
Mobsfscan report files parsing fix #11278

Merged
merged 3 commits into from
Nov 22, 2024

Conversation

dmarushkin
Contributor

Description

In mobsfscan reports each result can contain a list of files:

{
    "errors": [],
    "mobsfscan_version": "0.2.0",
    "results": {
      ...
      "android_kotlin_hardcoded": {
        "files": [
          {
            "file_path": "app/src/main/java/com/routes/domain/analytics/event/Signatures.kt",
            "match_lines": [
              10,
              10
            ],
            "match_position": [
              243,
              271
            ],
            "match_string": "key = \"hmi_busroutes_health\""
          },
          {
            "file_path": "app/src/main/java/com/routes/domain/analytics/event/Signatures2.kt",
            "match_lines": [
              20,
              20
            ],
            "match_position": [
              243,
              271
            ],
            "match_string": "key2 = \"hmi_busroutes_health\""
          }
        ],
        ....

In the previous parser logic, the finding stored only the last file and did not store the snippet.
In the new logic, a finding is added for each file and the snippet is added to the description.

Also, file and description were added to the hash fields in settings (God help me deal with sha256).

Test results

Fixed tests for the many-findings case.
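As an added example (not DefectDojo's own parser code), the following standalone Python shows the parsing logic the description above calls for: one finding per entry in a result's "files" list, the match_string snippet appended to the description, a finding still emitted for a result that has no files, and deduplication on a SHA-256 over title, file path and description. The sample report is constructed; the shape of the "metadata" block and the output field names are assumptions, not taken from the page.

```python
import hashlib
import json

# Constructed sample report (not a real scan). The "files" entries follow the
# shape shown in the PR description; the "metadata" block is an assumed shape.
SAMPLE_REPORT = json.loads(r'''
{
  "errors": [],
  "mobsfscan_version": "0.2.0",
  "results": {
    "android_kotlin_hardcoded": {
      "files": [
        {
          "file_path": "app/src/main/java/com/routes/domain/analytics/event/Signatures.kt",
          "match_lines": [10, 10],
          "match_position": [243, 271],
          "match_string": "key = \"hmi_busroutes_health\""
        },
        {
          "file_path": "app/src/main/java/com/routes/domain/analytics/event/Signatures2.kt",
          "match_lines": [20, 20],
          "match_position": [243, 271],
          "match_string": "key2 = \"hmi_busroutes_health\""
        }
      ],
      "metadata": {"description": "Files may contain hardcoded sensitive information", "severity": "WARNING"}
    },
    "android_debuggable": {
      "metadata": {"description": "Debug flag enabled in manifest", "severity": "INFO"}
    }
  }
}
''')


def finding_hash(title, file_path, description):
    # Dedup key over title + file + description, the combination the PR adds to
    # the hash-code configuration. NUL separators keep "a"+"bc" distinct from "ab"+"c".
    raw = "\x00".join([title, file_path, description]).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def parse_mobsfscan(report):
    """Return one finding dict per (rule, file); a rule with no files still yields one finding."""
    seen = {}
    for rule_id, result in report.get("results", {}).items():
        meta = result.get("metadata", {})
        base_desc = meta.get("description", rule_id)
        severity = meta.get("severity", "INFO")
        # A result without a "files" list (or with an empty one) is processed once with no file.
        entries = result.get("files") or [None]
        for entry in entries:
            if entry is None:
                file_path, line, description = None, None, base_desc
            else:
                file_path = entry.get("file_path")
                match_lines = entry.get("match_lines") or []
                line = match_lines[0] if match_lines else None
                snippet = entry.get("match_string", "")
                # The snippet goes into the description rather than being dropped.
                description = f"{base_desc}\n\nSnippet: {snippet}" if snippet else base_desc
            key = finding_hash(rule_id, file_path or "", description)
            if key in seen:
                continue  # same rule, file and snippet already reported
            seen[key] = {
                "title": rule_id,
                "severity": severity,
                "file_path": file_path,
                "line": line,
                "description": description,
                "unique_id": key,
            }
    return list(seen.values())


if __name__ == "__main__":
    for f in parse_mobsfscan(SAMPLE_REPORT):
        print(f["severity"], f["title"], f["file_path"], f["line"])
```

Running the block on the constructed report yields three findings: two for the hardcoded-secret rule (one per file, each carrying its own snippet) and one for the rule that lists no files. Feeding the same file entry twice under one rule produces a single finding, which is the deduplication the hash fields are meant to give.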

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests ui parser helm labels Nov 17, 2024
@dmarushkin dmarushkin changed the base branch from master to bugfix November 17, 2024 22:15

dryrunsecurity bot commented Nov 17, 2024

DryRun Security Summary

The pull request includes various updates and improvements to the application security-related functionality of the project, including configuration file updates, new security findings, and enhancements to the MobSF security scanner parser and its test suite.


Summary:

The code changes in this pull request cover various updates and improvements to the application security-related functionality of the project. The changes include:

  1. Updating the SHA-256 hash value of the configuration file, which should be reviewed carefully to ensure the integrity of the configuration changes.
  2. Adding a new finding to the MobSF security scanner's hardcoded sensitive information detection, which highlights the presence of a hardcoded string in the application's Kotlin source code.
  3. Modifying the configuration settings for the DefectDojo application, including updates to the SAML2 attribute mapping for the MobSF scan parser.
  4. Enhancing the MobsfscanParser class to handle various edge cases, such as multiple files per finding, deduplication of findings, and findings without associated files.
  5. Updating the test suite for the MobsfscanParser class to improve the robustness and accuracy of the security scanning process.

Overall, these changes appear to be focused on improving the security-related functionality and testing capabilities of the project. From an application security engineer's perspective, the changes seem reasonable and do not introduce any obvious security concerns. However, it's important to review the changes carefully, especially those related to configuration updates and the handling of sensitive information, to ensure that the application's security posture is not compromised.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash value of the configuration file has been updated, which should be reviewed to ensure the integrity of the configuration changes.
  2. unittests/scans/mobsfscan/many_findings.json: A new finding has been added to the hardcoded sensitive information detection, which identifies a hardcoded string in the application's Kotlin source code.
  3. dojo/settings/settings.dist.py: The configuration settings for the DefectDojo application have been updated, including changes to the SAML2 attribute mapping for the MobSF scan parser.
  4. dojo/tools/mobsfscan/parser.py: The MobsfscanParser class has been updated to handle various edge cases, such as multiple files per finding, deduplication of findings, and findings without associated files.
  5. unittests/tools/test_mobsfscan_parser.py: The test suite for the MobsfscanParser class has been updated to improve the robustness and accuracy of the security scanning process.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@Maffooch Maffooch merged commit bead48c into DefectDojo:bugfix Nov 22, 2024
73 checks passed