Merge pull request #12829 from DefectDojo/release/2.48.3

Release: Merge release into master from: release/2.48.3

Author: Maffooch

components/package.json

@@ -1,6 +1,6 @@
 {
   "name": "defectdojo",
-  "version": "2.48.2",
+  "version": "2.48.3",
   "license" : "BSD-3-Clause",
   "private": true,
   "dependencies": {

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.48.2"
+__version__ = "2.48.3"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/api_v2/serializers.py

@@ -2062,7 +2062,7 @@ def get_findings_count(self, obj) -> int:
 
     # TODO: maybe extend_schema_field is needed here?
     def get_findings_list(self, obj) -> list[int]:
-        return obj.open_findings_list
+        return obj.open_findings_list()
 
 
 class CommonImportScanSerializer(serializers.Serializer):

dojo/models.py

@@ -1322,12 +1322,10 @@ def get_breadcrumbs(self):
     def get_product_type(self):
         return self.prod_type if self.prod_type is not None else "unknown"
 
-    # only used in APIv2 serializers.py, query should be aligned with findings_count
-    @cached_property
+    # only used in APIv2 serializers.py, should be deprecated or at least prefetched
     def open_findings_list(self):
-        findings = Finding.objects.filter(test__engagement__product=self,
-                                          active=True)
-        return [i.id for i in findings]
+        findings = Finding.objects.filter(test__engagement__product=self, active=True).values_list("id", flat=True)
+        return list(findings)
 
     @property
     def has_jira_configured(self):

dojo/templatetags/display_tags.py

@@ -185,10 +185,13 @@ def percentage(fraction, value):
 
 @register.filter
 def format_epss(value):
+    if value is None:
+        return "N.A."
+
     try:
         return f"{value:.2%}"
     except (ValueError, TypeError):
-        return "N.A."
+        return "error"
 
 
 def asvs_calc_level(benchmark_score):

dojo/tools/anchore_grype/parser.py

@@ -1,10 +1,13 @@
 import json
+import logging
 
 from cvss import parser as cvss_parser
 from cvss.cvss3 import CVSS3
 
 from dojo.models import Finding
 
+logger = logging.getLogger(__name__)
+
 
 class AnchoreGrypeParser:
 
@@ -27,7 +30,9 @@ def get_description_for_scan_types(self, scan_type):
         )
 
     def get_findings(self, file, test):
+        logger.debug(f"file: {file}")
         data = json.load(file)
+        logger.debug(f"data: {data}")
         dupes = {}
         for item in data.get("matches", []):
             vulnerability = item["vulnerability"]
@@ -57,6 +62,7 @@ def get_findings(self, file, test):
                 rel_description = related_vulnerability.get("description")
                 rel_cvss = related_vulnerability.get("cvss")
                 rel_epss = related_vulnerability.get("epss")
+                rel_vuln_id = related_vulnerability.get("id")
             vulnerability_ids = self.get_vulnerability_ids(
                 vuln_id, related_vulnerabilities,
             )
@@ -162,10 +168,15 @@ def get_findings(self, file, test):
                 finding_cvss3 = self.get_cvss(vuln_cvss)
             if not finding_cvss3 and rel_cvss:
                 finding_cvss3 = self.get_cvss(rel_cvss)
-
+            # https://github.com/DefectDojo/django-DefectDojo/issues/12819
+            # the parser seems focues on only parsing the first related vulnerability
+            # this fixes the mentioned github issue, but a more thorough rewrite might be needed
+            # if the problem persists / we get more real world sample reports.
             finding_epss_score, finding_epss_percentile = self.get_epss_values(vuln_id, vuln_epss)
             if finding_epss_score is None and rel_epss:
-                finding_epss_score, finding_epss_percentile = self.get_epss_values(vuln_id, rel_epss)
+                finding_epss_score, finding_epss_percentile = self.get_epss_values(rel_vuln_id, rel_epss)
+                if finding_epss_score is None and rel_vuln_id:
+                    finding_epss_score, finding_epss_percentile = self.get_epss_values(vuln_id, vuln_epss)
 
             dupe_key = finding_title
             if dupe_key in dupes:
@@ -211,17 +222,23 @@ def get_cvss(self, cvss):
         return None
 
     def get_epss_values(self, vuln_id, epss_list):
+        if not isinstance(epss_list, list):
+            logger.debug(f"epss_list is not a list: {epss_list}")
+            return None, None
+
         if isinstance(epss_list, list):
+            logger.debug(f"epss_list: {epss_list}")
             for epss_data in epss_list:
                 if epss_data.get("cve") != vuln_id:
                     continue
                 try:
                     epss_score = float(epss_data.get("epss"))
                     epss_percentile = float(epss_data.get("percentile"))
                 except (TypeError, ValueError):
-                    pass
+                    logger.debug(f"epss_data is not a float: {epss_data}")
                 else:
                     return epss_score, epss_percentile
+        logger.debug(f"epss not found for vuln_id: {vuln_id} in epss_list: {epss_list}")
         return None, None
 
     def get_vulnerability_ids(self, vuln_id, related_vulnerabilities):

dojo/tools/dependency_check/parser.py

@@ -9,6 +9,7 @@
 from packageurl import PackageURL
 
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 logger = logging.getLogger(__name__)
 
