
Import of NPM Audit result not working when paths are empty. #7897

Closed
pr3l14t0r opened this issue Mar 28, 2023 · 1 comment
@pr3l14t0r

Ahoi! There seems to be a problem with the NPM Audit parser.
In the report I get from my tool, some paths entries are empty in the resulting JSON.
Example (stripped):

    {
      "advisories": {
        "1089551": {
          "findings": [
            {
              "version": "6.0.23",
              "paths": []
            },
            {
              "version": "5.2.18",
              "paths": []
            },
            {
              "version": "7.0.32",
              "paths": []
            }
          ]
        }
      }
    }

If I use the sample JSON file, the import works. But changing an arbitrary paths entry to "paths": [] will lead to the same error that I get for my result file:

    DEBUG [dojo.importers.importer.importer:297] IMPORT_SCAN: Parse findings
    ERROR [dojo.engagement.views:698] list index out of range
    Traceback (most recent call last):
      File "/app/dojo/engagement/views.py", line 682, in import_scan_results
        test, finding_count, closed_finding_count, _ = importer.import_scan(scan, scan_type, engagement, user, environment, active=active, verified=verified, tags=tags,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/importers/importer/importer.py", line 300, in import_scan
        parsed_findings = parser.get_findings(scan, test)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/tools/npm_audit/parser.py", line 24, in get_findings
        return self.get_items(tree, test)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/tools/npm_audit/parser.py", line 55, in get_items
        item = get_item(node, test)
        ^^^^^^^^^^^^^^^^^^^^
      File "/app/dojo/tools/npm_audit/parser.py", line 99, in get_item
        file_path=censor_path_hashes(item_node['findings'][0]['paths'][0]),
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
    IndexError: list index out of range

My best guess would be that the function censor_path_hashes is handling empty paths arrays incorrectly. Could you help me out here?

**Reproduction**

Prepare sample file:

  1. Download the sample NPM Scan
  2. Open the json file. Within the advisories nodes, choose one or a few finding subnodes and change the "paths" value to "paths": []
  3. Save the file.

In DefectDojo:

  1. In a random engagement, try to add Findings via the Import Scan results feature/button.
  2. Fill in necessary fields
  3. As Scan Type choose NPM Audit Scan
  4. Select the previously prepared file as the file to upload.
  5. Observe that the import did fail:


Also notice the log files. In my case - using a containerized environment - inspect the logs of the uwsgi container.
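As an added example (not DefectDojo's own parser code), the lookup from the traceback above is shown beside a guarded version that tolerates an empty `paths` list, run over an advisory node constructed after the stripped report in this issue. `censor_path_hashes_stub` is a hypothetical stand-in for the real `censor_path_hashes` helper, and the guarded lookup falls back to the first finding that has a path, or an empty string when none does.

```python
import json
import re

# Constructed sample advisory node, modelled on the stripped report above:
# the first finding has no paths, the second has one.
SAMPLE_ADVISORY = json.loads("""
{
  "findings": [
    {"version": "6.0.23", "paths": []},
    {"version": "5.2.18", "paths": ["node_modules/foo/node_modules/bar"]}
  ]
}
""")


def censor_path_hashes_stub(path):
    # Hypothetical stand-in for DefectDojo's censor_path_hashes: masks
    # 40-hex-char segments so content hashes do not land in the finding.
    return re.sub(r"[0-9a-f]{40}", "<hash>", path)


def file_path_unguarded(item_node):
    # The exact expression from the traceback: indexing [0] on an empty
    # "paths" list raises IndexError and aborts the whole import.
    return censor_path_hashes_stub(item_node["findings"][0]["paths"][0])


def file_path_guarded(item_node):
    """Return the first available path across findings, or "" if none."""
    for finding in item_node.get("findings", []):
        paths = finding.get("paths") or []
        if paths:
            return censor_path_hashes_stub(paths[0])
    return ""


def raises_index_error(item_node):
    """True when the unguarded lookup fails on this node (used for checking)."""
    try:
        file_path_unguarded(item_node)
    except IndexError:
        return True
    return False
```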

@pr3l14t0r pr3l14t0r added the bug label Mar 28, 2023
manuel-sommer added a commit to manuel-sommer/django-DefectDojo that referenced this issue Jan 20, 2024
cneill pushed a commit that referenced this issue Jan 30, 2024
@manuel-sommer
Contributor

Can you close this @mtesauro?
