
🔨 RustyHog: handle empty reports correctly to fix #10584 #12129


Merged
merged 3 commits into from
Apr 7, 2025

Conversation

manuel-sommer (Contributor)
dryrunsecurity bot commented Mar 29, 2025

DryRun Security Summary

Documentation and code updates for the Rusty Hog parser in DefectDojo revealed potential security risks related to information exposure, metadata sensitivity, and parsing vulnerabilities in the parser implementation.


Summary: Documentation and code updates for Rusty Hog parser in DefectDojo, including method modifications, scan type expansions, and test suite refactoring.

Security Findings:

  1. Potential Information Exposure in Parser
    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: Parser extracts and logs detailed metadata including commit hashes, file paths, and line numbers
    • Explanation: Sensitive information could be unintentionally disclosed through finding logs
  2. Parsing Metadata Sensitivity
    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: Findings are marked with high severity by default
    • Explanation: Automatic high-severity marking could lead to potential information disclosure or misrepresentation of actual risk
  3. Input Parsing Potential Risks
    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: While input validation has been improved, there are still potential parsing vulnerabilities
    • Explanation: Complex parsing logic with multiple scan types could introduce unexpected behavior or parsing edge cases


@valentijnscholten valentijnscholten changed the title 🔨 Rework RustyHog to fix #10584 🔨 RustyHog: handle empty reports correctly to fix #10584 Mar 29, 2025
@valentijnscholten (Member) commented:
I have changed the title slightly to make it more clear as it ends up in the release notes.

@Maffooch Maffooch requested a review from hblankenship April 7, 2025 15:59
@Maffooch Maffooch added this to the 2.45.1 milestone Apr 7, 2025
@Maffooch Maffooch merged commit 7d0f185 into DefectDojo:bugfix Apr 7, 2025
78 checks passed
@manuel-sommer manuel-sommer deleted the rework_rustyhog branch April 7, 2025 22:35
Maffooch added a commit that referenced this pull request Apr 21, 2025
* 🔨 Rework RustyHog to fix #10584

* Update docs/content/en/connecting_your_tools/parsers/file/rusty_hog.md

Co-authored-by: Cody Maffucci <[email protected]>

* update

---------

Co-authored-by: Cody Maffucci <[email protected]>
5 participants