
🐛 reset description in progpilot after each finding #10210

Merged: 2 commits from progpilot_bug_descissue into DefectDojo:bugfix, May 20, 2024

Conversation

manuel-sommer (Contributor) opened this pull request:

see discussion in #10044

dryrunsecurity bot commented May 15, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   0 findings
Sensitive Files Analyzer        0 findings
AppSec Analyzer                 0 findings
Authn/Authz Analyzer            0 findings
Secrets Analyzer                0 findings

Note: 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

The code change in this pull request is related to the ProgpilotParser class in the dojo/tools/progpilot/parser.py file. The change involves modifying the get_findings method to ensure that the description variable is reset for each finding during the iteration over the results list. This is a good practice to prevent any potential issues with findings sharing the same description, which could lead to data integrity or consistency problems.

From an application security perspective, the code appears to be handling the parsing of Progpilot security scan results correctly. The Finding objects created contain relevant information such as the vulnerability type, source and sink details, and the vulnerability description. The code also handles mapping the Progpilot-specific fields (e.g., vuln_cwe) to the appropriate fields in the Finding object, which is important for maintaining consistent data representation and analysis within the Dojo application. Overall, the code change seems to be a minor refactoring to improve the reliability and maintainability of the Progpilot parser.

Files Changed:

  • dojo/tools/progpilot/parser.py: The get_findings method in the ProgpilotParser class has been modified to move the description variable initialization inside the for loop that iterates over the results list. This ensures that the description variable is reset for each finding, preventing any potential issues with findings sharing the same description.

Powered by DryRun Security

mtesauro (Contributor) left a review comment:

Approved

manuel-sommer (Contributor, Author) commented:

ah, lol. Thank you for the commit @cneill, you are right.

nAgga3 commented May 17, 2024

Would it be possible to approve the bug fix?

Maffooch merged commit cc8b8d8 into DefectDojo:bugfix May 20, 2024
123 checks passed

nAgga3 commented May 20, 2024

Good morning, @manuel-sommer, unfortunately the fix does not resolve the parser issue. Unfortunately, the same behavior continues to occur: when there is a vulnerability of the "Security Misconfiguration" type, information from the previous vulnerability is brought in, and when there are multiple vulnerabilities of the "Security Misconfiguration" type, it only brings information from a single one.

Sorry for my insistence.
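The bug class described in the DryRun summary above (a `description` variable initialised once, outside the `for` loop over the results list) and the symptom reported in this comment (a "Security Misconfiguration" finding carrying details of the finding before it) can be reproduced side by side. This is an added example, not DefectDojo's parser code; the Progpilot field names (`vuln_name`, `vuln_cwe`, `source_name`, `sink_name`, `vuln_description`) and the sample output are assumptions constructed for it.

```python
import json

# Constructed Progpilot-style output; field names are assumed, not the real schema.
# Finding 0 has source/sink details, findings 1 and 2 carry only a short description.
SAMPLE = json.dumps([
    {"vuln_name": "sql_injection", "vuln_cwe": "CWE-89",
     "source_name": "$_GET", "source_line": 12,
     "sink_name": "mysql_query", "sink_line": 40},
    {"vuln_name": "Security Misconfiguration",
     "vuln_description": "display_errors is on"},
    {"vuln_name": "Security Misconfiguration",
     "vuln_description": "register_globals is on"},
])


def describe(item, description):
    """Append whichever detail fields this item has; absent fields add nothing."""
    if "vuln_cwe" in item:
        description += f"CWE: {item['vuln_cwe']}\n"
    if "source_name" in item:
        description += f"Source: {item['source_name']} (line {item['source_line']})\n"
    if "sink_name" in item:
        description += f"Sink: {item['sink_name']} (line {item['sink_line']})\n"
    if "vuln_description" in item:
        description += f"{item['vuln_description']}\n"
    return description


def parse_buggy(raw):
    """Before the fix: `description` is initialised once, so every finding keeps
    whatever earlier findings accumulated and only adds its own lines on top."""
    findings = []
    description = ""  # loop-carried state: the defect
    for item in json.loads(raw):
        description = describe(item, description)
        findings.append({"title": item["vuln_name"], "description": description})
    return findings


def parse_fixed(raw):
    """After the fix: `description` is reset at the top of each iteration, so a
    finding's description contains only the fields that finding itself provides."""
    findings = []
    for item in json.loads(raw):
        description = describe(item, "")  # fresh per finding
        findings.append({"title": item["vuln_name"], "description": description})
    return findings
```

In the buggy form the second "Security Misconfiguration" finding ends up carrying the SQL injection source/sink lines and the first misconfiguration's text, which is exactly the cross-finding leakage a reviewer should check for in any parser that builds strings inside a loop.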

manuel-sommer deleted the progpilot_bug_descissue branch May 20, 2024 17:04

manuel-sommer (Contributor, Author) commented May 21, 2024

Hi @nAgga3, did you test the latest version (2.34.4)?
I checked the code and did not see any inconsistencies. Please be more specific, e.g. make screenshots or upload a sample file. To me, this is fixed. You can open up a new issue if you want.