@@ -23,6 +24,54 @@ class DependencyCheckParser:
         "critical": "Critical",
     }
 
+    CVSS_V3_MAPPINGS = {
+        "attackVector": {
+            "NETWORK": "N",
+            "ADJACENT": "A",
+            "LOCAL": "L",
+            "PHYSICAL": "P",
+            "N": "N",
+            "A": "A",
+            "L": "L",
+            "P": "P",
+        },
+        "attackComplexity": {"LOW": "L", "HIGH": "H", "L": "L", "H": "H"},
+        "privilegesRequired": {
+            "NONE": "N",
+            "LOW": "L",
+            "HIGH": "H",
+            "N": "N",
+            "L": "L",
+            "H": "H",
+        },
+        "userInteraction": {"NONE": "N", "REQUIRED": "R", "N": "N", "R": "R"},
+        "scope": {"UNCHANGED": "U", "CHANGED": "C", "U": "U", "C": "C"},
+        "confidentialityImpact": {
+            "NONE": "N",
+            "LOW": "L",
+            "HIGH": "H",
+            "N": "N",
+            "L": "L",
+            "H": "H",
+        },
+        "integrityImpact": {
+            "NONE": "N",
+            "LOW": "L",
+            "HIGH": "H",
+            "N": "N",
+            "L": "L",
+            "H": "H",
+        },
+        "availabilityImpact": {
+            "NONE": "N",
+            "LOW": "L",
+            "HIGH": "H",
+            "N": "N",
+            "L": "L",
+            "H": "H",
+        },
+    }
+
     def add_finding(self, finding, dupes):
         key_str = "|".join(
             [
@@ -164,6 +213,55 @@ def get_component_name_and_version_from_dependency(
 
         return None, None
 
+    def get_severity_and_cvss_meta(self, vulnerability, namespace) -> dict:
+        # Get the base severity from the report
+        severity = vulnerability.findtext(f"{namespace}severity")
+        cvssv3 = None
+        cvssv3_score = None
+        # Attempt to add the CVSSv3 score, and update the severity accordingly
+        if (cvssv3_node := vulnerability.find(namespace + "cvssV3")) is not None:
+            try:
+                vector_parts = [
+                    f"AV:{self.CVSS_V3_MAPPINGS['attackVector'][cvssv3_node.findtext(f'{namespace}attackVector')]}",
+                    f"AC:{self.CVSS_V3_MAPPINGS['attackComplexity'][cvssv3_node.findtext(f'{namespace}attackComplexity')]}",
+                    f"PR:{self.CVSS_V3_MAPPINGS['privilegesRequired'][cvssv3_node.findtext(f'{namespace}privilegesRequired')]}",
+                    f"UI:{self.CVSS_V3_MAPPINGS['userInteraction'][cvssv3_node.findtext(f'{namespace}userInteraction')]}",
+                    f"S:{self.CVSS_V3_MAPPINGS['scope'][cvssv3_node.findtext(f'{namespace}scope')]}",
+                    f"C:{self.CVSS_V3_MAPPINGS['confidentialityImpact'][cvssv3_node.findtext(f'{namespace}confidentialityImpact')]}",
+                    f"I:{self.CVSS_V3_MAPPINGS['integrityImpact'][cvssv3_node.findtext(f'{namespace}integrityImpact')]}",
+                    f"A:{self.CVSS_V3_MAPPINGS['availabilityImpact'][cvssv3_node.findtext(f'{namespace}availabilityImpact')]}",
+                ]
+                version = cvssv3_node.findtext("version") or "3.1"
+                vector = f"CVSS:{version}/" + "/".join(vector_parts)
+                if cvss_data := parse_cvss_data(vector):
+                    cvssv3 = cvss_data.get("vector")
+                    cvssv3_score = cvss_data.get("score")
+                    severity = cvss_data.get("severity")
+            except Exception as e:
+                # Only log the error - there is not much we can do to recover from this
+                logger.debug(e)
+        elif (cvssv2_node := vulnerability.find(namespace + "cvssV2")) is not None:
+            severity = cvssv2_node.findtext(f"{namespace}severity").lower().capitalize()
+
+        # handle if the severity have something not in the mapping
+        # default to 'Medium' and produce warnings in logs
+        if severity:
+            if severity.strip().lower() not in self.SEVERITY_MAPPING:
+                logger.warning(
+                    f"Warning: Unknow severity value detected '{severity}'. Bypass to 'Medium' value",
+                )
+                severity = "Medium"
+            else:
+                severity = self.SEVERITY_MAPPING[severity.strip().lower()]
+        else:
+            severity = "Medium"
+
+        return {
+            "severity": severity,
+            "cvssv3": cvssv3,
+            "cvssv3_score": cvssv3_score,
+        }
+
     def get_finding_from_vulnerability(
         self, dependency, related_dependency, vulnerability, test, namespace,
     ):
@@ -238,36 +336,6 @@ def get_finding_from_vulnerability(
         # some changes in v6.0.0 around CVSS version information
         # https://github.com/jeremylong/DependencyCheck/pull/2781
 
