Skip to content

🎉 implement new threatmapper file format #13639#13655

Merged
mtesauro merged 4 commits intoDefectDojo:bugfixfrom
manuel-sommer:fix_13639
Nov 13, 2025
Merged

🎉 implement new threatmapper file format #13639#13655
mtesauro merged 4 commits intoDefectDojo:bugfixfrom
manuel-sommer:fix_13639

Conversation

@manuel-sommer
Copy link
Copy Markdown
Contributor

@manuel-sommer manuel-sommer commented Nov 9, 2025

@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Nov 9, 2025
edited
Loading

DryRun Security

This pull request includes a finding that the malware CSV parsing functions in dojo/tools/deepfence_threatmapper/malware.py access multiple header keys without sufficient existence checks, which can raise an unhandled KeyError when expected headers (e.g., 'File Name', 'Summary', 'Severity') are missing and potentially expose stack traces or internal details. Although calling code performs some initial checks, the lack of comprehensive key validation or a higher-level try/except makes the code vulnerable to information disclosure on malformed input.

Information Disclosure via Unhandled Key Error in dojo/tools/deepfence_threatmapper/malware.py
Vulnerability Information Disclosure via Unhandled Key Error
Description The _parse_old_format and _parse_new_format methods in dojo/tools/deepfence_threatmapper/malware.py access multiple keys from the headers dictionary without comprehensive checks for their existence. While the calling code in parser.py and the get_findings method in malware.py perform initial checks for a few critical headers, these checks are insufficient to guarantee the presence of all keys subsequently accessed within the parsing functions. If a malformed input CSV file is processed where a required header (e.g., 'File Name', 'Summary', 'Severity') is missing, a KeyError will be raised. Without a higher-level try...except block to handle this specific exception, it could lead to an unhandled exception, potentially exposing sensitive stack traces or internal system details in error messages or logs.

django-DefectDojo/dojo/tools/deepfence_threatmapper/malware.py

Lines 45 to 47 in 9d9c0ea

Rule_Name = row[headers["Rule Name"]]
File_Name = row[headers["File Name"]]
Summary = row[headers["Summary"]]

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.52.2 milestone Nov 10, 2025
valentijnscholten
valentijnscholten reviewed Nov 10, 2025
View reviewed changes
Comment thread dojo/tools/deepfence_threatmapper/compliance.py
mtesauro
mtesauro approved these changes Nov 13, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@mtesauro mtesauro merged commit 0ff017f into DefectDojo:bugfix Nov 13, 2025
150 checks passed
@manuel-sommer manuel-sommer deleted the fix_13639 branch November 13, 2025 05:37
@shodanwashere
Copy link
Copy Markdown
Contributor

shodanwashere commented Nov 13, 2025

Nice! is there an estimate on when these changes will be reflected? will we get this fix on the new minor or further down the line?

@manuel-sommer
Copy link
Copy Markdown
Contributor Author

manuel-sommer commented Nov 13, 2025

on the next release, so upcomming monday they should be live @shodanwashere

Maffooch pushed a commit to valentijnscholten/django-DefectDojo that referenced this pull request Feb 16, 2026
@manuel-sommer
🎉 implement new threatmapper file format DefectDojo#13639 (DefectDojo…
dc4a353 
…#13655)

* 🎉 implement new threatmapper file format

* update
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

@blakeaowens blakeaowens Awaiting requested review from blakeaowens

Assignees

No one assigned

Labels

parser unittests

Projects

None yet

Milestone

2.52.2

Development

Successfully merging this pull request may close these issues.

6 participants

@manuel-sommer @shodanwashere @mtesauro @valentijnscholten @Maffooch @Jino-T