:sparkles: merge acunetix and acunetix360
Contextual Security Analysis
As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.
| Status | DryRun Security Check |
|---|---|
| ✅ | Sensitive Functions Analyzer |
| ❌ | Configured Sensitive Files Analyzer |
| ✅ | Sensitive Files Analyzer |
Ready to review @mtesauro
@cneill and @Maffooch could you please review and merge this?
friendly reminder @cneill and @Maffooch
Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.
| DryRun Security | Status | Findings |
|---|---|---|
| Sensitive Functions Analyzer | :white_check_mark: | 0 findings |
| Configured Sensitive Files Analyzer | :x: | 1 findings |
| Sensitive Files Analyzer | :grey_exclamation: | 5 findings |
> [!NOTE]
> :red_circle: Risk threshold exceeded. Adding a reviewer if one is configured in the `.dryrunsecurity.yaml` notification list: @mtesauro @grendel513
I reverted my last commit as I guess that a revert action for this db migration is technically not possible.
Hi @mtesauro, I already have 4 approvals here, but what about this PR and https://github.com/DefectDojo/django-DefectDojo/discussions/9690 ?
@manuel-sommer About this PR and #9690
From what I understand about Acunetix and Acunetix360, they are both DAST scanners from the same vendor with different file formats (XML and JSON).
So, I'd expect they are similar enough to have a combined parser and still be able to write a good dedup algorithm. When they were separate parsers, they had matching dedup algorithms, so I don't see the same problem as combining, say, a DAST and an SCA tool's output if from the same vendor.
About the 4 approvals and no merge, I was waiting to hear back from @blakeaowens since he raised the question about migrations.
Friendly reminder @blakeaowens
I am fine with no reverse-migration method for this PR. @manuel-sommer @mtesauro
Hi @mtesauro, fyi, I updated db migrations. It would be nice if we could merge this.
@manuel-sommer Sure thing. Closed and opened this to try to get that Flake8 test happy. Once that's happy, we're good to merge.
Hi @manuel-sommer, we got some errors after this change. Are you from the acx team? If so, can you please Slack me (Emrah KONDUR)?
No, I am not from the Acunetix team. If you submit a new issue with sample findings, I can help you fix the problem.
There isn't an issue I created yet. Acunetix and Acunetix360 are different products, so why do we need to merge them? I couldn't see these details on the task.
Thank you for helping; this is the example issue we got after this change:
{ statusCode = BadRequest, content = {"scan_type":["\"Acunetix360 Scan\" is not a valid choice."],"message":"{'scan_type': [ErrorDetail(string='\"Acunetix360 Scan\" is not a valid choice.', code='invalid_choice')]}"}
Should we revert these changes or proceed with a separate task to solve this problem? @manuel-sommer
Both products were merged because they originate from one vendor. You just have to select scan_type = Acunetix Scan. Please remove "360". Then, it should be fine. See here: https://defectdojo.github.io/django-DefectDojo/getting_started/upgrading/2.33/ @mtesauro shall we add "Acunetix360 Scan" here: https://github.com/DefectDojo/django-DefectDojo/blob/83fae48bf00d4f1299d4c1cacba23bffb2b57781/dojo/tools/acunetix/parser.py#L9 ? Then, I can make a PR.
Hi @manuel-sommer, I will try without the 360 suffix. If it works, we can change it on our side (360 code base).
Can you please inform the relevant vendor in advance about such changes? FYI @mtesauro
Hi @manuel-sommer, we discussed it with the team and decided to use both Acunetix and Acunetix360; these are different products and have different customers. It might be confusing because our customers have used these products as Acunetix Premium and Acunetix360 for many years. Even the teams in charge of the products are different. https://www.acunetix.com/product/acunetix360/ https://www.acunetix.com/product/premium/ Also, we have concerns that if one of the report models is changed, we should also consider the compatibility of the other. So it would be better to use them separately. Could you please revert this change?
Waiting for the answer from @mtesauro
Kind reminder @mtesauro, it is a bit urgent; it affected many of our customers.
Hi @ekondur, on the topic of collaborating we had reached out to Acunetix previously about partnership, but didn't receive a response.
Hi @devGregA, I'm sorry, I have no idea why nothing was received. Can you please inform us about the process so we can revert it and publish it as soon as possible?
Any update @manuel-sommer @devGregA @mtesauro?
@ekondur This is merged already in dev. The dev branch is merged into a release on the first Monday of every month, which means this will go in next Monday, aka the first Monday in May, which will be 2.34.0.
@mtesauro do you mean rolling back this issue? Because I can't see the acunetix360 parser in the current code. Is it published to the demo (https://demo.defectdojo.org/)? I can't see the Acunetix 360 scan option there either.