
Fortify FPR enhancements 2025 #12027


Merged: 9 commits, Mar 25, 2025

Conversation

@valentijnscholten valentijnscholten commented Mar 16, 2025

Description
This PR:

  • Aligns the FPR parser and resulting data in Defect Dojo with the behaviour of the XML parser
  • Uses logic from https://github.com/jaxley/python-fortify to calculate Severity (Friority)
  • Simplifies the XML parsing code by creating a dict of namespaces as parameter
  • Creates a (simple) data model to hold the data that is parsed, allowing it to be used in multiple places later
  • Sets unique_id_from_tool to be the InstanceID field from the report. Not sure if this can be used for dedupe.

A future PR could change the XML parser to use the same data model.

fixes #11901
fixes #11903

Test results
Unit tests are extended and still working

Documentation
No updates needed.
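As an added example (not DefectDojo's parser and not code from python-fortify), the following shows the three mechanisms the description lists in one runnable piece: a namespace dict passed to every lookup instead of repeating the FVDL namespace URI, a small dataclass holding the parsed finding, and the Fortify Priority Order ("Friority") computation as python-fortify performs it (Likelihood = Accuracy × Confidence × Probability / 25, with both Impact and Likelihood split at 2.5). The FVDL sample is constructed; its element layout, the assumption that a `Rule id` in `EngineData` equals the vulnerability's `ClassID`, and all identifiers and scores are illustrative, not taken from a real scan. DefectDojo uses defusedxml; the standard-library ElementTree is used here only so the example runs without extra packages.

```python
"""Added example, not DefectDojo code: parse FVDL findings with a namespace dict,
a small data model, and the python-fortify Friority computation."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET  # the project uses defusedxml; stdlib keeps this self-contained

# One namespace dict reused by every find*/findtext call.
NS = {"fvdl": "xmlns://www.fortifysoftware.com/schema/fvdl"}

# Constructed sample shaped like the audit.fvdl inside an FPR, trimmed to the fields
# used below. Layout, IDs and scores are assumptions for illustration only.
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo><ClassID>11111111-0000-0000-0000-000000000001</ClassID><Kingdom>Security Features</Kingdom>
        <Type>Password Management</Type><Subtype>Hardcoded Password</Subtype></ClassInfo>
      <InstanceInfo><InstanceID>7A9F0C1E2B3D4F5A6C7E8B9D0A1F2C3D</InstanceID>
        <InstanceSeverity>4.0</InstanceSeverity><Confidence>5.0</Confidence></InstanceInfo>
      <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
        <SourceLocation path="HelloWorld.java" line="12"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>11111111-0000-0000-0000-000000000002</ClassID><Kingdom>Encapsulation</Kingdom>
        <Type>System Information Leak</Type></ClassInfo>
      <InstanceInfo><InstanceID>0F1E2D3C4B5A69788796A5B4C3D2E1F0</InstanceID>
        <InstanceSeverity>2.0</InstanceSeverity><Confidence>4.0</Confidence></InstanceInfo>
      <AnalysisInfo><Unified><Trace><Primary><Entry><Node isDefault="true">
        <SourceLocation path="HelloWorld.java" line="30"/></Node></Entry></Primary></Trace></Unified></AnalysisInfo>
    </Vulnerability>
  </Vulnerabilities>
  <EngineData><RuleInfo>
    <Rule id="11111111-0000-0000-0000-000000000001"><MetaInfo><Group name="Accuracy">5.0</Group>
      <Group name="Impact">4.0</Group><Group name="Probability">4.0</Group></MetaInfo></Rule>
    <Rule id="11111111-0000-0000-0000-000000000002"><MetaInfo><Group name="Accuracy">5.0</Group>
      <Group name="Impact">2.0</Group><Group name="Probability">3.0</Group></MetaInfo></Rule>
  </RuleInfo></EngineData>
</FVDL>"""


def compute_severity(impact: float, likelihood: float) -> str:
    """Fortify Priority Order: Impact and Likelihood are each split at 2.5."""
    if impact >= 2.5:
        return "Critical" if likelihood >= 2.5 else "High"
    return "Medium" if likelihood >= 2.5 else "Low"


@dataclass(frozen=True)
class FortifyFinding:
    instance_id: str   # per-instance ID; the PR uses this as unique_id_from_tool
    class_id: str
    kingdom: str
    category: str
    path: str
    line: int
    impact: float      # per-rule, from MetaInfo
    confidence: float  # per-instance, from InstanceInfo
    accuracy: float    # per-rule, from MetaInfo
    probability: float # per-rule, from MetaInfo

    @property
    def likelihood(self) -> float:
        # python-fortify formula: Likelihood = Accuracy * Confidence * Probability / 25
        return self.accuracy * self.confidence * self.probability / 25.0

    @property
    def severity(self) -> str:
        return compute_severity(self.impact, self.likelihood)


def _rule_metadata(root) -> dict:
    """Map Rule id -> {"Accuracy": x, "Impact": y, "Probability": z} from EngineData."""
    meta = {}
    for rule in root.findall("fvdl:EngineData/fvdl:RuleInfo/fvdl:Rule", NS):
        meta[rule.get("id")] = {g.get("name"): float(g.text)
                                for g in rule.findall("fvdl:MetaInfo/fvdl:Group", NS)}
    return meta


def parse_fvdl(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    rule_meta = _rule_metadata(root)
    findings = []
    for vuln in root.findall("fvdl:Vulnerabilities/fvdl:Vulnerability", NS):
        class_id = vuln.findtext("fvdl:ClassInfo/fvdl:ClassID", namespaces=NS)
        if class_id not in rule_meta:  # fail loudly rather than guess a severity
            raise ValueError(f"no MetaInfo for rule {class_id}")
        meta = rule_meta[class_id]
        category = vuln.findtext("fvdl:ClassInfo/fvdl:Type", namespaces=NS)
        subtype = vuln.findtext("fvdl:ClassInfo/fvdl:Subtype", namespaces=NS)
        if subtype:
            category = f"{category}: {subtype}"
        loc = vuln.find("fvdl:AnalysisInfo/fvdl:Unified/fvdl:Trace/fvdl:Primary/"
                        "fvdl:Entry/fvdl:Node/fvdl:SourceLocation", NS)
        findings.append(FortifyFinding(
            instance_id=vuln.findtext("fvdl:InstanceInfo/fvdl:InstanceID", namespaces=NS),
            class_id=class_id,
            kingdom=vuln.findtext("fvdl:ClassInfo/fvdl:Kingdom", namespaces=NS),
            category=category,
            path=loc.get("path") if loc is not None else "",
            line=int(loc.get("line", 0)) if loc is not None else 0,
            impact=meta["Impact"],
            confidence=float(vuln.findtext("fvdl:InstanceInfo/fvdl:Confidence", namespaces=NS)),
            accuracy=meta["Accuracy"],
            probability=meta["Probability"],
        ))
    return findings


def unique_by_instance_id(findings: list) -> list:
    """What keying dedupe on InstanceID would do: keep the first finding per instance."""
    seen = {}
    for f in findings:
        seen.setdefault(f.instance_id, f)
    return list(seen.values())


if __name__ == "__main__":
    for f in parse_fvdl(SAMPLE_FVDL):
        print(f.instance_id, f.severity, f.category, f"{f.path}:{f.line}")
```

With the constructed scores the first finding has Impact 4.0 and Likelihood 5 × 5 × 4 / 25 = 4.0, so it is Critical; the second has Impact 2.0 and Likelihood 5 × 4 × 3 / 25 = 2.4, so it is Low. Whether InstanceID is stable enough across rescans to serve as a dedupe key is the open question the description raises; the helper only shows what keying on it would do.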

valentijnscholten (Member Author) commented:

The VDL file contains some preformatted html content in certain tags:

[screenshot, 2025-03-19: the many_findings_audit VDL test file from unittests/scans/fortify opened in an editor]

Inside Defect Dojo this will look like this:

[screenshot, 2025-03-19: View Finding page in DefectDojo]

I am not sure what Defect Dojo should do here. Should we try to get Defect Dojo to render this preformatted html? Should we try to convert it to markdown? Should we strip the tags? Should we parse the HTML and try to turn it into meaningful text?

For now I've just left it like this as this PR is already a considerable improvement.

The code snippets are rendering correctly in Defect Dojo:

[screenshot, 2025-03-19: View Finding page in DefectDojo]
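The PR leaves the HTML question open. As an added illustration (not DefectDojo code, and not a decision the PR makes), here is one conservative option from the list above, converting to text: a standard-library html.parser converter that keeps `pre`/`code` content verbatim as Markdown code, turns paragraphs and list items into line breaks, unescapes entities, and drops every other tag together with the bodies of `script`/`style` elements, so scanner-supplied markup is never handed to the UI to render. The sample HTML is constructed to resemble a Fortify description field and is not real scanner output; the tag set handled is an assumption.

```python
"""Added example, not DefectDojo code: turn the preformatted HTML found in
Fortify description fields into plain text with Markdown code marks."""
import re
from html.parser import HTMLParser

FENCE = "`" * 3  # built at runtime so this block stays fence-safe


class FortifyHtmlToText(HTMLParser):
    # Tags treated as line breaks; any tag not named here is silently dropped.
    BLOCK = {"p", "div", "br", "ul", "ol", "h1", "h2", "h3", "h4", "table", "tr"}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &amp; and friends arrive as plain text
        self.parts = []
        self.in_pre = False
        self.skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag == "pre":
            self.in_pre = True
            self.parts.append(f"\n{FENCE}\n")
        elif tag == "code" and not self.in_pre:
            self.parts.append("`")
        elif tag == "li":
            self.parts.append("\n- ")
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag == "pre":
            self.in_pre = False
            self.parts.append(f"\n{FENCE}\n")
        elif tag == "code" and not self.in_pre:
            self.parts.append("`")
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        if self.skip:
            return  # script/style bodies never reach the output
        # inside <pre> keep whitespace exactly; elsewhere collapse it the way a browser would
        self.parts.append(data if self.in_pre else re.sub(r"\s+", " ", data))

    def result(self) -> str:
        text = re.sub(r"\n{3,}", "\n\n", "".join(self.parts))
        return text.strip()


def html_to_text(html: str) -> str:
    parser = FortifyHtmlToText()
    parser.feed(html)
    parser.close()  # flush buffered text
    return parser.result()


# Constructed sample in the style of a Fortify Abstract/Explanation field (not real scanner output).
SAMPLE_HTML = ('<p>The password is <code>hard-coded</code> in the source.</p>'
               '<pre>String pw = "s3cret";</pre>'
               '<script>alert(1)</script>'
               '<ul><li>Rotate &amp; remove the credential</li></ul>')

if __name__ == "__main__":
    print(html_to_text(SAMPLE_HTML))
```

Because the output contains only text and Markdown code marks, whatever the finding view does with it (render as Markdown or show as-is) no element from the report is interpreted as HTML; the cost is that tables and links in the Fortify text are flattened to their text content.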

@valentijnscholten valentijnscholten marked this pull request as ready for review March 19, 2025 18:34

dryrunsecurity bot commented Mar 19, 2025

DryRun Security Summary

The pull request enhances Fortify vulnerability management by improving XML parsing security, implementing robust input validation, adding structured vulnerability extraction, and updating unit tests with more comprehensive security checks.

  1. Summary: Pull request introduces new data classes for Fortify vulnerability management, enhances FPR parser with improved XML parsing, and updates corresponding unit tests for better vulnerability scanning validation.

  2. Security Findings:

Namespace Handling Improvement:

  • XML namespace handling improved to prevent potential XML parsing vulnerabilities
  • Uses defusedxml to mitigate XML external entity (XXE) risks

Logging Security Considerations:

  • Added logging with logging.getLogger(__name__) for better traceability and potential security monitoring

Input Validation Enhancements:

  • More robust parsing of XML elements with explicit namespace handling
  • Added type hints and defensive programming techniques
  • Improved error handling in severity computation method

Potential Information Exposure Mitigation:

  • More structured approach to extracting vulnerability details
  • Careful handling of sensitive metadata like source locations

Computational Security:

  • Implemented nuanced severity computation method
  • Added try/except blocks to handle potential computational errors safely

Vulnerability Findings in Test Data:

  • Identified password management issues in HelloWorld.java
  • Findings with varying severity levels (Low and High)


@valentijnscholten valentijnscholten changed the title Fortify fixes 2025 Fortify FPR enhancements 2025 Mar 19, 2025
mtesauro (Contributor) left a comment:


Approved

@Maffooch Maffooch merged commit ff09847 into DefectDojo:dev Mar 25, 2025
77 checks passed
5 participants