Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add DTSA to vulnid #11302

Open
wants to merge 5 commits into
base: bugfix
Choose a base branch
from
Open

Conversation

manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented Nov 21, 2024

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Nov 21, 2024
Copy link

dryrunsecurity bot commented Nov 21, 2024

DryRun Security Summary

The pull request updates the configuration files for the DefectDojo application, including a change to the SHA-256 checksum file for the settings.dist.py file and the addition of new vulnerability URL mappings to the settings.dist.py file, which do not introduce any immediate security concerns.

Expand for full summary

Summary:

The changes in this pull request are focused on updating configuration files for the DefectDojo application. The first change updates the SHA-256 checksum file for the settings.dist.py configuration file, while the second change adds new vulnerability URL mappings to the settings.dist.py file itself.

From an application security perspective, the changes do not introduce any immediate security concerns. The update to the checksum file is a routine maintenance task to ensure the integrity of the configuration file, and the addition of new vulnerability URL mappings is an enhancement to the application's functionality.

However, it is important to ensure that the new hash value in the checksum file is correct and that the settings.dist.py file has been properly reviewed for any security vulnerabilities or issues. Additionally, the process of updating the checksum file should be secure, and the new hash value should be properly propagated to any systems or environments that rely on it.

Files Changed:

  1. dojo/settings/.settings.dist.py.sha256sum: This file contains a SHA-256 hash value that can be used to verify the integrity of the settings.dist.py file. The code change updates the hash value from 93f0a72eaae484814b5b38dba8dc57d529ea3c414b7fa4da8b2e347851dba46e to 697aa434382990cee958fe4876b00edb0ee30275fce26fb14ce5f6b59833c9e1.

  2. dojo/settings/settings.dist.py: This file is a configuration file for the DefectDojo application. The code change adds new vulnerability URL mappings to the VULNERABILITY_URLS dictionary, allowing the application to generate links to vulnerability information for specific vulnerability identifiers (e.g., DSA, DTSA, TEMP).

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro
Copy link
Contributor

@manuel-sommer OK, I have to ask, where are you finding all these? None of them surprised me that they exist but I'm super curious if these are being reported by a tool you're using or if you're just searching around to find them.

Sorry, my curiosity is getting the better of me. 😄

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 21, 2024

A mixture of both. Multiple of them were reported through tools. I regularly review the findings and from time to time I find vulnids which can't be resolved. Then, I make a PR. Also, to deal with this in future scenarios, I advanced my research for future occurances of other findings. --> e.g. https://linuxsecurity.com/ --> Advisories
Last, before I use a scanner, I review the appropriate parser and fix as many inconsistencies as possible for future use.

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

@Maffooch Maffooch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, my curiosity is getting the better of me. 😄

I have been very curious as well 😂 you're quite the detective @manuel-sommer

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants