A bug was found related to the code uploaded in #12398 which causes an error under certain circumstances when uploading Checkov reports into Defect Dojo. It's an issue that wasn't caught in any unit tests but was caught later during internal use.
The problem lies in lines 125-131, i.e., the passage of benchmark references into the Mitigations field.
```python
if "benchmarks" in vuln:
    bms = vuln["benchmarks"].keys()
    if len(bms) > 0:
        mitigation += "\nBenchmarks:\n"
        for bm in bms:
            for gl in vuln["benchmarks"][bm]:
                mitigation += f"- {bm} # {gl['name']} : {gl['description']}\n"
```
In the current latest version, this code is present. The problem is that the first `if` statement only checks if the `benchmarks` attribute exists in the finding, not if it's set to `None`, which sometimes happens when PrismaCloud does not find any benchmark references for the finding. Otherwise, it will contain a dictionary where keys are benchmark reference IDs, and the values are the actual benchmark rules.
The parser is only ready to parse findings with benchmark references. If it detects a `None`, it will not make the distinction and try to access the data inside, which causes a `NoneType object does not have 'keys' attribute` error, causing the whole report to be discarded.
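To show the fix the issue calls for, here is an added example (not DefectDojo's own parser code) with the reported snippet beside a defensive version that treats a missing key, a `None` value and an empty dictionary the same way; the `benchmarks`, `name` and `description` field names come from the issue, the rest of the finding layout is assumed.

```python
# Added example, not DefectDojo's parser code. Finding layout is assumed.

def original_benchmarks_to_mitigation(vuln: dict, mitigation: str = "") -> str:
    """The behaviour reported in the issue, kept for comparison: it raises
    AttributeError when "benchmarks" is present but set to None."""
    if "benchmarks" in vuln:
        bms = vuln["benchmarks"].keys()
        if len(bms) > 0:
            mitigation += "\nBenchmarks:\n"
            for bm in bms:
                for gl in vuln["benchmarks"][bm]:
                    mitigation += f"- {bm} # {gl['name']} : {gl['description']}\n"
    return mitigation


def benchmarks_to_mitigation(vuln: dict, mitigation: str = "") -> str:
    """Defensive version: append benchmark references only when they exist.

    Handles the three shapes a finding can carry:
      - no "benchmarks" key at all,
      - "benchmarks": None (PrismaCloud found no references),
      - "benchmarks": {benchmark_id: [{"name": ..., "description": ...}, ...]}.
    """
    benchmarks = vuln.get("benchmarks") or {}  # missing and None both become {}
    if not isinstance(benchmarks, dict) or not benchmarks:
        return mitigation
    mitigation += "\nBenchmarks:\n"
    for bm, guidelines in benchmarks.items():
        for gl in guidelines or []:  # also guard a None guideline list
            name = gl.get("name", "")
            description = gl.get("description", "")
            mitigation += f"- {bm} # {name} : {description}\n"
    return mitigation


# Constructed sample findings (not taken from a real Checkov report).
FINDING_WITH_REFS = {
    "benchmarks": {
        "CIS_AWS_1.4": [{"name": "2.1.1", "description": "Ensure S3 bucket encryption"}],
    }
}
FINDING_NULL_REFS = {"benchmarks": None}  # the shape that crashes the original
FINDING_NO_KEY = {}
```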
Steps to reproduce
Steps to reproduce the behavior:
- Go to the app's Swagger instance to have easier access to the API
- Have a test Product Type, Product and Engagement at the ready
- Use the `import-scan` API method to import a Checkov report. Make sure the report has vulnerabilities with the 'benchmarks' field empty.
- Defect Dojo's API should return status code 500 and a `NoneType object does not have 'keys' attribute` error.
Expected behavior
For the report to have been correctly parsed and the findings imported, with the API returning status code 201.
Deployment method (select with an X)
Environment information
- Operating System: CentOS Linux release 7.7.1908
- Docker Compose Version: 2.6.0
- DefectDojo version: 2.48.*
Sample scan files
demo.json