
🐛 fix netsparker issue #10311 #10312

Merged
merged 2 commits into from
Jun 4, 2024

Conversation

manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented Jun 1, 2024


dryrunsecurity bot commented Jun 1, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on improving the reliability and accuracy of the Netsparker security scan report parsing functionality. The changes include the addition of a new unit test to validate the parser's behavior when processing a specific Netsparker scan report, as well as security-related improvements to the NetsparkerParser class to handle potential issues with the HttpRequest and HttpResponse fields in the parsed data.

Additionally, the pull request includes a JSON file containing the results of a Netsparker security scan on the website "www.sampleweb.org". The scan identified several security issues, including a cookie not marked as secure, an outdated version of the Bootstrap framework, and a cookie not marked as HttpOnly. These findings are all valid and should be addressed to improve the overall security posture of the application.

The proposed changes and the security issues identified in the Netsparker scan report are in line with best practices for secure web application development. The remediation actions suggested, such as marking cookies as secure and HttpOnly, as well as upgrading to the latest Bootstrap version, are reasonable steps to improve the security of the application.

Files Changed:

  1. unittests/tools/test_netsparker_parser.py:

    • A new test case, test_parse_file_issue_10311, has been added to the TestNetsparkerParser class to validate the parser's behavior when processing a Netsparker scan report for issue #10311 ("Netsparker scan import issue 'NoneType' object has no attribute 'encode'").
    • The test verifies that the parser correctly identifies 3 findings in the report and checks the severity, CWE ID, and date for each finding.
  2. dojo/tools/netsparker/parser.py:

    • The code changes ensure that the request and response variables are properly initialized, even if the corresponding HttpRequest and HttpResponse fields in the Netsparker data are missing or empty.
    • The changes also ensure that the request and response values are converted to strings before being stored in the finding.unsaved_req_resp list.
  3. unittests/scans/netsparker/issue_10311.json:

    • This file contains the results of a Netsparker security scan on the website "www.sampleweb.org".
    • The scan identified three main security issues: a cookie not marked as secure, an outdated version of the Bootstrap framework, and a cookie not marked as HttpOnly.

Powered by DryRun Security
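As an added illustration of the two guards the summary above describes (defaulting missing or null HttpRequest/HttpResponse fields and coercing them to strings), the snippet below parses a constructed report excerpt. It is not code from the pull request or from DefectDojo; the nested "Content" key and the helper names are assumptions.

```python
import json

# Constructed sample shaped like a Netsparker "Vulnerabilities" array.
# The nested "Content" key is an assumption about the report layout;
# the page only names the HttpRequest / HttpResponse fields.
SAMPLE_REPORT = json.loads("""
{
  "Vulnerabilities": [
    {"Name": "Cookie Not Marked as Secure",
     "HttpRequest": {"Content": "GET / HTTP/1.1\\r\\nHost: www.sampleweb.org\\r\\n"},
     "HttpResponse": {"Content": "HTTP/1.1 200 OK\\r\\nSet-Cookie: s=1\\r\\n"}},
    {"Name": "Out-of-date Version (Bootstrap)",
     "HttpRequest": {"Content": null},
     "HttpResponse": {"Content": null}},
    {"Name": "Cookie Not Marked as HttpOnly"}
  ]
}
""")


def extract_req_resp_unsafe(item):
    """Fragile pattern: assumes both fields exist and hold strings."""
    return item["HttpRequest"]["Content"], item["HttpResponse"]["Content"]


def extract_req_resp(item):
    """Hardened: "" when the field is missing or null, str() otherwise,
    so a later .encode() on the stored value cannot hit None."""
    request = (item.get("HttpRequest") or {}).get("Content")
    response = (item.get("HttpResponse") or {}).get("Content")
    return ("" if request is None else str(request),
            "" if response is None else str(response))


def unsafe_failure(item):
    """Name of the exception the fragile path raises for item, or None."""
    try:
        req, resp = extract_req_resp_unsafe(item)
        req.encode("utf-8")   # the step that produced "'NoneType' object has no attribute 'encode'"
        resp.encode("utf-8")
        return None
    except (KeyError, AttributeError) as exc:
        return type(exc).__name__


def build_unsaved_req_resp(report):
    """Build the list a parser would assign to finding.unsaved_req_resp,
    checking that every stored value survives UTF-8 encoding."""
    out = []
    for item in report["Vulnerabilities"]:
        req, resp = extract_req_resp(item)
        req.encode("utf-8")
        resp.encode("utf-8")
        out.append({"req": req, "resp": resp})
    return out
```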

@manuel-sommer
Contributor Author

Reopened due to merge conflict issue.

Contributor

@mtesauro mtesauro left a comment


Approved

@manuel-sommer manuel-sommer mentioned this pull request Jun 3, 2024
3 tasks
@cneill cneill merged commit d9c6da4 into DefectDojo:bugfix Jun 4, 2024
593 of 598 checks passed
@manuel-sommer manuel-sommer deleted the fix_netsparker_10311 branch June 5, 2024 06:48