
Kubescape: Reduce the size of steps to reproduce #11542

Merged
merged 1 commit into from
Jan 15, 2025

Conversation

maxi-bee
Contributor

@maxi-bee maxi-bee commented Jan 10, 2025

  • This is a change to the kubescape parser
  • It removes the resource objects (a whole manifest) from "steps to reproduce", as it is often so long (thousands of lines) that it conflicts with the default Jira configuration's maximum accepted field length, resulting in the failure to create a Jira ticket via the Defect Dojo integration
  • Note also that there is arguably little value in storing these very large objects in the database (for duplicate and original findings)
  • Potentially, the Jira integration should validate that, but that possibly isn't the case

- removes the resource objects (a whole manifest) from "steps to reproduce", as it is often so long (thousands of lines) that it conflicts with the default Jira configuration
- potentially, the Jira integration should validate that, but that possibly isn't the case
- note also that there is arguably little value in storing these very large objects in the database (for duplicates and originals)
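To illustrate the size problem the PR describes, the following is an added example (not DefectDojo's parser and not code from this PR). It builds a `steps_to_reproduce` text from a constructed report whose layout is modeled on Kubescape's JSON output (an assumption, not a copy of real scan output), once with the full resource manifest attached and once with only the failed rule names, and checks each against an assumed Jira text-field ceiling (`JIRA_TEXT_FIELD_LIMIT`, a placeholder to configure for a real instance).

```python
# Added example, not DefectDojo code: effect of leaving the full Kubescape
# resource object out of steps_to_reproduce and keeping only failed rules.
import json

# Assumed ceiling for a Jira text field; treat as a configurable placeholder.
JIRA_TEXT_FIELD_LIMIT = 32767

# Constructed sample modeled on Kubescape's JSON report layout (not real output).
# The oversized "annotations" block stands in for a manifest thousands of lines long.
SAMPLE_REPORT = {
    "resources": [
        {
            "resourceID": "/v1/default/Pod/web",
            "object": {
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {
                    "name": "web",
                    "namespace": "default",
                    "annotations": {f"note-{i}": "x" * 200 for i in range(200)},
                },
                "spec": {"containers": [{"name": "web", "image": "nginx"}]},
            },
        }
    ],
    "results": [
        {
            "resourceID": "/v1/default/Pod/web",
            "controls": [
                {
                    "controlID": "C-0016",
                    "name": "Allow privilege escalation",
                    "status": {"status": "failed"},
                    "rules": [
                        {"name": "rule-allow-privilege-escalation", "status": "failed"},
                        {"name": "rule-some-passing-rule", "status": "passed"},
                    ],
                }
            ],
        }
    ],
}


def resource_objects(report):
    """Map resourceID -> the full manifest object carried in the report."""
    return {r["resourceID"]: r["object"] for r in report.get("resources", [])}


def failed_rules(control):
    """Names of the rules within a control whose status is 'failed'."""
    return [r["name"] for r in control.get("rules", []) if r.get("status") == "failed"]


def steps_to_reproduce(control, resource=None):
    """Build the steps_to_reproduce text.

    With resource=None (the behaviour the PR adopts) only the failed rule list is
    included; passing the manifest reproduces the older, oversized output.
    """
    lines = ["Failed rules:"] + [f"- {name}" for name in failed_rules(control)]
    if resource is not None:
        lines += ["", "Resource object:", json.dumps(resource, indent=2)]
    return "\n".join(lines)


def fits_jira_field(text, limit=JIRA_TEXT_FIELD_LIMIT):
    """True if the text would fit a Jira text field of the given size."""
    return len(text) <= limit


def parse(report):
    """Return (resourceID, controlID, steps_to_reproduce) for every failed control."""
    findings = []
    for result in report.get("results", []):
        for control in result.get("controls", []):
            if control.get("status", {}).get("status") != "failed":
                continue
            findings.append(
                (result["resourceID"], control["controlID"], steps_to_reproduce(control))
            )
    return findings


if __name__ == "__main__":
    objs = resource_objects(SAMPLE_REPORT)
    control = SAMPLE_REPORT["results"][0]["controls"][0]
    old = steps_to_reproduce(control, objs["/v1/default/Pod/web"])
    new = steps_to_reproduce(control)
    print("with manifest:", len(old), "chars, fits Jira:", fits_jira_field(old))
    print("rules only:   ", len(new), "chars, fits Jira:", fits_jira_field(new))
```

Running it shows the manifest-bearing text blowing past the assumed limit while the rules-only text stays well under it; the same length check is the kind of validation the description suggests the Jira integration could perform before attempting to create a ticket.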

DryRun Security Summary

The code change improves security by removing lines that could expose sensitive information in the steps_to_reproduce field of the Finding object, now only including the list of failed rules.


Summary:

The provided code change is a security-focused improvement to the KubescapeParser class in the dojo/tools/kubescape/parser.py file. The changes involve removing two lines of code that were previously responsible for including the entire resource object in the steps_to_reproduce field of the Finding object. This could potentially have led to the inclusion of sensitive information in the finding, which would be a security concern.

By removing these lines, the steps_to_reproduce field now only includes the list of failed rules, which is more focused and appropriate information to include in the finding. This change reduces the risk of accidentally exposing sensitive data in the finding, which is an important security best practice. From an application security perspective, this code change is a positive step towards improving the security of the application.

Files Changed:

  • dojo/tools/kubescape/parser.py: The changes in this file are focused on the get_findings method of the KubescapeParser class. The code previously included the entire resource object in the steps_to_reproduce field of the Finding object, which could have led to the exposure of sensitive information. The updated code removes these lines, ensuring that only the list of failed rules is included in the steps_to_reproduce field, which is a more appropriate and secure approach.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.


Contributor

@a-ruff a-ruff left a comment


LGTM

@Maffooch Maffooch changed the title Update kubescape parser.py Kubescape: Reduce the size of steps to reproduce Jan 10, 2025
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit ad5040e into DefectDojo:dev Jan 15, 2025
72 checks passed
@maxi-bee maxi-bee deleted the patch-1 branch January 17, 2025 12:55
@maxi-bee
Contributor Author

Hey folks. Once this is merged to dev when is this expected to hit a release?

@mtesauro
Contributor

DefectDojo does minor releases every month that take the dev branch and merge it into master/main. Those generally happen on the first Monday of the month.

The releases between the minor releases are based on the bugfix branch and happen every Monday between minor releases.

In the case of this PR, it will be released in 2.43.0 on Feb 3rd.
