Discordant number of vulnerabilities after the import of Aqua Scan result #10586

Closed
kzzz1 opened this issue Jul 18, 2024 · 9 comments


kzzz1 commented Jul 18, 2024

Bug description
We are integrating Aqua Scan into DefectDojo. I noticed that sometimes the number of vulnerabilities found in my Aqua scan report is not the same as the number of findings I have when I import the report into DefectDojo; sometimes it's less. I don't think this is the normal behavior?

Steps to reproduce
Steps to reproduce the behavior:

  1. Scan an image with the Aqua scanner. I scanned the Juice Shop image, but this happens with different images quite often.
  2. Import the Aqua scan results into DefectDojo.
  3. The results in Aqua:
    [screenshot]
  4. The results after the import in DefectDojo:
    [screenshot]

I looked at the Aqua parser code; I think this may be the issue:
[screenshot]

A unique key is made from the resource's CPE and the vulnerability's name. But sometimes those two are the same. Maybe we could add the resource's path to that key to make it really unique? Here is an example. The vulnerability CVE-2024-4068 appears only once in DefectDojo; the CPE and vulnerability name are the same, but the path is different. If I change the CPE directly in the Aqua scan JSON file, I can now see one more vulnerability in DefectDojo.

[screenshots]

Expected behavior
Having the same number of vulnerabilities in DefectDojo after the import of the Aqua scan report.
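The collision described above, as an added example that is not DefectDojo's own parser code: a constructed Aqua-shaped report lists the same package (same CPE) at two different paths, each with the same CVE, plus one unrelated placeholder finding. Deduplicating on (cpe, vulnerability name) alone silently drops one of the two; adding the path to the key keeps both, and writing the path into the description lets the reader tell them apart in the findings list. The report layout, field names, the finding dict fields, the `**Path:**` line and the placeholder identifier `CVE-0000-00000` are all assumptions made for illustration.

```python
import json

# Constructed sample in the shape of an Aqua image-scan report (only the fields
# the code below reads are present; values are made up for illustration).
# The same package is installed twice at different paths, so one CVE is
# reported twice with an identical CPE. A third, unrelated finding with a
# placeholder identifier is included so the counts are easy to follow.
SAMPLE_AQUA_REPORT = json.dumps({
    "resources": [
        {
            "resource": {
                "cpe": "pkg:npm/braces@3.0.2",
                "name": "braces",
                "version": "3.0.2",
                "path": "/juice-shop/node_modules/braces/package.json",
            },
            "vulnerabilities": [
                {"name": "CVE-2024-4068", "description": "Uncontrolled resource consumption"},
            ],
        },
        {
            "resource": {
                "cpe": "pkg:npm/braces@3.0.2",
                "name": "braces",
                "version": "3.0.2",
                "path": "/juice-shop/frontend/node_modules/braces/package.json",
            },
            "vulnerabilities": [
                {"name": "CVE-2024-4068", "description": "Uncontrolled resource consumption"},
            ],
        },
        {
            "resource": {
                "cpe": "pkg:npm/example-pkg@1.0.0",
                "name": "example-pkg",
                "version": "1.0.0",
                "path": "/juice-shop/node_modules/example-pkg/package.json",
            },
            "vulnerabilities": [
                {"name": "CVE-0000-00000", "description": "Placeholder finding (not a real CVE)"},
            ],
        },
    ]
})


def iter_resource_vulns(report_text):
    """Yield (resource, vulnerability) pairs exactly as the report lists them,
    with no deduplication. Counting these gives the number the scanner UI shows."""
    report = json.loads(report_text)
    for entry in report.get("resources", []):
        resource = entry.get("resource", {})
        for vuln in entry.get("vulnerabilities", []):
            yield resource, vuln


def finding_key(resource, vuln, include_path):
    """Deduplication key (hypothetical reconstruction, not the parser's real code).
    Without the path, two installs of the same package (same CPE) affected by the
    same CVE collide and only the first one survives the import."""
    key = (resource.get("cpe", ""), vuln.get("name", ""))
    if include_path:
        key += (resource.get("path", ""),)
    return key


def import_aqua_findings(report_text, include_path):
    """Build the finding dicts an importer would create, deduplicated on finding_key."""
    findings = {}
    for resource, vuln in iter_resource_vulns(report_text):
        key = finding_key(resource, vuln, include_path)
        if key in findings:
            continue  # collapsed: this is where findings silently disappear
        description = vuln.get("description", "")
        if include_path:
            # Surface the path so duplicates can be told apart in the findings list.
            description += "\n**Path:** " + resource.get("path", "")
        findings[key] = {
            "title": f"{vuln.get('name')} - {resource.get('name')} ({resource.get('version')})",
            "component_name": resource.get("name"),
            "component_version": resource.get("version"),
            "file_path": resource.get("path"),
            "description": description,
        }
    return list(findings.values())


def reconcile(report_text, include_path):
    """Return (reported, imported, lost) so a pipeline can fail loudly when an
    import drops findings, instead of relying on someone comparing screenshots."""
    reported = sum(1 for _ in iter_resource_vulns(report_text))
    imported = len(import_aqua_findings(report_text, include_path))
    return reported, imported, reported - imported


if __name__ == "__main__":
    for include_path in (False, True):
        reported, imported, lost = reconcile(SAMPLE_AQUA_REPORT, include_path)
        print(f"include_path={include_path}: reported={reported} imported={imported} lost={lost}")
```

The `reconcile` check is the part worth keeping around after the parser fix: any importer that deduplicates on a key narrower than what the scanner reports can lose findings the same way, so comparing the raw count in the report with the number of findings created is a cheap guard to run on every import.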

@kzzz1 kzzz1 added the bug label Jul 18, 2024
manuel-sommer added a commit to manuel-sommer/django-DefectDojo that referenced this issue Jul 19, 2024
mtesauro pushed a commit that referenced this issue Jul 22, 2024
manuel-sommer (Contributor) commented

This can be closed, @mtesauro.

@kzzz1 kzzz1 closed this as completed Jul 24, 2024

kzzz1 commented Aug 9, 2024

@manuel-sommer the fix worked well with the path added to the unique key; I now have the same number of vulnerabilities in DefectDojo as in my Aqua report. But I'm wondering if we could display that path somewhere? I guess it's too long to put in the finding's title, but maybe we could add a 'Path' field after 'Component Name' and 'Component Version'? Because right now we can't tell why the two vulnerabilities here are displayed twice (it's because they have different paths).
[screenshots]

manuel-sommer (Contributor) commented

I added the path into the description field.


kzzz1 commented Aug 9, 2024

@manuel-sommer sorry if I don't see it. Here?
[screenshot]

manuel-sommer (Contributor) commented

Only available for the other fix.


kzzz1 commented Aug 9, 2024

@manuel-sommer okay, you mean we can see the path in the description field for the sensitive data findings only, is that right?

manuel-sommer (Contributor) commented

Yeah. Do you also need it for the other findings?


kzzz1 commented Aug 9, 2024

@manuel-sommer yeah, I think it would be practical to see the path somewhere for the vulnerabilities as well. Otherwise I have something like this in the list, and even when I click on one item I don't see the path in the description or anywhere else. I think it may be confusing if we don't know why they are listed multiple times without more info on the path...
[screenshot]

manuel-sommer (Contributor) commented

Done @kzzz1, see the PR.
