
feat(DD_DEDUPLICATION_ALGORITHM_PER_PARSER + DD_HASHCODE_FIELDS_PER_SCANNER): Add checker of values #11244

Merged
merged 1 commit into from
Nov 15, 2024

Conversation

kiblik
Contributor

@kiblik kiblik commented Nov 12, 2024

This PR:

  • Adds real values for DD_DEDUPLICATION_ALGORITHM_PER_PARSER to the documentation
  • Adds checkers that DD_DEDUPLICATION_ALGORITHM_PER_PARSER and DD_HASHCODE_FIELDS_PER_SCANNER have the correct format

Tested manually on the following scenarios:

  • Use-case DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy scan": "DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL"}':
    • Result: AttributeError: DEDUP algorithm 'DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL' for 'Trivy scan' is not valid. Use one of following values: legacy, unique_id_from_tool, hash_code, unique_id_from_tool_or_hash_code
  • Use-case DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy scan": "unique_id_from_tool_or_hash_code"}'
    • OK
  • Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": "cwe"}'
    • Result: TypeError: Fields definition 'cwe' for hashcode calculation of 'Trivy scan' is not valid. It needs to be list of strings but it is <class 'str'>.
  • Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": [1]}'
    • Result: AttributeError: Fields for hashcode calculation for Trivy scan are not valid. It needs to be list of strings. Some of fields are not string.
  • Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": ["cwe"]}'
    • OK

Context: https://owasp.slack.com/archives/C2P5BA8MN/p1731339375410859
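The two checks the PR describes, reconstructed as an added example (not DefectDojo's own code): the allowed algorithm values come from the error message above, the exception types and wording mirror the scenarios listed, and the constant and function names are assumptions.

```python
import json

# Allowed values for DD_DEDUPLICATION_ALGORITHM_PER_PARSER. The DEDUPE_ALGO_*
# settings constants are Python names; the env var takes their string values
# (the mismatch optimistic5 raises below). Constant names assumed here.
DEDUPE_ALGO_LEGACY = "legacy"
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL = "unique_id_from_tool"
DEDUPE_ALGO_HASH_CODE = "hash_code"
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE = "unique_id_from_tool_or_hash_code"
VALID_DEDUPE_ALGOS = (DEDUPE_ALGO_LEGACY, DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
                      DEDUPE_ALGO_HASH_CODE, DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE)


def check_dedupe_algorithms(raw: str) -> dict:
    """Parse the JSON env value; reject algorithm names outside the allowed set.
    Exception types and wording follow the PR description."""
    per_parser = json.loads(raw)
    for parser, algo in per_parser.items():
        if algo not in VALID_DEDUPE_ALGOS:
            raise AttributeError(
                f"DEDUP algorithm '{algo}' for '{parser}' is not valid. "
                f"Use one of following values: {', '.join(VALID_DEDUPE_ALGOS)}")
    return per_parser


def check_hashcode_fields(raw: str) -> dict:
    """Parse DD_HASHCODE_FIELDS_PER_SCANNER; every value must be a list of str."""
    per_scanner = json.loads(raw)
    for scanner, fields in per_scanner.items():
        if not isinstance(fields, list):
            raise TypeError(
                f"Fields definition '{fields}' for hashcode calculation of "
                f"'{scanner}' is not valid. It needs to be list of strings "
                f"but it is {type(fields)}.")
        if not all(isinstance(f, str) for f in fields):
            raise AttributeError(
                f"Fields for hashcode calculation for {scanner} are not valid. "
                "It needs to be list of strings. Some of fields are not string.")
    return per_scanner


def run_check(check, raw: str):
    """Return ('OK', parsed) on success, else (exception class name, message)."""
    try:
        return "OK", check(raw)
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__, str(exc)
```

Running `run_check` over the five env-var strings from the scenario list reproduces the OK / AttributeError / TypeError outcomes given there.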


dryrunsecurity bot commented Nov 12, 2024

DryRun Security Summary

The provided code changes focus on enhancing the security-related configurations and documentation of the DefectDojo application, particularly improving the deduplication and hashcode calculation mechanisms, and providing more detailed information about various features, such as tags, risk acceptance, deduplication, SLA management, reporting, and metrics.


Summary:

The provided code changes focus on enhancing the security-related configurations and documentation of the DefectDojo application. The key changes include improvements to the deduplication and hashcode calculation mechanisms, which are crucial for effective vulnerability management. Additionally, the documentation updates provide more detailed information about various features, such as tags, risk acceptance, deduplication, SLA management, reporting, and metrics.

From an application security perspective, the deduplication and hashcode calculation configurations are particularly noteworthy. The ability to configure different deduplication algorithms and hashcode computation settings per scanner/parser helps improve the accuracy and reliability of the deduplication process, which is essential for effectively managing security findings. The inclusion of security-related settings, such as CSRF, session, and content security configurations, also helps strengthen the overall security of the application.

The documentation updates cover a wide range of features, providing users with a comprehensive understanding of the capabilities and security-related aspects of the DefectDojo application. This level of transparency and documentation is commendable, as it helps users make informed decisions and effectively utilize the security tools and features provided by the application.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: This file contains a SHA-256 hash sum of the dojo/settings/.settings.dist.py configuration file. The change in the hash value indicates that the contents of the configuration file have been modified. It is important to review the actual changes to the configuration file to ensure that no security-sensitive information has been inadvertently exposed and that the changes do not introduce any security vulnerabilities.

  2. docs/content/en/usage/features.md: This file has been updated to provide more detailed information about the various features available in the DefectDojo application, including tags, risk acceptance, deduplication, SLA management, reporting, metrics, users, calendar, benchmarks, and the Endpoint Meta Importer. These documentation updates help users better understand the security-related aspects and capabilities of the application.

  3. dojo/settings/settings.dist.py: This file contains the settings configuration for the DefectDojo application. The changes focus on enhancing the deduplication and hashcode calculation configurations, which are crucial for effective vulnerability management. The code also includes security-related settings, such as CSRF, session, and content security configurations, which help improve the overall security of the application.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs labels Nov 12, 2024
@kiblik kiblik force-pushed the DD_DEDUPLICATION_checker branch 3 times, most recently from 7275641 to 48b7661 Compare November 12, 2024 15:28
@optimistic5
Contributor

@kiblik thank you for the improvement.
What about the documentation?
Because when you read:

The available algorithms are:
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL
DEDUPE_ALGO_HASH_CODE
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
DEDUPE_ALGO_LEGACY

I understand it as meaning I need to use something like:

DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy Scan": "DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL"}'

but DD expects:

DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL = "unique_id_from_tool"


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik force-pushed the DD_DEDUPLICATION_checker branch from 133e2ef to 46f08eb Compare November 12, 2024 18:09
@kiblik kiblik closed this Nov 12, 2024
@kiblik kiblik reopened this Nov 12, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

@mtesauro mtesauro left a comment


Approved


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch merged commit cf452c8 into DefectDojo:bugfix Nov 15, 2024
73 checks passed
@kiblik kiblik deleted the DD_DEDUPLICATION_checker branch November 15, 2024 18:56