Merge pull request #10851 from DefectDojo/bugfix

Bugfix -> Dev: Release 2.38.0

Author: Maffooch

dojo/importers/default_reimporter.py

@@ -476,6 +476,13 @@ def process_matched_special_status_finding(
         ):
             self.unchanged_items.append(existing_finding)
             return existing_finding, True
+        # If the finding is risk accepted and inactive in Defectdojo we do not sync the status from the scanner
+        # We also need to add the finding to 'unchanged_items' as otherwise it will get mitigated by the reimporter
+        # (Risk accepted findings are not set to mitigated by Defectdojo)
+        # We however do not exit the loop as we do want to update the endpoints (in case some endpoints were fixed)
+        elif existing_finding.risk_accepted and not existing_finding.active:
+            self.unchanged_items.append(existing_finding)
+            return existing_finding, False
         # The finding was not an exact match, so we need to add more details about from the
         # new finding to the existing. Return False here to make process further
         return existing_finding, False

dojo/tools/npm_audit_7_plus/parser.py

@@ -121,7 +121,10 @@ def get_item(item_node, tree, test):
     elif item_node["via"] and isinstance(item_node["via"][0], dict):
         title = item_node["via"][0]["title"]
         component_name = item_node["nodes"][0]
-        cwe = item_node["via"][0]["cwe"][0]
+        if len(item_node["via"][0]["cwe"]) > 0:
+            cwe = item_node["via"][0]["cwe"][0]
+        else:
+            cwe = None
         references.append(item_node["via"][0]["url"])
         unique_id_from_tool = str(item_node["via"][0]["source"])
         cvssv3 = item_node["via"][0]["cvss"]["vectorString"]
@@ -144,15 +147,11 @@ def get_item(item_node, tree, test):
             if isinstance(vuln, dict):
                 references.append(vuln["url"])
 
-    if len(cwe):
-        cwe = int(cwe.split("-")[1])
-
     dojo_finding = Finding(
         title=title,
         test=test,
         severity=severity,
         description=description,
-        cwe=cwe,
         mitigation=mitigation,
         references=", ".join(references),
         component_name=component_name,
@@ -166,6 +165,10 @@ def get_item(item_node, tree, test):
         vuln_id_from_tool=unique_id_from_tool,
     )
 
+    if cwe is not None:
+        cwe = int(cwe.split("-")[1])
+        dojo_finding.cwe = cwe
+
     if (cvssv3 is not None) and (len(cvssv3) > 0):
         dojo_finding.cvssv3 = cvssv3
 

helm/defectdojo/templates/initializer-job.yaml

@@ -53,7 +53,7 @@ spec:
         command:
         - '/bin/bash'
         - '-c'
-        - '/wait-for-it.sh ${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432} -t 30 -s -- /bin/echo Database is up'
+        - '/wait-for-it.sh ${DD_DATABASE_HOST:-postgres}:${DD_DATABASE_PORT:-5432} -t 300 -s -- /bin/echo Database is up'
         image: '{{ template "django.uwsgi.repository" . }}:{{ .Values.tag }}'
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         {{- if .Values.securityContext.enabled }}

unittests/scans/npm_audit_7_plus/issue_10801.json

@@ -0,0 +1,56 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {
+    "got": {
+      "name": "got",
+      "severity": "moderate",
+      "isDirect": false,
+      "via": [
+        {
+          "source": 1088948,
+          "name": "got",
+          "dependency": "got",
+          "title": "Got allows a redirect to a UNIX socket",
+          "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97",
+          "severity": "moderate",
+          "cwe": [],
+          "cvss": {
+            "score": 5.3,
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+          },
+          "range": "<11.8.5"
+        }
+      ],
+      "effects": [
+      ],
+      "range": "<11.8.5",
+      "nodes": [
+        "node_modules/got"
+      ],
+      "fixAvailable": {
+        "name": "nodemon",
+        "version": "3.1.4",
+        "isSemVerMajor": true
+      }
+    }
+  },
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 1,
+      "critical": 0,
+      "total": 1
+    },
+    "dependencies": {
+      "prod": 98,
+      "dev": 0,
+      "optional": 0,
+      "peer": 0,
+      "peerOptional": 0,
+      "total": 97
+    }
+  }
+}
+

unittests/test_import_reimport.py

@@ -1115,7 +1115,7 @@ def test_import_reimport_keep_false_positive_and_out_of_scope(self):
         active_findings_before = self.get_test_findings_api(test_id, active=True)
         self.assert_finding_count_json(0, active_findings_before)
 
-        with assertTestImportModelsCreated(self, reimports=1, affected_findings=1, created=1):
+        with assertTestImportModelsCreated(self, reimports=1, affected_findings=1, created=1, untouched=1):
             reimport0 = self.reimport_scan_with_params(test_id, self.zap_sample0_filename)
 
         self.assertEqual(reimport0["test"], test_id)

unittests/tools/test_npm_audit_7_plus_parser.py

@@ -40,3 +40,14 @@ def test_npm_audit_7_plus_parser_with_many_vuln_has_many_findings(self):
             self.assertIsNotNone(finding.description)
             self.assertGreater(len(finding.description), 0)
             self.assertEqual("@vercel/fun", finding.title)
+
+    def test_npm_audit_7_plus_parser_issue_10801(self):
+        testfile = open(path.join(path.dirname(__file__), "../scans/npm_audit_7_plus/issue_10801.json"), encoding="utf-8")
+        parser = NpmAudit7PlusParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        with self.subTest(i=0):
+            finding = findings[0]
+            self.assertEqual("Medium", finding.severity)
+            self.assertEqual(0, finding.cwe)