-        cvssv2_node = vulnerability.find(namespace + "cvssV2")
-        cvssv3_node = vulnerability.find(namespace + "cvssV3")
-        severity = vulnerability.findtext(f"{namespace}severity")
-        if not severity:
-            if cvssv3_node is not None:
-                severity = (
-                    cvssv3_node.findtext(f"{namespace}baseSeverity")
-                    .lower()
-                    .capitalize()
-                )
-            elif cvssv2_node is not None:
-                severity = (
-                    cvssv2_node.findtext(f"{namespace}severity")
-                    .lower()
-                    .capitalize()
-                )
-
-        # handle if the severity have something not in the mapping
-        # default to 'Medium' and produce warnings in logs
-        if severity:
-            if severity.strip().lower() not in self.SEVERITY_MAPPING:
-                logger.warning(
-                    f"Warning: Unknow severity value detected '{severity}'. Bypass to 'Medium' value",
-                )
-                severity = "Medium"
-            else:
-                severity = self.SEVERITY_MAPPING[severity.strip().lower()]
-        else:
-            severity = "Medium"
-
         reference_detail = None
         references_node = vulnerability.find(namespace + "references")
 
@@ -315,7 +383,6 @@ def get_finding_from_vulnerability(
             test=test,
             cwe=cwe,
             description=description,
-            severity=severity,
             mitigation=mitigation,
             mitigated=mitigated,
             is_mitigated=is_Mitigated,
@@ -326,6 +393,7 @@ def get_finding_from_vulnerability(
             references=reference_detail,
             component_name=component_name,
             component_version=component_version,
+            **self.get_severity_and_cvss_meta(vulnerability, namespace),
         )
 
         if vulnerability_id:

dojo/tools/trivy/parser.py

@@ -17,6 +17,13 @@
     "UNKNOWN": "Info",
 }
 
+CVSS_SEVERITY_SOURCES = [
+    "nvd",
+    "ghsa",
+    "redhat",
+    "bitnami",
+]
+
 DESCRIPTION_TEMPLATE = """{title}
 **Target:** {target}
 **Type:** {type}
@@ -243,28 +250,29 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 try:
                     vuln_id = vuln.get("VulnerabilityID", "0")
                     package_name = vuln["PkgName"]
-                    severity_source = vuln.get("SeveritySource", None)
-                    cvss = vuln.get("CVSS", None)
+                    detected_severity_source = vuln.get("SeveritySource", None)
+                    cvss = vuln.get("CVSS", {})
+                    cvssclass = None
                     cvssv3 = None
                     cvssv3_score = None
-                    if severity_source is not None and cvss is not None:
+                    # Iterate over the possible severity sources tom find the first match
+                    for severity_source in [detected_severity_source, *CVSS_SEVERITY_SOURCES]:
                         cvssclass = cvss.get(severity_source, None)
                         if cvssclass is not None:
-                            if cvssclass.get("V3Score") is not None:
-                                severity = self.convert_cvss_score(cvssclass.get("V3Score"))
-                                cvssv3_string = dict(cvssclass).get("V3Vector")
-                                cvss_data = parse_cvss_data(cvssv3_string)
-                                if cvss_data:
-                                    cvssv3 = cvss_data.get("vector")
-                                    cvssv3_score = cvss_data.get("score")
-                            elif cvssclass.get("V3Score") is not None:
-                                cvssv3_score = cvssclass.get("V3Score")
-                            elif cvssclass.get("V2Score") is not None:
-                                severity = self.convert_cvss_score(cvssclass.get("V2Score"))
-                            else:
-                                severity = self.convert_cvss_score(None)
+                            break
+                    # Parse the CVSS class if it is not None
+                    if cvssclass is not None:
+                        if cvss_data := parse_cvss_data(cvssclass.get("V3Vector", "")):
+                            cvssv3 = cvss_data.get("vector")
+                            cvssv3_score = cvss_data.get("score")
+                            severity = cvss_data.get("severity")
+                        elif (cvss_v3_score := cvssclass.get("V3Score")) is not None:
+                            cvssv3_score = cvss_v3_score
+                            severity = self.convert_cvss_score(cvss_v3_score)
+                        elif (cvss_v2_score := cvssclass.get("V2Score")) is not None:
+                            severity = self.convert_cvss_score(cvss_v2_score)
                         else:
-                            severity = TRIVY_SEVERITIES[vuln["Severity"]]
+                            severity = self.convert_cvss_score(None)
                     else:
                         severity = TRIVY_SEVERITIES[vuln["Severity"]]
                     if target_class == "os-pkgs" or target_class == "lang-pkgs":

helm/defectdojo/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "2.48.2"
+appVersion: "2.48.3"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.6.197
+version: 1.6.198
 icon: https://www.defectdojo.org/img/favicon.ico
 maintainers:
   - name: madchap