Store fingerprint from bearer in unique_id_from_tool #12346
Conversation
No security concerns detected in this pull request. All finding details can be found in the DryRun Security Dashboard.
Thanks for your PR. Could you add some asserts to the unit tests on this field? I also notice the
Checking the source where the fingerprints are generated, it looks like they're only unique within one scan. If the code changes and a weakness is fixed, then the fingerprints will be re-used. The fingerprint is the md5 hash of the filename and the rule id, suffixed with the index of the finding among the findings of this specific file. The old fingerprint has the same hash, but is suffixed with the index among all findings. I assume that this was just the old way of calculating the fingerprint. This is a bug in bearer, because if you ignore the fingerprint with index 2 and then fix the weakness with index 0, the weakness which previously had index 3 will be ignored now instead. This sounds like we should not use the fingerprint to track findings across multiple scans. That means I should revert the deduplication setting back to DEDUPE_ALGO_HASH_CODE, right?
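The index-shift problem described in the comment above, as an added example that is not part of the PR or of bearer's or DefectDojo's own code. It models the fingerprint the way the comment describes it (md5 over filename and rule id, suffixed with the finding's per-file index) and a line-based hash code the way the thread assumes the title is built; the exact concatenation, the title format, the hash function used for the hash code, and the sample findings are all assumptions made for this illustration:

```python
import hashlib

# Constructed sample data: one scanned file with four findings of one rule.
# Each finding is (filename, rule_id, line). Not real bearer output; the
# rule id is a placeholder chosen for the example.
SCAN_BEFORE_FIX = [
    ("app.py", "example_rule", 10),
    ("app.py", "example_rule", 20),
    ("app.py", "example_rule", 30),
    ("app.py", "example_rule", 40),
]
# The same file after the developer fixes the first finding (line 10).
SCAN_AFTER_FIX = [f for f in SCAN_BEFORE_FIX if f[2] != 10]


def bearer_fingerprint(filename, rule_id, index):
    """Fingerprint as described in the discussion: md5 over filename and rule
    id, suffixed with the finding's index within that file. Concatenating the
    two strings with no separator is an assumption made for this example."""
    digest = hashlib.md5(f"{filename}{rule_id}".encode("utf-8")).hexdigest()
    return f"{digest}_{index}"


def fingerprints_for_scan(findings):
    """Map fingerprint -> finding for one scan, numbering findings per file in
    order of appearance. The index restarts at 0 on every scan, which is what
    makes the fingerprint unstable once an earlier finding disappears."""
    per_file_counter = {}
    result = {}
    for finding in findings:
        filename, rule_id, _line = finding
        index = per_file_counter.get(filename, 0)
        per_file_counter[filename] = index + 1
        result[bearer_fingerprint(filename, rule_id, index)] = finding
    return result


def hash_code(finding):
    """Stand-in for a hash code built from the title, which the thread assumes
    is rule id + file name + line number. Title layout and the use of sha256
    are assumptions for this example, not DefectDojo's real hash_code."""
    filename, rule_id, line = finding
    title = f"{rule_id} {filename}:{line}"
    return hashlib.sha256(title.encode("utf-8")).hexdigest()


def hidden_by_fingerprint_ignore(scan_before, scan_after, target):
    """Ignore `target` by the fingerprint it had in scan_before, then return
    which finding in scan_after that stored fingerprint actually hides."""
    before = fingerprints_for_scan(scan_before)
    fingerprint = next(fp for fp, f in before.items() if f == target)
    return fingerprints_for_scan(scan_after).get(fingerprint)


def hidden_by_hash_code_ignore(scan_after, target):
    """Same experiment keyed on the line-based hash code instead."""
    key = hash_code(target)
    return next((f for f in scan_after if hash_code(f) == key), None)


if __name__ == "__main__":
    # The user marks the finding at line 30 (per-file index 2) as ignored,
    # then the finding at line 10 (index 0) gets fixed.
    target = ("app.py", "example_rule", 30)
    print("fingerprint ignore now hides:",
          hidden_by_fingerprint_ignore(SCAN_BEFORE_FIX, SCAN_AFTER_FIX, target))
    print("hash_code ignore still hides:",
          hidden_by_hash_code_ignore(SCAN_AFTER_FIX, target))
```

After the fix, the stored fingerprint `<md5>_2` now belongs to the line 40 finding, so that one is silently ignored and line 30 reappears as a new finding; the line-keyed hash code still matches line 30. The hash code has its own, different trade-off: it changes whenever unrelated edits shift the line number, so a finding can show up as new after a refactor even though it was not touched. Neither key is perfect, but only the fingerprint can hide the wrong finding.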
Yep, you've got the right idea 😉 If the current hash code fields of title and severity are fitting the need, we may be okay here.
If I remember correctly the title is the rule id + file name + line number, so this would be "uniquer". |
b262c3c to 97ff876
Maffooch left a comment:
This should be strictly additive without change to dedupe settings for existing folks, so this seems safe
97ff876 to 5beb6db
…unique_id_from_tool
* Store fingerprint from bearer in unique_id_from_tool
* Update dojo/tools/bearer_cli/parser.py
* Updated bearer unit test to assert on the fingerprint being set into unique_id_from_tool
---------
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Description
I'm storing the unique fingerprint from bearer, which is always present in the scan file, in the field unique_id_from_tool. I also changed the deduplication algorithm setting in dojo/settings/settings.dist.py from DEDUPE_ALGO_HASH_CODE to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE.
Test results
There is no existing unit test to extend.
Documentation
Updating the documentation should not be necessary for this tiny change.
Checklist
This checklist is for your information.
Extra information
This is my first PR for defect dojo, please let me know if I made a mistake. I'll fix it right away.