Multiple CWEs on a single Finding
Some scan types parsed by DefectDojo can specify multiple CWEs for a single issue/vulnerability. For example, the Snyk scan format contains an identifiers.CWE field holding a list of the CWE IDs that apply to each identified vulnerability. Currently this information is either lost during parsing or injected as a supplemental string in the references section.
For example, the sample Snyk scan found at django-DefectDojo/unittests/scans/snyk/single_project_many_vulns.json contains multiple CWEs on the first listed vulnerability:
{
  "vulnerabilities": [
    {
      "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "alternativeIds": [],
      "creationTime": "2019-05-29T13:04:45.907245Z",
      "credit": [
        "JLLeitschuh"
      ],
      "cvssScore": 5.6,
      "description": "...<snip>...",
      "disclosureTime": "2019-02-22T12:35:55Z",
      "exploit": "Not Defined",
      "fixedIn": [
        "1.75"
      ],
      "functions": [],
      "functions_new": [],
      "id": "SNYK-JAVA-COMBEUST-174815",
      "identifiers": {
        "CVE": [],
        "CWE": [
          "CWE-494",
          "CWE-829"
        ]
      },
      ...
When this is parsed, though, only the first CWE (CWE-494) is captured in the Finding.cwe field. The other CWE is only mentioned in the Finding.external_references field via a string like 'Several CWEs were reported: 494, 829' (although this also isn't working due to issue #7125). That string is useful to a human reader, but it doesn't allow the full DefectDojo feature set (CWE-based filtering, reporting, and deduplication) to be used for CWE-829.
Ideally, I think the Finding model should contain a cwes field instead of a simple cwe field. The cwes field would be a list of integers representing all CWE IDs relevant to the Finding.
This model change would also require:
- All parsers are updated to create the cwes field instead of the current cwe field
- Tests are updated to verify the functionality
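Both the lossy parsing described above and the proposed list-of-integers field, as an added example that is not DefectDojo's own parser code. The input is a constructed, heavily abbreviated Snyk document: the first entry copies the identifiers block of the vulnerability shown above, the other three entries are made up to exercise the edge cases (a single CWE, no CWE key at all, and messy values). The plain dict returned per vulnerability, the function names, and the use of 0 for "no CWE known" are assumptions standing in for the Django Finding model.

```python
import json
import re

# Constructed sample input (not the unittests fixture): only the fields this
# example needs.  Entries 2-4 are invented to show edge cases.
SAMPLE_SNYK_JSON = """
{
  "vulnerabilities": [
    {"id": "SNYK-JAVA-COMBEUST-174815",
     "identifiers": {"CVE": [], "CWE": ["CWE-494", "CWE-829"]}},
    {"id": "CONSTRUCTED-ONE-CWE",
     "identifiers": {"CVE": [], "CWE": ["CWE-79"]}},
    {"id": "CONSTRUCTED-NO-CWE-KEY",
     "identifiers": {"CVE": []}},
    {"id": "CONSTRUCTED-MESSY-CWE",
     "identifiers": {"CWE": ["cwe-20", "not-a-cwe", " CWE-20 ", "CWE-"]}}
  ]
}
"""

# Snyk writes CWE identifiers as "CWE-<number>"; accept any letter case.
CWE_ID_RE = re.compile(r"^CWE-(\d+)$", re.IGNORECASE)


def parse_cwe_ids(identifiers):
    """Return every CWE ID in identifiers.CWE as a de-duplicated list of ints.

    Order is preserved so the first entry keeps its role as the primary CWE.
    A missing key, a null value and malformed entries are skipped instead of
    aborting the whole import.
    """
    cwes = []
    for raw in identifiers.get("CWE") or []:
        match = CWE_ID_RE.match(str(raw).strip())
        if match is None:
            continue
        number = int(match.group(1))
        if number not in cwes:
            cwes.append(number)
    return cwes


def legacy_cwe_fields(cwes):
    """Model the lossy behaviour described above: keep only the first CWE in
    Finding.cwe (0 when none is known, an assumption) and mention the rest only
    in a string destined for the references field."""
    primary = cwes[0] if cwes else 0
    note = ""
    if len(cwes) > 1:
        note = "Several CWEs were reported: " + ", ".join(str(c) for c in cwes)
    return primary, note


def findings_from_snyk(text):
    """Build one plain-dict finding per Snyk vulnerability (hypothetical stand-in
    for the Django Finding model).

    'cwes' is the proposed list-of-ints field; 'cwe' and 'external_references'
    show what the single-integer design preserves, for comparison.
    """
    data = json.loads(text)
    findings = []
    for vuln in data.get("vulnerabilities", []):
        cwes = parse_cwe_ids(vuln.get("identifiers") or {})
        primary, note = legacy_cwe_fields(cwes)
        findings.append({
            "id": vuln.get("id"),
            "cwes": cwes,
            "cwe": primary,
            "external_references": note,
        })
    return findings


if __name__ == "__main__":
    for finding in findings_from_snyk(SAMPLE_SNYK_JSON):
        print(finding)
```

With a cwes list on the finding, the second CWE (829) becomes a first-class value that filters and reports can match on, whereas the legacy fields keep it only as free text. Skipping malformed entries (rather than raising) is a deliberate choice: one bad identifier in a vendor export should not block the import of the other findings.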
https://github.com/DefectDojo/django-DefectDojo/blob/d698a7a1ff2a914754a541140b236dd3092d7e8e/dojo/tools/microfocus_webinspect/parser.py#L61