base trufflehog hashes on file_path and payload #9899

Closed
2 changes: 1 addition & 1 deletion dojo/settings/settings.dist.py
@@ -1243,7 +1243,7 @@ def saml2_attrib_map_format(dict):
'KubeHunter Scan': ['title', 'description'],
'kube-bench Scan': ['title', 'vuln_id_from_tool', 'description'],
'Threagile risks report': ['title', 'cwe', "severity"],
'Trufflehog Scan': ['title', 'description', 'line'],
'Trufflehog Scan': ['file_path', 'payload'],
'Humble Json Importer': ['title'],
'MSDefender Parser': ['title', 'description'],
'HCLAppScan XML': ['title', 'description'],
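Review bot: the new key `['file_path', 'payload']` drops the only field in the old key that located a finding inside a file (`line`), so two distinct secrets in the same file are now told apart solely by `payload`. The parser change in this PR only sets `payload=rawV2` in `get_findings_v3`, so any finding that arrives without that value (older report formats, as raised in the thread) reduces the key to `file_path` alone and every hit in one file collapses into a single finding. Suggest keeping a per-location field in the key, e.g. `'Trufflehog Scan': ['file_path', 'payload', 'line']` or the `url` field proposed in the thread, and noting in the PR description that existing findings carry hash codes computed under the old field list, which the upgrade question in the thread is about.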
3 changes: 2 additions & 1 deletion dojo/tools/trufflehog/parser.py
@@ -193,7 +193,8 @@ def get_findings_v3(self, data, test):
url="N/A",
dynamic_finding=False,
static_finding=True,
nb_occurences=1
nb_occurences=1,
payload=rawV2
brieucR marked this conversation as resolved.
Contributor
I am not seeing rawV2 used in any of the unit test files. Is this a new field? Would there be any concern for folks using older versions of Trufflehog without rawV2 in their scan reports? In those cases, the only field that would be used for deduplication would be the file path.

Author
@Maffooch I had a further look at that; another way to do this would be using url.

This field can be completed using Trufflehog v2 and Trufflehog v3.
Furthermore, it's unique as it contains path, commit_hash and line_number.

We can also add the component_name to make sure we add no regression from before.

Author
With this update we make sure that any further change from Trufflehog or to the default description won't impact issue duplication.

Author
@brieucR May 6, 2024

As url was left empty until now, projects might have issues when upgrading DefectDojo.
@Maffooch is there a migration mechanism so that I can write a script to fill the url field for existing findings?

Author

I've created a new PR here:
#10118

)
dupes[dupe_key] = finding
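Review bot: `rawV2` is assigned outside the visible context of this hunk, so confirm it is given a default (for example an empty string) when a report lacks the field; otherwise the `Finding(...)` call depends on a name that may be unset for older report formats, and an empty payload makes the settings key in this PR fall back to `file_path` alone. Separately, `payload=rawV2` stores the raw secret value on the finding; since it is only needed as a hash input, consider storing a digest of it instead, or state in the PR that the raw secret is persisted. A unit test fixture containing `rawV2` would cover both points.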
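The thread argues about which fields should form the deduplication key for Trufflehog findings. The following added example (not DefectDojo's or Trufflehog's own code) is a simplified model of per-scanner hash-code deduplication that shows the trade-off with constructed findings: the old key (`title`, `description`, `line`) splits one secret into two findings when the description wording changes, while the new key (`file_path`, `payload`) merges distinct secrets in one file whenever `payload` is empty, and adding `url` restores the distinction. The join-and-SHA-256 hashing, the sample values and the `fingerprint` helper are assumptions for the example; DefectDojo's real hash computation is not on this page.

```python
import hashlib
from typing import Dict, Iterable, List


def compute_hash_code(finding: Dict[str, str], fields: List[str]) -> str:
    """Build the dedup key from the configured fields; a missing value becomes ''.
    Assumption: values are joined with '|' and hashed with SHA-256 (a stand-in,
    not DefectDojo's own routine)."""
    parts = [str(finding.get(field) or "") for field in fields]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def dedupe(findings: Iterable[Dict[str, str]], fields: List[str]) -> Dict[str, Dict[str, str]]:
    """Keep the first finding per key, mirroring the `dupes[dupe_key] = finding` pattern."""
    dupes: Dict[str, Dict[str, str]] = {}
    for finding in findings:
        dupes.setdefault(compute_hash_code(finding, fields), finding)
    return dupes


def unique_keys(findings: Iterable[Dict[str, str]], fields: List[str]) -> int:
    """Number of distinct findings that survive deduplication under `fields`."""
    return len(dedupe(findings, fields))


def fingerprint(secret: str) -> str:
    """Digest that can stand in for the raw secret in the key so the secret itself
    is never persisted. An unsalted digest of a low-entropy secret is still
    guessable, so this limits casual exposure rather than brute force."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


OLD_FIELDS = ["title", "description", "line"]  # key before the patch
NEW_FIELDS = ["file_path", "payload"]          # key after the patch
URL_FIELDS = ["file_path", "payload", "url"]   # variant proposed in the thread

# Constructed sample findings (placeholder values, not real secrets): two different
# keys detected in the same file of the same commit.
TWO_SECRETS = [
    {"title": "AWS key", "description": "Found AWS", "file_path": "config/app.py",
     "line": "12", "payload": "AKIA_PLACEHOLDER_0001", "url": "config/app.py:12@abc123"},
    {"title": "AWS key", "description": "Found AWS", "file_path": "config/app.py",
     "line": "40", "payload": "AKIA_PLACEHOLDER_0002", "url": "config/app.py:40@abc123"},
]
# The same two findings as an older report would deliver them, without rawV2/payload.
TWO_SECRETS_NO_PAYLOAD = [dict(f, payload="") for f in TWO_SECRETS]
# One secret reported twice after the default description wording changed.
DESCRIPTION_DRIFT = [TWO_SECRETS[0], dict(TWO_SECRETS[0], description="Found AWS (verified)")]
# The two secrets carrying only a digest of the secret in `payload`.
TWO_SECRETS_FINGERPRINTED = [dict(f, payload=fingerprint(f["payload"])) for f in TWO_SECRETS]


if __name__ == "__main__":
    samples = [("with payload", TWO_SECRETS), ("without payload", TWO_SECRETS_NO_PAYLOAD),
               ("description drift", DESCRIPTION_DRIFT), ("fingerprinted", TWO_SECRETS_FINGERPRINTED)]
    for label, findings in samples:
        for name, fields in [("old", OLD_FIELDS), ("new", NEW_FIELDS), ("url", URL_FIELDS)]:
            print(f"{label:18s} {name:3s}: {unique_keys(findings, fields)} distinct finding(s)")
```

Running it shows the two failure modes side by side: under the old key the description drift yields two findings for one secret, and under the new key the report without `payload` yields one finding for two secrets. Carrying a digest of the secret in `payload` gives the same deduplication as the raw value without storing the secret itself.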
