cvssv3 validation

Author: valentijnscholten

dojo/api_v2/serializers.py

@@ -119,6 +119,7 @@
 )
 from dojo.user.utils import get_configuration_permissions_codenames
 from dojo.utils import is_scan_file_too_large, tag_validator
+from dojo.validators import cvss3_validator
 
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
@@ -1849,6 +1850,8 @@ def validate(self, data):
         # doing it here instead of in update because update doesn't know if the value changed
         self.process_risk_acceptance(data)
 
+        cvss3_validator(data.get("cvssv3"), exception_class=RestFrameworkValidationError)
+
         return data
 
     def validate_severity(self, value: str) -> str:
@@ -1979,6 +1982,8 @@ def validate(self, data):
             msg = "Active findings cannot be risk accepted."
             raise serializers.ValidationError(msg)
 
+        cvss3_validator(data.get("cvssv3"), exception_class=RestFrameworkValidationError)
+
         return data
 
     def validate_severity(self, value: str) -> str:
@@ -2005,6 +2010,8 @@ class Meta:
         exclude = ("cve",)
 
     def create(self, validated_data):
+        cvss3_validator(validated_data.get("cvssv3"), exception_class=RestFrameworkValidationError)
+
         to_be_tagged, validated_data = self._pop_tags(validated_data)
 
         # Save vulnerability ids and pop them
@@ -2030,9 +2037,12 @@ def create(self, validated_data):
             new_finding_template.save()
 
         self._save_tags(new_finding_template, to_be_tagged)
+
         return new_finding_template
 
     def update(self, instance, validated_data):
+        cvss3_validator(validated_data.get("cvssv3"), exception_class=RestFrameworkValidationError)
+
         # Save vulnerability ids and pop them
         if "vulnerability_id_template_set" in validated_data:
             vulnerability_id_set = validated_data.pop(

dojo/models.py

@@ -44,6 +44,8 @@
 from tagulous.models import TagField
 from tagulous.models.managers import FakeTagRelatedManager
 
+from dojo.validators import cvss3_validator  # to avoid circular import
+
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
 
@@ -2334,8 +2336,9 @@ class Finding(models.Model):
                               verbose_name=_("EPSS percentile"),
                               help_text=_("EPSS percentile for the CVE. Describes how many CVEs are scored at or below this one."),
                               validators=[MinValueValidator(0.0), MaxValueValidator(1.0)])
-    cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
-    cvssv3 = models.TextField(validators=[cvssv3_regex],
+    # cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
+    # cvssv3 = models.TextField(validators=[cvssv3_regex],
+    cvssv3 = models.TextField(validators=[cvss3_validator],
                               max_length=117,
                               null=True,
                               verbose_name=_("CVSS v3"),
@@ -3521,8 +3524,10 @@ class Finding_Template(models.Model):
                            blank=False,
                            verbose_name="Vulnerability Id",
                            help_text="An id of a vulnerability in a security advisory associated with this finding. Can be a Common Vulnerabilities and Exposures (CVE) or from other sources.")
-    cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
-    cvssv3 = models.TextField(validators=[cvssv3_regex], max_length=117, null=True)
+    # cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
+    # cvssv3 = models.TextField(validators=[cvssv3_regex], max_length=117, null=True)
+    cvssv3 = models.TextField(validators=[cvss3_validator], max_length=117, null=True)
+
     severity = models.CharField(max_length=200, null=True, blank=True)
     description = models.TextField(null=True, blank=True)
     mitigation = models.TextField(null=True, blank=True)

