Bundler Audit Parser - Support for GHSA-Only Findings #9649

Merged
merged 6 commits into from
Mar 4, 2024

Conversation

rh0dy
Contributor

@rh0dy rh0dy commented Feb 29, 2024

Description

Results from a bundler audit scan can include findings that contain a GHSA ID but not a CVE ID (see here). I think these types of findings occur for a few reasons, i.e. the GHSA hasn't been assigned a CVE ID yet or that it never will be assigned a CVE ID.

Currently, the bundler audit parser doesn't support these types of findings, which feels like we may be missing out on importing valid vulnerabilities into DefectDojo.

This PR is to support parsing of bundler audit findings that may only contain a GHSA but not a CVE ID:


Test results

./dc-unittest.sh --profile postgres-redis --test-case unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser

...

test_get_findings (unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser.test_get_findings) ... ok
test_get_findings_version9 (unittests.tools.test_bundler_audit_parser.TestBundlerAuditParser.test_get_findings_version9) ... ok

----------------------------------------------------------------------
Ran 2 tests in 0.009s

OK

Documentation

N/A.
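The parsing behaviour the PR describes (keep an advisory that carries a GHSA but no CVE, instead of dropping it), as an added, stand-alone example. This is not DefectDojo's own bundler_audit parser. It assumes the `bundle audit check --format json` layout: a top-level "results" list whose "unpatched_gem" entries carry a "gem" object and an "advisory" object with "cve", "ghsa", "title", "criticality" and "patched_versions" keys, with identifiers appearing without their "CVE-"/"GHSA-" prefix as in ruby-advisory-db (prefixed values are accepted too). The sample report, gem names and identifiers below are constructed placeholders, not real advisories.

```python
"""Parse bundler-audit JSON output, keeping findings that carry a GHSA but no CVE.

Added example, not DefectDojo's bundler_audit parser. Assumes the
`bundle audit check --format json` layout described in the lead-in.
The sample report below is constructed; its gem names and identifiers
are placeholders, not real advisories.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample report: one CVE+GHSA finding, one GHSA-only finding,
# one "insecure_source" entry (no advisory) and one advisory without any id.
SAMPLE_REPORT = json.dumps({
    "version": "0.9.1",
    "results": [
        {"type": "unpatched_gem",
         "gem": {"name": "example-gem-a", "version": "1.0.0"},
         "advisory": {"cve": "2024-0001", "ghsa": "xxxx-yyyy-zzzz",
                      "title": "Example advisory with CVE and GHSA",
                      "criticality": "high", "patched_versions": [">= 1.0.1"]}},
        {"type": "unpatched_gem",
         "gem": {"name": "example-gem-b", "version": "2.3.4"},
         "advisory": {"cve": None, "ghsa": "aaaa-bbbb-cccc",
                      "title": "Example advisory with GHSA only",
                      "criticality": "medium", "patched_versions": [">= 2.3.5"]}},
        {"type": "insecure_source", "source": "http://rubygems.example/"},
        {"type": "unpatched_gem",
         "gem": {"name": "example-gem-c", "version": "0.1.0"},
         "advisory": {"cve": None, "ghsa": None,
                      "title": "Example advisory without identifiers",
                      "criticality": None, "patched_versions": []}},
    ],
})

# ruby-advisory-db "criticality" values mapped onto DefectDojo-style severities.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium", "low": "Low"}


@dataclass
class Finding:
    gem: str
    version: str
    title: str
    severity: str
    vulnerability_ids: List[str] = field(default_factory=list)
    patched_versions: List[str] = field(default_factory=list)


def normalize_id(value: Optional[str], prefix: str) -> Optional[str]:
    """Return a full identifier ("CVE-2024-0001", "GHSA-xxxx-yyyy-zzzz") or None.

    Accepts both the bare form used in ruby-advisory-db and an already
    prefixed form; a missing or blank value yields None rather than a
    dangling "CVE-" string.
    """
    if value is None or not str(value).strip():
        return None
    value = str(value).strip()
    return value if value.upper().startswith(prefix) else f"{prefix}{value}"


def parse_bundler_audit(report_text: str) -> List[Finding]:
    """Turn a bundler-audit JSON report into Finding records.

    Every "unpatched_gem" result is kept even when the advisory has no CVE:
    the GHSA (or, failing that, just the title) is enough to import it.
    """
    report = json.loads(report_text)
    findings = []
    for result in report.get("results", []):
        if result.get("type") != "unpatched_gem":
            continue  # "insecure_source" results carry no advisory
        gem = result.get("gem", {})
        advisory = result.get("advisory", {})
        ids = [i for i in (normalize_id(advisory.get("cve"), "CVE-"),
                           normalize_id(advisory.get("ghsa"), "GHSA-")) if i]
        findings.append(Finding(
            gem=gem.get("name", ""),
            version=gem.get("version", ""),
            title=advisory.get("title") or f"Vulnerable gem {gem.get('name', '')}",
            severity=SEVERITY_MAP.get(str(advisory.get("criticality") or "").lower(), "Info"),
            vulnerability_ids=ids,
            patched_versions=list(advisory.get("patched_versions") or []),
        ))
    return findings


def ghsa_only(findings: List[Finding]) -> List[Finding]:
    """Findings a CVE-only parser would have silently dropped."""
    return [f for f in findings
            if f.vulnerability_ids
            and not any(i.startswith("CVE-") for i in f.vulnerability_ids)]


if __name__ == "__main__":
    for f in parse_bundler_audit(SAMPLE_REPORT):
        print(f.gem, f.version, f.severity, f.vulnerability_ids or "(no identifier)")
```

The check a practitioner would add after importing a real report is the `ghsa_only` pass: if it returns an empty list for a Gemfile.lock you know carries GHSA-only advisories, the parser in use is still keying on the CVE field.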


dryrunsecurity bot commented Feb 29, 2024

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

Status DryRun Security Check
Sensitive Functions Analyzer
Configured Sensitive Files Analyzer
Sensitive Files Analyzer


@rh0dy rh0dy marked this pull request as ready for review February 29, 2024 00:56
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit ef07eb0 into DefectDojo:dev Mar 4, 2024
122 checks passed
6 participants