From 5beb6dbd9f049f08fbbe57785ca90e11fb3559bd Mon Sep 17 00:00:00 2001
From: Wolfram Huesken
Date: Wed, 30 Apr 2025 00:09:40 +0200
Subject: [PATCH 1/3] Store fingerprint from bearer in unique_id_from_tool

---
 dojo/settings/settings.dist.py | 1 +
 dojo/tools/bearer_cli/parser.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 196c871156f..6519ada7955 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1584,6 +1584,7 @@ def saml2_attrib_map_format(din):
 "MobSF Scorecard Scan": DEDUPE_ALGO_HASH_CODE,
 "OSV Scan": DEDUPE_ALGO_HASH_CODE,
 "Nosey Parker Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
+ # The bearer fingerprint is not unique across multiple scans, so it shouldn't be used for deduplication (https://github.com/DefectDojo/django-DefectDojo/pull/12346#issuecomment-2841561634)
 "Bearer CLI": DEDUPE_ALGO_HASH_CODE,
 "Wiz Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
 "Deepfence Threatmapper Report": DEDUPE_ALGO_HASH_CODE,
diff --git a/dojo/tools/bearer_cli/parser.py b/dojo/tools/bearer_cli/parser.py
index 0c72db38776..86dd5b49037 100644
--- a/dojo/tools/bearer_cli/parser.py
+++ b/dojo/tools/bearer_cli/parser.py
@@ -46,6 +46,7 @@ def get_findings(self, file, test):
 sast_source_line=bearerfinding["source"]["start"],
 sast_source_file_path=bearerfinding["filename"],
 vuln_id_from_tool=bearerfinding["id"],
+ unique_id_from_tool=bearerfinding["fingerprint"],
 )
 items.append(finding)

From 8bc9978171c4d58cdf9557d0ac5fd460b2ca5dd9 Mon Sep 17 00:00:00 2001
From: valentijnscholten
Date: Fri, 16 May 2025 17:51:21 +0200
Subject: [PATCH 2/3] Update dojo/tools/bearer_cli/parser.py

---
 dojo/tools/bearer_cli/parser.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dojo/tools/bearer_cli/parser.py b/dojo/tools/bearer_cli/parser.py
index 86dd5b49037..4fafeb26861 100644
--- a/dojo/tools/bearer_cli/parser.py
+++ b/dojo/tools/bearer_cli/parser.py
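Review bot: The comment added above the `"Bearer CLI"` entry gives a different reason than the comment patch 2 adds in dojo/tools/bearer_cli/parser.py: here the fingerprint is "not unique across multiple scans", there it is "not constant over time", and those are distinct properties (a key shared by different findings versus a key that drifts for the same finding), so a maintainer reading only one file learns a different rationale for keeping hash-code dedupe. Pick one phrasing and use it in both places, e.g. `# Bearer's fingerprint is not stable across scans of the same code, so it must not be the dedupe key; see https://github.com/DefectDojo/django-DefectDojo/pull/12346#issuecomment-2841561634`. It would also help to note, if it holds for this deployment model, that this per-parser default can be overridden by configuration, since that is the condition under which the parser's newly populated unique_id_from_tool would start driving deduplication. The mapping this entry belongs to starts and ends outside the hunk.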
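Review bot: `unique_id_from_tool=bearerfinding["fingerprint"]` makes a report that lacks the `fingerprint` key abort the whole import with a KeyError, for a value the commit itself treats as informational (the settings change keeps dedupe on hash_code). Unless the Bearer output schema guarantees the field on every finding, `unique_id_from_tool=bearerfinding.get("fingerprint"),` would keep the import working on reports that omit it; the neighbouring keyword arguments use direct indexing too, so this is a judgement about how optional the field is rather than a style break. get_findings starts and ends outside the hunk.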
@@ -46,6 +46,7 @@ def get_findings(self, file, test):
 sast_source_line=bearerfinding["source"]["start"],
 sast_source_file_path=bearerfinding["filename"],
 vuln_id_from_tool=bearerfinding["id"],
+ # the fingerprint is not constant over time, but because it's not used for dedupe it's safe and useful to set it
 unique_id_from_tool=bearerfinding["fingerprint"],
 )

From fbc3d8f2b7347f4c9f1b50f6dc217122fcf27193 Mon Sep 17 00:00:00 2001
From: Wolfram Huesken
Date: Sat, 17 May 2025 12:53:43 +0200
Subject: [PATCH 3/3] Updated bearer unit test to assert on the fingerprint being set into unique_id_from_tool

---
 unittests/tools/test_bearer_cli_parser.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/unittests/tools/test_bearer_cli_parser.py b/unittests/tools/test_bearer_cli_parser.py
index 43488a772fc..33898942dd2 100644
--- a/unittests/tools/test_bearer_cli_parser.py
+++ b/unittests/tools/test_bearer_cli_parser.py
@@ -20,6 +20,7 @@ def test_bearer_parser_with_one_vuln_has_one_findings(self):
 self.assertEqual("https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html", findings[0].references)
 self.assertEqual("js/adminer/editing.js", findings[0].file_path)
 self.assertEqual(581, findings[0].line)
+ self.assertEqual("804174abc284c6bc747d886b3e9ba757_0", findings[0].unique_id_from_tool)
 
 def test_bearer_parser_with_many_vuln_has_many_findings(self):
 testfile = (get_unit_tests_scans_path("bearer_cli") / "bearer_cli_many_vul.json").open(encoding="utf-8")
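Review bot: The new assertion pins unique_id_from_tool only for the single-finding fixture, while the property the parser comment from patch 2 relies on ("safe and useful to set") is really about what happens with several findings in one report; the `_0` suffix on `804174abc284c6bc747d886b3e9ba757_0` looks like an index-based disambiguator, which would make two findings in the same file differ only by that suffix. A check in test_bearer_parser_with_many_vuln_has_many_findings that every finding carries a non-empty unique_id_from_tool and that the values are distinct within one report would document that where it matters, e.g. `self.assertEqual(len(findings), len({f.unique_id_from_tool for f in findings}))` after the existing count assertion. That test method runs past the end of the hunk.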