fix

Author: manuel-sommer

dojo/tools/pingcastle/parser.py

@@ -9,8 +9,9 @@
 
 
 class PingCastleParser:
+
     CVE_REGEX = re.compile(r"(CVE-\d{4}-\d{4,7})", re.IGNORECASE)
-    # keep severity order for minimal contextual bumping
+
     _SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]
 
     def get_scan_types(self):
@@ -36,16 +37,18 @@ def get_findings(self, file, test):
             model = rr.findtext("Model") or ""
             risk_id = rr.findtext("RiskId") or ""
             rationale = rr.findtext("Rationale") or ""
-            # base severity from points
+
             severity = self._map_points_to_severity(points)
-            # minimal contextual bumping (CVE mention, missing mitigation, DC scope, Exposure category)
             severity = self._apply_contextual_bump(
                 severity=severity,
                 category=category,
                 model=model,
                 risk_id=risk_id,
                 rationale=rationale,
             )
+            if not severity or severity not in self._SEVERITY_ORDER:
+                severity = "Info"
+
             title = f"[PingCastle] {risk_id} ({category}/{model})"
             description = self._compose_risk_rule_description(
                 domain_fqdn=domain_fqdn,
@@ -92,8 +95,6 @@ def get_findings(self, file, test):
         findings.extend(list(dupes.values()))
         return findings
 
-    # --- helpers ---
-
     def _compose_risk_rule_description(
         self,
         domain_fqdn,
@@ -140,7 +141,6 @@ def _collect_domain_controllers(self, root):
                 "ips": ips,
                 "rpc_interfaces": [],
             }
-            # RPC interfaces
             for rpc in dc.findall("RPCInterfacesOpen/HealthcheckDCRPCInterface"):
                 dc_info["rpc_interfaces"].append({
                     "ip": rpc.attrib.get("IP", ""),
@@ -149,7 +149,6 @@ def _collect_domain_controllers(self, root):
                     "function": rpc.attrib.get("Function", ""),
                 })
             dc_infos.append(dc_info)
-            # Endpoints: DC name + IPs
             if name:
                 endpoints.append(Endpoint(host=name))
             endpoints.extend(Endpoint(host=ip) for ip in ips)
@@ -244,23 +243,19 @@ def _is_dc_specific_risk(risk_id: str, model: str = "", rationale: str = "") ->
         rid = (risk_id or "").strip()
         mod = (model or "").strip()
         rat = (rationale or "").strip().lower()
-        # 1) Explicit prefixes commonly used by PingCastle for DC-specific checks
         dc_prefixes = ("A-DC-", "S-DC-")
         if rid.startswith(dc_prefixes):
             return True
-        # 2) Known DC-specific RiskIds (extend as needed)
         dc_specific_ids = {
             "A-DC-Spooler",
             "A-DC-Coerce",
-            "A-AuditDC",          # audit policy on domain controllers
-            "S-DC-SubnetMissing",  # DC subnet declaration incomplete
+            "A-AuditDC",
+            "S-DC-SubnetMissing",
         }
         if rid in dc_specific_ids:
             return True
-        # 3) Model hints: "Audit" with a DC-focused RiskId, or PassTheCredential but DC scoped
         if mod == "Audit" and rid.endswith("DC"):
             return True
-        # 4) Rationale heuristic: mentions DC presence/quantity
         dc_markers = (
             " from ",
             " dc",
@@ -270,7 +265,6 @@ def _is_dc_specific_risk(risk_id: str, model: str = "", rationale: str = "") ->
         )
         return bool(any(marker in rat for marker in dc_markers))
 
-    # --- minimal contextual bumping ---
     def _apply_contextual_bump(self, severity: str, category: str = "", model: str = "",
                                risk_id: str = "", rationale: str = "") -> str:
         """
@@ -280,22 +274,22 @@ def _apply_contextual_bump(self, severity: str, category: str = "", model: str =
         - If DC-specific -> bump by 1 level.
         - If category is 'Exposure' -> bump by 1 level.
         """
-        current = severity
-        idx = self._SEVERITY_ORDER.index(current)
+        if not severity or severity not in self._SEVERITY_ORDER:
+            severity = "Info"
+        idx = self._SEVERITY_ORDER.index(severity)
         rat = (rationale or "").lower()
         cat = (category or "").strip().lower()
 
-        # CVE present
         if self.CVE_REGEX.search(rationale or ""):
             idx = min(idx + 1, len(self._SEVERITY_ORDER) - 1)
             mitigation_markers = ("mitigation", "not set", "disabled", "missing", "not enabled", "enable")
             if any(m in rat for m in mitigation_markers):
                 idx = max(idx, self._SEVERITY_ORDER.index("Medium"))
 
-        # DC-specific
         if self._is_dc_specific_risk(risk_id, model, rationale):
             idx = min(idx + 1, len(self._SEVERITY_ORDER) - 1)
 
-        # Exposure category
         if cat == "exposure":
             idx = min(idx + 1, len(self._SEVERITY_ORDER) - 1)
+
+        return self._SEVERITY_ORDER[idx]

unittests/tools/test_pingcastle_parser.py

@@ -35,16 +35,16 @@ def test_many_findings(self):
         spooler = next((f for f in findings if f.vuln_id_from_tool == "A-DC-Spooler"), None)
         self.assertIsNotNone(spooler)
         self.assertEqual(spooler.title, "[PingCastle] A-DC-Spooler (Anomalies/PassTheCredential)")
-        self.assertEqual(spooler.severity, "Medium")
+        self.assertEqual(spooler.severity, "High")
         self.assertTrue(len(getattr(spooler, "unsaved_endpoints", [])) > 0)
         ds_heuristics = next((f for f in findings if f.vuln_id_from_tool == "A-DsHeuristicsLDAPSecurity"), None)
         self.assertIsNotNone(ds_heuristics)
         self.assertEqual(ds_heuristics.title, "[PingCastle] A-DsHeuristicsLDAPSecurity (Anomalies/Reconnaissance)")
-        self.assertEqual(ds_heuristics.severity, "Info")
+        self.assertEqual(ds_heuristics.severity, "Medium")
         self.assertTrue(
             hasattr(ds_heuristics, "unsaved_vulnerability_ids")
             and len(ds_heuristics.unsaved_vulnerability_ids) >= 1,
         )
         coerce = next((f for f in findings if f.vuln_id_from_tool == "A-DC-Coerce"), None)
         self.assertIsNotNone(coerce)
-        self.assertEqual(coerce.severity, "Medium")
+        self.assertEqual(coerce.severity, "High")