Merge branch 'bugfix' into ibmapp_parserfixavailable

Author: manuel-sommer

dojo/__init__.py

@@ -4,6 +4,6 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa: F401
 
-__version__ = "2.52.0"
+__version__ = "2.52.1"
 __url__ = "https://github.com/DefectDojo/django-DefectDojo"
 __docs__ = "https://documentation.defectdojo.com"

dojo/importers/default_importer.py

@@ -226,7 +226,11 @@ def process_findings(
             # Process any endpoints on the endpoint, or added on the form
             self.process_endpoints(finding, self.endpoints_to_add)
             # Parsers must use unsaved_tags to store tags, so we can clean them
-            finding.tags = clean_tags(finding.unsaved_tags)
+            cleaned_tags = clean_tags(finding.unsaved_tags)
+            if isinstance(cleaned_tags, list):
+                finding.tags.set(cleaned_tags)
+            elif isinstance(cleaned_tags, str):
+                finding.tags.set([cleaned_tags])
             # Process any files
             self.process_files(finding)
             # Process vulnerability IDs

dojo/importers/default_reimporter.py

@@ -693,8 +693,12 @@ def finding_post_processing(
         if len(self.endpoints_to_add) > 0:
             self.endpoint_manager.chunk_endpoints_and_disperse(finding, self.endpoints_to_add)
         # Parsers must use unsaved_tags to store tags, so we can clean them
-        if finding.unsaved_tags:
-            finding.tags = clean_tags(finding.unsaved_tags)
+        if finding_from_report.unsaved_tags:
+            cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
+            if isinstance(cleaned_tags, list):
+                finding.tags.set(cleaned_tags)
+            elif isinstance(cleaned_tags, str):
+                finding.tags.set([cleaned_tags])
         # Process any files
         if finding_from_report.unsaved_files:
             finding.unsaved_files = finding_from_report.unsaved_files

dojo/tools/jfrog_xray_unified/parser.py

@@ -104,7 +104,8 @@ def get_item(vulnerability, test):
     else:
         title = vulnerability["summary"]
 
-    references = "\n".join(vulnerability["references"])
+    references_str = vulnerability.get("references")
+    references = "\n".join(references_str) if isinstance(references_str, list) else (references_str if isinstance(references_str, str) else "")
 
     scan_time = datetime.strptime(
         vulnerability["artifact_scan_time"], "%Y-%m-%dT%H:%M:%S%z",
@@ -118,15 +119,18 @@ def get_item(vulnerability, test):
     # remove package type from component name
     component_name = component_name.split("://", 1)[1]
 
-    tags = ["packagetype_" + vulnerability["package_type"]]
+    tags = []
+    package_type = vulnerability.get("package_type")
+    if package_type:
+        tags.append("packagetype_" + package_type)
 
     # create the finding object
     finding = Finding(
         title=title,
         test=test,
         severity=severity,
         description=(
-            vulnerability["description"] + "\n\n" + extra_desc
+            vulnerability.get("description", vulnerability.get("summary")) + "\n\n" + extra_desc
         ).strip(),
         mitigation=mitigation,
         component_name=component_name,

helm/defectdojo/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2.53.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.8.1-dev
+version: 1.8.2-dev
 icon: https://defectdojo.com/hubfs/DefectDojo_favicon.png
 maintainers:
   - name: madchap
@@ -34,8 +34,4 @@ dependencies:
 #     description: Critical bug
 annotations:
   artifacthub.io/prerelease: "true"
-  artifacthub.io/changes: |
-    - kind: fixed
-      description: Broken rendering of media PVC
-    - kind: fixed
-      description: Typo in description of digests
+  artifacthub.io/changes: ""

helm/defectdojo/README.md

@@ -495,7 +495,7 @@ kubectl delete pvc data-defectdojo-redis-0 data-defectdojo-postgresql-0
 
 # General information about chart values
 
-![Version: 1.8.1-dev](https://img.shields.io/badge/Version-1.8.1--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
+![Version: 1.8.2-dev](https://img.shields.io/badge/Version-1.8.2--dev-informational?style=flat-square) ![AppVersion: 2.53.0-dev](https://img.shields.io/badge/AppVersion-2.53.0--dev-informational?style=flat-square)
 
