
Finding hash/dedupe changes

Open · dogboat opened this issue 1 year ago · 1 comment

Description

This patch updates methods related to Finding hash computation and deduplication to support custom functionality. It refactors the setting of hash codes on a Finding into its own method. It adds a new method that, given a setting name, attempts to use the value of that setting to load a function and return it. It uses that method to attempt to load custom functionality in place of that new Finding set-hash method and the Finding Helper dedupe methods, falling back to existing functionality if no custom settings exist.

Test results

Findings still save as expected; if custom functionality is specified, it's called instead.

dogboat avatar Jun 11 '24 13:06 dogboat
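As an added illustration of the load-from-setting-with-fallback mechanism the description refers to (example code written for this page, not the PR's diff or DefectDojo's own implementation): `get_custom_method()` resolves a dotted path stored in a settings attribute, `set_hash_code()` prefers that custom hasher over a simplified built-in one, and `is_duplicate()` compares the resulting hash codes. The setting name `FINDING_HASH_CODE_METHOD`, the `custom_dedupe` module, the `Finding` stand-in and the hash fields are assumptions of this example.

```python
import hashlib
import importlib
import sys
import types
from dataclasses import dataclass

@dataclass
class Finding:  # minimal stand-in for DefectDojo's Finding model (constructed)
    title: str
    cwe: int
    file_path: str = ""
    hash_code: str = ""

def get_custom_method(setting_name, settings):
    """Resolve the dotted path in settings.<setting_name> to a callable, else None; fails
    closed (unset, unimportable, non-callable) so callers keep the built-in behaviour."""
    dotted = getattr(settings, setting_name, None)
    if not dotted:
        return None
    module_path, _, attr = dotted.rpartition(".")
    try:
        func = getattr(importlib.import_module(module_path), attr)
    except (ImportError, AttributeError, ValueError):
        return None  # misconfiguration falls back to the default rather than crashing
    return func if callable(func) else None

def default_hash_code(finding):
    """Simplified stand-in for the built-in hash_code: sha256 over selected fields."""
    raw = "|".join([finding.title, str(finding.cwe), finding.file_path])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def set_hash_code(finding, settings):
    # Hypothetical setting name; custom hasher first, built-in hasher otherwise.
    hasher = get_custom_method("FINDING_HASH_CODE_METHOD", settings) or default_hash_code
    finding.hash_code = hasher(finding)
    return finding.hash_code

def title_only_hash(finding):  # example custom hasher: relocated findings still dedupe
    return hashlib.sha256(finding.title.lower().encode("utf-8")).hexdigest()

def is_duplicate(a, b, settings):  # hash_code dedupe: equal hash codes -> duplicate
    return set_hash_code(a, settings) == set_hash_code(b, settings)

# Constructed "custom_dedupe" module so the dotted path below resolves offline.
custom_mod = types.ModuleType("custom_dedupe")
custom_mod.title_only_hash = title_only_hash
sys.modules["custom_dedupe"] = custom_mod
DEFAULT_SETTINGS = types.SimpleNamespace()  # nothing configured: built-in hasher
CUSTOM_SETTINGS = types.SimpleNamespace(FINDING_HASH_CODE_METHOD="custom_dedupe.title_only_hash")
BROKEN_SETTINGS = types.SimpleNamespace(FINDING_HASH_CODE_METHOD="no.such.module.func")
```

A broken dotted path silently selects the built-in hasher, so a deployment that relies on the custom one should log or assert that `get_custom_method()` returned a callable at startup.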

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

| DryRun Security | Status | Findings |
| --- | --- | --- |
| Server-Side Request Forgery Analyzer | :white_check_mark: | 0 findings |
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| IDOR Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :white_check_mark: | 0 findings |
| SQL Injection Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :grey_exclamation: | 1 finding |
| Secrets Analyzer | :white_check_mark: | 0 findings |

Note: :green_circle: Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request span several files in the DefectDojo application and cover various aspects of the application's security functionality. The key changes include improvements to the finding deduplication process, false positive history tracking, integration with external tools like JIRA, and the management of security findings and their associated data.

The changes to the default_importer.py file focus on enhancing the reliability and correctness of the close_old_findings function, which is responsible for automatically closing findings that are no longer present in the latest scan report. This is an important security control to maintain an accurate and up-to-date record of the application's security posture.

The changes to the finding/helper.py file demonstrate a comprehensive approach to handling the post-processing of security findings, with a focus on deduplication, false positive management, and integration with external tools like JIRA. These are all crucial aspects of an effective application security program.

The changes to the models.py file include improvements to the computation of the hash_code field, which is used for deduplication of findings, and the calculation of the sla_expiration_date field, which is used to track the time-to-remediate for findings. These changes enhance the security management capabilities of the DefectDojo application.

Finally, the changes to the utils.py file introduce a set of utility functions and classes that are commonly used throughout the application to handle various security-related tasks, such as encryption/decryption, credential management, notification management, and endpoint deduplication.

Files Changed:

  1. dojo/importers/default_importer.py: The changes in this file focus on improving the reliability and correctness of the close_old_findings function, which is responsible for automatically closing findings that are no longer present in the latest scan report.
  2. dojo/finding/helper.py: The changes in this file demonstrate a comprehensive approach to handling the post-processing of security findings, with a focus on deduplication, false positive management, and integration with external tools like JIRA.
  3. dojo/models.py: The changes in this file include improvements to the computation of the hash_code field, which is used for deduplication of findings, and the calculation of the sla_expiration_date field, which is used to track the time-to-remediate for findings.
  4. dojo/utils.py: The changes in this file introduce a set of utility functions and classes that are commonly used throughout the application to handle various security-related tasks, such as encryption/decryption, credential management, notification management, and endpoint deduplication.


dryrunsecurity[bot] avatar Jun 11 '24 13:06 dryrunsecurity[bot]

DryRun Security Summary

This pull request focuses on improving the security-related functionality of the DefectDojo application, including optimizing the finding closure process, enhancing deduplication handling, improving engagement creation and filtering, and ensuring a reliable re-import process.


Summary:

The code changes in this pull request are focused on improving various aspects of the DefectDojo application, with a particular emphasis on the security-related functionality. The changes span several modules, including the importers, engagement management, models, and utility functions.

The key security-related improvements include:

  1. Optimization of Finding Closure Process: The changes to the default_importer.py file improve the efficiency and accuracy of the process for closing old findings that are no longer present in the latest scan report.

  2. Flexible Deduplication Handling: The changes to the default_reimporter.py and models.py files introduce more flexibility in choosing the appropriate deduplication algorithm based on the test being processed, which can improve the accuracy and reliability of the reimport process.

  3. Engagement Creation and Filtering: The changes to the engagement/views.py file introduce new methods for creating engagements and filtering them, which can help maintain the integrity and context of the security findings data.

  4. Improved Deduplication Functionality: The changes to the utils.py file focus on enhancing the deduplication functionality, including the ability to use custom deduplication methods and more robust handling of edge cases.

  5. Reliable Re-import Process: The changes to the test/views.py file introduce a new ReImportScanResultsView class that handles the re-import of scan results, with a focus on logging, error handling, and permission management.

Overall, these changes appear to be a positive step towards improving the security-related functionality and reliability of the DefectDojo application. As an application security engineer, I would recommend thoroughly reviewing these changes to ensure that they do not introduce any unintended security vulnerabilities and that they align with the organization's security requirements and best practices.

Files Changed:

  1. dojo/importers/default_importer.py: The changes optimize the process of closing old findings that are no longer present in the latest scan report, improving the efficiency and accuracy of the finding closure process.

  2. dojo/importers/default_reimporter.py: The changes introduce more flexibility in choosing the appropriate deduplication algorithm based on the test being processed, which can improve the accuracy and reliability of the reimport process.

  3. dojo/engagement/views.py: The changes introduce new methods for creating engagements and filtering them, which can help maintain the integrity and context of the security findings data.

  4. dojo/models.py: The changes focus on enhancing the deduplication functionality, including the ability to use custom deduplication methods and more robust handling of edge cases.

  5. dojo/utils.py: The changes introduce a new get_custom_method() function and modify the do_dedupe_finding() and set_duplicate() functions to improve the deduplication functionality.

  6. dojo/test/views.py: The changes introduce a new ReImportScanResultsView class that handles the re-import of scan results, with a focus on logging, error handling, and permission management.

Code Analysis

We ran 9 analyzers against 6 files and 1 analyzer had findings. 8 analyzers had no findings.

| Analyzer | Findings |
| --- | --- |
| Authn/Authz Analyzer | 2 findings |

Riskiness

:green_circle: Risk threshold not exceeded.


dryrunsecurity[bot] avatar Jul 08 '24 20:07 dryrunsecurity[bot]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Jul 29 '24 15:07 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Aug 01 '24 17:08 github-actions[bot]