legacy reimport: make matching on title case-insensitive#12487
Merged
valentijnscholten merged 2 commits intoMay 22, 2025
Merged
Conversation
|
This pull request identifies a potential vulnerability in Django ORM queries related to case-sensitive title matching, which could compromise finding deduplication and lead to unintended information disclosure in security tracking systems. 💭 Unconfirmed Findings (1)
All finding details can be found in the DryRun Security Dashboard. |
3 tasks
valentijnscholten
changed the title
Maffooch
approved these changes
May 21, 2025
dogboat
approved these changes
May 22, 2025
hblankenship
approved these changes
May 22, 2025
xansec
pushed a commit
to xansec/django-DefectDojo
that referenced
this pull request
Jun 18, 2025
…12487) * legacy reimport: match title case insensitive * update reimporter
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In some scenario's the reimporter will fall back to the legacy dedupe algorithm that looks at the
titleandseverityof existing findings. Although this is not a preferred situation, it happens when no dedupe hash field configuration is present for the parser.At the time of writing this is the case for the OpenVAS parser. This can lead to false negative matching behavior as reported in #12378. This is because Defect Dojo uses
titlecaseto format the title of a finding before saving. So existing findings will can have a differenttitlefrom the findings being processed by the reimporter because the latter are not saved yet. Since Postgres is performing case sensitive comparisons by default, we have to explicitly make the comparison case insensitive with this PR.There are no tests cases covering this I believe. Adding a test case is doable, for example using an OpenVAS report. However we will probably add hash code config soon for OpenVAS rendering the test case useless. I think we should accept that we don't have explicit test cases for this "corner" or "legacy" scenario. I do think it's beneficial to merge this fix as it might be something first time users / PoC users run into for certain less used scan formats.