django-DefectDojo icon indicating copy to clipboard operation
django-DefectDojo copied to clipboard
verified publisher icon DefectDojo

fix: fix severity lookup in Qualys parser

Open nv-pipo opened this issue 1 year ago • 2 comments

Description

Fixes a bug in the Qualys parser where the severity lookup was not correctly handling integer values. This caused incorrect severity values to be returned. The fix updates the severity lookup to convert the severity value to an integer before performing the lookup.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changed in this PR. Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder)

Checklist

This checklist is for your information.

  • [X] Make sure to rebase your PR against the very latest dev.
  • [X] Features/Changes should be submitted against the dev.
  • [X] Bugfixes should be submitted against the bugfix branch.
  • [X] Give a meaningful name to your PR, as it may end up being used in the release notes.
  • [X] Your code is flake8 compliant.
  • [X] Your code is python 3.11 compliant.
  • [X] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • [X] Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • [X] Add applicable tests to the unit tests.
  • [X] Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work after the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

nv-pipo avatar May 14 '24 15:05 nv-pipo

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer :white_check_mark: 0 findings
Sensitive Files Analyzer :white_check_mark: 0 findings
AppSec Analyzer :white_check_mark: 0 findings
Authn/Authz Analyzer :white_check_mark: 0 findings
Secrets Analyzer :white_check_mark: 0 findings

[!Note] :green_circle: Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the accuracy and reliability of the Qualys vulnerability data parsing in both the unittests and the Dojo application security tool. The key changes include:

  1. Severity Mapping: The code now uses a more comprehensive severity mapping system, which first looks up the severity value in a legacy dictionary and then in a non-legacy dictionary, ensuring accurate severity classification.

  2. CVSS Parsing: The code has been updated to handle CVSS3 and CVSS2 scores more robustly, using a dedicated split_cvss function to extract the CVSS score and vector from the XML data.

  3. Vulnerability Details: The code now extracts more detailed information about the vulnerabilities, such as the vulnerability type, category, QID, port, result evidence, and timestamps for when the vulnerability was first and last found.

These changes improve the quality and accuracy of the vulnerability data imported from Qualys, ensuring that the findings are correctly classified and prioritized within the application security management system. The increased level of detail about the vulnerabilities also provides security teams with more context to understand and address the identified issues.

Files Changed:

  1. unittests/tools/test_qualys_parser.py: The changes in this file are focused on improving the parsing of CVSS information and severity levels, including a bug fix for incorrectly classifying a "High" severity finding as "Critical". The changes are well-tested with a comprehensive set of unit tests.

  2. dojo/tools/qualys/parser.py: The changes in this file enhance the Qualys vulnerability scanner parser in the Dojo application security tool. The improvements include a more comprehensive severity mapping system, robust CVSS parsing, and the extraction of additional vulnerability details, all of which contribute to the accurate representation of Qualys scan data within the Dojo application.

Powered by DryRun Security

dryrunsecurity[bot] avatar May 14 '24 15:05 dryrunsecurity[bot]

Would you mind adding a unit test here with an example file that triggers the bug you mention, in order to validate this fix and ensure we don't have a regression?

cneill avatar May 14 '24 18:05 cneill

Would you mind adding a unit test here with an example file that triggers the bug you mention, in order to validate this fix and ensure we don't have a regression?

Should I close this PR and open a new one with the UNITTEST?

nv-pipo avatar May 15 '24 08:05 nv-pipo

Would you mind adding a unit test here with an example file that triggers the bug you mention, in order to validate this fix and ensure we don't have a regression?

Should I close this PR and open a new one with the UNITTEST?

You can push a new commit to your branch with the unit test and it will update this PR automatically. You're welcome to create a new PR if you want, but it's not strictly necessary.

mtesauro avatar May 16 '24 02:05 mtesauro

@mtesauro I added the unit test.

Additional changes follow the logic of https://github.com/DefectDojo/django-DefectDojo/issues/6248#issuecomment-1164293652. Pull severity from 'SEVERITY' field in source XML, if not available, try to extract it from CVSS_VALUE field, if neither are available: default to Informational and log a warning. Before this PR: it was the other way around: first 'CVSS_VALUE' then 'SEVERITY'.

nv-pipo avatar May 16 '24 12:05 nv-pipo

@mtesauro I added the unit test.

Additional changes follow the logic of #6248 (comment). Pull severity from 'SEVERITY' field in source XML, if not available, try to extract it from CVSS_VALUE field, if neither are available: default to Informational and log a warning. Before this PR: it was the other way around: first 'CVSS_VALUE' then 'SEVERITY'.

@nv-pipo This makes sense to me - be warned we've see 2 instances where the CVSS score from a vendor's tool does not match the "word" severity reported in the same scan export e.g. Report says "High" but the CVSS score is a "Low" when you calculate it from the CVSS vector. This is the reason we generally use the 'word' severity and then fall back to the CVSS score if it's not available.

You'd like to think vendors could make their 'word' score match CVSS but :shrug:

mtesauro avatar May 16 '24 17:05 mtesauro

@mtesauro I added the unit test. Additional changes follow the logic of #6248 (comment). Pull severity from 'SEVERITY' field in source XML, if not available, try to extract it from CVSS_VALUE field, if neither are available: default to Informational and log a warning. Before this PR: it was the other way around: first 'CVSS_VALUE' then 'SEVERITY'.

@nv-pipo This makes sense to me - be warned we've see 2 instances where the CVSS score from a vendor's tool does not match the "word" severity reported in the same scan export e.g. Report says "High" but the CVSS score is a "Low" when you calculate it from the CVSS vector. This is the reason we generally use the 'word' severity and then fall back to the CVSS score if it's not available.

You'd like to think vendors could make their 'word' score match CVSS but 🤷

It may be a case where they get CVSS info from NVD or similar but then decide based on their own analysis that the implied severity is wrong. In that case, I expect they probably don't update the CVSS score/vector.

cneill avatar May 16 '24 18:05 cneill

@Maffooch and @mtesauro, As requested, I've updated the code to remove the fallback to cvss_value. (code looks cleaner, simpler now 👍 )

There seem to be some build problems, but I doubt it has anything to do with this PR (ran the Qualys unit_tests locally without problems). Please advise how to fix. Thanks!

nv-pipo avatar May 22 '24 09:05 nv-pipo

@nv-pipo

There seem to be some build problems, but I doubt it has anything to do with this PR (ran the Qualys unit_tests locally without problems). Please advise how to fix. Thanks!

There was a commit in Dev that broke the tests that require building a container. The best way to fix is to rebase against what's currently in the Dev branch (the fix to what broke tests has been merged already)

mtesauro avatar May 22 '24 21:05 mtesauro

@mtesauro Great! all tests passed.

@Maffooch, could you change your approval status?

nv-pipo avatar May 24 '24 06:05 nv-pipo