dojo/validators.py

@@ -0,0 +1,36 @@
+import logging
+from collections.abc import Callable
+
+import cvss.parser
+from cvss import CVSS2, CVSS3, CVSS4
+from django.core.exceptions import ValidationError
+
+logger = logging.getLogger(__name__)
+
+
+def cvss3_validator(value: str | list[str], exception_class: Callable = ValidationError) -> None:
+    logger.error("cvss3_validator called with value: %s", value)
+    cvss_vectors = cvss.parser.parse_cvss_from_text(value)
+    if len(cvss_vectors) > 0:
+        vector_obj = cvss_vectors[0]
+
+        if isinstance(vector_obj, CVSS3):
+            # all is good
+            return
+
+        if isinstance(vector_obj, CVSS4):
+            # CVSS4 is not supported yet by the parse_cvss_from_text function, but let's prepare for it anyway: https://github.com/RedHatProductSecurity/cvss/issues/53
+            msg = "Unsupported CVSS(4) version detected."
+            raise exception_class(msg)
+        if isinstance(vector_obj, CVSS2):
+            # CVSS2 is not supported yet by the parse_cvss_from_text function, but let's prepare for it anyway: https://github.com/RedHatProductSecurity/cvss/issues/53
+            msg = "Unsupported CVSS(2) version detected."
+            raise exception_class(msg)
+
+        msg = "Unsupported CVSS version detected."
+        raise exception_class(msg)
+
+    # Explicitly raise an error if no CVSS vectors are found,
+    # to avoid 'NoneType' errors during severity processing later.
+    msg = "No CVSS vectors found by cvss.parse_cvss_from_text()"
+    raise exception_class(msg)

run-unittest.sh

@@ -51,7 +51,7 @@ then
 fi
 
 echo "Running docker compose unit tests with test case $TEST_CASE ..."
-# Compose V2 integrates compose functions into the Docker platform, continuing to support 
-# most of the  previous docker-compose features and flags. You can run Compose V2 by 
+# Compose V2 integrates compose functions into the Docker platform, continuing to support
+# most of the  previous docker-compose features and flags. You can run Compose V2 by
 # replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
-docker compose exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb"
+docker compose exec uwsgi bash -c "python manage.py test $TEST_CASE -v 3 --keepdb"  --debug-mode

unittests/test_rest_framework.py

@@ -1281,6 +1281,42 @@ def test_severity_validation(self):
         self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST, "Severity just got set to something invalid")
         self.assertEqual(result.json()["severity"], ["Severity must be one of the following: ['Info', 'Low', 'Medium', 'High', 'Critical']"])
 
+    # See https://github.com/DefectDojo/django-DefectDojo/issues/8264
+    def test_cvss3_validation(self):
+        with self.subTest(i=0):
+            self.assertEqual(None, Finding.objects.get(id=2).cvssv3)
+            result = self.client.patch(self.url + "2/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", Finding.objects.get(id=2).cvssv3)
+
+        with self.subTest(i=1):
+            # extra slash makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/"})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv3"], ["No CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(None, Finding.objects.get(id=3).cvssv3)
+
+        with self.subTest(i=2):
+            # no CVSS version prefix makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv3"], ["No CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(None, Finding.objects.get(id=3).cvssv3)
+
+        with self.subTest(i=3):
+            # CVSS4 version makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv3"], ["No CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(None, Finding.objects.get(id=3).cvssv3)
+
+        with self.subTest(i=4):
+            # CVSS4 version makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv3"], ["No CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(None, Finding.objects.get(id=3).cvssv3)
+
 
 class FindingMetadataTest(BaseClass.BaseClassTest):
     fixtures = ["dojo_testdata.json"]

unittests/tools/test_generic_parser.py

@@ -456,6 +456,8 @@ def test_parse_json(self):
                 self.assertIn("network", finding.unsaved_tags)
                 self.assertEqual("3287f2d0-554f-491b-8516-3c349ead8ee5", finding.unique_id_from_tool)
                 self.assertEqual("TEST1", finding.vuln_id_from_tool)
+                finding.clean_fields(exclude=["reporter", "numerical_severity", "planned_remediation_date"])
+                finding.save_no_options()
             with self.subTest(i=1):
                 finding = findings[1]
                 self.assertEqual("test title2", finding.title)