 A Helm chart for Kubernetes to install DefectDojo
 

unittests/scans/generic/generic_report1_more_tags.json

@@ -0,0 +1,34 @@
+{
+    "findings": [
+        {
+            "title": "test title",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau",
+            "active": true,
+            "verified": true,
+            "severity": "Medium",
+            "impact": "Some impact",
+            "date": "2021-01-06",
+            "cve": "CVE-2020-36234",
+            "cwe": 261,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "tags": ["security", "network", "hardened"],
+            "unique_id_from_tool": "3287f2d0-554f-491b-8516-3c349ead8ee5",
+            "vuln_id_from_tool": "TEST1"
+        },
+        {
+            "title": "test title2",
+            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
+            "active": true,
+            "verified": false,
+            "severity": "Medium",
+            "impact": "Some impact",
+            "date": "2021-01-06",
+            "cve": "CVE-2020-36235",
+            "cwe": 287,
+            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+            "tags": ["security", "network", "hardened"],
+            "unique_id_from_tool": "42500af3-68c5-4dc3-8022-191d93c2f1f7",
+            "vuln_id_from_tool": "TEST2"
+        }
+    ]
+}

unittests/scans/jfrog_xray_unified/issue_13628.json

@@ -0,0 +1,36 @@
+{
+	"total_rows": 123,
+	"rows": [
+		{
+			"cves": [
+				{
+					"cve": "CVE-2023-42282",
+					"cvss_v3_score": 9.8,
+					"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+				}
+			],
+			"cvss3_max_score": 9.8,
+			"severity": "Critical",
+			"component_physical_path": "ip:2.0.0",
+			"impact_path": [
+				"somepath"
+			],
+			"fixed_versions": [
+				"2.0.1",
+				"1.1.9"
+			],
+			"issue_id": "XRAY-123",
+			"project_keys": [
+				"somepath"
+			],
+			"applicability": null,
+			"applicability_result": "not_scanned",
+			"summary": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.",
+			"vulnerable_component": "npm://ip:2.0.0",
+			"impacted_artifact": "build://[some_artifact_id]",
+			"path": "somepath",
+			"published": "2024-02-09T16:30:10Z",
+			"artifact_scan_time": "2025-11-03T11:42:09Z"
+		}
+	]
+}

unittests/test_tags.py

@@ -15,8 +15,9 @@ class TagTests(DojoAPITestCase):
     def setUp(self, *args, **kwargs):
         super().setUp()
         self.login_as_admin()
-        self.scans_path = get_unit_tests_scans_path("zap")
-        self.zap_sample5_filename = self.scans_path / "5_zap_sample_one.xml"
+        self.zap_sample5_filename = get_unit_tests_scans_path("zap") / "5_zap_sample_one.xml"
+        self.generic_sample_with_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1.json"
+        self.generic_sample_with_more_tags_filename = get_unit_tests_scans_path("generic") / "generic_report1_more_tags.json"
 
     def test_create_product_with_tags(self, expected_status_code: int = 201):
         product_id = Product.objects.all().first().id
@@ -285,6 +286,28 @@ def test_import_multipart_tags(self):
             for tag in success_tags:
                 self.assertIn(tag, response["tags"])
 
+    def test_import_report_with_tags(self):
+        def assert_tags_in_findings(findings: list[dict], expected_finding_count: int, desired_tags: list[str]) -> None:
+            self.assertEqual(expected_finding_count, len(findings))
+            for finding in findings:
+                self.assertEqual(len(desired_tags), len(finding.get("tags")))
+                for tag in desired_tags:
+                    self.assertIn(tag, finding["tags"])
+
+        # Import a report with findings that have tags
+        import0 = self.import_scan_with_params(self.generic_sample_with_tags_filename, scan_type="Generic Findings Import")
+        test_id = import0["test"]
+        response = self.get_test_findings_api(test_id)
+        findings = response["results"]
+        # Make sure we have what we are looking for
+        assert_tags_in_findings(findings, 2, ["security", "network"])
+        # Reimport with a different report that has more tags
+        self.reimport_scan_with_params(test_id, self.generic_sample_with_more_tags_filename, scan_type="Generic Findings Import")
+        response = self.get_test_findings_api(test_id)
+        findings = response["results"]
+        # Make sure we have what we are looking for
+        assert_tags_in_findings(findings, 2, ["security", "network", "hardened"])
+
 
 class InheritedTagsTests(DojoAPITestCase):
     fixtures = ["dojo_testdata.json"]

unittests/tools/test_jfrog_xray_unified_parser.py

@@ -345,3 +345,12 @@ def test_parse_file_with_another_report(self):
         findings = parser.get_findings(testfile, Test())
         testfile.close()
         self.assertEqual(7, len(findings))
+
+    def test_parse_file_issue_13628(self):
+        testfile = (get_unit_tests_scans_path("jfrog_xray_unified") / "issue_13628.json").open(encoding="utf-8")
+        parser = JFrogXrayUnifiedParser()
+        findings = parser.get_findings(testfile, Test())
+        testfile.close()
+        self.assertEqual(1, len(findings))
+        self.assertEqual("Critical", findings[0].severity)
+        self.assertEqual("XRAY-123 - The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", findings[0].title)