published to the demo (https://demo.defectdojo.org/) I can't see the Acunetix 360 scan option as well.