🎉 Implement Fortify Webinspect new report format #12155

Merged (12 commits, Apr 17, 2025)

Conversation

@manuel-sommer manuel-sommer marked this pull request as ready for review April 4, 2025 05:49

dryrunsecurity bot commented Apr 4, 2025

DryRun Security Summary

The text describes a Fortify XML parser patch addressing multiple security vulnerabilities, including XML parsing risks, potential information exposure, endpoint handling risks, cookie transmission weaknesses, and improved error handling mechanisms.

Summary: The summaries describe a Fortify XML parser patch and a corresponding unit test, focusing on XML parsing security and testing a specific security finding related to cookie transmission.

Security Findings:

  1. XML Parsing Security Risks

    • Uses defusedxml.ElementTree for XML attack protection
    • Implements XML structure validation
  2. Potential Information Exposure

    • Extracts detailed vulnerability information
    • Captures raw HTTP responses potentially containing sensitive data
    • Includes detailed file paths and line numbers in findings
  3. Endpoint Handling Risk

    • Creates Endpoint objects with host and port information
    • Potential exposure of internal network details
  4. Cookie Security Vulnerability

    • Test reveals a finding about cookies not being sent over SSL
    • Potential for sensitive session information interception
    • Indicates a medium-severity security weakness in cookie transmission
  5. Error Handling Considerations

    • Raises ValueError for unrecognized XML structures
    • Prevents silent parsing failures

View PR in the DryRun Dashboard.


github-actions bot commented Apr 7, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Apr 7, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

@valentijnscholten (Member) commented:

At first glance the parsing code looks quite different. Is this really just a new report format of the same scan type? If it is, will there be any impact on deduplication/reimport?

manuel-sommer commented Apr 7, 2025

The report format differs from the one before. I did not specifically test deduplication here.
At the moment, I also don't have time to test this.


@mtesauro mtesauro left a comment

Approved

@valentijnscholten (Member) commented:

Couple of remarks:

  • To me it seems like a different scan result, not just a different format. Might be better to split it off and/or make the docs more clear on how this report can be generated
  • Can you rename the sample scan to be more descriptive of what it is, i.e. webinspect_4_2_many_findings.xml
  • The naming of the variables seems different to what we usually do, see my remarks inline.

@Maffooch Maffooch added this to the 2.45.2 milestone Apr 11, 2025

dryrunsecurity bot commented Apr 15, 2025

DryRun Security

This pull request reveals multiple security vulnerabilities across different areas, including potential information disclosure risks, endpoint handling concerns, XML parsing challenges, insecure cookie transmission, and metadata handling issues that could compromise system security and expose sensitive internal information.

💭 Unconfirmed Findings (5)

  • Information Disclosure Risks: Potential security vulnerabilities where raw HTTP responses and detailed finding descriptions could expose sensitive internal system information and details.
  • Endpoint Handling Vulnerability: Risk of exposing internal network details through the creation of Endpoint objects, which requires careful implementation and management.
  • XML Parsing Considerations: Security concerns with XML parsing, including the need for careful input handling despite using defusedxml.ElementTree. External link references require thorough vetting to prevent potential security risks.
  • Cookie Security Finding: Security issue identified where cookies are not being sent over SSL, potentially allowing information interception during transmission.
  • Severity and Metadata Handling: Potential information leakage through detailed severity and finding metadata. Default fallback to 'Info' severity could potentially mask critical security issues.

All finding details can be found in the DryRun Security Dashboard.
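Both DryRun summaries above describe the same parser behaviour: parse with defusedxml.ElementTree, reject an unrecognized XML structure with a ValueError instead of failing silently, build host/port endpoints, and fall back to 'Info' severity. The sketch below is an added example, not the DefectDojo parser or its API; the report layout, element names and sample data are constructed to resemble a WebInspect export, and unknown severities are flagged rather than quietly downgraded so the fallback cannot mask a serious finding.

```python
from dataclasses import dataclass

try:
    import defusedxml.ElementTree as ET  # hardened parser: rejects entity expansion / external entities
except ImportError:  # fallback only so the sketch runs where defusedxml is not installed
    import xml.etree.ElementTree as ET

# Hypothetical numeric-to-label mapping; the real scanner's scale is not shown on the page.
SEVERITY_MAP = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}


@dataclass
class Finding:
    title: str
    severity: str
    host: str
    port: int
    unmapped_severity: bool = False  # True when the report value was not in SEVERITY_MAP


def parse_severity(raw):
    """Map the report's severity value; an unknown value still yields Info but is flagged."""
    label = SEVERITY_MAP.get((raw or "").strip())
    return ("Info", True) if label is None else (label, False)


def parse_report(xml_text):
    """Parse a constructed WebInspect-like report; raise ValueError on an unexpected structure."""
    root = ET.fromstring(xml_text)
    if root.tag != "Scan" or root.find("Sessions") is None:  # constructed structure check
        raise ValueError(f"Unrecognized WebInspect report structure: root <{root.tag}>")
    findings = []
    for session in root.iter("Session"):
        host = session.findtext("Host", default="").strip()  # endpoint host
        port = int(session.findtext("Port", default="0"))    # endpoint port
        for issue in session.iter("Issue"):
            severity, flagged = parse_severity(issue.findtext("Severity"))
            findings.append(Finding(issue.findtext("Name", "").strip(), severity, host, port, flagged))
    return findings


# Constructed sample report (not a real WebInspect export).
SAMPLE_REPORT = """<?xml version="1.0"?>
<Scan><Sessions><Session>
  <Host>app.example.test</Host><Port>443</Port>
  <Issue><Name>Cookie Not Sent Over SSL</Name><Severity>2</Severity></Issue>
  <Issue><Name>Server Version Disclosure</Name><Severity>9</Severity></Issue>
</Session></Sessions></Scan>"""
```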

manuel-sommer commented Apr 15, 2025

> Couple of remarks:
>
>   • To me it seems like a different scan result, not just a different format. Might be better to split it off and/or make the docs more clear on how this report can be generated
>   • Can you rename the sample scan to be more descriptive of what it is, i.e. webinspect_4_2_many_findings.xml
>   • The naming of the variables seems different to what we usually do, see my remarks inline.

Regarding the way this new report is generated: I asked in the issue and am waiting for a reply.

@valentijnscholten valentijnscholten left a comment

As per my commit suggestions, shouldn't the variables used in the new parser method be named like we do everywhere else?

@Maffooch Maffooch requested a review from blakeaowens April 17, 2025 17:45
@Maffooch Maffooch merged commit c5f921d into DefectDojo:bugfix Apr 17, 2025
78 checks passed
@manuel-sommer manuel-sommer deleted the issue_12065 branch April 18, 2025 07:33
valentijnscholten pushed a commit that referenced this pull request Apr 21, 2025
* 🎉 Implement Fortify Webinspect new report format

* update

* fix

* update

* update

* update

* update

* update

* update according to comment

* docs update

* fix
Maffooch pushed a commit that referenced this pull request Apr 21, 2025
Maffooch pushed a commit that referenced this pull request Apr 21, 2025
Maffooch pushed a commit that referenced this pull request Apr 21, 2025
5 participants