From edc8112a3d8ee891edb7f94cf6c793664ba8627c Mon Sep 17 00:00:00 2001 From: DefectDojo release bot Date: Mon, 8 Apr 2024 18:04:59 +0000 Subject: [PATCH 1/6] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index baf3a55892..41e9d22009 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.33.1", + "version": "2.34.0-dev", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index af78621888..4758913441 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = '2.33.1' +__version__ = '2.34.0-dev' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index d7d9428c7a..ae5a01ffa4 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.33.1" +appVersion: "2.34.0-dev" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.119 +version: 1.6.120-dev icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap From 3cb060c9776b72cb636d4883695c04030fd7fac0 Mon Sep 17 00:00:00 2001 From: kiblik Date: Tue, 9 Apr 2024 01:51:54 +0200 Subject: [PATCH 2/6] Remove 'version' from docker-compose (#9831) --- docker-compose.override.debug.yml | 1 - docker-compose.override.dev.yml | 1 - docker-compose.override.https.yml | 1 - docker-compose.override.integration_tests.yml | 1 - docker-compose.override.unit_tests_cicd.yml | 1 - docker-compose.yml | 1 - 6 files changed, 6 deletions(-) 
diff --git a/docker-compose.override.debug.yml b/docker-compose.override.debug.yml index da656f60dd..a7ee38fc61 100644 --- a/docker-compose.override.debug.yml +++ b/docker-compose.override.debug.yml @@ -1,5 +1,4 @@ --- -version: '3.8' services: uwsgi: entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST}:${DD_DATABASE_PORT}', '-t', '30', '--', '/entrypoint-uwsgi-dev.sh'] diff --git a/docker-compose.override.dev.yml b/docker-compose.override.dev.yml index 0e1c8087e2..dd7589ec90 100644 --- a/docker-compose.override.dev.yml +++ b/docker-compose.override.dev.yml @@ -1,5 +1,4 @@ --- -version: '3.8' services: uwsgi: entrypoint: ['/wait-for-it.sh', '${DD_DATABASE_HOST}:${DD_DATABASE_PORT}', '-t', '30', '--', '/entrypoint-uwsgi-dev.sh'] diff --git a/docker-compose.override.https.yml b/docker-compose.override.https.yml index 474f08e0bd..abe06b4812 100644 --- a/docker-compose.override.https.yml +++ b/docker-compose.override.https.yml @@ -1,5 +1,4 @@ --- -version: '3.8' services: nginx: environment: diff --git a/docker-compose.override.integration_tests.yml b/docker-compose.override.integration_tests.yml index 7c39d42c15..92033e846e 100644 --- a/docker-compose.override.integration_tests.yml +++ b/docker-compose.override.integration_tests.yml @@ -1,5 +1,4 @@ --- -version: '3.8' services: integration-tests: build: diff --git a/docker-compose.override.unit_tests_cicd.yml b/docker-compose.override.unit_tests_cicd.yml index 0e403a755d..cc677ac41e 100644 --- a/docker-compose.override.unit_tests_cicd.yml +++ b/docker-compose.override.unit_tests_cicd.yml @@ -1,5 +1,4 @@ --- -version: '3.8' services: nginx: image: busybox:1.36.1-musl diff --git a/docker-compose.yml b/docker-compose.yml index a56a39e751..7d52c5db0b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,7 +6,6 @@ # docker-compose.yml file is not intended for production use without first # customizing it to your particular situation. --- -version: '3.8' services: nginx: build: 
From c2059e8c3470cce65bba172ccd5cb7f8dce92dea Mon Sep 17 00:00:00 2001 From: Felix Hernandez Date: Fri, 12 Apr 2024 12:21:18 -0600 Subject: [PATCH 3/6] Checkmarx one parser support API exported files (#9917) * Checkmarx one parser support API exported files * fix fileName path * minor fixes --- dojo/tools/checkmarx_one/parser.py | 31 +- unittests/scans/checkmarx_one/api_export.json | 555 ++++++++++++++++++ unittests/tools/test_checkmarx_one_parser.py | 17 + 3 files changed, 601 insertions(+), 2 deletions(-) create mode 100644 unittests/scans/checkmarx_one/api_export.json diff --git a/dojo/tools/checkmarx_one/parser.py b/dojo/tools/checkmarx_one/parser.py index 699ac64e42..3de2980118 100644 --- a/dojo/tools/checkmarx_one/parser.py +++ b/dojo/tools/checkmarx_one/parser.py @@ -84,9 +84,9 @@ def get_findings(self, file, test): vulnerability.get("similarityId") ) findings.append(finding) - if result_type == "kics": + elif result_type == "kics": description = vulnerability.get("description") - file_path = vulnerability.get("data").get("filename") + file_path = vulnerability.get("data").get("filename", vulnerability.get("data").get("fileName")) finding = Finding( title=f'{description}', description=description, 
@@ -107,4 +107,31 @@ def get_findings(self, file, test): vulnerability.get("similarityId") ) findings.append(finding) + elif result_type in ["sca", "sca-container"]: + description = vulnerability.get("description") + finding = Finding( + title=description, + description=description, + date=date, + severity=vulnerability.get("severity").title(), + verified=vulnerability.get("state") != "TO_VERIFY", + test=test, + cwe=cwe, + static_finding=True, + ) + if vulnerability.get("cveId"): + finding.unsaved_vulnerability_ids = [ + vulnerability.get("cveId") + ] + if vulnerability.get("id"): + finding.unique_id_from_tool = vulnerability.get( + "id" + ) + else: + finding.unique_id_from_tool = str( + vulnerability.get("similarityId") + ) + finding.unsaved_tags = [result_type] + findings.append(finding) + return findings diff --git a/unittests/scans/checkmarx_one/api_export.json b/unittests/scans/checkmarx_one/api_export.json new file mode 100644 index 0000000000..0c851b7256 --- /dev/null +++ b/unittests/scans/checkmarx_one/api_export.json 
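Review bot: The new `sca`/`sca-container` branch never records which package is affected and, on the fixture added in this commit, never records the CVE either: the SCA records there carry the CVE as `id`/`similarityId` and the package as `data.packageName`/`packageVersion` (or `data.packageIdentifier`), while the branch only looks for a `cveId` key that no record in the fixture has, so `unsaved_vulnerability_ids` stays empty and the finding's `component_name`/`component_version` are left unset. Using the description as the title also makes every SCA finding's title a full advisory paragraph, which may not fit the model's title length. I would read `data` once, fill the component fields, and accept a `CVE-` prefixed `id` as the vulnerability id alongside `cveId`, as sketched below; whether the live API export exposes `cveId` at all should be confirmed against a real export. `get_findings` starts outside the hunk.
```python
                elif result_type in ["sca", "sca-container"]:
                    description = vulnerability.get("description")
                    data = vulnerability.get("data") or {}
                    vuln_id = vulnerability.get("id")
                    finding = Finding(
                        title=description,
                        # … unchanged: description, date, severity, verified, test, cwe, static_finding …
                        component_name=data.get("packageName") or data.get("packageIdentifier"),
                        component_version=data.get("packageVersion"),
                    )
                    # accept an explicit cveId, else the record id when it is a CVE number
                    cve = vulnerability.get("cveId")
                    if not cve and vuln_id and vuln_id.startswith("CVE-"):
                        cve = vuln_id
                    if cve:
                        finding.unsaved_vulnerability_ids = [cve]
                    # … unchanged: unique_id_from_tool, unsaved_tags, findings.append …
```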
@@ -0,0 +1,555 @@ +{ + "results": [ + { + "type": "kics", + "id": "704597058", + "similarityId": "05bdd0124158e318fae858d1428d56a824181ff2b786ef4bccb59c2e1682216e", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "MEDIUM", + "confidenceLevel": 0, + "created": "2024-04-03T11:42:23Z", + "firstFoundAt": "2023-12-04T11:56:51Z", + "foundAt": "2024-04-03T11:42:23Z", + "firstScanId": "046ee778-accb-45c9-9cd1-f79668c8cbeb", + "description": "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.", + "data": { + "queryId": "555ab8f9-2001-455e-a077-f2d0f41e2fb9 [Taken from query_id]", + "queryName": "Unpinned Actions Full Length Commit SHA", + "group": "Supply-Chain [Taken from category]", + "queryUrl": "Unpinned Actions Full Length Commit SHA [Taken from query_name]", + "fileName": "/.github/workflows/checkmarx.yaml", + "line": 17, + "platform": "CICD", + "issueType": "IncorrectValue", + "expectedValue": "Action pinned to a full length commit SHA.", + "value": "Action is not pinned to a full length commit SHA." + }, + "comments": {}, + "vulnerabilityDetails": {} + }, + { + "type": "sast", + "id": "wUBV69FwAKwM2V0JMHrAf1C00Dk=", + "similarityId": "-624652752", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "MEDIUM", + "confidenceLevel": 0, + "created": "2024-04-08T20:12:22Z", + "firstFoundAt": "2024-04-08T17:07:12Z", + "foundAt": "2024-04-08T20:12:22Z", + "firstScanId": "06befdb0-0c91-4cfd-9e6b-dc447cf3c4fc", + "description": "/robot/SAC016 atendimento_seller.py relies HTTPS requests, in main. 
The get parameter, at line 50, effectively disables verification of the SSL certificate trust chain.\n\n", + "data": { + "queryId": 8957684266794785000, + "queryName": "SSL_Verification_Bypass", + "group": "Python_Medium_Threat", + "resultHash": "wUBV69FwAKwM2V0JMHrAf1C00Dk=", + "languageName": "Python", + "nodes": [ + { + "id": "R18ggKhxzyHu1g4VGRXnCzuYBTA=", + "line": 50, + "name": "false", + "column": 56, + "length": 5, + "method": "main", + "nodeID": 1235, + "domType": "BooleanLiteral", + "fileName": "/robot/SAC016 atendimento_seller.py", + "fullName": "false", + "typeName": "BooleanLiteral", + "methodLine": 14, + "definitions": "-1" + }, + { + "id": "OV9IntfK3HCqiF3UxKAAgUXKkAQ=", + "line": 50, + "name": "get", + "column": 29, + "length": 3, + "method": "main", + "nodeID": 1227, + "domType": "MethodInvokeExpr", + "fileName": "/robot/SAC016 atendimento_seller.py", + "fullName": "requests.get", + "typeName": "get", + "methodLine": 14, + "definitions": "0" + } + ] + }, + "comments": {}, + "vulnerabilityDetails": { + "cweId": 599, + "compliances": [ + "MOIS(KISA) Secure Coding 2021", + "OWASP ASVS", + "OWASP Top 10 2021", + "SANS top 25" + ] + } + }, + { + "type": "sast", + "id": "599424943", + "similarityId": "1012480974", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "LOW", + "confidenceLevel": 0, + "created": "2024-04-09T20:27:34Z", + "firstFoundAt": "2024-03-01T16:15:45Z", + "foundAt": "2024-04-09T20:27:34Z", + "firstScanId": "395dc4a5-4196-494a-971d-ed0369d64b52", + "description": "No checks to identify whether the device has been rooted were found.\n\n", + "data": { + "queryId": 5904646516379823000, + "queryName": "Missing_Rooted_Device_Check", + "group": "Kotlin_Android", + "resultHash": "vOqNOr/NihqjRTHlMQE8aI5223k=", + "languageName": "Kotlin", + "nodes": [ + { + "id": "YuN11R9zQZp9KpJJv+x8G4yMZkQ=", + "line": 13, + "name": "main", + "column": 5, + "length": 4, + "method": "main", + "nodeID": 20212, + "domType": "MethodDecl", + 
"fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/CentauroBackofficeApiApplication.kt", + "fullName": "main", + "methodLine": 13, + "definitions": "1" + } + ] + }, + "comments": {}, + "vulnerabilityDetails": { + "cweId": 693, + "compliances": null + } + }, + { + "type": "sca-container", + "id": "CVE-2024-28085", + "similarityId": "CVE-2024-28085", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "LOW", + "confidenceLevel": 0, + "created": "2024-04-09T20:26:39Z", + "firstFoundAt": "2024-04-08T07:51:56Z", + "foundAt": "2024-04-09T20:26:39Z", + "firstScanId": "2f38848b-48dc-4656-a44f-9a4576108c48", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "data": { + "packageName": "libuuid1", + "packageVersion": "2.34-0.1ubuntu9.4", + "publishedAt": "2024-03-27T19:15:48+00:00", + "metadata": { + "enrichers": [ + "ResultIDEnrichResult", + "FirstFoundEnrichResult", + "StatusEnrichResult" + ] + } + }, + "comments": { + "comments": "" + }, + "vulnerabilityDetails": { + "cvssScore": 0, + "cveName": "", + "cweId": "", + "cvss": {} + } + }, + { + "type": "sast", + "id": "5JhJ3WKFg0HVdCiGPhzsHccG6RA=", + "similarityId": "375824765", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "MEDIUM", + "confidenceLevel": 0, + "created": "2024-04-09T20:27:34Z", + "firstFoundAt": "2024-03-25T13:20:06Z", + "foundAt": "2024-04-09T20:27:34Z", + "firstScanId": "e10744e2-8bd5-41b3-afcd-af0d5ea34753", + "description": "Method processOrder at line 18 of /src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/api/OrderIntegrationController.kt gets user input from element payload . 
This element’s value flows through the code without being validated, and is eventually used in a loop condition in mapToEntity at line 19 of /src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/ItPedidosSiteAtMapper.kt. This constitutes an Unchecked Input for Loop Condition.\n\n", + "data": { + "queryId": 7308467749988345000, + "queryName": "Unchecked_Input_for_Loop_Condition", + "group": "Kotlin_Medium_Threat", + "resultHash": "5JhJ3WKFg0HVdCiGPhzsHccG6RA=", + "languageName": "Kotlin", + "nodes": [ + { + "id": "jI5HZPnvmPZE7ku6EQQF7sEgS/U=", + "line": 18, + "name": "payload", + "column": 22, + "length": 7, + "method": "processOrder", + "nodeID": 20680, + "domType": "ParamDecl", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/api/OrderIntegrationController.kt", + "fullName": "OrderIntegrationController.processOrder.payload", + "typeName": "OrderIntegrationRequest", + "methodLine": 17, + "definitions": "1" + }, + { + "id": "RlC8sPQzgE+XAnIxCQzXFBj7hdA=", + "line": 20, + "name": "payload", + "column": 43, + "length": 7, + "method": "processOrder", + "nodeID": 20660, + "domType": "UnknownReference", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/api/OrderIntegrationController.kt", + "fullName": "OrderIntegrationController.processOrder.payload", + "typeName": "OrderIntegrationRequest", + "methodLine": 17, + "definitions": "1" + }, + { + "id": "4K5ae6rvN7weIiN4vKArfrkXKno=", + "line": 20, + "name": "orderV2Dto", + "column": 51, + "length": 10, + "method": "processOrder", + "nodeID": 20661, + "domType": "MemberAccess", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/api/OrderIntegrationController.kt", + "fullName": "OrderIntegrationController.processOrder.payload.orderV2Dto", + "typeName": "OrderV2Dto", + "methodLine": 17, + "definitions": "1" + }, + { + "id": "ArGwisa9yeqMtJC7hiFHDmXMFdM=", + "line": 63, + "name": 
"order", + "column": 9, + "length": 5, + "method": "saveOrder", + "nodeID": 55152, + "domType": "ParamDecl", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/service/OrderIntegrationService.kt", + "fullName": "OrderIntegrationService.saveOrder.order", + "typeName": "OrderV2Dto", + "methodLine": 62, + "definitions": "1" + }, + { + "id": "WOm76cc9Rxr1FvEQvMm19gENblU=", + "line": 88, + "name": "order", + "column": 57, + "length": 5, + "method": "saveOrder", + "nodeID": 54803, + "domType": "UnknownReference", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/service/OrderIntegrationService.kt", + "fullName": "OrderIntegrationService.saveOrder.order", + "typeName": "OrderV2Dto", + "methodLine": 62, + "definitions": "1" + }, + { + "id": "ccApoHEYoJlhag1EhoWZ6TmE+VE=", + "line": 22, + "name": "order", + "column": 9, + "length": 5, + "method": "map", + "nodeID": 32399, + "domType": "ParamDecl", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.order", + "typeName": "OrderV2Dto", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "I9skkjfUDYdzTwJf8t5EcTJ5bm8=", + "line": 26, + "name": "order", + "column": 29, + "length": 5, + "method": "map", + "nodeID": 32290, + "domType": "UnknownReference", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.order", + "typeName": "OrderV2Dto", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "vqXXHbM8Uo7fycMJGvZY+nblwTc=", + "line": 26, + "name": "delivery", + "column": 35, + "length": 8, + "method": "map", + "nodeID": 32291, + "domType": "MemberAccess", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": 
"BaseMapper.map.order.delivery", + "typeName": "DeliveryDto", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "QvfpBIOMR4wgnMezxwbon2E3vt8=", + "line": 26, + "name": "groups", + "column": 45, + "length": 6, + "method": "map", + "nodeID": 32292, + "domType": "MemberAccess", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.order.delivery.groups", + "typeName": "MutableSet", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "5wwVv/Jt6kkaBhZrRDAcEs5lR2Y=", + "line": 26, + "name": "firstOrNull", + "column": 53, + "length": 11, + "method": "map", + "nodeID": 32295, + "domType": "MethodInvokeExpr", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.order.delivery.groups.firstOrNull", + "typeName": "firstOrNull", + "methodLine": 21, + "definitions": "0" + }, + { + "id": "uiMi2/1yDbGY7JWmiSLGRjY5OJ4=", + "line": 26, + "name": "deliveryGroup", + "column": 13, + "length": 13, + "method": "map", + "nodeID": 32289, + "domType": "Declarator", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.deliveryGroup", + "typeName": "DeliveryGroupDto", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "nDCCjXl74JdHqzJPV6+rik6FUg8=", + "line": 29, + "name": "deliveryGroup", + "column": 50, + "length": 13, + "method": "map", + "nodeID": 32396, + "domType": "UnknownReference", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/BaseMapper.kt", + "fullName": "BaseMapper.map.deliveryGroup", + "typeName": "DeliveryGroupDto", + "methodLine": 21, + "definitions": "1" + }, + { + "id": "uNhJeYxfnJL5Rd2BvPaUINnS344=", + "line": 15, + "name": 
"deliveryGroup", + "column": 9, + "length": 13, + "method": "mapToEntity", + "nodeID": 35790, + "domType": "ParamDecl", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/ItPedidosSiteAtMapper.kt", + "fullName": "ItPedidosSiteAtMapper.mapToEntity.deliveryGroup", + "typeName": "DeliveryGroupDto", + "methodLine": 12, + "definitions": "1" + }, + { + "id": "p8KGK04SPIrcD1ip3F9L34cHr1o=", + "line": 19, + "name": "deliveryGroup", + "column": 46, + "length": 13, + "method": "mapToEntity", + "nodeID": 35569, + "domType": "UnknownReference", + "fileName": "/src/main/kotlin/ca/com/squeaky-clean-fresh/centaurobackofficeapi/infrastructure/repositories/informix/mappers/ItPedidosSiteAtMapper.kt", + "fullName": "ItPedidosSiteAtMapper.mapToEntity.deliveryGroup", + "typeName": "DeliveryGroupDto", + "methodLine": 12, + "definitions": "1" + } + ] + }, + "comments": {}, + "vulnerabilityDetails": { + "cweId": 606, + "compliances": [ + "OWASP Top 10 2021" + ] + } + }, + { + "type": "sca-container", + "id": "CVE-2020-26137", + "similarityId": "CVE-2020-26137", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "MEDIUM", + "confidenceLevel": 0, + "created": "2024-04-09T20:26:39Z", + "firstFoundAt": "2024-01-31T18:15:29Z", + "foundAt": "2024-04-09T20:26:39Z", + "firstScanId": "8635c62c-d0ef-423b-97ca-44866fa1157b", + "description": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). 
NOTE: this is similar to CVE-2020-26116.", + "data": { + "packageName": "urllib3", + "packageVersion": "1.25.8", + "publishedAt": "2020-09-30T18:15:00+00:00", + "metadata": { + "enrichers": [ + "ResultIDEnrichResult", + "FirstFoundEnrichResult", + "StatusEnrichResult" + ] + } + }, + "comments": { + "comments": "" + }, + "vulnerabilityDetails": { + "cvssScore": 0, + "cveName": "", + "cweId": "CWE-74", + "cvss": { + "version": 3, + "attackVector": "NETWORK", + "availability": "NONE", + "cvss3severity": "Medium", + "authentication": "NONE", + "confidentiality": "LOW", + "integrityImpact": "LOW", + "attackComplexity": "LOW" + } + } + }, + { + "type": "sca", + "id": "Cxda14f253-4e52", + "similarityId": "Cxda14f253-4e52", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "LOW", + "confidenceLevel": 0, + "created": "2024-03-21T23:18:03Z", + "firstFoundAt": "2023-08-21T11:55:47Z", + "foundAt": "2024-03-21T23:18:03Z", + "firstScanId": "7ef7bca2-18e6-41ac-8182-252e6e0eefa7", + "description": "The package `bluebird` is vulnerable to memory leak, when running the function longStackTraces() with the flag `--expose_gc`. 
This causes a significant increase in the memory usage, affecting the server's availability.", + "data": { + "packageIdentifier": "Npm-bluebird-3.7.2", + "publishedAt": "2016-04-24T21:00:00+00:00", + "recommendations": "", + "recommendedVersion": "", + "exploitableMethods": null, + "packageData": [ + { + "url": "https://github.com/petkaantonov/bluebird/issues/1080", + "type": "Issue", + "comment": "https://github.com/petkaantonov/bluebird/issues/1080" + } + ] + }, + "comments": { + "comments": "" + }, + "vulnerabilityDetails": { + "cvssScore": 3.700000047683716, + "cveName": "CWE-401", + "cweId": "CWE-401", + "cvss": { + "version": 3, + "attackVector": "NETWORK", + "availability": "LOW", + "cvss3severity": "Low", + "confidentiality": "NONE", + "attackComplexity": "HIGH" + } + } + }, + { + "type": "sca", + "id": "CVE-2023-44270", + "similarityId": "CVE-2023-44270", + "status": "RECURRENT", + "state": "TO_VERIFY", + "severity": "MEDIUM", + "confidenceLevel": 0, + "created": "2024-03-21T23:18:03Z", + "firstFoundAt": "2023-10-24T19:06:36Z", + "foundAt": "2024-03-21T23:18:03Z", + "firstScanId": "99c3412d-bfb5-4ebc-b465-96f406da4467", + "description": "An issue was discovered in postcss versions prior to 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. 
After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.", + "data": { + "packageIdentifier": "Npm-postcss-7.0.39", + "publishedAt": "2023-09-29T10:44:00+00:00", + "recommendations": "", + "recommendedVersion": "8.4.31", + "exploitableMethods": null, + "packageData": [ + { + "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j", + "type": "Advisory", + "comment": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j" + }, + { + "url": "https://github.com/postcss/postcss/releases/tag/8.4.31", + "type": "Release Note", + "comment": "https://github.com/postcss/postcss/releases/tag/8.4.31" + }, + { + "url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5", + "type": "Commit", + "comment": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5" + } + ] + }, + "comments": { + "comments": "" + }, + "vulnerabilityDetails": { + "cvssScore": 5.300000190734863, + "cveName": "CWE-74", + "cweId": "CWE-74", + "cvss": { + "version": 3, + "attackVector": "NETWORK", + "availability": "NONE", + "cvss3severity": "Medium", + "confidentiality": "NONE", + "attackComplexity": "LOW" + } + } + } + ], + "totalCount": 7 + } \ No newline at end of file diff --git a/unittests/tools/test_checkmarx_one_parser.py b/unittests/tools/test_checkmarx_one_parser.py index 31d6fdbed5..4cda49a26e 100644 --- a/unittests/tools/test_checkmarx_one_parser.py +++ b/unittests/tools/test_checkmarx_one_parser.py 
@@ -45,3 +45,20 @@ def test_checkmarx_one_no_findings(self): parser = CheckmarxOneParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) + + def test_checkmarx_one_new_format(self): + with open("unittests/scans/checkmarx_one/api_export.json") as testfile: + parser = CheckmarxOneParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(8, len(findings)) + with self.subTest(i=0): + for finding in findings: + self.assertIsNotNone(finding.unique_id_from_tool) + self.assertIsNotNone(finding.title) + self.assertIsNotNone(finding.test) + self.assertIsNotNone(finding.date) + self.assertIsNotNone(finding.severity) + self.assertIsNotNone(finding.description) + finding_test = findings[0] + self.assertEqual("Medium", finding_test.severity) + self.assertEqual("/.github/workflows/checkmarx.yaml", finding_test.file_path) From 01914af2e4d4da6df2de281d7c62962b82c14ea0 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 15 Apr 2024 18:51:00 +0200 Subject: [PATCH 4/6] :bug: jake json output in cyclonedx not parsed (#9873) * :bug: jake json output in cyclonedx not parsed * remove jake as it is invalid * flake8 * remove cyclonedx_cwe --- unittests/scans/cyclonedx/cyclonedx_cwe.json | 71 --- unittests/scans/cyclonedx/jake.json | 602 ------------------- unittests/tools/test_cyclonedx_parser.py | 15 - 3 files changed, 688 deletions(-) delete mode 100644 unittests/scans/cyclonedx/cyclonedx_cwe.json delete mode 100644 unittests/scans/cyclonedx/jake.json diff --git a/unittests/scans/cyclonedx/cyclonedx_cwe.json b/unittests/scans/cyclonedx/cyclonedx_cwe.json deleted file mode 100644 index dddc849d1e..0000000000 --- a/unittests/scans/cyclonedx/cyclonedx_cwe.json +++ /dev/null 
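Review bot: `with self.subTest(i=0)` wraps the whole loop under one constant label, so a failing assertion does not say which of the eight findings broke; move the subTest inside the loop, `for i, finding in enumerate(findings):` then `with self.subTest(i=i):`. The test also inspects only `findings[0]`, the kics record, so the `sca`/`sca-container` branch this commit adds is exercised but its output is never asserted; assuming findings keep result order, a check on one SCA finding such as `self.assertEqual(["sca-container"], findings[3].unsaved_tags)` would pin it. The fixture's `totalCount` is 7 while eight results are listed and asserted, which is worth correcting in the fixture to avoid confusion. The enclosing test class starts outside the hunk.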
@@ -1,71 +0,0 @@ -{ - "bomFormat": "CycloneDX", - "specVersion": "1.4", - "version": "1", - "serialNumber": "fb206469-0178-4dec-9397-987f51f4d4e0", - "vulnerabilities": [ - { - "id": "CVE-2018-10054", - "source": { - "url": "https://www.exploit-db.com/exploits/44422/", - "name": "Vendor Disclosure" - }, - "ratings": [ - { - "score": 6.5, - "severity": "medium", - "method": "CVSSv2", - "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P" - }, - { - "score": 8.8, - "severity": "high", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "created": "2018-06-25T00:00:00.000+0000", - "published": "2018-03-29T00:00:00.000+0000", - "updated": "2022-06-17T00:00:00.000+0000", - "cwes": [ - 20 - ], - "description": "Arbitrary Code Execution H2 Database Engine is vulnerable to arbitrary code execution.It allows an authorized user to inject arbitrary java code using H2 SQL ALIAS command `CREATE ALIAS`.", - "affects": [ - { - "ref": "maven:com.h2database:h2:2.1.210:" - } - ], - "properties": [ - { - "name": "Vulnerability Link", - "value": "https://www.exploit-db.com/exploits/44422/" - }, - { - "name": "Vulnerability Link", - "value": "https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html" - }, - { - "name": "Vulnerability Link", - "value": "http://blog.datomic.com/2018/03/important-security-update.html" - }, - { - "name": "Vulnerability Link", - "value": "https://forum.datomic.com/t/important-security-update-0-9-5697/379" - }, - { - "name": "Vulnerability Link", - "value": "https://github.com/h2database/h2database/blob/f97a3dcc856c012b45112cea48d0f1e1bc5518b4/h2/src/main/org/h2/server/web/WebServer.java#L279-L280" - }, - { - "name": "Vulnerability Link", - "value": "https://github.com/h2database/h2database/blob/f97a3dcc856c012b45112cea48d0f1e1bc5518b4/h2/src/main/org/h2/server/web/WebServer.java#L267" - }, - { - "name": "Vulnerability Link", - "value": 
"https://lists.apache.org/thread.html/582d4165de6507b0be82d5a6f9a1ce392ec43a00c9fed32bacf7fe1e@%3Cuser.ignite.apache.org%3E" - } - ] - } - ] -} diff --git a/unittests/scans/cyclonedx/jake.json b/unittests/scans/cyclonedx/jake.json deleted file mode 100644 index 93333275c4..0000000000 --- a/unittests/scans/cyclonedx/jake.json +++ /dev/null 
@@ -1,602 +0,0 @@ -{ - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", - "bomFormat": "CycloneDX", - "specVersion": "1.4", - "serialNumber": "urn:uuid:121d3591-2fa5-46f1-bf7f-8647df93fa82", - "version": 1, - "metadata": { - "timestamp": "2022-01-23T21:32:26.030422+00:00", - "tools": [ - { - "vendor": "CycloneDX", - "name": "cyclonedx-python-lib", - "version": "1.1.1", - "externalReferences": [ - { - "type": "build-system", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" - }, - { - "type": "distribution", - "url": "https://pypi.org/project/cyclonedx-python-lib/" - }, - { - "type": "documentation", - "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" - }, - { - "type": "issue-tracker", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" - }, - { - "type": "license", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" - }, - { - "type": "release-notes", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" - }, - { - "type": "vcs", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib" - }, - { - "type": "website", - "url": "https://cyclonedx.org" - } - ] - } - ] - }, - "components": [ - { - "type": "library", - "author": "Andrey Petrov", - "name": "urllib3", - "version": "1.26.8", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/urllib3@1.26.8" - }, - { - "type": "library", - "name": "types-toml", - "version": "0.10.1", - "licenses": [ - { - "expression": "Apache-2.0 license" - } - ], - "purl": "pkg:pypi/types-toml@0.10.1" - }, - { - "type": "library", - "name": "types-setuptools", - "version": "57.4.4", - "licenses": [ - { - "expression": "Apache-2.0 license" - } - ], - "purl": "pkg:pypi/types-setuptools@57.4.4" - }, - { - "type": "library", - "author": "William Pearson", - "name": "toml", - "version": "0.10.2", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/toml@0.10.2" - }, - { - "type": "library", 
- "author": "Markus Siemens", - "name": "tinydb", - "version": "4.6.1", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/tinydb@4.6.1" - }, - { - "type": "library", - "author": "Python Packaging Authority", - "name": "setuptools", - "version": "58.1.0", - "purl": "pkg:pypi/setuptools@58.1.0" - }, - { - "type": "library", - "author": "Will McGugan", - "name": "rich", - "version": "11.0.0", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/rich@11.0.0" - }, - { - "type": "library", - "author": "Kenneth Reitz", - "name": "requests", - "version": "2.27.1", - "licenses": [ - { - "expression": "Apache 2.0" - } - ], - "purl": "pkg:pypi/requests@2.27.1" - }, - { - "type": "library", - "author": "Stuart Bishop", - "name": "pytz", - "version": "2021.3", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/pytz@2021.3" - }, - { - "type": "library", - "author": "Georg Brandl", - "name": "Pygments", - "version": "2.11.2", - "licenses": [ - { - "expression": "BSD License" - } - ], - "purl": "pkg:pypi/pygments@2.11.2" - }, - { - "type": "library", - "author": "A lot of people", - "name": "pyflakes", - "version": "2.4.0", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/pyflakes@2.4.0" - }, - { - "type": "library", - "author": "Peter Waller (Thanks to Christopher Jones and Stefano Rivera)", - "name": "pyfiglet", - "version": "0.8.post1", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/pyfiglet@0.8.post1" - }, - { - "type": "library", - "author": "Johann C. 
Rocholl", - "name": "pycodestyle", - "version": "2.8.0", - "licenses": [ - { - "expression": "Expat license" - } - ], - "purl": "pkg:pypi/pycodestyle@2.8.0" - }, - { - "type": "library", - "author": "Donal Mee", - "name": "polling2", - "version": "0.5.0", - "purl": "pkg:pypi/polling2@0.5.0" - }, - { - "type": "library", - "author": "The pip developers", - "name": "pip", - "version": "21.2.4", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/pip@21.2.4" - }, - { - "type": "library", - "author": "the purl authors", - "name": "packageurl-python", - "version": "0.9.6", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/packageurl-python@0.9.6" - }, - { - "type": "library", - "author": "Paul Horton", - "name": "ossindex-lib", - "version": "0.2.1", - "licenses": [ - { - "expression": "Apache-2.0" - } - ], - "purl": "pkg:pypi/ossindex-lib@0.2.1" - }, - { - "type": "library", - "author": "Ian Cordasco", - "name": "mccabe", - "version": "0.6.1", - "licenses": [ - { - "expression": "Expat license" - } - ], - "purl": "pkg:pypi/mccabe@0.6.1" - }, - { - "type": "library", - "author": "Sonatype Community", - "name": "jake", - "version": "1.4.0", - "licenses": [ - { - "expression": "Apache-2.0" - } - ], - "purl": "pkg:pypi/jake@1.4.0" - }, - { - "type": "library", - "author": "Kim Davies", - "name": "idna", - "version": "3.3", - "licenses": [ - { - "expression": "BSD-3-Clause" - } - ], - "purl": "pkg:pypi/idna@3.3" - }, - { - "type": "library", - "author": "Tarek Ziade", - "name": "flake8", - "version": "4.0.1", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/flake8@4.0.1" - }, - { - "type": "library", - "author": "Django Software Foundation", - "name": "Django", - "version": "2.0.1", - "licenses": [ - { - "expression": "BSD" - } - ], - "purl": "pkg:pypi/django@2.0.1" - }, - { - "type": "library", - "author": "Paul Horton", - "name": "cyclonedx-python-lib", - "version": "1.1.1", - "licenses": [ - { - "expression": 
"Apache-2.0" - } - ], - "purl": "pkg:pypi/cyclonedx-python-lib@1.1.1" - }, - { - "type": "library", - "author": "Steven Springett", - "name": "cyclonedx-bom", - "version": "2.0.0", - "licenses": [ - { - "expression": "Apache-2.0" - } - ], - "purl": "pkg:pypi/cyclonedx-bom@2.0.0" - }, - { - "type": "library", - "author": "Bibek Kafle , Roland Shoemaker ", - "name": "commonmark", - "version": "0.9.1", - "licenses": [ - { - "expression": "BSD-3-Clause" - } - ], - "purl": "pkg:pypi/commonmark@0.9.1" - }, - { - "type": "library", - "author": "Jonathan Hartley", - "name": "colorama", - "version": "0.4.4", - "licenses": [ - { - "expression": "BSD" - } - ], - "purl": "pkg:pypi/colorama@0.4.4" - }, - { - "type": "library", - "author": "Ahmed TAHRI @Ousret", - "name": "charset-normalizer", - "version": "2.0.10", - "licenses": [ - { - "expression": "MIT" - } - ], - "purl": "pkg:pypi/charset-normalizer@2.0.10" - }, - { - "type": "library", - "author": "Kenneth Reitz", - "name": "certifi", - "version": "2021.10.8", - "licenses": [ - { - "expression": "MPL-2.0" - } - ], - "purl": "pkg:pypi/certifi@2021.10.8" - } - ], - "vulnerabilities": [ - { - "bom-ref": "c7129ff8-08bc-4afe-82ec-7d97b9491741", - "id": "CVE-2021-33203", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/c7129ff8-08bc-4afe-82ec-7d97b9491741?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/c7129ff8-08bc-4afe-82ec-7d97b9491741?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 7.5, - "severity": "high", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "description": "[CVE-2021-33203] Django before 
2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential ...", - "detail": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories." - }, - { - "bom-ref": "c9b6a6a5-01a4-4d4c-b480-b9d6825dc4d0", - "id": "CVE-2018-7536", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/c9b6a6a5-01a4-4d4c-b480-b9d6825dc4d0?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/" - } - }, - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7536" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/c9b6a6a5-01a4-4d4c-b480-b9d6825dc4d0?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 5.3, - "severity": "medium", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" - } - ], - "description": "[CVE-2018-7536] Incorrect Regular Expression", - "detail": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). 
The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable." - }, - { - "bom-ref": "40fb7665-767b-40f5-bb08-3d0ed295cfaf", - "id": "CVE-2018-7537", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/40fb7665-767b-40f5-bb08-3d0ed295cfaf?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases/" - } - }, - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7537" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/40fb7665-767b-40f5-bb08-3d0ed295cfaf?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 5.3, - "severity": "medium", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" - } - ], - "description": "[CVE-2018-7537] Incorrect Regular Expression", - "detail": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable." 
- }, - { - "bom-ref": "87a595e6-8e97-40a3-8677-13bd76364267", - "id": "CVE-2018-14574", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/87a595e6-8e97-40a3-8677-13bd76364267?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://www.djangoproject.com/weblog/2018/aug/01/security-releases/" - } - }, - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14574" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/87a595e6-8e97-40a3-8677-13bd76364267?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 6.1, - "severity": "medium", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" - } - ], - "description": "[CVE-2018-14574] URL Redirection to Untrusted Site (\"Open Redirect\")", - "detail": "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect." 
- }, - { - "bom-ref": "4fe076be-8570-4056-beec-dd93d99543bd", - "id": "CVE-2019-3498", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/4fe076be-8570-4056-beec-dd93d99543bd?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3498" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/4fe076be-8570-4056-beec-dd93d99543bd?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 6.5, - "severity": "medium", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" - } - ], - "description": "[CVE-2019-3498] Improper Input Validation", - "detail": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content." 
- }, - { - "bom-ref": "eeeaf73f-4e79-4d40-b6c1-75c75f5460a1", - "id": "CVE-2019-6975", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/eeeaf73f-4e79-4d40-b6c1-75c75f5460a1?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6975" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/eeeaf73f-4e79-4d40-b6c1-75c75f5460a1?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 7.5, - "severity": "high", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "description": "[CVE-2019-6975] Uncontrolled Resource Consumption (\"Resource Exhaustion\")", - "detail": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function." 
- }, - { - "bom-ref": "90cfba6a-ddc9-4708-b131-5d875e8c558d", - "id": "CVE-2018-6188", - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/90cfba6a-ddc9-4708-b131-5d875e8c558d?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "references": [ - { - "source": { - "url": "https://www.djangoproject.com/weblog/2018/feb/01/security-releases/" - } - }, - { - "source": { - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6188" - } - } - ], - "ratings": [ - { - "source": { - "name": "Oss Index", - "url": "https://ossindex.sonatype.org/vulnerability/90cfba6a-ddc9-4708-b131-5d875e8c558d?component-type=pypi&component-name=django&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration" - }, - "score": 7.5, - "severity": "high", - "method": "CVSSv3", - "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "description": "[CVE-2018-6188] Information Exposure", - "detail": "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive." - } - ] -} \ No newline at end of file diff --git a/unittests/tools/test_cyclonedx_parser.py b/unittests/tools/test_cyclonedx_parser.py index 162a108aeb..ef0371bf09 100644 --- a/unittests/tools/test_cyclonedx_parser.py +++ b/unittests/tools/test_cyclonedx_parser.py 
@@ -284,21 +284,6 @@ def test_cyclonedx_1_4_jake_json(self): ) self.assertEqual(datetime.date(2022, 1, 28), datetime.datetime.date(finding.date)) - def test_cyclonedx_json_cwe(self): - """CycloneDX version 1.4 JSON format""" - with open("unittests/scans/cyclonedx/cyclonedx_cwe.json") as file: - parser = CycloneDXParser() - findings = parser.get_findings(file, Test()) - for finding in findings: - self.assertIn(finding.severity, Finding.SEVERITIES) - finding.clean() - self.assertEqual(1, len(findings)) - with self.subTest(i=0): - finding = findings[0] - self.assertEqual("High", finding.severity) - self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3) - self.assertEqual(20, finding.cwe) - def test_cyclonedx_1_4_xml_cvssv31(self): """CycloneDX version 1.4 XML format""" with open("unittests/scans/cyclonedx/log4j.xml") as file: From 8d9a940b8c5b2c737f8a0b8c233bfe84a10f9cfc Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Mon, 15 Apr 2024 20:09:22 +0200 Subject: [PATCH 5/6] fixme from cobalt parser (#9921) --- dojo/tools/cobalt/parser.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/dojo/tools/cobalt/parser.py b/dojo/tools/cobalt/parser.py index 172982dd67..ea03fb33cf 100644 --- a/dojo/tools/cobalt/parser.py +++ b/dojo/tools/cobalt/parser.py @@ -27,16 +27,8 @@ def get_findings(self, filename, test): reader = csv.DictReader( io.StringIO(content), delimiter=",", quotechar='"' ) - csvarray = [] - dupes = dict() - - # FIXME double loop, could lead to performance pb if the number of - # issues is big for row in reader: - csvarray.append(row) - - for row in csvarray: finding = Finding(test=test) finding.title = ( row["Title"] if row["Title"][0] != "'" else row["Title"][1:] From 66c46c65b6d668a9528b7d3c2ea0979a00b25ac9 Mon Sep 17 00:00:00 2001 
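Review bot: `row["Title"][0]` on the retained line at the end of the cobalt hunk raises IndexError for an empty Title cell and KeyError if the column is absent, and now that rows are consumed straight from `reader` one such row aborts the entire import rather than just that finding. Replacing the two lines with `title = row.get("Title", "")` and `finding.title = title[1:] if title.startswith("'") else title` handles both cases without changing the result for well-formed rows. The hunk also drops `dupes = dict()`; I assume the remainder of get_findings, which starts before the hunk and continues past it, no longer references `dupes`, since a later `dupes[...]` would now raise NameError — worth confirming. The stripped leading apostrophe looks like a spreadsheet formula-injection escape (`'=...`), so a cell beginning `'=` is stored as `=...`; that is harmless here but anything that re-exports findings to CSV must re-escape it.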
From: DefectDojo release bot Date: Mon, 15 Apr 2024 18:10:23 +0000 Subject: [PATCH 6/6] Update versions in application files --- components/package.json | 2 +- dojo/__init__.py | 2 +- helm/defectdojo/Chart.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/components/package.json b/components/package.json index 41e9d22009..414b261866 100644 --- a/components/package.json +++ b/components/package.json @@ -1,6 +1,6 @@ { "name": "defectdojo", - "version": "2.34.0-dev", + "version": "2.33.2", "license" : "BSD-3-Clause", "private": true, "dependencies": { diff --git a/dojo/__init__.py b/dojo/__init__.py index 4758913441..d97cb16476 100644 --- a/dojo/__init__.py +++ b/dojo/__init__.py @@ -4,6 +4,6 @@ # Django starts so that shared_task will use this app. from .celery import app as celery_app # noqa: F401 -__version__ = '2.34.0-dev' +__version__ = '2.33.2' __url__ = 'https://github.com/DefectDojo/django-DefectDojo' __docs__ = 'https://documentation.defectdojo.com' diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml index ae5a01ffa4..0f892f8ccc 100644 --- a/helm/defectdojo/Chart.yaml +++ b/helm/defectdojo/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -appVersion: "2.34.0-dev" +appVersion: "2.33.2" description: A Helm chart for Kubernetes to install DefectDojo name: defectdojo -version: 1.6.120-dev +version: 1.6.120 icon: https://www.defectdojo.org/img/favicon.ico maintainers: - name: madchap