
Generic parser update #13139

Merged
valentijnscholten merged 6 commits into DefectDojo:bugfix from mykhailo-sindieiev:generic-parser-update
Sep 12, 2025

Conversation

@mykhailo-sindieiev
Contributor

@mykhailo-sindieiev mykhailo-sindieiev commented Sep 8, 2025

Description

As per the discussion in #13098, the new DefectDojo finding fields will be supported by the Generic Importer.

Test results

The files unittests/scans/generic/generic_report_kev_cvssv4.json and unittests/scans/generic/generic_report_kev_cvssv4.csv are successfully parsed with the updated parsers.

Documentation

docs/content/en/connecting_your_tools/parsers/file/generic.md is updated

@Maffooch Maffooch changed the base branch from master to bugfix September 8, 2025 19:48
Member

@valentijnscholten valentijnscholten left a comment

Thank you for your PR and welcome as a contributor.
Would you be able to extend the PR a little bit by:

  • updating the csv parser
  • updating the docs

@mykhailo-sindieiev
Contributor Author

Hello, thank you for the review. Working on the changes.

@dryrunsecurity

dryrunsecurity Bot commented Sep 11, 2025

DryRun Security

This pull request contains a bug in dojo/tools/generic/csv_parser.py where CSV boolean fields (known_exploited, ransomware_used, fix_available) are converted using bool(row[…]), causing any non-empty string like "False", "0" or "No" to be interpreted as True and leading to incorrect data; the issue is non-blocking but should be fixed by parsing boolean strings explicitly (e.g., comparing normalized values or using a dedicated parser).

Improper Data Conversion for Boolean Fields in dojo/tools/generic/csv_parser.py

Vulnerability: Improper Data Conversion for Boolean Fields

Description: The code in dojo/tools/generic/csv_parser.py incorrectly converts string representations of boolean values from CSV input. Specifically, for the fields 'known_exploited', 'ransomware_used', and 'fix_available', it uses bool(row[...]). In Python, bool() evaluates any non-empty string, including 'False', '0', or 'No', as True. This means that if a CSV file contains 'False' for these boolean fields, the application will incorrectly interpret and store them as True, leading to data integrity issues and misrepresentation of security findings.

```python
if len(cvss_objects) > 0:
    finding.cvssv3 = cvss_objects[0].clean_vector()
if "CVSSV4" in row:
    cvss4_objects = cvss_parser.parse_cvss_from_text(row["CVSSV4"])
    if len(cvss4_objects) > 0:
        finding.cvssv4 = cvss4_objects[0].clean_vector()
if "CVSSV4_score" in row:
    finding.cvssv4_score = float(row["CVSSV4_score"])
if "kev_date" in row:
    finding.kev_date = parse(row["kev_date"])
if "known_exploited" in row:
    finding.known_exploited = bool(row["known_exploited"])
if "ransomware_used" in row:
    finding.ransomware_used = bool(row["ransomware_used"])
if "fix_available" in row:
    finding.fix_available = bool(row["fix_available"])
# manage endpoints
if "Url" in row:
    finding.unsaved_endpoints = [
```


All finding details can be found in the DryRun Security Dashboard.
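The bool() conversion flagged above, run side by side with an explicit string-to-boolean parser over a constructed CSV, as an added example that is not part of this PR or of DefectDojo's own code; the sample rows, parse_bool and the accepted true/false spellings are assumptions.

```python
import csv
import io

# Constructed sample report; in the real parser the rows come from the uploaded CSV.
SAMPLE_CSV = """Title,known_exploited,ransomware_used,fix_available
Finding A,True,False,0
Finding B,no,yes,1
Finding C,,TRUE,false
"""

BOOL_FIELDS = ("known_exploited", "ransomware_used", "fix_available")
TRUE_VALUES = {"true", "yes", "y", "1"}
FALSE_VALUES = {"false", "no", "n", "0", ""}


def parse_bool(value):
    """Map a CSV cell to a boolean by comparing its normalized text.

    Unlike bool(), 'False', '0', 'No' and an empty cell become False.
    Unrecognised text raises so a malformed report is rejected instead of
    silently stored as True (assumed policy; a default could be used instead).
    """
    normalized = (value or "").strip().lower()
    if normalized in TRUE_VALUES:
        return True
    if normalized in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean value: {value!r}")


def naive_flags(row):
    """The flagged behaviour: bool() on any non-empty string yields True."""
    return {field: bool(row[field]) for field in BOOL_FIELDS}


def explicit_flags(row):
    """Hardened conversion of the same three fields."""
    return {field: parse_bool(row[field]) for field in BOOL_FIELDS}


def compare(csv_text=SAMPLE_CSV):
    """Return {title: (naive, explicit)} so the per-row difference is visible."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[row["Title"]] = (naive_flags(row), explicit_flags(row))
    return result


if __name__ == "__main__":
    for title, (naive, explicit) in compare().items():
        print(title, "naive:", naive, "explicit:", explicit)
```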

@mykhailo-sindieiev
Contributor Author

@valentijnscholten Could you share with me the link to where I should update the docs? I think the changes in the PR are not breaking changes that need to be mentioned in the upgrade docs. But should I create a file here - https://github.com/DefectDojo/django-DefectDojo/tree/master/docs/content/en/open_source/upgrading - and if I should, could you please share the next release number? Is it 2.50.2?

@valentijnscholten
Member

Thank you for looking into this. The doc I referred to is: https://github.com/DefectDojo/django-DefectDojo/blob/master/docs/content/en/connecting_your_tools/parsers/file/generic.md

@github-actions github-actions Bot added the docs label Sep 12, 2025
@mykhailo-sindieiev mykhailo-sindieiev force-pushed the generic-parser-update branch 2 times, most recently from 26c7468 to 39938dc September 12, 2025 12:24
@mykhailo-sindieiev
Contributor Author

@valentijnscholten
Member

Thanks a lot!

@valentijnscholten valentijnscholten merged commit a998a9b into DefectDojo:bugfix Sep 12, 2025
152 of 153 checks passed
@valentijnscholten valentijnscholten added this to the 2.50.2 milestone Sep 12, 2025
5 participants