
[Fortify FPR Report] AttributeError caused by unexpected report structure

Open ArsArmandi opened this issue 1 year ago • 1 comments

Description

When trying to upload the attached Fortify report (FPR format), I get an Internal Server Error. The logs show that an AttributeError happens while accessing some nested XML elements inside the report. Here is the line that causes the error in the current master branch: line 33 in https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/fortify/fpr_parser.py

Basically the code expects that the elements are nested like this: AnalysisInfo->Unified->Trace->Primary->Entry->Node->SourceLocation. But in some reports the "Primary" element can have multiple child "Entry" elements. Some of these "Entry" elements contain "NodeRef" elements instead of "Node" elements, and that is where an AttributeError occurs. I couldn't find out what those NodeRefs are about.

Steps to reproduce

Steps to reproduce the behavior:

  1. Upload attached fpr Report to any Engagement

Expected behavior

Vulnerabilities should be extracted successfully

Deployment method (select with an X)

  • [ ] Docker Compose
  • [x] Kubernetes
  • [ ] GoDojo

Environment information

  • DefectDojo version: 2.32.0

Logs

    [18/Apr/2024 11:26:31] ERROR [dojo.engagement.views:819] 'NoneType' object has no attribute 'find'
    Traceback (most recent call last):
      File "/app/dojo/engagement/views.py", line 803, in post
        test, finding_count, closed_finding_count, _ = importer.import_scan(scan, scan_type, engagement, user, environment, active=active, verified=verified, tags=tags,
                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/importers/importer/importer.py", line 336, in import_scan
        parsed_findings = parser.get_findings(scan, test)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/tools/fortify/parser.py", line 24, in get_findings
        return self.parse_fpr(filename, test)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/tools/fortify/parser.py", line 161, in parse_fpr
        SourceLocationpath = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("path")
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    AttributeError: 'NoneType' object has no attribute 'find'

Sample scan files

fortify_sast_parrot_20240418_953_40_252978_380be8c.zip

ArsArmandi avatar Apr 18 '24 11:04 ArsArmandi
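The failure above comes from chaining `.find()` calls that assume every level of AnalysisInfo->Unified->Trace->Primary->Entry->Node->SourceLocation exists, so one Entry holding a NodeRef instead of a Node turns an unparseable record into a 500 for the whole upload. Below is an added example (not DefectDojo's parser) of the defensive traversal a parser can use instead: it walks all Entry children of Primary, skips NodeRef-only entries, and returns None for a vulnerability with no resolvable location so the importer can log and continue. The namespace URI and the FVDL fragment are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder namespace; a real FVDL file declares its own.
NS = "{http://example.invalid/fvdl}"

# Constructed fragment mirroring the issue: the first vulnerability has a
# NodeRef entry followed by a Node entry, the second has only a NodeRef.
SAMPLE_FVDL = """<?xml version="1.0"?>
<FVDL xmlns="http://example.invalid/fvdl">
  <Vulnerabilities>
    <Vulnerability>
      <AnalysisInfo><Unified><Trace><Primary>
        <Entry><NodeRef id="12"/></Entry>
        <Entry><Node isDefault="true">
          <SourceLocation path="src/app/login.py" line="42"/>
        </Node></Entry>
      </Primary></Trace></Unified></AnalysisInfo>
    </Vulnerability>
    <Vulnerability>
      <AnalysisInfo><Unified><Trace><Primary>
        <Entry><NodeRef id="7"/></Entry>
      </Primary></Trace></Unified></AnalysisInfo>
    </Vulnerability>
  </Vulnerabilities>
</FVDL>
"""


def primary_source_location(vuln):
    """Return (path, line) from the first Entry that carries Node/SourceLocation.

    Entries that only hold a NodeRef (the issue does not say what they refer
    to, so this example simply skips them) are ignored; if no usable entry
    exists, None is returned instead of raising AttributeError.
    """
    primary = vuln.find(f"{NS}AnalysisInfo/{NS}Unified/{NS}Trace/{NS}Primary")
    if primary is None:
        return None
    for entry in primary.findall(f"{NS}Entry"):
        loc = entry.find(f"{NS}Node/{NS}SourceLocation")
        if loc is not None:
            return loc.attrib.get("path"), loc.attrib.get("line")
    return None


def extract_locations(fvdl_text):
    """Parse every Vulnerability and collect its primary location (or None)."""
    root = ET.fromstring(fvdl_text)
    return [primary_source_location(v) for v in root.iter(f"{NS}Vulnerability")]
```

Running `extract_locations(SAMPLE_FVDL)` yields a location for the first vulnerability and None for the second, which is the point at which the original chained lookup would have raised.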

@manuel-sommer @mtesauro can anyone please check this issue?

schdief avatar May 13 '24 07:05 schdief

https://github.com/DefectDojo/django-DefectDojo/pull/10901

manuel-sommer avatar Sep 12 '24 20:09 manuel-sommer

PR merged

mtesauro avatar Sep 16 '24 01:09 mtesauro