Fix Qualys parser to prevent merging findings on different ports #14269
ArnaavSinghSandhu wants to merge 26 commits into DefectDojo:master from
….55.0-2.56.0-dev Release: Merge back 2.55.0 into dev from: master-into-dev/2.55.0-2.56.0-dev
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.1 to 2.11.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.10.1...2.11.0) --- updated-dependencies: - dependency-name: pyjwt dependency-version: 2.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocker-compose.yml) (DefectDojo#14223) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…43 (.github/workflows/renovate.yaml) (DefectDojo#14222) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
…efectDojo#14214) Bumps [datatables.net](https://github.com/DataTables/Dist-DataTables) from 2.3.6 to 2.3.7. - [Release notes](https://github.com/DataTables/Dist-DataTables/releases) - [Commits](DataTables/Dist-DataTables@2.3.6...2.3.7) --- updated-dependencies: - dependency-name: datatables.net dependency-version: 2.3.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…3.11 to v (dockerfile.integration-tests-debian) (DefectDojo#14233) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….55.1-2.56.0-dev Release: Merge back 2.55.1 into dev from: master-into-dev/2.55.1-2.56.0-dev
…rfile.nginx-alpine) (DefectDojo#14245) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…2.11 to v (docker-compose.yml) (DefectDojo#14252) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…dded-email-template Fix email template rendering for product_type_added notification
….55.2-2.56.0-dev Release: Merge back 2.55.2 into dev from: master-into-dev/2.55.2-2.56.0-dev
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.14 to 0.15.0. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.14.14...0.15.0) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….12 to v (dockerfile.nginx-alpine) (DefectDojo#14263) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…3.12 to v (dockerfile.integration-tests-debian) (DefectDojo#14264) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Maffooch
left a comment
This PR needs to be rebased against dev or bugfix. If there are extra unrelated commits in the PR as a result, best advice is to close the PR and open a new one based from the desired branch
| return [ | ||
| "title", | ||
| "severity", | ||
| "endpoints", |
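Review bot: The `"endpoints"` entry added to this returned field list changes the parser's deduplication fields, which this fix does not need: the per-port distinction is already carried by the unsaved_endpoints that parse_finding populates (see the description), so drop this line and leave the field list as it was.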
| "endpoints", |
The deduplication fields are not being updated here (and they should not be) so this should be removed
Bumps [setuptools](https://github.com/pypa/setuptools) from 80.10.2 to 82.0.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](pypa/setuptools@v80.10.2...v82.0.0) --- updated-dependencies: - dependency-name: setuptools dependency-version: 82.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
0d1eec6 to 65ec294
This pull request has conflicts, please resolve those before we can evaluate the pull request.
65ec294 to faf3f9c
Conflicts have been resolved. A maintainer will review the pull request shortly.
Hi @Maffooch, thanks for the review. You're right—the branch has drifted too far and picked up unrelated commits during the rebase attempt. I'm going to close this PR now and open a fresh one against the dev branch with the requested change (removing 'endpoints' from dedupe fields) to keep the history clean.
Description
Fix: Qualys Infrastructure Scan merging findings on different ports.
Currently, the Qualys parser collapses multiple findings of the same QID into a single finding if they occur on the same host, even if they are on different ports (e.g., a vulnerability found on both port 80 and port 443). This results in data loss during the import process.
This PR implements the following:
Updated parse_finding in dojo/tools/qualys/parser.py to correctly extract the tag from the Qualys XML.
Correctly maps these ports to the unsaved_endpoints and unsaved_locations attributes of the Finding object.
Ensures that findings remain distinct in DefectDojo by recognizing the unique port/endpoint combination.
Test results
I have verified this fix using the following steps:
New Unit Test: Added test_parse_file_with_multiple_ports_for_same_qid to unittests/tools/test_qualys_parser.py.
Sample Data: Created unittests/scans/qualys/test_qualys.xml which contains a single QID assigned to two different ports on the same host.
Execution: Ran the unit test suite inside the Docker environment.
Result: Ran 1 test in 0.009s. OK. The parser now correctly identifies 2 distinct findings instead of 1.

Documentation
No documentation changes are required as this is a bug fix for existing parser logic to bring it in line with expected DefectDojo behavior.
Checklist
[x] Bugfixes should be submitted against the bugfix branch.
[x] Give a meaningful name to your PR.
[x] Your code is flake8 compliant.
[x] Add applicable tests to the unit tests.
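The collapse described in the PR description (one QID on two ports of the same host being folded into a single finding) reproduced as an added Python example. This is not DefectDojo's parser or test code: the XML below is a constructed sample only loosely modelled on a Qualys host-detection report, and `Finding`, `collapse_by_host` and `keep_ports_distinct` are hypothetical stand-ins for the real parser. The "before" keys findings on (QID, host) and loses the port; the "after" keeps the port on the endpoint, so findings on ports 80 and 443 stay distinct without touching any deduplication field list.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, loosely modelled on a Qualys host-detection export.
# It is not a real Qualys report. QID 38170 is detected on two ports of one host.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HOST_LIST_VM_DETECTION_OUTPUT>
  <HOST_LIST>
    <HOST>
      <IP>10.0.0.5</IP>
      <DETECTION_LIST>
        <DETECTION><QID>38170</QID><PORT>80</PORT><PROTOCOL>tcp</PROTOCOL><SEVERITY>3</SEVERITY></DETECTION>
        <DETECTION><QID>38170</QID><PORT>443</PORT><PROTOCOL>tcp</PROTOCOL><SEVERITY>3</SEVERITY></DETECTION>
        <DETECTION><QID>11111</QID><PORT>22</PORT><PROTOCOL>tcp</PROTOCOL><SEVERITY>2</SEVERITY></DETECTION>
      </DETECTION_LIST>
    </HOST>
  </HOST_LIST>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""


@dataclass
class Finding:
    """Hypothetical stand-in for a DefectDojo Finding: only the fields this example needs."""
    qid: str
    severity: str
    # (host, port, protocol) tuples, mirroring the unsaved_endpoints idea from the PR
    unsaved_endpoints: list = field(default_factory=list)


def parse_detections(xml_text):
    """Yield one flat dict per <DETECTION>, carrying the host IP and the port/protocol tags."""
    root = ET.fromstring(xml_text)
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        for det in host.iter("DETECTION"):
            port = det.findtext("PORT")
            yield {
                "qid": det.findtext("QID"),
                "host": ip,
                "port": int(port) if port else None,
                "protocol": det.findtext("PROTOCOL"),
                "severity": det.findtext("SEVERITY"),
            }


def collapse_by_host(xml_text):
    """Buggy behaviour: findings are keyed on (QID, host), so the port is discarded
    and detections on different ports of the same host merge into one finding."""
    findings = {}
    for d in parse_detections(xml_text):
        key = (d["qid"], d["host"])
        f = findings.setdefault(key, Finding(d["qid"], d["severity"]))
        endpoint = (d["host"], None, None)  # port never makes it onto the endpoint
        if endpoint not in f.unsaved_endpoints:
            f.unsaved_endpoints.append(endpoint)
    return list(findings.values())


def keep_ports_distinct(xml_text):
    """Fixed behaviour: the port/protocol from the XML is kept on the endpoint and is part
    of the key, so the same QID on ports 80 and 443 yields two findings."""
    findings = {}
    for d in parse_detections(xml_text):
        key = (d["qid"], d["host"], d["port"], d["protocol"])
        f = findings.setdefault(key, Finding(d["qid"], d["severity"]))
        endpoint = (d["host"], d["port"], d["protocol"])
        if endpoint not in f.unsaved_endpoints:
            f.unsaved_endpoints.append(endpoint)
    return list(findings.values())


def ports_for_qid(findings, qid):
    """Sorted list of ports carried by the endpoints of every finding with the given QID."""
    return sorted(ep[1] for f in findings if f.qid == qid for ep in f.unsaved_endpoints if ep[1] is not None)


if __name__ == "__main__":
    before = collapse_by_host(SAMPLE_XML)
    after = keep_ports_distinct(SAMPLE_XML)
    print(f"before fix: {len(before)} findings, ports for 38170: {ports_for_qid(before, '38170')}")
    print(f"after fix:  {len(after)} findings, ports for 38170: {ports_for_qid(after, '38170')}")
```

The point to take from the two functions is where the port lives: the fix makes the port part of the endpoint that each finding carries, which is what keeps the findings apart, rather than widening the parser's deduplication field list, which is the change the maintainer asked to have removed.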