Ruff: Fix RUF052 #11499

Merged
merged 2 commits into from
Jan 15, 2025
Conversation

@kiblik (Contributor) commented Jan 3, 2025

Fix RUF052. Enabler for #11490. Alternative to #11450

@github-actions github-actions bot added the parser label Jan 3, 2025

dryrunsecurity bot commented Jan 3, 2025

DryRun Security Summary

The code changes enhance DefectDojo's vulnerability parsing and reporting capabilities by improving parsers for Qualys and Veracode scans, implementing rate limiting with account lockout, and focusing on more accurate and secure vulnerability data import.


Summary:

The provided code changes cover several improvements and enhancements to the DefectDojo application's vulnerability parsing and reporting functionalities. The key changes include:

  1. Qualys Vulnerability Parser: Improvements to the Qualys vulnerability parser, including better handling of CVSS scores, vulnerability status, description formatting, and extraction of CVE IDs and references. These changes help ensure accurate and complete vulnerability data is imported into DefectDojo.

  2. Rate Limiting and Account Lockout: Enhancements to the rate limiting decorator, which now includes the ability to enable account lockout for users who exceed the rate limit. This is an important security measure to protect the application from abuse.

  3. Qualys Infrastructure Scan Parser: Implementation of a new parser for Qualys Infrastructure Scan (WebGUI XML) reports, which extracts relevant vulnerability information such as host details, operating system, and vulnerability details. The parser uses secure practices like XML parsing and HTML sanitization.

  4. Veracode SAST and SCA Parsing: Improvements to the Veracode XML report parser, including separate handling for SAST (Static Application Security Testing) and SCA (Software Composition Analysis) findings. The changes ensure accurate representation of mitigation status, false positives, and deduplication of findings.

Overall, these code changes demonstrate a strong focus on improving the security and accuracy of vulnerability data imported into the DefectDojo application. The changes address various aspects of the vulnerability management process, from parsing and processing the raw scan data to providing enhanced reporting and tracking capabilities.

Files Changed:

  1. dojo/tools/qualys/parser.py: Improvements to the Qualys vulnerability parser, including better CVSS handling, vulnerability status tracking, and vulnerability description formatting.
  2. dojo/decorators.py: Enhancements to the rate limiting decorator, including the ability to enable account lockout for users who exceed the rate limit.
  3. dojo/tools/qualys_infrascan_webgui/parser.py: Implementation of a new parser for Qualys Infrastructure Scan (WebGUI XML) reports, which extracts host details and vulnerability information.
  4. dojo/tools/veracode/xml_parser.py: Improvements to the Veracode XML report parser, including separate handling for SAST and SCA findings, mitigation status tracking, and deduplication of findings.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.


@mtesauro (Contributor) left a comment

Approved

dojo/decorators.py: two review threads (outdated, resolved)
@kiblik kiblik requested a review from cneill January 11, 2025 11:58
@Maffooch Maffooch merged commit d1e224e into DefectDojo:dev Jan 15, 2025
73 checks passed
@kiblik kiblik deleted the ruff_RUF052 branch January 15, 2025 17:31